Introducing Neon Authorize: Simplifying Row-Level Security For Postgres
RLS policies in your codebase, verified by Neon
Today we’re launching Neon Authorize, a tool that aims to simplify the usage of Postgres row-level security policies while enabling new deployment models for app developers. With Neon Authorize, you can manage RLS directly in your codebase and integrate with any authentication provider, making it easier to enforce fine-grained access control without added complexity.
Every app needs a database. And every app needs authentication and authorization.
However, it can be cumbersome to bind these things together. If you’ve worked on application backends before, it’s very likely you’ve seen code like this:
This type of database access is hard to properly secure. The core issue is that it’s quite easy to mess up the authorization check – WHERE ur.user_id = $1 AND r.role_name = $2)
.
This is where Row Security Policies in Postgres come in. This feature allows developers to configure declarative access rules for their tables. As an example, let’s say you have the following users
table:
To secure it with RLS, you’d configure the following rules:
Notice that auth.user_id()
and auth.session()
are part of the open-source pg_session_jwt Postgres extension, authored by the Neon team.
info
With access logic at the database level, your application becomes much safer. Just like foreign keys enforce referential integrity, and CASCADE deletes can be used to enforce data correctness, RLS can enforce authorization on every database query.
Expanding access to RLS with Neon Authorize
With Authorize, we’re making it easier for developers to use RLS by providing an integration between any authentication provider and Postgres on Neon. After setting it up, calls to the database can be authenticated with a JWT (JSON Web Token) generated by the auth provider, which will be:
– Verified by the Neon Proxy
– Added to the request and made available for RLS rules and WHERE clauses alike
Furthermore, you’ll also have access to a few utility functions such as auth.session()
and auth.user_id()
which will help you use the JWTs that are coming from your auth provider.
Any authentication provider is automatically supported by our platform as long as it can generate JWTs and provide some URL for us to download the JWKS. Here’s an example of using the JWT in a filter:
Here’s a list of Auth providers we’ve already tested in partnership with each team (more to come):
- Clerk – Example Repo
- Stack Auth – Example Repo
- Auth0 – Example Repo
- Stytch – Example Repo
- AWS Cognito – Example Repo
- Azure AD – Example Repo
- Descope Auth – Example Repo
- Supertokens – Example Repo
- Firebase Auth
- Keycloak
- GCP Cloud Identity
Refer to the Neon Authorize docs for all the details.
The elephant in the room: RLS’s SQL syntax
One of the biggest issues with Postgres RLS is the difficult-to-understand SQL syntax. While LLMs can be great at generating this syntax, it still can easily become too hard to reason about.
That’s why we’ve partnered with Drizzle ORM to offer a cleaner, more intuitive way of defining RLS rules. With Drizzle and Neon, developers can set up RLS policies in a declarative format right alongside their schema definitions. This means you can manage RLS in the same place as your schema and data models, making your codebase more organized and easier to maintain.
What if I'm not using Drizzle?
We worked with the Drizzle team in order to design and test both the `pgPolicy` function, as well as a `crudPolicy` higher-level API that can be used as a helper utility to generate multiple Postgres policies with one function call.
Here’s a sneak peek of what it looks like to use `@drizzle-orm/pg` and `@drizzle-orm/neon` together. Also in this repo:
https://github.com/neondatabase-labs/social-wall-drizzle-neon-authorize
In this schema, we’re using Postgres for a bunch of different things:
– Column uniqueness
– Referential integrity
– Cascade deletes
– And with Authorize: access rules!
Of course, one can also just keep all these rules in “regular application code”. We’re not forcing anyone to use RLS policies. By having authenticated database requests with JWTs, developers can make use of their payloads in WHERE
clauses from their app’s backend as well.
Get started with Neon Authorize + Drizzle + Clerk
If you’re using Clerk, we have a tutorial to help you get set up quickly, using a sample todos app built with Next.js. Also in this repo:
https://github.com/neondatabase-labs/clerk-nextjs-neon-authorize
What you’ll learn:
- How to configure Neon Authorize with Clerk for authentication
- How to set up RLS policies via Drizzle in a clear, declarative way alongside your schema
- How to test and verify your setup to ensure smooth, secure access control
Wrapping Up
Neon Authorize is just the start of our journey towards making application development faster with Postgres. We hope to partner with more authentication providers and ORMs in the future to streamline all of this even more.
One of the novelties that comes out of this new feature is that you can now develop applications that are entirely client-side without a server/backend. We believe that for simple apps, you can get away with hosting them (for free) on GitHub Pages and then using Neon together with your auth provider of choice, without a backend. However, for more serious projects, we still recommend that you build a backend to protect your database.
RLS for everything or not?
Whether to use PG RLS for everything or not is an interesting debate. For the most part, we recommend defining some RLS rules for very important and core authorization logic. For example, multi-tenant enterprise applications can definitely benefit from having RLS for extra security. However, it’s probably better to define very intricate access logic in your backend code.
Since all of this is a bit novel, we’re hoping to get a lot of feedback from the community. So, we’ve created a channel for #neon-authorize on our Discord server. Please reach out!