Policy
Valid Use Cases
Webhook Processing
- Purpose: Validate external webhooks
- Functions:
checkout-stripe-webhook,sendgrid-webhook - Reason: No user context available
User Creation
- Purpose: Create initial user records
- Functions:
patient-signup - Reason: User has no permissions yet
Cross-User Operations
- Purpose: Send notifications across users
- Functions:
prescription-notifications - Reason: Must access multiple user records
Authentication Management
- Purpose: Manage auth operations
- Functions:
auth-operations - Reason: Password resets, invitations
Payment Processing
- Purpose: Process payments from webhooks
- Functions:
checkout-submit-order - Reason: Complex multi-table operations
Mobile Sync
- Purpose: Sync data for mobile app
- Functions:
mobile-application-patient-sync - Reason: Cross-table data access
Security Requirements
Service Key Functions
- Document why service key is required
- Minimize data access scope
- Add audit logging for sensitive operations
Anon Key Functions
- Always validate JWT tokens
- Use RLS policies for data access
- Add comments about RLS requirements
Implementation
Refactoring Checklist
- Check if function only accesses user’s own data
- Verify RLS policies support the access pattern
- Replace service key with anon key + auth header
- Test all operations still work
- Deploy updated function
Code Pattern
RLS Required: Functions using anon key require proper RLS policies on all accessed tables