supabase · steve-chavez · Apr 5, 2025 · steve-chavez · Apr 5, 2025
@@ -42,8 +42,6 @@ nix run github:supabase/postgres/mybranch#dbmate-tool -- --version 15
 
 aiming to provide a single source of truth for migrations on the platform that can be depended upon by those components. For more information on goals see [the RFC](https://www.notion.so/supabase/Centralize-SQL-Migrations-cd3847ae027d4f2bba9defb2cc82f69a)
 
-
-
 ## How it was Created
 
 Migrations were pulled (in order) from:
@@ -53,9 +51,8 @@ Migrations were pulled (in order) from:
 
 For compatibility with hosted projects, we include [migrate.sh](migrate.sh) that executes migrations in the same order as ami build:
 
-1. Run all `db/init-scripts` with `postgres` superuser role.
-2. Run all `db/migrations` with `supabase_admin` superuser role.
-3. Finalize role passwords with `/etc/postgresql.schema.sql` if present.
+1. Run all `db/migrations` with `supabase_admin` superuser role.
+2. Finalize role passwords with `/etc/postgresql.schema.sql` if present.
 
 Additionally, [supabase/postgres](https://github.com/supabase/postgres/blob/develop/ansible/playbook-docker.yml#L9) image contains several migration scripts to configure default extensions. These are run first by docker entrypoint and included in ami by ansible.
 

@@ -38,11 +38,6 @@ begin
   end if;
 end \$\$
 EOSQL
-    # run init scripts as postgres user
-    for sql in "$db"/init-scripts/*.sql; do
-        echo "$0: running $sql"
-        psql -v ON_ERROR_STOP=1 --no-password --no-psqlrc -U postgres -f "$sql"
-    done
     psql -v ON_ERROR_STOP=1 --no-password --no-psqlrc -U postgres -c "ALTER USER supabase_admin WITH PASSWORD '$PGPASSWORD'"
     # run migrations as super user - postgres user demoted in post-setup
     for sql in "$db"/migrations/*.sql; do
@@ -54,8 +49,6 @@ else
   create role postgres superuser login password '$PGPASSWORD';
   alter database postgres owner to postgres;
 EOSQL
-    # run init scripts as postgres user
-    DBMATE_MIGRATIONS_DIR="$db/init-scripts" DATABASE_URL="postgres://postgres:$connect" dbmate --no-dump-schema migrate
     psql -v ON_ERROR_STOP=1 --no-password --no-psqlrc -U postgres -c "ALTER USER supabase_admin WITH PASSWORD '$PGPASSWORD'"
     # run migrations as super user - postgres user demoted in post-setup
     DBMATE_MIGRATIONS_DIR="$db/migrations" DATABASE_URL="postgres://supabase_admin:$connect" dbmate --no-dump-schema migrate

@@ -0,0 +1,147 @@
+-- migrate:up
+
+-- Set up realtime
+do $$
+begin
+  if not exists (
+    select 1 from pg_catalog.pg_publication
+    where pubname = 'supabase_realtime'
+  )
+  then
+    set role postgres;
+    create publication supabase_realtime;
+    reset role;
+  end if;
+end
+$$;
+
+-- Supabase super admin
+alter user supabase_admin with superuser createdb createrole replication bypassrls;
+
+-- Supabase replication user
+do $$
+begin
+  if not exists (
+    select 1 from pg_roles
+    where rolname = 'supabase_replication_admin'
+  )
+  then
+    create user supabase_replication_admin with
+      login
+      replication;
+  end if;
+end
+$$;
+
+-- Supabase read-only user
+do $$
+begin
+  if not exists (
+    select 1 from pg_roles
+    where rolname = 'supabase_read_only_user'
+  )
+  then
+    create role supabase_read_only_user with
+      login
+      bypassrls;
+  end if;
+end
+$$;
+grant pg_read_all_data to supabase_read_only_user;
+
+-- Extension namespacing
+create schema if not exists extensions;
+create extension if not exists "uuid-ossp"      with schema extensions;
+create extension if not exists pgcrypto         with schema extensions;
+-- newer versions don't have pgjwt available
+do $$
+begin
+  if exists (
+    select 1 from pg_available_extensions where name = 'pgjwt'
+  ) then
+    create extension if not exists pgjwt            with schema extensions;
+  end if;
+end $$;
+
+-- Set up auth roles for the developer
+do $$
+begin
+  if not exists (
+    select 1 from pg_roles
+    where rolname = 'anon'
+  )
+  then
+    create role anon nologin noinherit;
+  end if;
+end
+$$;
+
+-- "logged in" user: web_user, app_user, etc
+do $$
+begin
+  if not exists (
+    select 1 from pg_roles
+    where rolname = 'authenticated'
+  )
+  then
+    create role authenticated nologin noinherit;
+  end if;
+end
+$$;
+
+ -- allow developers to create JWT's that bypass their policies
+do $$
+begin
+  if not exists (
+    select 1 from pg_roles
+    where rolname = 'service_role'
+  )
+  then
+    create role service_role nologin noinherit bypassrls;
+  end if;
+end
+$$;
+
+do $$
+begin
+  if not exists (
+    select 1 from pg_roles
+    where rolname = 'authenticator'
+  )
+  then
+    create role authenticator login noinherit;
+  end if;
+end
+$$;
+
+
+grant anon              to authenticator;
+grant authenticated     to authenticator;
+grant service_role      to authenticator;
+grant supabase_admin    to authenticator;
+
+-- These are required so that the users receive grants whenever "postgres" creates tables/function
+grant usage                     on schema public to postgres, anon, authenticated, service_role;
+alter default privileges for role postgres in schema public grant all on tables to postgres, anon, authenticated, service_role;
+alter default privileges for role postgres in schema public grant all on functions to postgres, anon, authenticated, service_role;
+alter default privileges for role postgres in schema public grant all on sequences to postgres, anon, authenticated, service_role;
+
+-- Allow Extensions to be used in the API
+grant usage                     on schema extensions to postgres, anon, authenticated, service_role;
+
+-- Set up namespacing
+alter user supabase_admin SET search_path TO public, extensions; -- don't include the "auth" schema
+
+-- These are required so that the users receive grants whenever "supabase_admin" creates tables/function
+alter default privileges for user supabase_admin in schema public grant all
+    on sequences to postgres, anon, authenticated, service_role;
+alter default privileges for user supabase_admin in schema public grant all
+    on tables to postgres, anon, authenticated, service_role;
+alter default privileges for user supabase_admin in schema public grant all
+    on functions to postgres, anon, authenticated, service_role;
+
+-- Set short statement/query timeouts for API roles
+alter role anon set statement_timeout = '3s';
+alter role authenticated set statement_timeout = '8s';
+
+-- migrate:down
@@ -4,7 +4,7 @@ CREATE SCHEMA IF NOT EXISTS auth AUTHORIZATION supabase_admin;
 
 -- auth.users definition
 
-CREATE TABLE auth.users (
+CREATE TABLE IF NOT EXISTS auth.users (
     instance_id uuid NULL,
     id uuid NOT NULL UNIQUE,
     aud varchar(255) NULL,
@@ -28,13 +28,13 @@ CREATE TABLE auth.users (
     updated_at timestamptz NULL,
     CONSTRAINT users_pkey PRIMARY KEY (id)
 );
-CREATE INDEX users_instance_id_email_idx ON auth.users USING btree (instance_id, email);
-CREATE INDEX users_instance_id_idx ON auth.users USING btree (instance_id);
+CREATE INDEX IF NOT EXISTS users_instance_id_email_idx ON auth.users USING btree (instance_id, email);
+CREATE INDEX IF NOT EXISTS users_instance_id_idx ON auth.users USING btree (instance_id);
 comment on table auth.users is 'Auth: Stores user login data within a secure schema.';
 
 -- auth.refresh_tokens definition
 
-CREATE TABLE auth.refresh_tokens (
+CREATE TABLE IF NOT EXISTS auth.refresh_tokens (
     instance_id uuid NULL,
     id bigserial NOT NULL,
     "token" varchar(255) NULL,
@@ -44,14 +44,14 @@ CREATE TABLE auth.refresh_tokens (
     updated_at timestamptz NULL,
     CONSTRAINT refresh_tokens_pkey PRIMARY KEY (id)
 );
-CREATE INDEX refresh_tokens_instance_id_idx ON auth.refresh_tokens USING btree (instance_id);
-CREATE INDEX refresh_tokens_instance_id_user_id_idx ON auth.refresh_tokens USING btree (instance_id, user_id);
-CREATE INDEX refresh_tokens_token_idx ON auth.refresh_tokens USING btree (token);
+CREATE INDEX IF NOT EXISTS refresh_tokens_instance_id_idx ON auth.refresh_tokens USING btree (instance_id);
+CREATE INDEX IF NOT EXISTS refresh_tokens_instance_id_user_id_idx ON auth.refresh_tokens USING btree (instance_id, user_id);
+CREATE INDEX IF NOT EXISTS refresh_tokens_token_idx ON auth.refresh_tokens USING btree (token);
 comment on table auth.refresh_tokens is 'Auth: Store of tokens used to refresh JWT tokens once they expire.';
 
 -- auth.instances definition
 
-CREATE TABLE auth.instances (
+CREATE TABLE IF NOT EXISTS auth.instances (
     id uuid NOT NULL,
     uuid uuid NULL,
     raw_base_config text NULL,
@@ -63,32 +63,34 @@ comment on table auth.instances is 'Auth: Manages users across multiple sites.';
 
 -- auth.audit_log_entries definition
 
-CREATE TABLE auth.audit_log_entries (
+CREATE TABLE IF NOT EXISTS auth.audit_log_entries (
     instance_id uuid NULL,
     id uuid NOT NULL,
     payload json NULL,
     created_at timestamptz NULL,
     CONSTRAINT audit_log_entries_pkey PRIMARY KEY (id)
 );
-CREATE INDEX audit_logs_instance_id_idx ON auth.audit_log_entries USING btree (instance_id);
+CREATE INDEX IF NOT EXISTS audit_logs_instance_id_idx ON auth.audit_log_entries USING btree (instance_id);
 comment on table auth.audit_log_entries is 'Auth: Audit trail for user actions.';
 
 -- auth.schema_migrations definition
 
-CREATE TABLE auth.schema_migrations (
+CREATE TABLE IF NOT EXISTS auth.schema_migrations (
     "version" varchar(255) NOT NULL,
     CONSTRAINT schema_migrations_pkey PRIMARY KEY ("version")
 );
 comment on table auth.schema_migrations is 'Auth: Manages updates to the auth system.';
 
+-- insert migrations if they do not yet exist
 INSERT INTO auth.schema_migrations (version)
 VALUES  ('20171026211738'),
         ('20171026211808'),
         ('20171026211834'),
         ('20180103212743'),
         ('20180108183307'),
         ('20180119214651'),
-        ('20180125194653');
+        ('20180125194653')
+ON CONFLICT DO NOTHING;
 
 -- Gets the User ID from the request cookie
 create or replace function auth.uid() returns uuid as $$
@@ -109,8 +111,18 @@ $$ language sql stable;
 GRANT USAGE ON SCHEMA auth TO anon, authenticated, service_role;
 
 -- Supabase super admin
-CREATE USER supabase_auth_admin NOINHERIT CREATEROLE LOGIN NOREPLICATION;
-GRANT ALL PRIVILEGES ON SCHEMA auth TO supabase_auth_admin;
+do $$
+begin
+  if not exists (
+    select 1 from pg_roles
+    where rolname = 'supabase_auth_admin'
+  )
+  then
+    CREATE USER supabase_auth_admin NOINHERIT CREATEROLE LOGIN NOREPLICATION;
+  end if;
+end
+$$;
+
 GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA auth TO supabase_auth_admin;
 GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA auth TO supabase_auth_admin;
 ALTER USER supabase_auth_admin SET search_path = "auth";