Has anyone else noticed this? Every time I ask Claude Code to set up Supabase auth with roles, it generates something like this:

```js
if (user.user_metadata.role === 'admin') {
  // admin-only action
}
```

Looks fine. Works in dev. But `user_metadata` is writable by the client — any authenticated user can call Supabase's `/auth/v1/user` endpoint and set their own role to `admin`. No error, no warning. The correct check uses `app_metadata.role`, which is server-only. Claude Code never uses it.

Also keeps doing this one:

```js
const supabase = createClient(url, process.env.SUPABASE_SERVICE_ROLE_KEY)
```

…inside a Next.js component. Service role key bypasses RLS entirely and it ships inside the client bundle.

Neither of these throws errors. They both work perfectly.

Curious if this is consistent for others or if I'm doing something in my prompting that causes it.

submitted by /u/reubenzz_dev
Originally posted by u/reubenzz_dev on r/ClaudeCode
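Both points from the post, as an added example that is not from the original post or from Supabase: the role check written against `user_metadata` beside the one written against `app_metadata`, and a guard that decodes the `role` claim of a JWT-format Supabase key and refuses a `service_role` key in browser code. The claim objects and the `fakeJwt` helper are constructed fixtures (a real Supabase JWT carries the same `user_metadata` / `app_metadata` claims; only the signature is faked here).

```javascript
// Constructed stand-in for a Supabase JWT: base64url header.payload with a dummy signature.
function fakeJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(payload)}.sig`;
}

// Reads the payload only; signature verification is Supabase's job, not this guard's.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Vulnerable: user_metadata is editable by the signed-in user (auth.updateUser({ data })),
// so "role" here is whatever the user chose to put there.
function isAdminUnsafe(claims) {
  return claims.user_metadata?.role === 'admin';
}

// Hardened: app_metadata can only be set server-side (service role / Admin API),
// so a role found there was granted by the backend, not by the user.
function isAdmin(claims) {
  return claims.app_metadata?.role === 'admin';
}

// Run before createClient(): a key whose JWT "role" claim is service_role bypasses RLS
// and must never be built into a bundle that executes where `window` exists.
function assertKeySafeForBrowser(key, isBrowser = typeof window !== 'undefined') {
  const role = decodeJwtPayload(key).role;
  if (isBrowser && role === 'service_role') {
    throw new Error('service_role key must not be used in browser code');
  }
  return role;
}

// Constructed claim sets (hypothetical users, not real accounts).
const selfPromoted = {
  sub: 'user-1', role: 'authenticated',
  user_metadata: { role: 'admin' },          // written by the user themselves
  app_metadata: { provider: 'email' },       // backend never granted a role
};
const realAdmin = {
  sub: 'user-2', role: 'authenticated',
  user_metadata: {},
  app_metadata: { provider: 'email', role: 'admin' },
};

module.exports = { fakeJwt, decodeJwtPayload, isAdminUnsafe, isAdmin, assertKeySafeForBrowser, selfPromoted, realAdmin };
```

The same distinction applies in RLS policies: read the role from `auth.jwt() -> 'app_metadata'`, never from `user_metadata`.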
