Testing Supabase Applications

1. Test RLS Policies

RLS bugs are silent data breaches. Test them explicitly.

describe("RLS: scans table", () => {
  test("user can only see own org scans", async () => {
    const client = await createAuthClient(userA)
    const { data } = await client.from("scans").select("*")
    expect(data.every(s => s.organization_id === orgA.id)).toBe(true)
  })
 
  test("user cannot see other org scans", async () => {
    const client = await createAuthClient(userA)
    const { data } = await client
      .from("scans")
      .select("*")
      .eq("organization_id", orgB.id)
    expect(data).toHaveLength(0)
  })
})

2. Test Server Actions

Server actions are async functions — test them without UI.

test("createRule requires auth", async () => {
  vi.mocked(requireAuth).mockRejectedValue(new Error("Unauthorized"))
  await expect(createRule(mockData)).rejects.toThrow()
})

3. Integration Tests

Use a real Supabase instance, not mocks.

// Use local Supabase: npx supabase start
const supabase = createClient(LOCAL_URL, LOCAL_ANON_KEY)

Testing Supabase Applications

Checklist

References

Addresses

Tags

More from this skill

Explore more rules and knowledge

Testing Supabase Applications

1. Test RLS Policies

2. Test Server Actions

3. Integration Tests