The idea of Row Level Security (RLS) was very intriguing to me at first. Authorizaton on database-level sounds amazing; all you have to handle as a developer is the api calls, and the RLS will handle the rest. When I had been mostly doing route-based authorization checks, this sounds amazingly convenient, and as I’m writing this I still like the idea and practicality of it.
So what changed my mind? Why am I now returning to preferring application-level authorization? The benefits are still there; the simplicity in the calls, the support for “true” server-less applications (because normal server-less still usually has some form of a backend), and the more or less automatic authorization management are definitely large benefits and pros for using RLS. However the caveats, or cons, do more and more outweigh the pros in my opinion, especially now that AI-only development is becomming more and more common.
Most of the issues I have with it boils down to mostly one core issues: development enviroment. There are few easily integratable testing enviroments for RLS, debugging is tedious since it’s done through migrations and if a bug slips through you have to create a new migration that overwrites the old RLS function to fix it. Furthermore, in case you update the access control or authorization over time, you will need to go back to migrations from several months ago to see what the current state of authorization is at.
With AI-based development these issues really just get worse since AI-based development thrives on test driven development, having a clear and structured filesystem of what the current state of the code and database are, and is prone to occassionally writing a few bugs.
So as development shifts towards more AI-driven development, the benefits of using an ORM and application-side authorization really start to pile up; having a precise current-state is significantly easier to point an agent to, especially when the alternative is have it look through the migration history and bloat the context with unnecessary code pieces. Because of this, I don’t see RLS as viable of an alternative until the development enviroment has better support for testing and an ORM-like overview of current functions to adequately support agent driven software development.