alt Hacker News> Either your app has all the data access and you put your access control there, or you do the access control in the database. There really aren't other options here.
That's odd, I just clearly delineated an option in which this is not the case. The DB enforces RLS, users provide the RLS token, and an app gates access to the db.
I must have missed that in the comment stream.
It's not really any different than using pgbouncer or something similar. All it buys you is not having to use the PG protocol on the client.
There is no extra security here though. One could even argue you lose security here, since now you have to rely on the app to not get tokens confused, since they hold and use the tokens on behalf of the user. A single bad CVE in the app and one can become any user the app currently knows about.