Replit db, help me

It is not really a code help but.
Is it possible to set the replit db URL so that I can have the Database save among all users is by setting the DB’s URL. But Only I can edit it. ( Basically the owner ). And when the user forks the repl and tries to retrieve data or extract data to another db ( eg. JSON ), return an error instead.
How do I do this? I do not know where to start tbh

So, you can use a database proxy. Create one by forking this Repl. Then, do this in your code:

from replit import db

db.db_url = ""


Now, everybody who uses the database will have the same database.


But will other people be able to change the data through forking?

Not even through forking. Just copying the URL. Maybe in the proxy check if it is really you and then return the actual URL.

can you give me an example of how 2 do this?

from os import environ
x = environ['REPL_OWNER']
if x == 'idkwhttph':


well that’ll always return True

1 Like

Can you give me an example of how to yk. Do the proxy check if it is rlly me.

I tried this:

import os
import flask
import requests

app = flask.Flask(__name__)
sess = requests.Session()

@app.route("/", defaults={"path": ""}, methods=["GET", "POST", "DELETE"])
@app.route("/<path:path>", methods=["GET", "POST", "DELETE"])
def proxy(path):
    owner = os.environ.get('REPL_OWNER')  # Get the owner from environment variable
    if owner and owner != 'Idkwhttph':
        return "Unauthorized", 401  # Return unauthorized status if requester is not the owner

    url = os.environ["REPLIT_DB_URL"]
    if flask.request.path != "/":
        url += flask.request.path

    req = requests.Request(flask.request.method, url, data=flask.request.form, params=flask.request.args).prepare()
    resp = sess.send(req)

    proxy_resp = flask.make_response(resp.text)
    proxy_resp.status_code = resp.status_code
    for k, v in resp.headers.items():
        proxy_resp.headers[k] = v

    return proxy_resp

# uncomment this to run:"")

No it won’t. REPL_OWNER is the name of the user using it.


Not on website based repls. In that case, it becomes the Creator’s name IIRC.


You should NEVER use REPL_OWNER as an access control or DRM solution. Instead use (going to find in the docs eait 1 sec)

Edit: the real repl identity is a signed token, send that to your database proxy and verify it there.

1 Like

Repl Identity (Unless it’s been fixed) is insecure, and is still possible to bypass.

why? Just use replit db as usual on a website, and create a Flask route which updates the db in a controlled, rate-limited manner as needed (you could rate limit by IP, which you get by X-Forwarded-For, or require users to authorise via replit auth, and rate limit by request.headers["X-Replit-User-Name"])
If you want to have some sort of admin thing and you need authorisation, Replit Auth


This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.