I wonder if it's possible to deny access to all tables/views and only allow to functions? I just want to control the data I pass.
I can't disable access with pg roles for the tables, cause the functions use the same tables.
I can put on NGINX before PostgREST and disable anything that doesn't start with /rpc, but that the only way?
You can create and expose a dedicated schema(using the db-schema config) that only contains functions. This way no table will have direct access through the REST API.
The above follows the schema isolation guide on the postgrest docs.