fix(db): enable RLS on all 11 public app tables and revoke API-role grants#111
Merged
…rants Clears the remaining rls_disabled_in_public Supabase advisor lints. All public application tables were exposed through PostgREST with full anon/authenticated grants, including api_keys, device_tokens, and webhook_subscriptions which hold secrets. Nothing in the stack uses the Supabase Data API (backend connects via asyncpg as the table owner, which bypasses RLS), so RLS with no policies is deny-by-default for the API roles and a no-op for the app. The REVOKE is guarded by a DO block so plain Postgres (local/CI) without Supabase roles is unaffected. spatial_ref_sys is PostGIS-owned and cannot have RLS enabled by the postgres role; documented as a known limitation in the migration docstring.
Summary
Summary

Follow-up to #109. Clears the 11 remaining rls_disabled_in_public ERROR lints from the Supabase security advisor: nws_alerts, mrms_files, mrms_grids, mrms_nowcasts, nowcast_verifications, metar_observations, webhook_subscriptions, webhook_deliveries, alert_rules, api_keys, device_tokens. Three of these are sensitive — api_keys, device_tokens (token column), webhook_subscriptions (secret column) — and all were readable/writable through PostgREST with just the publishable anon key.

Approach
… web/ or sdk-ts/; the FastAPI backend connects via asyncpg as the table-owning postgres role, which bypasses RLS), so this is deny-by-default for the PostgREST API roles and a no-op for the application.

… anon/authenticated as defense in depth, guarded by a DO block checking the roles exist — local dev and CI Postgres have no Supabase roles, so the guard makes the migration portable.

The migration reaches production via the Railway boot sequence (scripts/railway-start.sh runs alembic upgrade head before starting the API).

Validation
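The two steps described above, written out as plain SQL in the form an Alembic migration would hand to op.execute(). This is an added illustration, not the PR's own migration file: the 11 table names are the ones listed in the summary, anon and authenticated are the Supabase PostgREST roles, and the loop-per-role shape is my choice so that a database where only one of the two roles exists still upgrades cleanly.

```sql
-- Added example (not the PR's migration): upgrade step as plain SQL.

-- 1. Enable RLS on the 11 application tables. With no policies defined,
--    any role that is not the table owner, a superuser, or BYPASSRLS sees
--    zero rows and cannot write. The owner (postgres, used by the asyncpg
--    backend) is exempt because FORCE ROW LEVEL SECURITY is deliberately
--    left off, so the application path is unchanged.
ALTER TABLE public.nws_alerts             ENABLE ROW LEVEL SECURITY;
ALTER TABLE public.mrms_files             ENABLE ROW LEVEL SECURITY;
ALTER TABLE public.mrms_grids             ENABLE ROW LEVEL SECURITY;
ALTER TABLE public.mrms_nowcasts          ENABLE ROW LEVEL SECURITY;
ALTER TABLE public.nowcast_verifications  ENABLE ROW LEVEL SECURITY;
ALTER TABLE public.metar_observations     ENABLE ROW LEVEL SECURITY;
ALTER TABLE public.webhook_subscriptions  ENABLE ROW LEVEL SECURITY;
ALTER TABLE public.webhook_deliveries     ENABLE ROW LEVEL SECURITY;
ALTER TABLE public.alert_rules            ENABLE ROW LEVEL SECURITY;
ALTER TABLE public.api_keys               ENABLE ROW LEVEL SECURITY;
ALTER TABLE public.device_tokens          ENABLE ROW LEVEL SECURITY;

-- 2. Defense in depth: drop the API-role grants, but only for roles that
--    actually exist. A bare "REVOKE ... FROM anon" fails with
--    'role "anon" does not exist' on plain Postgres (local dev / CI),
--    which is why the work is wrapped in a DO block.
DO $$
DECLARE
  api_role text;
  tbl      text;
BEGIN
  FOR api_role IN
    SELECT rolname FROM pg_roles WHERE rolname IN ('anon', 'authenticated')
  LOOP
    FOREACH tbl IN ARRAY ARRAY[
      'nws_alerts', 'mrms_files', 'mrms_grids', 'mrms_nowcasts',
      'nowcast_verifications', 'metar_observations',
      'webhook_subscriptions', 'webhook_deliveries', 'alert_rules',
      'api_keys', 'device_tokens'
    ] LOOP
      -- format() with %I quotes identifiers, so odd names cannot break the statement.
      EXECUTE format('REVOKE ALL PRIVILEGES ON TABLE public.%I FROM %I', tbl, api_role);
    END LOOP;
  END LOOP;
END
$$;
```

One thing worth checking on the Supabase side after this runs: if the database carries ALTER DEFAULT PRIVILEGES entries for the public schema (visible in pg_default_acl), the next CREATE TABLE will be granted to anon/authenticated again, so a revoke on existing tables protects today's tables but not tomorrow's unless those defaults are adjusted too.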
Against an ephemeral postgis/postgis:16-3.5 container:

- alembic upgrade head with no Supabase roles (the CI/local path): clean, guard skips the REVOKE, RLS enabled on all 11 tables + alembic_version.
- anon/authenticated created and granted ALL (the Supabase path): upgrade revokes grants on exactly the 11 app tables; downgrade restores grants and disables RLS; re-upgrade clean.
- ruff check and ruff format --check pass.
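An inventory query that turns the validation above into something repeatable: run it after alembic upgrade head in either path and read the RLS state, policy count and residual API-role privileges for every ordinary table in public. This is an added example, not a script from the PR; the has_table_privilege calls are wrapped in CASE/EXISTS so the same query also runs on plain Postgres where anon and authenticated do not exist (calling has_table_privilege with a missing role name raises an error).

```sql
-- Added example (not from the PR): post-migration inventory of public tables.
SELECT
  c.relname                                      AS table_name,
  pg_get_userbyid(c.relowner)                    AS owner,
  c.relrowsecurity                               AS rls_enabled,
  c.relforcerowsecurity                          AS rls_forced,     -- expected false: owner bypasses
  (SELECT count(*)
     FROM pg_policies p
    WHERE p.schemaname = n.nspname
      AND p.tablename  = c.relname)              AS policy_count,   -- expected 0: deny-by-default
  -- NULL when the role is absent (local/CI), false when the revoke worked.
  CASE WHEN EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'anon')
       THEN has_table_privilege('anon', c.oid, 'SELECT')
  END                                            AS anon_select,
  CASE WHEN EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'authenticated')
       THEN has_table_privilege('authenticated', c.oid, 'INSERT')
  END                                            AS authenticated_insert
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind IN ('r', 'p')        -- ordinary and partitioned tables only
ORDER BY c.relname;
```

In the Supabase path every one of the 11 app tables should come back with rls_enabled = true, policy_count = 0 and both privilege columns false; in the CI/local path the privilege columns are NULL. The row for spatial_ref_sys is the one expected exception, showing rls_enabled = false for the reason given under the known limitation.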
Known limitation

public.spatial_ref_sys also trips the advisor lint but is owned by the PostGIS extension — the postgres role cannot enable RLS on it. Documented in the migration docstring; the longer-term fix is moving the postgis extension out of public.