CRITICAL Security Vulnerabilities Found
Severity: CRITICAL
Three critical security vulnerabilities were discovered during a comprehensive security audit. A fix branch with patches is available at: https://github.com/namann5/HELPDESK.AI/pull/new/fix/critical-mock-token-auth-bypass
Vulnerability 1: Hardcoded Supabase service_role JWT (CRITICAL)
Files:
- supabase/migrations/20260331000000_resolve_vault_sync.sql (line 15)
- supabase/migrations/20260331000001_sync_vault.sql (line 7)
- scratch/test_companies.js (line 4)
A valid Supabase service_role JWT is hardcoded in 3 tracked files. The decoded payload shows role: service_role with expiration in 2036.
Impact: Anyone with this JWT can read/write/delete ALL data in every table, bypassing Row-Level Security, manage auth users, and execute arbitrary SQL via the Supabase REST API.
Fix: Replaced hardcoded JWT with current_setting('supabase.service_role_key', true) which reads from database configuration. Environment variable loading for scratch scripts.
Vulnerability 2: Unauthenticated API Endpoints (CRITICAL)
Files: backend/main.py
The following endpoints have zero authentication:
- GET /tickets - Anyone can list all tickets
- POST /tickets/save - Anyone can create tickets
- GET /tickets/{id} - Anyone can read any ticket by ID
- POST /ai/analyze_ticket - Only rate-limited, no auth
- POST /ai/analyze - No auth, no rate limit
- POST /ai/log_correction - Anyone can write correction logs
While Depends(get_current_user) was defined, it was only used by /auth/me.
Fix: Added Depends(get_current_user) to all 6 endpoints.
Vulnerability 3: Auth Error Messages Leak Details (HIGH)
Files: backend/main.py
Login returns raw Supabase error messages which differ between "user not found" vs "wrong password", enabling user enumeration. Token validation also leaks raw exception details.
Fix: All auth errors now return generic messages without leaking implementation details.
Immediate Actions Required
- Rotate the compromised Supabase service_role key immediately in the Supabase dashboard
- Review git history for any other leaked secrets
- Merge the fix branch or apply equivalent patches
CRITICAL Security Vulnerabilities Found
Severity: CRITICAL
Three critical security vulnerabilities were discovered during a comprehensive security audit. A fix branch with patches is available at: https://github.com/namann5/HELPDESK.AI/pull/new/fix/critical-mock-token-auth-bypass
Vulnerability 1: Hardcoded Supabase service_role JWT (CRITICAL)
Files:
A valid Supabase service_role JWT is hardcoded in 3 tracked files. The decoded payload shows role: service_role with expiration in 2036.
Impact: Anyone with this JWT can read/write/delete ALL data in every table, bypassing Row-Level Security, manage auth users, and execute arbitrary SQL via the Supabase REST API.
Fix: Replaced hardcoded JWT with current_setting('supabase.service_role_key', true) which reads from database configuration. Environment variable loading for scratch scripts.
Vulnerability 2: Unauthenticated API Endpoints (CRITICAL)
Files: backend/main.py
The following endpoints have zero authentication:
While Depends(get_current_user) was defined, it was only used by /auth/me.
Fix: Added Depends(get_current_user) to all 6 endpoints.
Vulnerability 3: Auth Error Messages Leak Details (HIGH)
Files: backend/main.py
Login returns raw Supabase error messages which differ between "user not found" vs "wrong password", enabling user enumeration. Token validation also leaks raw exception details.
Fix: All auth errors now return generic messages without leaking implementation details.
Immediate Actions Required