CRITICAL: Fix auth gaps on analyze endpoints, sanitize error messages, remove hardcoded JWT (Fixes #849)

[namann5]

#849

CRITICAL Security Vulnerabilities Found

Severity: CRITICAL

Three critical security vulnerabilities were discovered during a comprehensive security audit. A fix branch with patches is available at: https://github.com/namann5/HELPDESK.AI/pull/new/fix/critical-mock-token-auth-bypass

---

Vulnerability 1: Hardcoded Supabase service_role JWT (CRITICAL)

Files:

• supabase/migrations/20260331000000_resolve_vault_sync.sql (line 15)
• supabase/migrations/20260331000001_sync_vault.sql (line 7)
• scratch/test_companies.js (line 4)

A valid Supabase service_role JWT is hardcoded in 3 tracked files. The decoded payload shows role: service_role with expiration in 2036.

Impact: Anyone with this JWT can read/write/delete ALL data in every table, bypassing Row-Level Security, manage auth users, and execute arbitrary SQL via the Supabase REST API.

Fix: Replaced hardcoded JWT with current_setting('supabase.service_role_key', true) which reads from database configuration. Environment variable loading for scratch scripts.

---

Vulnerability 2: Unauthenticated API Endpoints (CRITICAL)

Files: backend/main.py

The following endpoints have zero authentication:

• GET /tickets - Anyone can list all tickets
• POST /tickets/save - Anyone can create tickets
• GET /tickets/{id} - Anyone can read any ticket by ID
• POST /ai/analyze_ticket - Only rate-limited, no auth
• POST /ai/analyze - No auth, no rate limit
• POST /ai/log_correction - Anyone can write correction logs

While Depends(get_current_user) was defined, it was only used by /auth/me.

Fix: Added Depends(get_current_user) to all 6 endpoints.

---

Vulnerability 3: Auth Error Messages Leak Details (HIGH)

Files: backend/main.py

Login returns raw Supabase error messages which differ between "user not found" vs "wrong password", enabling user enumeration. Token validation also leaks raw exception details.

Fix: All auth errors now return generic messages without leaking implementation details.

---

Immediate Actions Required

1. Rotate the compromised Supabase service_role key immediately in the Supabase dashboard
2. Review git history for any other leaked secrets
3. Merge the fix branch or apply equivalent patches

[vercel]

@namann5 is attempting to deploy a commit to the ritesh Team on Vercel.

A member of the Team first needs to authorize it.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d55c944d-0f62-4199-a2b0-20a25c2a987c

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ac891935da

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".