fix: use exact app_id match for preview lookup#1674
Merged
Conversation
Contributor
|
Warning Rate limit exceeded
⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. 📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: e565e544f3
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| .from('apps') | ||
| .select('app_id, allow_preview') | ||
| .ilike('app_id', appId) | ||
| .eq('app_id', appId) |
There was a problem hiding this comment.
Switching this filter to eq makes preview resolution fail for any app whose stored app_id contains uppercase characters: the preview URL builder lowercases the app id before putting it in the subdomain (src/components/BundlePreviewFrame.vue), while app creation accepts mixed-case ids (reverseDomainRegex is /i and public/app/post.ts inserts body.app_id unchanged). In that scenario the request host always resolves to lowercase and this exact match returns app_not_found, which is a regression from the previous behavior.
Useful? React with 👍 / 👎.
|
riderx
added a commit
that referenced
this pull request
Feb 25, 2026
* fix(frontend): require confirmation for URL session login * fix(build): restore TUS HEAD upload routing (#1664) * fix(build): handle tus HEAD upload route * fix(build): chain HEAD middleware correctly * chore(release): 12.116.2 * fix(security): protect replication endpoint (#1686) * fix(security): protect replication endpoint * fix(api): require replication endpoint internal api secret * fix(api): allow admin JWT access to replication endpoint * fix(frontend): use admin session only when no replication secret * fix(frontend): retain tokens until query login succeeds * fix(database): enforce org-scoped webhook rls (#1676) * fix: use exact app_id match for preview lookup (#1674) * fix(backend): use exact app_id match for preview lookup * fix(backend): preserve case-insensitive preview app lookup * chore(release): 12.116.3 * fix(frontend): require confirmation for URL session login * fix(frontend): retain tokens until query login succeeds --------- Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
riderx
added a commit
that referenced
this pull request
Feb 25, 2026
* fix(frontend): delete replaced profile images from storage * fix(backend): clean stale unlinked user avatars * fix(build): restore TUS HEAD upload routing (#1664) * fix(build): handle tus HEAD upload route * fix(build): chain HEAD middleware correctly * chore(release): 12.116.2 * fix(security): protect replication endpoint (#1686) * fix(security): protect replication endpoint * fix(api): require replication endpoint internal api secret * fix(api): allow admin JWT access to replication endpoint * fix(frontend): use admin session only when no replication secret * fix: address sonar regex exec suggestions * fix(database): enforce org-scoped webhook rls (#1676) * fix: use exact app_id match for preview lookup (#1674) * fix(backend): use exact app_id match for preview lookup * fix(backend): preserve case-insensitive preview app lookup * chore(release): 12.116.3 * fix(frontend): delete replaced profile images from storage * fix(backend): clean stale unlinked user avatars * fix: address sonar regex exec suggestions --------- Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
riderx
added a commit
that referenced
this pull request
Feb 25, 2026
* fix(security): restrict find_apikey_by_value to service role * fix(build): restore TUS HEAD upload routing (#1664) * fix(build): handle tus HEAD upload route * fix(build): chain HEAD middleware correctly * chore(release): 12.116.2 * fix(security): protect replication endpoint (#1686) * fix(security): protect replication endpoint * fix(api): require replication endpoint internal api secret * fix(api): allow admin JWT access to replication endpoint * fix(frontend): use admin session only when no replication secret * fix(database): enforce org-scoped webhook rls (#1676) * fix: use exact app_id match for preview lookup (#1674) * fix(backend): use exact app_id match for preview lookup * fix(backend): preserve case-insensitive preview app lookup * chore(release): 12.116.3 * fix(security): restrict find_apikey_by_value to service role --------- Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
riderx
added a commit
that referenced
this pull request
Feb 25, 2026
* fix(backend): validate stripe redirect URLs * fix(build): restore TUS HEAD upload routing (#1664) * fix(build): handle tus HEAD upload route * fix(build): chain HEAD middleware correctly * chore(release): 12.116.2 * fix(security): protect replication endpoint (#1686) * fix(security): protect replication endpoint * fix(api): require replication endpoint internal api secret * fix(api): allow admin JWT access to replication endpoint * fix(frontend): use admin session only when no replication secret * test(backend): add stripe redirect validation tests * test(backend): fix stripe redirect unit test env setup * fix(database): enforce org-scoped webhook rls (#1676) * fix: use exact app_id match for preview lookup (#1674) * fix(backend): use exact app_id match for preview lookup * fix(backend): preserve case-insensitive preview app lookup * chore(release): 12.116.3 * fix(backend): validate stripe redirect URLs * test(backend): add stripe redirect validation tests * test(backend): fix stripe redirect unit test env setup --------- Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
riderx
added a commit
that referenced
this pull request
Feb 25, 2026
* fix(security): restrict get_orgs_v6(uuid) execution to private roles * fix(build): restore TUS HEAD upload routing (#1664) * fix(build): handle tus HEAD upload route * fix(build): chain HEAD middleware correctly * chore(release): 12.116.2 * fix(security): protect replication endpoint (#1686) * fix(security): protect replication endpoint * fix(api): require replication endpoint internal api secret * fix(api): allow admin JWT access to replication endpoint * fix(frontend): use admin session only when no replication secret * fix(database): enforce org-scoped webhook rls (#1676) * fix: use exact app_id match for preview lookup (#1674) * fix(backend): use exact app_id match for preview lookup * fix(backend): preserve case-insensitive preview app lookup * chore(release): 12.116.3 * fix(security): restrict get_orgs_v6(uuid) execution to private roles --------- Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
riderx
added a commit
that referenced
this pull request
Feb 25, 2026
* fix(security): restrict apikey oracle rpc execution * fix(build): restore TUS HEAD upload routing (#1664) * fix(build): handle tus HEAD upload route * fix(build): chain HEAD middleware correctly * chore(release): 12.116.2 * fix(security): protect replication endpoint (#1686) * fix(security): protect replication endpoint * fix(api): require replication endpoint internal api secret * fix(api): allow admin JWT access to replication endpoint * fix(frontend): use admin session only when no replication secret * fix: remove anon-backed get_user_id calls in private apikey flows * fix(database): enforce org-scoped webhook rls (#1676) * fix: use exact app_id match for preview lookup (#1674) * fix(backend): use exact app_id match for preview lookup * fix(backend): preserve case-insensitive preview app lookup * chore(release): 12.116.3 * fix(security): restrict apikey oracle rpc execution * fix: remove anon-backed get_user_id calls in private apikey flows --------- Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
riderx
added a commit
that referenced
this pull request
Feb 25, 2026
* fix(api): block scoped apikeys from creating keys * fix(build): restore TUS HEAD upload routing (#1664) * fix(build): handle tus HEAD upload route * fix(build): chain HEAD middleware correctly * chore(release): 12.116.2 * fix(security): protect replication endpoint (#1686) * fix(security): protect replication endpoint * fix(api): require replication endpoint internal api secret * fix(api): allow admin JWT access to replication endpoint * fix(frontend): use admin session only when no replication secret * fix(database): enforce org-scoped webhook rls (#1676) * test: fix apikey test lint violations * fix: use exact app_id match for preview lookup (#1674) * fix(backend): use exact app_id match for preview lookup * fix(backend): preserve case-insensitive preview app lookup * chore(release): 12.116.3 * fix(api): block scoped apikeys from creating keys * test: fix apikey test lint violations --------- Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
riderx
added a commit
that referenced
this pull request
Feb 25, 2026
* fix(security): revoke anon access to exist_app_v2 rpc * fix(build): restore TUS HEAD upload routing (#1664) * fix(build): handle tus HEAD upload route * fix(build): chain HEAD middleware correctly * chore(release): 12.116.2 * fix(security): protect replication endpoint (#1686) * fix(security): protect replication endpoint * fix(api): require replication endpoint internal api secret * fix(api): allow admin JWT access to replication endpoint * fix(frontend): use admin session only when no replication secret * fix(security): revoke PUBLIC execute on exist_app_v2 rpc * fix(security): revoke anon execute on exist_app_v2 rpc * fix(database): enforce org-scoped webhook rls (#1676) * fix: use exact app_id match for preview lookup (#1674) * fix(backend): use exact app_id match for preview lookup * fix(backend): preserve case-insensitive preview app lookup * chore(release): 12.116.3 * fix(security): revoke anon access to exist_app_v2 rpc * fix(security): revoke PUBLIC execute on exist_app_v2 rpc * fix(security): revoke anon execute on exist_app_v2 rpc * fix(frontend): require confirmation before URL login session (#1688) * fix(frontend): require confirmation for URL session login * fix(build): restore TUS HEAD upload routing (#1664) * fix(build): handle tus HEAD upload route * fix(build): chain HEAD middleware correctly * chore(release): 12.116.2 * fix(security): protect replication endpoint (#1686) * fix(security): protect replication endpoint * fix(api): require replication endpoint internal api secret * fix(api): allow admin JWT access to replication endpoint * fix(frontend): use admin session only when no replication secret * fix(frontend): retain tokens until query login succeeds * fix(database): enforce org-scoped webhook rls (#1676) * fix: use exact app_id match for preview lookup (#1674) * fix(backend): use exact app_id match for preview lookup * fix(backend): preserve case-insensitive preview app lookup * chore(release): 12.116.3 * fix(frontend): require confirmation for URL session login * fix(frontend): retain tokens until query login succeeds --------- Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * chore(release): 12.116.4 * Riderx/fix email otp rpc reopen (#1693) * fix(security): restrict email otp verification rpc path * fix(security): also revoke otp rpc execute from public * fix(security): record email otp verification via service-side rpc * fix(security): harden email otp verification RPC usage * fix(db): drop legacy record_email_otp_verified overload * fix(frontend): delete replaced profile images from storage (#1683) * fix(frontend): delete replaced profile images from storage * fix(backend): clean stale unlinked user avatars * fix(build): restore TUS HEAD upload routing (#1664) * fix(build): handle tus HEAD upload route * fix(build): chain HEAD middleware correctly * chore(release): 12.116.2 * fix(security): protect replication endpoint (#1686) * fix(security): protect replication endpoint * fix(api): require replication endpoint internal api secret * fix(api): allow admin JWT access to replication endpoint * fix(frontend): use admin session only when no replication secret * fix: address sonar regex exec suggestions * fix(database): enforce org-scoped webhook rls (#1676) * fix: use exact app_id match for preview lookup (#1674) * fix(backend): use exact app_id match for preview lookup * fix(backend): preserve case-insensitive preview app lookup * chore(release): 12.116.3 * fix(frontend): delete replaced profile images from storage * fix(backend): clean stale unlinked user avatars * fix: address sonar regex exec suggestions --------- Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * fix: restrict find_apikey_by_value RPC to service role (#1672) * fix(security): restrict find_apikey_by_value to service role * fix(build): restore TUS HEAD upload routing (#1664) * fix(build): handle tus HEAD upload route * fix(build): chain HEAD middleware correctly * chore(release): 12.116.2 * fix(security): protect replication endpoint (#1686) * fix(security): protect replication endpoint * fix(api): require replication endpoint internal api secret * fix(api): allow admin JWT access to replication endpoint * fix(frontend): use admin session only when no replication secret * fix(database): enforce org-scoped webhook rls (#1676) * fix: use exact app_id match for preview lookup (#1674) * fix(backend): use exact app_id match for preview lookup * fix(backend): preserve case-insensitive preview app lookup * chore(release): 12.116.3 * fix(security): restrict find_apikey_by_value to service role --------- Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * fix: secure get_total_metrics rpc (#1671) * fix(db): harden get_total_metrics rpc auth * fix(db): qualify org_id and harden rpc role checks * fix(db): align get_total_metrics auth overloads * fix(db): harden get_total_metrics rpc auth * fix(db): qualify org_id and harden rpc role checks * fix(db): align get_total_metrics auth overloads * fix(db): harden get_total_metrics rpc auth * fix(db): qualify org_id and harden rpc role checks * fix(db): align get_total_metrics auth overloads * fix(backend): validate stripe redirect URLs (#1681) * fix(backend): validate stripe redirect URLs * fix(build): restore TUS HEAD upload routing (#1664) * fix(build): handle tus HEAD upload route * fix(build): chain HEAD middleware correctly * chore(release): 12.116.2 * fix(security): protect replication endpoint (#1686) * fix(security): protect replication endpoint * fix(api): require replication endpoint internal api secret * fix(api): allow admin JWT access to replication endpoint * fix(frontend): use admin session only when no replication secret * test(backend): add stripe redirect validation tests * test(backend): fix stripe redirect unit test env setup * fix(database): enforce org-scoped webhook rls (#1676) * fix: use exact app_id match for preview lookup (#1674) * fix(backend): use exact app_id match for preview lookup * fix(backend): preserve case-insensitive preview app lookup * chore(release): 12.116.3 * fix(backend): validate stripe redirect URLs * test(backend): add stripe redirect validation tests * test(backend): fix stripe redirect unit test env setup --------- Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * feat(api): auto cleanup EXIF image metadata (#1673) * feat(api): auto cleanup image metadata on updates * fix: preserve content type when stripping image metadata * fix(security): restrict get_orgs_v6(userid uuid) access (#1677) * fix(security): restrict get_orgs_v6(uuid) execution to private roles * fix(build): restore TUS HEAD upload routing (#1664) * fix(build): handle tus HEAD upload route * fix(build): chain HEAD middleware correctly * chore(release): 12.116.2 * fix(security): protect replication endpoint (#1686) * fix(security): protect replication endpoint * fix(api): require replication endpoint internal api secret * fix(api): allow admin JWT access to replication endpoint * fix(frontend): use admin session only when no replication secret * fix(database): enforce org-scoped webhook rls (#1676) * fix: use exact app_id match for preview lookup (#1674) * fix(backend): use exact app_id match for preview lookup * fix(backend): preserve case-insensitive preview app lookup * chore(release): 12.116.3 * fix(security): restrict get_orgs_v6(uuid) execution to private roles --------- Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * fix(security): revoke anon access to apikey oracle RPCs (#1670) * fix(security): restrict apikey oracle rpc execution * fix(build): restore TUS HEAD upload routing (#1664) * fix(build): handle tus HEAD upload route * fix(build): chain HEAD middleware correctly * chore(release): 12.116.2 * fix(security): protect replication endpoint (#1686) * fix(security): protect replication endpoint * fix(api): require replication endpoint internal api secret * fix(api): allow admin JWT access to replication endpoint * fix(frontend): use admin session only when no replication secret * fix: remove anon-backed get_user_id calls in private apikey flows * fix(database): enforce org-scoped webhook rls (#1676) * fix: use exact app_id match for preview lookup (#1674) * fix(backend): use exact app_id match for preview lookup * fix(backend): preserve case-insensitive preview app lookup * chore(release): 12.116.3 * fix(security): restrict apikey oracle rpc execution * fix: remove anon-backed get_user_id calls in private apikey flows --------- Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * fix(security): require capgkey auth in exist_app_v2 * fix(api): block scoped apikey key creation (#1685) * fix(api): block scoped apikeys from creating keys * fix(build): restore TUS HEAD upload routing (#1664) * fix(build): handle tus HEAD upload route * fix(build): chain HEAD middleware correctly * chore(release): 12.116.2 * fix(security): protect replication endpoint (#1686) * fix(security): protect replication endpoint * fix(api): require replication endpoint internal api secret * fix(api): allow admin JWT access to replication endpoint * fix(frontend): use admin session only when no replication secret * fix(database): enforce org-scoped webhook rls (#1676) * test: fix apikey test lint violations * fix: use exact app_id match for preview lookup (#1674) * fix(backend): use exact app_id match for preview lookup * fix(backend): preserve case-insensitive preview app lookup * chore(release): 12.116.3 * fix(api): block scoped apikeys from creating keys * test: fix apikey test lint violations --------- Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * fix: restrict webhook secret access to admin-only (#1692) * fix(security): restrict webhook secret read access * fix(rls): restrict webhook reads to admins * fix(security): keep only apikey-based exist_app_v2 check * fix(security): require capgkey auth in exist_app_v2 --------- Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary (AI generated)
supabase/functions/_backend/files/preview.tsto use exact matching (eq) instead of pattern matching (ilike) when resolving app IDs from preview subdomains.Motivation (AI generated)
Underscore (
_) inapp_idis treated as a wildcard inILIKE, which can produce multiple-row matches and trigger.single()failures in preview auth checks, causing valid apps with_to incorrectly returnapp_not_found.Business Impact (AI generated)
Prevents preview availability regressions for apps whose IDs contain underscores, avoiding false
app_not_foundresponses and preserving preview workflow reliability for affected customers.Test Plan (AI generated)
bun lintbun lint:backendapp_not_foundthen corrected behavior)Generated with AI