security(rls): enable RLS on du_shared_reports + tighten du_feedback policy#63
Open
Supabase advisor flagged two findings on the public Dear User project:

- ERROR rls_disabled_in_public + sensitive_columns_exposed on du_shared_reports: PostgREST exposed the whole table (including share tokens) to anon. The original 006 migration argued tokens act as capabilities, but that only holds if you can't list rows without one. Migration 008 enables RLS with no anon/authenticated policies — service role still bypasses, so loadSharedReport (web) and insertSharedReport (mcp) keep working.
- WARN rls_policy_always_true on du_feedback: WITH CHECK (true) let anon insert anything in any column. Migration 009 replaces the policy with bounded length checks across message/context/email/user_agent and adds a 100/hour global rate-limit trigger. The existing tabular CHECKs on message length, rating range, and source enum stay.

Side-effect: anon INSERT with `Prefer: return=representation` requires a SELECT permission we don't grant, so feedback.ts switches to return=minimal and drops the unused `id` round-trip. Tests updated.

Verified post-apply: anon SELECT on both tables returns [], anon INSERT on du_feedback succeeds with return=minimal, advisor re-run is clear of ERROR/WARN findings on these tables.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
- Enable RLS on `du_shared_reports` (was off — PostgREST exposed all share tokens to anon)
- Replace `du_feedback` policy from `WITH CHECK (true)` to bounded length checks + 100/hr rate-limit trigger
- Switch `feedback.ts` to `Prefer: return=minimal` (anon no longer has implicit SELECT, so representation broke)

Why

Supabase advisor flagged on the public Dear User project:

- `rls_disabled_in_public` + `sensitive_columns_exposed` on `du_shared_reports`
- `rls_policy_always_true` on `du_feedback`

The original 006 migration argued tokens-as-capabilities was sufficient, but PostgREST happily lists the whole table for anon, returning every token. RLS now blocks that — service role still bypasses, so `loadSharedReport` (web) and `insertSharedReport` (mcp) keep working without code changes.

Verified post-apply

- anon GET `/rest/v1/du_shared_reports?select=*` → `[]`
- anon GET `/rest/v1/du_feedback?select=*` → `[]`
- anon POST `/rest/v1/du_feedback` with `return=minimal` → 201
- advisor re-run clear of ERROR/WARN (`rls_enabled_no_policy` is intentional — service-role only)
- `feedback.test.ts`: 6/6 pass

Test plan

- `/r/<token>` — should still work via service-role read
- `dearuser feedback "test"` — should still get "Tak — din feedback er modtaget"
- Query `du_shared_reports` from any anon client — should return empty

🤖 Generated with Claude Code
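The two migrations the PR describes, reconstructed as an added example rather than the project's own 008/009 files. The policy names, the per-column length limits, a `created_at` column on `du_feedback`, and `anon` as the only inserting role are assumptions.

```sql
-- Added example, not the project's migrations. Assumptions: a created_at
-- column on du_feedback, the limits below, and the old policy's name.

-- 008: turn RLS on for du_shared_reports and grant no anon/authenticated
-- policy. anon can no longer enumerate rows (and thus share tokens);
-- service_role bypasses RLS, so the server-side token lookup keeps working.
ALTER TABLE public.du_shared_reports ENABLE ROW LEVEL SECURITY;

-- 009a: replace WITH CHECK (true) with bounded per-column checks. A NULL
-- message fails the policy because NULL is not TRUE in WITH CHECK.
DROP POLICY IF EXISTS "anon_insert_feedback" ON public.du_feedback;  -- assumed name
CREATE POLICY du_feedback_anon_insert ON public.du_feedback
  FOR INSERT TO anon
  WITH CHECK (
    length(message) BETWEEN 1 AND 2000
    AND (context    IS NULL OR length(context)    <= 4000)
    AND (email      IS NULL OR length(email)      <= 254)
    AND (user_agent IS NULL OR length(user_agent) <= 512)
  );

-- 009b: global 100-per-hour cap. SECURITY DEFINER matters here: a trigger
-- function normally runs as the inserting role, and anon has no SELECT
-- policy on du_feedback, so a plain count would always see 0 rows and the
-- cap would never fire. With SECURITY DEFINER the count runs as the
-- function's owner (the migration role), which is not restricted by the
-- anon policies.
CREATE OR REPLACE FUNCTION public.du_feedback_rate_limit()
RETURNS trigger
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = public
AS $$
BEGIN
  IF (SELECT count(*) FROM public.du_feedback
      WHERE created_at > now() - interval '1 hour') >= 100 THEN
    RAISE EXCEPTION 'du_feedback: global rate limit exceeded'
      USING ERRCODE = 'check_violation';
  END IF;
  RETURN NEW;
END;
$$;

CREATE TRIGGER du_feedback_rate_limit
  BEFORE INSERT ON public.du_feedback
  FOR EACH ROW EXECUTE FUNCTION public.du_feedback_rate_limit();
```

The count-then-insert in the trigger is not atomic, so concurrent inserts can overshoot the cap by a few rows; that is fine for an abuse brake but not for a hard quota.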