Conversation
Co-authored-by: suggestied <suggestied@gmail.com>
- Enable custom access token hook in configuration to support JWT claims.
- Update SQL functions to read tenant ID from JWT claims and maintain backward compatibility with session variables.
- Modify comments to clarify the use of user metadata for tenant context and the necessity of refreshing tokens.
- Enhance tenant context setting in tests to ensure persistence across PostgREST requests.

Co-authored-by: suggestied <suggestied@gmail.com>

- Wrap custom access token hook in exception handling to ensure graceful failure without impacting authentication.
- Update user ID extraction logic for compatibility with multiple event structures.
- Modify test tenant context setting to force token refresh by signing out and back in, ensuring the custom access token hook runs correctly.
- Improve error handling during user sign-in process in tests.

Co-authored-by: suggestied <suggestied@gmail.com>

- …n installation
- Update asset tests to create separate clients for each tenant, ensuring proper tenant context is set during asset creation.
- Enhance integration tests by adding configuration parameters for plugin installation, including a new secret reference and region setting.

Co-authored-by: suggestied <suggestied@gmail.com>

- …orrect tenant context
- Modify the SQL migration to separately retrieve the user ID after calling the rpc_setup function, which now returns the tenant ID.
- Add comments for clarity on the changes made to user ID extraction and its implications for tenant context handling.

- Recreate the v_plugin_installations view with explicit permission checks in the WHERE clause to ensure that only users with tenant.admin permissions can see plugin installations.
- Add comments for clarity on the permission checks and their integration with RLS policies.
- Update the view's comment to reflect the new permission requirements and security measures.

- Grant execute permission on the `authz.get_current_tenant_id()` function to the anon role, allowing anonymous users to query views that utilize this function while ensuring they receive empty results.
- Update comments on various views to clarify that anonymous users can query them but will receive no data due to tenant context restrictions.
- Adjust permissions on tenant-scoped views to ensure proper access control, including granting select permissions to authenticated users and revoking from anon where necessary.
- Implement a custom access token hook to add tenant_id to JWT claims, ensuring stateless tenant context across requests and validating tenant membership before adding claims.

Co-authored-by: suggestied <suggestied@gmail.com>
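The hook-plus-fallback design described in these commits, written out as an added example (not the PR's own migration): a Supabase custom access token hook that validates membership before stamping `tenant_id` into the claims and fails open on error, and a `get_current_tenant_id()` that reads the claim first and a session variable second. The `authz.memberships` table, its columns and the session variable name `app.current_tenant_id` are assumptions; `raw_user_meta_data->>'current_tenant_id'` is where the commits say `rpc_set_tenant_context` persists the active tenant.

```sql
-- Hook: copy the user's persisted active tenant into the JWT as tenant_id,
-- but only after confirming the user is still a member of that tenant.
-- Assumed (hypothetical): authz.memberships(user_id, tenant_id) holds memberships.
create or replace function public.custom_access_token_hook(event jsonb)
returns jsonb language plpgsql security definer set search_path = '' as $$
declare
  v_user_id   uuid;
  v_tenant_id uuid;
  v_claims    jsonb := coalesce(event -> 'claims', '{}'::jsonb);
begin
  -- Tolerate both event shapes: top-level user_id or claims.sub
  v_user_id := coalesce((event ->> 'user_id')::uuid, (v_claims ->> 'sub')::uuid);

  -- rpc_set_tenant_context persists the active tenant in user metadata
  select (u.raw_user_meta_data ->> 'current_tenant_id')::uuid
    into v_tenant_id
    from auth.users u
   where u.id = v_user_id;

  if v_tenant_id is not null and exists (
       select 1 from authz.memberships m
        where m.user_id = v_user_id and m.tenant_id = v_tenant_id) then
    v_claims := v_claims || jsonb_build_object('tenant_id', v_tenant_id);
  end if;
  return jsonb_set(event, '{claims}', v_claims);
exception when others then
  -- A hook failure must never block sign-in: hand the event back untouched
  return event;
end $$;

-- Reader used by the public.v_* views: JWT claim first, then the legacy
-- session variable (name 'app.current_tenant_id' is assumed); null for anon,
-- so tenant-scoped views return no rows rather than leaking across tenants.
create or replace function authz.get_current_tenant_id()
returns uuid language sql stable as $$
  select coalesce(
    nullif(current_setting('request.jwt.claims', true), '')::jsonb ->> 'tenant_id',
    nullif(current_setting('app.current_tenant_id', true), '')
  )::uuid
$$;

-- Supabase Auth invokes the hook as supabase_auth_admin; nobody else should call it
grant execute on function public.custom_access_token_hook(jsonb) to supabase_auth_admin;
revoke execute on function public.custom_access_token_hook(jsonb) from authenticated, anon, public;
```

Because the claim is minted at token issuance, a call to `rpc_set_tenant_context` takes effect only after the client refreshes its session, which is why the tests sign out and back in.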
Cursor Bugbot has reviewed your changes and found 2 potential issues.
```sql
begin
v_user_id := authz.rpc_setup(p_tenant_id, 'tenant.admin');

perform util.check_rate_limit('plugin_update', null, 20, 1, v_user_id, p_tenant_id);
```
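Review bot: the `v_user_id := authz.rpc_setup(p_tenant_id, 'tenant.admin');` line stores whatever `rpc_setup` returns, and per the migration notes above that is now the tenant id, so the following `perform util.check_rate_limit('plugin_update', null, 20, 1, v_user_id, p_tenant_id);` keys the limit on the tenant and every admin in it shares one bucket. Replace it with `perform authz.rpc_setup(p_tenant_id, 'tenant.admin');` followed by `v_user_id := authz.validate_authenticated();`, the ordering `rpc_install_plugin` already uses, and apply the same change in `rpc_uninstall_plugin`.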
Incorrect variable assignment causes broken rate limiting
High Severity
In rpc_update_plugin_installation and rpc_uninstall_plugin, v_user_id is assigned the return value of authz.rpc_setup(), which returns the tenant_id, not a user_id. This causes the rate limiting to track against tenant_id instead of user_id, allowing individual users to potentially bypass their rate limits or incorrectly blocking legitimate users based on other users' actions. The correct pattern is shown in rpc_install_plugin which uses perform authz.rpc_setup() followed by v_user_id := authz.validate_authenticated().
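The two shapes side by side, as an added example rather than the PR's own code: the buggy assignment beside the corrected ordering the review points to. `authz.rpc_setup`, `authz.validate_authenticated` and `util.check_rate_limit` are the names used in the review; their exact signatures and the `p_installation_id` parameter are assumptions.

```sql
-- Buggy shape (as in the hunk): rpc_setup returns the tenant id, so every admin in
-- the tenant shares one rate-limit bucket and nobody is limited per user.
create or replace function public.rpc_update_plugin_installation_buggy(p_tenant_id uuid, p_installation_id uuid)
returns void language plpgsql security definer as $$
declare
  v_user_id uuid;
begin
  v_user_id := authz.rpc_setup(p_tenant_id, 'tenant.admin');   -- actually a tenant id
  perform util.check_rate_limit('plugin_update', null, 20, 1, v_user_id, p_tenant_id);
  -- ... update int.plugin_installations where id = p_installation_id ...
end $$;

-- Corrected shape (the pattern the review cites from rpc_install_plugin): run the
-- permission/context setup for its side effects, then take the caller id separately.
create or replace function public.rpc_update_plugin_installation(p_tenant_id uuid, p_installation_id uuid)
returns void language plpgsql security definer as $$
declare
  v_user_id uuid;
begin
  perform authz.rpc_setup(p_tenant_id, 'tenant.admin');
  v_user_id := authz.validate_authenticated();                  -- the caller, not the tenant
  perform util.check_rate_limit('plugin_update', null, 20, 1, v_user_id, p_tenant_id);
  -- ... update int.plugin_installations where id = p_installation_id ...
end $$;
```

A quick way to catch this class of bug in review is to grep migrations for `:= authz.rpc_setup(` and require every match to be a `perform`.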
```sql
where tenant_id = authz.get_current_tenant_id();

comment on view public.v_audit_retention_configs is
'Tenant-scoped audit retention configuration for the current tenant context. Requires tenant.admin access via RLS.';
```
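Review bot: the view comment promises tenant.admin access via RLS, but no `grant select on public.v_audit_retention_configs to authenticated;` accompanies the view in this hunk; RLS on the underlying table only decides which rows come back once the role can select the view at all, so without the grant authenticated users get a permission error instead of a filtered result. Add the grant next to the comment (and an explicit revoke from anon, since `where tenant_id = authz.get_current_tenant_id()` already yields nothing for anon), as was done for v_plugin_installations.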
Missing grants prevent access to new audit views
Medium Severity
The views v_audit_retention_configs, v_audit_permission_changes, and v_plugins are created without grant select statements to authenticated users. Unlike v_plugin_installations which has explicit grants (line 1153), these views lack permission grants. This means authenticated users cannot query them, despite the views being documented as accessible ("Requires tenant.admin access via RLS", "Read-only view for client discovery") and having tests that expect to query them. The tests in audit_retention.test.ts will fail due to these missing grants.
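The grants the review asks for, plus a migration-time check that fails loudly if any is missing, as an added example and not the PR's own migration. The view names come from the review; revoking the two admin views from anon is an assumption that mirrors the pattern described for v_plugin_installations.

```sql
-- Explicit grants: RLS cannot substitute for these, it only filters rows after
-- the role has been allowed to select from the view.
grant select on public.v_audit_retention_configs   to authenticated;
grant select on public.v_audit_permission_changes  to authenticated;
grant select on public.v_plugins                   to authenticated;
revoke select on public.v_audit_retention_configs  from anon;
revoke select on public.v_audit_permission_changes from anon;

-- Guard: abort the migration if a future edit drops one of the grants again,
-- rather than discovering it through a failing integration test.
do $$
declare
  v_view text;
begin
  foreach v_view in array array['public.v_audit_retention_configs',
                                'public.v_audit_permission_changes',
                                'public.v_plugins'] loop
    if not has_table_privilege('authenticated', v_view, 'SELECT') then
      raise exception 'missing grant select on % to authenticated', v_view;
    end if;
  end loop;
end $$;
```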


Summary
Adds a detailed implementation plan for proposed Architectural Decision Records (ADRs). This provides a structured approach to guide the development work required to move these ADRs to an 'Accepted' status.
Changes
- docs/adr/implementation-plan.md outlining the implementation steps for ADRs 0002, 0005, 0007, 0008, 0009, and 0010.
- docs/adr/README.md to include a link to the new implementation plan.

Testing
- npm test

Checklist
Notes
This PR is purely documentation-focused and does not introduce any code changes. It serves as a blueprint for future development work.
Note
High Risk
High risk because it changes tenant scoping semantics and authentication/token issuance flow (new custom access-token hook + metadata-backed tenant context), and adds new RLS-protected schemas/RPCs for audit retention and plugin installation that affect security and data access patterns.
Overview
Core change: tenant scoping for `public` views moves from "all memberships via `auth.uid()`" to a single active tenant context derived primarily from a new JWT `tenant_id` claim (with session-variable fallback). This adds a Supabase Auth `custom_access_token_hook`, updates `rpc_set_tenant_context` to persist `current_tenant_id` into user metadata (requiring token refresh), and updates many `public.v_*` views to filter by `authz.get_current_tenant_id()`; several views now explicitly grant/revoke `anon` access.

Audit + governance: adds tenant-configurable audit retention (`cfg.audit_retention_configs`, `public.v_audit_retention_configs`, `public.rpc_set_audit_retention_config`) plus a purge helper (`util.purge_audit_records`), and introduces an admin-only `public.v_audit_permission_changes` view. Audit coverage is expanded (new `departments` audit trigger) and indexes added to speed common audit queries.

Integrations/plugins: introduces `int.plugins` and `int.plugin_installations` with RLS, audit triggers, discovery/admin views (`public.v_plugins`, `public.v_plugin_installations`), and admin RPCs to install/update/uninstall; registration is restricted to `service_role`. Public API naming is aligned (renames summary/overview views to plural forms), removes a now-redundant migration, tightens local API exposure in `supabase/config.toml`, and adds docs/checklist updates plus tests (including naming-convention enforcement) while refactoring existing tests away from direct table writes toward RPC/view usage.

Written by Cursor Bugbot for commit 7e2f56f.