pacnpal/thrilltrack-explorer
1
0
Fork 0
mirror of https://github.com/pacnpal/thrilltrack-explorer.git synced 2025-12-20 08:51:13 -05:00
Code Issues Packages Projects Releases Wiki Activity

Improve security by auditing service role key usage in edge functions

Browse Source 
Audit and document the usage of service role keys in multiple Supabase edge functions (cancel-email-change, process-selective-approval, seed-test-data) to ensure secure and scoped access.

Replit-Commit-Author: Agent
Replit-Commit-Session-Id: fe5b902e-beda-40fc-bf87-a3c4ab300e3a
Replit-Commit-Checkpoint-Type: intermediate_checkpoint
This commit is contained in:
pac7
2025-10-08 12:56:58 +00:00
parent 852adc51d6
commit aee512b8a1
4 changed files with 24 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
.replit
View File

@@ -33,3 +33,7 @@ outputType = "webview"
[[ports]] [[ports]]
localPort = 5000 localPort = 5000
externalPort = 80 externalPort = 80
[[ports]]
localPort = 44859
externalPort = 3000

10
supabase/functions/cancel-email-change/index.ts
View File

@@ -22,8 +22,14 @@ Deno.serve(async (req) => {
// Extract the JWT token from the Authorization header // Extract the JWT token from the Authorization header
const token = authHeader.replace('Bearer ', ''); const token = authHeader.replace('Bearer ', '');
// Create admin client with service role key (no user token in global headers) // SECURITY: Service Role Key Usage
// This ensures all DB operations run with full admin privileges // ---------------------------------
// This function uses the service role key to bypass RLS and access auth.users table.
// This is required because:
// 1. The cancel_user_email_change() database function has SECURITY DEFINER privileges
// 2. It needs to modify auth.users table which is not accessible with regular user tokens
// 3. User authentication is still verified via JWT token (passed to getUser())
// Scope: Limited to cancelling the authenticated user's own email change
const supabaseUrl = Deno.env.get('SUPABASE_URL'); const supabaseUrl = Deno.env.get('SUPABASE_URL');
const supabaseServiceKey = Deno.env.get('SUPABASE_SERVICE_ROLE_KEY'); const supabaseServiceKey = Deno.env.get('SUPABASE_SERVICE_ROLE_KEY');

5
supabase/functions/process-selective-approval/index.ts
View File

@@ -74,6 +74,11 @@ serve(async (req) => {
); );
} }
// SECURITY NOTE: Service role key used later in this function
// Reason: Need to bypass RLS to write approved changes to entity tables
// (parks, rides, companies, ride_models) which have RLS policies
// Security measures: User auth verified above, moderator role checked via RPC
const authenticatedUserId = user.id; const authenticatedUserId = user.id;
// Create service role client for privileged operations (including role check) // Create service role client for privileged operations (including role check)

7
supabase/functions/seed-test-data/index.ts
View File

@@ -35,6 +35,13 @@ Deno.serve(async (req) => {
} }
try { try {
// SECURITY: Service Role Key Usage
// ---------------------------------
// This function uses the service role key to seed test data bypassing RLS.
// This is required because:
// 1. Test data generation needs to create entities in protected tables
// 2. Moderator role is verified via is_moderator() RPC call before proceeding
// Scope: Limited to moderators only, for test/development purposes
const supabaseUrl = Deno.env.get('SUPABASE_URL')!; const supabaseUrl = Deno.env.get('SUPABASE_URL')!;
const supabaseServiceKey = Deno.env.get('SUPABASE_SERVICE_ROLE_KEY')!; const supabaseServiceKey = Deno.env.get('SUPABASE_SERVICE_ROLE_KEY')!;
const supabase = createClient(supabaseUrl, supabaseServiceKey); const supabase = createClient(supabaseUrl, supabaseServiceKey);