Skip to content

fix(auth): enforce supabase least privilege and RLS for user-facing r…#3411

Open
Daksh7785 wants to merge 1 commit into
ritesh-1918:gssocfrom
Daksh7785:feature/enforce-supabase-rls
Open

fix(auth): enforce supabase least privilege and RLS for user-facing r…#3411
Daksh7785 wants to merge 1 commit into
ritesh-1918:gssocfrom
Daksh7785:feature/enforce-supabase-rls

Conversation

@Daksh7785

Copy link
Copy Markdown

Summary

Enforce the principle of least privilege by separating the Supabase anon and service-role keys in the backend, preventing unauthorized bypass of Row Level Security (RLS) in user-facing endpoints.

Root Cause

The backend previously initialized a single global Supabase client using the SUPABASE_SERVICE_KEY and reused it across all routes and services. Because the service-role key ignores RLS policies, all user operations were effectively executing with administrative database privileges.

Solution

  • Created backend/supabase_client.py to manage anon, admin, and user_scoped clients.
  • Configured user-facing API routes (/tickets, /tickets/search, /tickets/save) to build a dynamically scoped client using the incoming Authorization header.
  • Explicitly assigned the admin client only to background services (RAG, SLA, Notifications) where elevated permissions are needed.
  • Updated .env.example to require SUPABASE_ANON_KEY.

Files Changed

  • backend/.env.example: Added SUPABASE_ANON_KEY.
  • backend/supabase_client.py (New): Client manager for least-privilege scoping.
  • backend/main.py: Refactored to use user-scoped clients.
  • backend/services/rag_service.py: Uses get_admin_client().
  • backend/services/sla_service.py: Uses get_admin_client().
  • backend/services/notification_routing.py: Uses get_admin_client().
  • backend/services/auto_close_service.py: Uses get_admin_client().

Testing

  • Backend loads properly with multiple Supabase clients.
  • Confirmed correct client instantiation in user-facing context versus background processing.

Impact

  • Breaking changes: Yes - Requires SUPABASE_ANON_KEY to be defined in the backend .env.
  • Performance impact: Negligible overhead for client instantiation.
  • Security impact: High positive impact. User-facing routes now enforce RLS policies correctly.
  • Compatibility: Fully backwards compatible, but the frontend must send the Authorization header with API requests for RLS to grant access (which it should normally do).

Checklist

  • Issue solved
  • Build passes
  • Tests pass
  • Lint passes
  • No unrelated changes
  • Ready for review

@vercel

vercel Bot commented Jul 6, 2026

Copy link
Copy Markdown

Someone is attempting to deploy a commit to the ritesh Team on Vercel.

A member of the Team first needs to authorize it.

@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown

Caution

Review failed

An error occurred during the review process. Please try again later.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant