fix: enable RLS for failed webhook events#177
Conversation
|
@saurabhhhcodes is attempting to deploy a commit to the codersogs-3057's projects Team on Vercel. A member of the Team first needs to authorize it. |
|
Hey @saurabhhhcodes You have 4 open PRs right now. The limit is 3 at a time. Please get your existing PRs merged or closed before opening new ones:
This PR will remain open but won't be reviewed until you're under the limit. See our Contributing Guidelines for details. |
Siddhartha-singh01
left a comment
Siddhartha-singh01
left a comment
There was a problem hiding this comment.
The hardening itself is exactly right @saurabhhhcodes failed_webhook_events
stores raw webhook payloads and error messages, and Supabase exposes tables via
PostgREST to authenticated roles by default, so enabling RLS with no policies (and
keeping it service-role-only) is the correct call. Same pattern you used for
flagged_accounts in #185, consistent.
Two things to sort before this can merge:
-
Stale branch + migration number collision. The branch was forked from older
main, so it still has0010_add_failed_webhook_events.sql. On current main that
file was renamed to0011_add_failed_webhook_events.sql(by #146). Your new
migration is0011_failed_webhook_events_rls.sqlso after merge there'd be two
0011_*migrations with ambiguous apply order, and Git may also resurrect the
old 0010 filename.Please rebase on current main and rename your migration to
0012_(or0013_
if #185 lands first with 0012). And update the hardcoded filename in
rls-migrations.test.ts to match. -
Soften the test description (or strengthen the test). The vitest test
regex-matches the SQL file text it doesn't actually verify RLS is enabled at
the DB level. As a tripwire (so the file can't be accidentally deleted/altered),
it's fine, but the PR description claims "this RLS requirement is covered in CI"
which is overselling it. Either strengthen the test to actually apply the
migration and check pg_class.relrowsecurity (needs a real DB), or soften the
description to "tripwire test that the migration's RLS statement isn't removed."
Once rebased and renumbered, this is good to merge. Solid security work.
|
@saurabhhhcodes please Wait till the issue get assigned to u then only u can pull request |
|
Thanks for clarifying, @Soumya-codr. I will pause further work on this PR until the issue is formally assigned to me and until I am back within the repo open-PR limit. The current branch already has CI green except for the external Vercel authorization gate. If the maintainers decide they still want this PR updated later, I can rebase it on latest main, rename the migration to avoid the numbering collision, and soften the test/PR wording as requested in review. If you prefer this closed because the issue is unassigned, I am okay with that too. |
u can continue working on that but from now onward please wait to get assigned and also i have already compensated u so please go ahead and work thanks 😊 |
saurabhhhcodes
force-pushed
the
codex/failed-webhook-rls-161
branch
from
f6888db to
51046d0
Compare
|
Addressed the review points in Changes:
Validation:
Local |
|
Quick correction from the right account: the review fixes for #177 are already on the PR branch in What changed after Siddhartha's review:
Validation I ran:
The remaining red status is still the external Vercel authorization gate. Please re-review when you get a chance. |
Thanks For understanding @Siddhartha-singh01 @Piyush-Thakkarr will review it Thanks😊 |
4 participants
Summary
failed_webhook_eventsValidation
vitest run src/lib/db/rls-migrations.test.ts(blocked locally by Rollup native optional dependency loading on macOS in this checkout)prettier --check supabase/migrations/0013_failed_webhook_events_rls.sql src/lib/db/rls-migrations.test.tseslint src/lib/db/rls-migrations.test.tstsc --noEmitgit diff --checkFixes #161
For scoring, please add/keep
GSSOC26,level:intermediate,type:security,backend, andgssoc:approvedif this qualifies. If this is also counted in NSoC, please add the matching NSoC label as well.