fix: restrict the realtime schema#1993
Conversation
Apply schema restrictions when supautils grants are available to avoid unintentional and unexpected changes to realtime schema that's supposed to be protected. Closes REAL-778 Closes REAL-773
This comment has been minimized.
This comment has been minimized.
| begin | ||
| if not exists (select from pg_roles where rolname = 'supabase_realtime_admin') then | ||
| create user supabase_realtime_admin noinherit createrole login replication password 'postgres'; | ||
| create role supabase_realtime_admin with noinherit nologin noreplication; |
There was a problem hiding this comment.
Same as migrations.
| else: (_ -> {:ignore, nil}) | ||
| end) do | ||
| value | ||
| case Cachex.fetch(__MODULE__, cache_key(name), fn _key -> |
There was a problem hiding this comment.
This change is unrelated but I found it while testing and it was small enough to include in this PR. See the tests.
| execute("REVOKE ALL ON realtime.schema_migrations FROM postgres, dashboard_user, anon, authenticated, service_role") | ||
|
|
||
| execute( | ||
| "REVOKE INSERT, UPDATE, DELETE, TRUNCATE, REFERENCES, TRIGGER ON realtime.schema_migrations FROM supabase_realtime_admin" |
There was a problem hiding this comment.
SELECT is still required but it's safe.
There was a problem hiding this comment.
why supabase_realtime_admin here matters?
There was a problem hiding this comment.
Checked again and it doesn't. I thought it was impacting tests but nope so I added supabase_realtime_adminto the REVOKE ALL ON realtime.schema_migrations because only supabase_admin is supposed to use that table.
There was a problem hiding this comment.
These are the most important assertions. Need to double check if those changes are not too restrictive.
# Conflicts: # .github/workflows/integration_tests.yml # .github/workflows/tests.yml # test/test_helper.exs
CRAP Score Report |
db_userand removesdb_user_realtime. The restriction is controlled by migrations only.use_supabase_realtime_adminRef REAL-25, REAL-527, REAL-630, REAL-631, REAL-773, REAL-778, SEC-562