Solving RLS

derjogi · derjogi · commit 247ed07d1e4d · 2025-04-24T11:37:57.000+12:00
* We cannot authenticate users with API keys, because we don't have their password
* When other users are authenticated (just created an account, checked their api keys etc...) then authorization for those users might still be active (JWT tokens still on the server), and supabase would use those instead of service_role. So: sign out any user before verifying tokens.
diff --git a/app/api/v1/routes/auth.py b/app/api/v1/routes/auth.py
@@ -100,15 +100,12 @@ async def create_api_key(credentials: UserCredentials) -> ApiKeyResponse:
         HTTPException: 400 if creation fails, 401 if authentication fails
     """
     try:
-        print("\nCreate API key endpoint hit!")  # See if we reach this endpoint
         print(f"Creating API key for {credentials.email}")
-        print("\nCreating API key...")
-        print(f"Test environment: {settings.ENVIRONMENT == 'TEST'}; SKIP EMAIL VERIFICATION: {settings.SKIP_EMAIL_VERIFICATION}")
-        log = f"Authenticating user {credentials.email} with password {credentials.password}"
+        if settings.ENVIRONMENT == 'TEST':
+          print(f"Test environment: {settings.ENVIRONMENT == 'TEST'}; SKIP EMAIL VERIFICATION: {settings.SKIP_EMAIL_VERIFICATION}")
+        log = f"Authenticating user {credentials.email} with password ***"
         user = await backend.authenticate_user(credentials.email, credentials.password)
         log = f"User authenticated: {user}"
-        print(f"User authenticated: {user}")
-        print(f"User metadata: {user.user_metadata}")
         
         # Skip verification check in test environment
         if not (settings.ENVIRONMENT == "TEST" and settings.SKIP_EMAIL_VERIFICATION):
diff --git a/app/core/security.py b/app/core/security.py
@@ -121,7 +121,12 @@ async def list_api_keys(user):
   return api_keys
 
 async def verify_token(request: Request, credentials: Optional[HTTPAuthorizationCredentials] = Security(security)) -> dict:
-    """Verify JWT token and return user info with credits"""          
+    """Verify JWT token and return user info with credits"""
+    
+    # Whatever the logic flow, first we need to make sure that there isn't a different user still authorized:
+    db.auth.sign_out()
+    
+    # Now we can do the rest of the logic. run test routines first, then check guest or proper user.           
     try:
         # Skip email verification in test environment
         if settings.ENVIRONMENT == "TEST" and settings.SKIP_EMAIL_VERIFICATION:
@@ -227,4 +232,4 @@ def generate_guest_id(request: Request) -> dict:
     ip = request.client.host
     # Hash the IP to get 32 hex chars
     hex_hash = hashlib.sha256(ip.encode()).hexdigest()[:32]
-    return {"id": f"{UUID(hex_hash)}"}
+    return {"id": f"{UUID(hex_hash)}"}
diff --git a/supabase/migrations/004_service_role_api_key_access.sql b/supabase/migrations/004_service_role_api_key_access.sql
@@ -0,0 +1,18 @@
+BEGIN;
+
+-- Create new comprehensive service role policies
+CREATE POLICY "Service role has full access to API keys"
+ON public.api_keys
+FOR ALL
+TO service_role
+USING (true)
+WITH CHECK (true);
+
+CREATE POLICY "Service role has full access to credits"
+ON public.credits
+FOR ALL
+TO service_role
+USING (true)
+WITH CHECK (true);
+
+COMMIT;
