Fix RLS permission issues

Author: derjogi

app/core/config.py

@@ -8,6 +8,7 @@ class OperationCost(TypedDict):
 
 class Settings(BaseSettings):
     PROJECT_NAME: str
+    PROJECT_URL: str
 
     # List all published versions here. This enables us to manage them better; i.e. gradually phase them out etc...
     API_V1_STR: str

app/core/security.py

@@ -19,15 +19,16 @@ async def authenticate_user(email: str, password: str):
     if not user.user_metadata["email_verified"]:
         raise HTTPException(status_code=401, detail="Email not verified. Please check your inpox & spam")
 
+    print("User authenticated:", user)
     # Check if user has credits entry
     credits = db.table('credits').select('*').eq('user_id', user.id).execute()
+    print("User credits:", credits.data)
     if not credits.data:
         # Create initial credits entry if none exists
-        db.table('credits').insert({
-            'user_id': user.id,
-            'balance': settings.USER_DAILY_CREDITS  # starting balance for registered users
-        }).execute()
-    
+        db.rpc('add_credits', {
+            'p_user_id': user.id,
+            'amount': settings.USER_DAILY_CREDITS
+        }).execute()    
     return user
 
 async def verify_email_code(email: str, code: str):

supabase/config.toml

@@ -44,7 +44,7 @@ max_client_conn = 100
 
 [db.seed]
 # If enabled, seeds the database after migrations during a db reset.
-enabled = true
+enabled = false
 # Specifies an ordered list of seed files to load during db reset.
 # Supports glob patterns relative to supabase directory: './seeds/*.sql'
 sql_paths = ['./seed.sql']
@@ -97,7 +97,7 @@ file_size_limit = "50MiB"
 enabled = true
 # The base URL of your website. Used as an allow-list for redirects and for constructing URLs used
 # in emails.
-site_url = "http://127.0.0.1:3000"
+site_url = "env(PROJECT_URL)"
 # A list of *exact* URLs that auth providers are permitted to redirect to post authentication.
 additional_redirect_urls = ["https://127.0.0.1:3000"]
 # How long tokens are valid for, in seconds. Defaults to 3600 (1 hour), maximum 604,800 (1 week).
@@ -110,7 +110,7 @@ refresh_token_reuse_interval = 10
 # Allow/disallow new user signups to your project.
 enable_signup = true
 # Allow/disallow anonymous sign-ins to your project.
-enable_anonymous_sign_ins = false
+enable_anonymous_sign_ins = true
 # Allow/disallow testing manual linking of accounts
 enable_manual_linking = false
 # Passwords shorter than this value will be rejected as weak. Minimum 6, recommended 8 or more.

supabase/migrations/001_credit_system.sql

@@ -9,6 +9,7 @@ create table credits (
   last_free_credit_update timestamp with time zone,
   primary key (user_id)
 );
+ALTER TABLE public.credits ENABLE ROW LEVEL SECURITY;
 
 -- Credit transactions table
 create table credit_transactions (
@@ -18,6 +19,7 @@ create table credit_transactions (
   operation_type text not null,
   created_at timestamp with time zone default now()
 );
+ALTER TABLE public.credit_transactions ENABLE ROW LEVEL SECURITY;
 
 -- RLS Policies
 create policy "Users can view their own credits"
@@ -30,13 +32,13 @@ create policy "System can modify credits"
 
 -- Function to add credits
 create or replace function add_credits(
-  user_id uuid,
+  p_user_id uuid,
   amount integer
 ) returns void
 language plpgsql security definer as $$
 begin
   insert into credits (user_id, balance)
-  values (add_credits.user_id, amount)
+  values (p_user_id, amount)
   on conflict (user_id) do update
   set balance = credits.balance + amount;
 
@@ -45,7 +47,7 @@ begin
     amount,
     operation_type
   ) values (
-    add_credits.user_id,
+    p_user_id,
     amount,
     'addition'
   );
@@ -87,4 +89,5 @@ begin
 
   return false;
 end;
-$$;
+$$;
+

supabase/migrations/002_api_keys.sql

@@ -4,3 +4,17 @@ create table api_keys (
     created_at timestamp with time zone default now(),
     revoked_at timestamp with time zone
 );
+ALTER TABLE public.api_keys ENABLE ROW LEVEL SECURITY;
+
+-- Add after table creation
+create policy "Users can view their own API keys"
+  on api_keys for select
+  using (auth.uid() = user_id);
+
+create policy "Users can create their own API keys"
+  on api_keys for insert
+  with check (auth.uid() = user_id);
+
+create policy "Users can delete their own API keys"
+  on api_keys for delete
+  using (auth.uid() = user_id);