aiku-ai / AiKu

AiKu is life.
https://aiku.netlify.app/

Security Overview #40

Open danwritecode opened 1 year ago

danwritecode commented 1 year ago

Mainly concerned with Supabase, particularly:

  1. Row level security
  2. S3/Storage bucket policies
  3. Other things I'm missing
danwritecode commented 1 year ago

Database table permissions:

Unauthed

  - Aiku: Read only
  - aikuActivity: Read only
  - aikuCollectionMap: No access
  - collection: No access
  - preset: Read only

Authed

  - Aiku: Read, Write
  - aikuActivity: Read, Write
  - aikuCollectionMap: Read, Write, Delete
  - collection: Read, Write, Update, Delete
  - preset: Read only

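The permission matrix above is a specification; in Supabase the only control that actually enforces it against a caller who holds the public anon key is Postgres row level security, since anything done in the front-end JavaScript can be skipped by talking to the REST endpoint directly. The following is an added example of how that matrix maps onto RLS policies, written for this page and not taken from the AiKu repository. It assumes (the thread does not say) that every table carries a uuid column `user_id` holding the creating user's `auth.uid()`, that writes and deletes are scoped to the row's owner, and that the tables live in the `public` schema under the camelCase names listed. The verification block at the end uses the Supabase convention of impersonating the `anon` and `authenticated` roles from the SQL editor.

```sql
-- Added example, not AiKu project code. Assumed: column user_id uuid on
-- every table, populated with the creating user's auth.uid().

-- 1. Deny by default. With RLS enabled and no policy, anon/authenticated
--    see and change nothing; only the table owner / service_role bypass.
alter table public."Aiku"              enable row level security;
alter table public."aikuActivity"      enable row level security;
alter table public."aikuCollectionMap" enable row level security;
alter table public."collection"        enable row level security;
alter table public."preset"            enable row level security;

-- 2. "Read only" for unauthed and authed: Aiku, aikuActivity, preset.
--    Supabase maps a request's JWT role onto the Postgres roles anon / authenticated.
create policy "aiku_read_all"     on public."Aiku"         for select to anon, authenticated using (true);
create policy "activity_read_all" on public."aikuActivity" for select to anon, authenticated using (true);
create policy "preset_read_all"   on public."preset"       for select to anon, authenticated using (true);

-- 3. Authed "Write" = insert only. No update/delete policy exists, so those are denied.
--    WITH CHECK pins the inserted row to the caller, so a client cannot write
--    rows on behalf of another user.
create policy "aiku_insert_own"     on public."Aiku"         for insert to authenticated with check (auth.uid() = user_id);
create policy "activity_insert_own" on public."aikuActivity" for insert to authenticated with check (auth.uid() = user_id);

-- 4. aikuCollectionMap: authed Read, Write, Delete (no Update). Unauthed: no access.
create policy "map_select_own" on public."aikuCollectionMap" for select to authenticated using (auth.uid() = user_id);
create policy "map_insert_own" on public."aikuCollectionMap" for insert to authenticated with check (auth.uid() = user_id);
create policy "map_delete_own" on public."aikuCollectionMap" for delete to authenticated using (auth.uid() = user_id);

-- 5. collection: authed Read, Write, Update, Delete. Unauthed: no access.
--    For UPDATE both clauses matter: USING selects the rows that may be touched,
--    WITH CHECK stops the caller re-assigning a row to a different user_id.
create policy "collection_select_own" on public."collection" for select to authenticated using (auth.uid() = user_id);
create policy "collection_insert_own" on public."collection" for insert to authenticated with check (auth.uid() = user_id);
create policy "collection_update_own" on public."collection" for update to authenticated using (auth.uid() = user_id) with check (auth.uid() = user_id);
create policy "collection_delete_own" on public."collection" for delete to authenticated using (auth.uid() = user_id);

-- 6. Verify without the front-end. request.jwt.claims is the setting auth.uid() reads.
begin;
set local role anon;
select count(*) from public."collection";   -- expected 0: anon has no select policy
reset role;
set local role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}', true);
delete from public."Aiku";                  -- expected DELETE 0: no delete policy
rollback;
```

Two checks worth keeping in mind when reading the verification step: a `0 rows` result and a `permission denied` error are both passes (the latter means the table-level GRANT is missing as well), and `service_role` keys bypass RLS entirely, so the tests above only say something about what the anon key can do from a browser.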
adragione commented 1 year ago

Created RLS policies for all tables within the Supabase DB; need to validate that they work in conjunction with the controls configured on the front-end within the JS code.

adragione commented 1 year ago

S3 bucket for aikus has relevant policies to allow inserts only from authenticated users and reads from all users. Still want to validate that we can't delete anything from the bucket when accessed from outside the app.
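Supabase Storage access rules are ordinary RLS policies on the `storage.objects` table, filtered by `bucket_id`, so the "insert only when authenticated, read for everyone, never delete" rule described above can be expressed and then checked from the database side rather than by trying things through the app. The block below is an added example written for this page, not the project's own policy set; it assumes the bucket is named `aikus` and that uploads are stored under a top-level folder equal to the uploader's user id (an extra restriction the thread does not mention, included as a common hardening). Note the caveat that a bucket flagged public serves downloads through its public URL without consulting these policies, so read exposure has to be judged from the bucket flag as well.

```sql
-- Added example, not AiKu project code. Assumed bucket name: 'aikus'.
-- Assumed object layout: '<auth.uid()>/<filename>' (not stated in the thread).

alter table storage.objects enable row level security;   -- already on in hosted projects

-- Reads for everyone, limited to this bucket.
create policy "aikus_public_read"
  on storage.objects for select to anon, authenticated
  using (bucket_id = 'aikus');

-- Inserts only for authenticated callers, and only into their own folder.
-- storage.foldername(name) splits the object key into its path segments.
create policy "aikus_authenticated_insert"
  on storage.objects for insert to authenticated
  with check (
    bucket_id = 'aikus'
    and (storage.foldername(name))[1] = auth.uid()::text
  );

-- Deliberately no policy FOR DELETE or FOR UPDATE: with RLS on, a delete or
-- update from anon/authenticated matches zero rows in this bucket.

-- Check 1: inventory every policy that mentions the bucket. Any row whose cmd
-- is DELETE or UPDATE (or ALL) is the finding the question above is about.
select policyname, cmd, roles
from pg_policies
where schemaname = 'storage' and tablename = 'objects'
  and (qual like '%aikus%' or with_check like '%aikus%');

-- Check 2: attempt the delete as an authenticated user. The Storage API runs
-- the same policies, so this is equivalent to calling remove() from a client.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}', true);
delete from storage.objects where bucket_id = 'aikus';   -- expected DELETE 0
rollback;
```

The end-to-end version of check 2 is to take the anon key out of the deployed bundle, sign in as an ordinary user (or not at all), and call `storage.from('aikus').remove([...])` from a script outside the app; the expected result is an error or an empty result with the object still listed afterwards, never a successful removal.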