The README tells users:
Service role key: Found in "Project API keys" as "service_role" (Reminder: Treat this like a password!)
However, the setup of supabase/migrations/20240108234540_setup.sql takes the Service role key as a hard-coded string and even the default value is provided, which is bound to mislead some users into thinking that this is not a credential. I have looked into 5 forks of the repo and in two cases the service role key was leaked into their publicly available forks. In other cases, users changed the line to read the key from the environment, e.g.
service_role_key TEXT := getenv('SUPABASE_SERVICE_ROLE_KEY');
Please implement this as soon as possible, if you value your users' security.
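As an added example (editor's code, not from the issue author or the project), here is the pre-commit style check a maintainer could run over a migration before pushing: it finds JWT-shaped literals, decodes the payload without verifying the signature, and flags only tokens whose `role` claim is `service_role`. The sample migration and the dummy tokens in it are constructed inline; the `current_setting('app.settings.service_role_key', true)` line shown as the hardened alternative is an assumed pattern, not a line from the project's setup.sql.

```python
import base64
import json
import re


def _b64url(data: bytes) -> str:
    """Base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_dummy_jwt(role: str, ref: str = "abcdefghijklmnopqrst") -> str:
    """Build a token in the shape of a Supabase project key (constructed, unsigned)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({
        "iss": "supabase", "ref": ref, "role": role,
        "iat": 1704067200, "exp": 1900000000,
    }).encode())
    signature = _b64url(b"\x00" * 32)  # placeholder; the scanner never verifies signatures
    return f"{header}.{payload}.{signature}"


# Three base64url segments; header and payload both start with '{"', which encodes as "eyJ".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


def decode_payload(token: str):
    """Return the JWT payload as a dict, or None if it does not parse. No verification."""
    try:
        segment = token.split(".")[1]
        segment += "=" * (-len(segment) % 4)
        return json.loads(base64.urlsafe_b64decode(segment))
    except (IndexError, ValueError):
        return None


def find_service_role_keys(text: str):
    """Scan text line by line; report (line_no, project_ref) for every service_role JWT."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for token in JWT_RE.findall(line):
            payload = decode_payload(token)
            if payload and payload.get("role") == "service_role":
                findings.append((line_no, payload.get("ref")))
    return findings


# Constructed sample migration: a hard-coded service_role key (should be flagged),
# an anon key (public by design, not flagged) and a hardened line that reads the
# secret at runtime instead of inlining it (assumed pattern, not the project's code).
SAMPLE_MIGRATION = "\n".join([
    "DO $$",
    "DECLARE",
    f"  service_role_key TEXT := '{make_dummy_jwt('service_role')}';",
    f"  anon_key TEXT := '{make_dummy_jwt('anon')}';",
    "  -- hardened alternative: no credential literal in the file",
    "  -- service_role_key TEXT := current_setting('app.settings.service_role_key', true);",
    "BEGIN",
    "  NULL;",
    "END $$;",
])


if __name__ == "__main__":
    for line_no, ref in find_service_role_keys(SAMPLE_MIGRATION):
        print(f"line {line_no}: hard-coded service_role key for project {ref}")
```

The check keys on the `role` claim rather than on a regex for "secret-looking strings", so the anon key that every front end ships anyway is not reported, while a service_role token is caught wherever it sits in the file, including inside a `DECLARE` block. Running it against forks would have surfaced the two leaks described above before they were pushed.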
Bumped into this problem just today with a new deploy; best mitigation I found was to fork, then import the fork in a bitbucket private repo and move from there