nuxt-modules / supabase

Supabase module for Nuxt.
https://supabase.nuxtjs.org
MIT License

Clarification request on Exposure of Nuxt Config with 'credentials' #341

Open nicokempe opened 7 months ago

nicokempe commented 7 months ago

Environment

Reproduction Link

https://github.com/nuxt-modules/supabase/tree/main/demo

Steps to reproduce

  1. Set up a new Nuxt 3 project with the Supabase module.
  2. Configure the project to use environment variables for Supabase tokens and URLs.
  3. Observe that these tokens and URLs are exposed in plain text in the `window.__NUXT__.config` script block in the web devtools.
  4. Verify this behavior by accessing Supabase with the "exposed" credentials from the Demo page of the Supabase module.

What is Expected?

Sensitive information like Supabase tokens and URLs should not be exposed in the client-side code. These details should remain secure and confidential, especially when the application is built for production. -> I am no security expert, so I don't know if this is possibly just the functionality and it should work like this? It feels wrong to be able to access the Supabase data of others and to create users or log in with them on my own page. I don't know how much more is possible (creating tables or gathering user data) and whether this is even possible with this key or if the service key is needed for such things.

What is actually happening?

The entire Nuxt configuration, including sensitive information such as Supabase tokens and URLs, is being exposed in the `window.__NUXT__.config` script block. This exposure presents a significant security risk, as it allows anyone with knowledge of browser DevTools to access and potentially misuse these credentials. As I have already said, I am not sure if this key can be used to do really "bad" things, but I would not want others to be able to register with just an email & password if I only provide OAuth using GitHub on my page, for example like on the demo page. 😄

I was able to access some tokens using the exposed key. But I am not sure how sensitive they actually are or if those are public keys (they don't look as if they are, but I don't know; as I have already said, I am not a security expert, just a developer who saw something that looked like a security problem, which is why I am reporting / asking this).
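An added example (not code from the issue or from the module) for the "is this a public key?" question, from the defender's side: Supabase API keys are JWTs whose `role` claim is `anon` (meant to reach the browser, and only as safe as the project's RLS policies) or `service_role` (bypasses RLS, must stay server-side). The function below reads that claim without verifying the signature and flags any `service_role` key that sits under the client-visible `public` part of a Nuxt-style runtime config; the config shape and the sample tokens are constructed assumptions.

```javascript
// Decode a JWT payload without verifying it. This only reads the role
// claim for an audit; never use unverified claims for authentication.
function jwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  try {
    return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
  } catch {
    return null;
  }
}

// "anon" keys are designed to be shipped to browsers; "service_role"
// keys bypass row level security and must never reach the client.
function supabaseRole(token) {
  const p = jwtPayload(token);
  return p && typeof p.role === "string" ? p.role : null;
}

// Walk the `public` subtree of a Nuxt-style runtime config (the part that
// ends up in window.__NUXT__.config) and return dotted paths of any string
// that decodes to a service_role key.
function findLeakedServiceKeys(runtimeConfig, path = ["public"]) {
  let node = runtimeConfig;
  for (const k of path) node = node && node[k];
  const leaks = [];
  const walk = (v, p) => {
    if (typeof v === "string") {
      if (supabaseRole(v) === "service_role") leaks.push(p.join("."));
    } else if (v && typeof v === "object") {
      for (const [k, child] of Object.entries(v)) walk(child, [...p, k]);
    }
  };
  walk(node, path);
  return leaks;
}

// Constructed sample tokens: real-shaped payloads, fake signature.
const b64url = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
const header = b64url({ alg: "HS256", typ: "JWT" });
const ANON_KEY = `${header}.${b64url({ iss: "supabase", role: "anon" })}.sig`;
const SERVICE_KEY = `${header}.${b64url({ iss: "supabase", role: "service_role" })}.sig`;

// Assumed config shape; the service key under `public` is the mistake to catch.
const badConfig = {
  public: { supabase: { url: "https://example.supabase.co", key: ANON_KEY, serviceKey: SERVICE_KEY } },
  supabase: { serviceKey: SERVICE_KEY },
};
```

Run it against the object a page actually exposes to see whether anything beyond the anon key has leaked; an anon key in `public` is expected, and what it can do is governed by RLS, not by hiding it.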

kartava commented 2 months ago

It seems this could be related to: https://github.com/nuxt-modules/supabase/issues/276