supabase / auth

A JWT based API for managing users and issuing JWT tokens
https://supabase.com/docs/guides/auth
MIT License

PUT /USER is abusable #1772

Open ZhenFTW opened 2 months ago

ZhenFTW commented 2 months ago

Bug report

Hi, I just noticed that the PUT /user endpoint can be abused for adding or putting data.

[screenshot not reproduced]

Is it intended?

ZhenFTW commented 2 months ago

This can be abused by anyone, simply because every authenticated user can access this endpoint, and they can flood the PUT /user endpoint to set user data. I think this could be disabled using an RLS policy, but seeing that this is the default behavior might not be a good idea.
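The point behind the report above, shown as an added example (this is not code from the issue or from supabase/auth): PUT /user is a self-service endpoint, so whatever a policy reads out of `user_metadata` can be rewritten by the very user the policy is about, while `app_metadata` can only be changed through the admin API with the service-role key. The project URL, anon key, `sub` value and the unsigned token are constructed placeholders; `simulate_put_user` is a hypothetical model of the endpoint's merge behaviour, not the server's code, and `build_put_user_request` only builds the request without sending it.

```python
import base64
import json
import urllib.request

# Constructed placeholders (assumptions): a hosted project exposes the
# endpoint at /auth/v1/user, a standalone auth server at /user.
BASE_URL = "https://project-ref.supabase.co"
ANON_KEY = "anon-key-placeholder"


def b64url(raw: bytes) -> str:
    """Base64url without padding, as used inside JWTs."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed token for offline use (alg=none, empty signature).
    A real access token is signed by the auth server; never accept alg=none."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."


def decode_claims(token: str) -> dict:
    """Decode (not verify) the payload segment, restoring base64 padding."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def build_put_user_request(access_token: str, data: dict) -> urllib.request.Request:
    """The request any signed-in user can send to change their own metadata.
    Only the 'data' field (user_metadata) is settable this way. Nothing is sent."""
    body = json.dumps({"data": data}).encode()
    return urllib.request.Request(
        f"{BASE_URL}/auth/v1/user",
        data=body,
        method="PUT",
        headers={
            "apikey": ANON_KEY,
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
        },
    )


def simulate_put_user(claims: dict, data: dict) -> dict:
    """Hypothetical model of the endpoint's effect on the user's next token:
    merge `data` into user_metadata, leave app_metadata untouched (assumption)."""
    new_claims = json.loads(json.dumps(claims))  # deep copy
    new_claims.setdefault("user_metadata", {}).update(data)
    return new_claims


def is_admin_unsafe(claims: dict) -> bool:
    """Authorization keyed on user_metadata: spoofable via PUT /user."""
    return claims.get("user_metadata", {}).get("role") == "admin"


def is_admin(claims: dict) -> bool:
    """Authorization keyed on app_metadata: only writable via the admin API."""
    return claims.get("app_metadata", {}).get("role") == "admin"


if __name__ == "__main__":
    before = {
        "sub": "00000000-0000-0000-0000-000000000000",  # constructed
        "role": "authenticated",
        "user_metadata": {},
        "app_metadata": {"provider": "email"},
    }
    token = make_unsigned_jwt(before)
    req = build_put_user_request(token, {"role": "admin"})
    after = simulate_put_user(decode_claims(token), {"role": "admin"})
    print(req.get_method(), req.full_url)
    print("unsafe check grants admin:", is_admin_unsafe(after))
    print("app_metadata check grants admin:", is_admin(after))
```

The same distinction applies in RLS: a policy that reads `auth.jwt() -> 'user_metadata'` trusts a value the caller can set with one PUT, whereas `auth.jwt() -> 'app_metadata'` only changes when a service-role caller sets it.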