Bug report
Describe the bug
In our app, we manage everything with the service role from the backend. We've updated our database role privileges and grants so that the anon and authenticated roles cannot access the public and storage schemas, since Supabase hardcodes these schemas as enabled in the client.
We use the client in our frontend app for authentication purposes using the anon_key. However, we noticed that even with the privileges revoked, even non-authenticated users could snoop using the different Supabase client functions like select and rpc.
To Reproduce
Steps to reproduce the behavior, please provide code snippets or a repository:
1. Use the supabase client
2. Revoke access, privileges and grants from anon/authenticated DB roles
3. Use any of the supabase client functions that query a table or call an RPC
4. See response messages and hints
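An added example, not part of this report and not Supabase's own tooling, of what the revoke step looks like in SQL for the public schema, followed by a verification query that shows what Postgres itself enforces for the two roles. It assumes the standard Supabase role names anon and authenticated and that the statements are run by the role that owns the objects (add FOR ROLE ... to ALTER DEFAULT PRIVILEGES if another role creates them). The same statements can be repeated for the storage schema, at the cost of breaking client-side Storage access for those roles.

```sql
-- Added example (not from the issue or from Supabase): lock the anon and
-- authenticated roles out of the public schema, then verify.
-- Assumes the standard Supabase role names anon and authenticated.

-- 1. Stop future objects from being granted to these roles automatically.
--    ALTER DEFAULT PRIVILEGES only covers objects created by the role that
--    runs it; add "FOR ROLE <creator>" for objects created by other roles.
ALTER DEFAULT PRIVILEGES IN SCHEMA public
  REVOKE ALL ON TABLES FROM anon, authenticated;
ALTER DEFAULT PRIVILEGES IN SCHEMA public
  REVOKE ALL ON FUNCTIONS FROM anon, authenticated;
ALTER DEFAULT PRIVILEGES IN SCHEMA public
  REVOKE ALL ON SEQUENCES FROM anon, authenticated;

-- 2. Revoke existing grants on tables, functions, sequences and the schema.
REVOKE ALL ON ALL TABLES IN SCHEMA public FROM anon, authenticated;
REVOKE ALL ON ALL FUNCTIONS IN SCHEMA public FROM anon, authenticated;
REVOKE ALL ON ALL SEQUENCES IN SCHEMA public FROM anon, authenticated;
REVOKE USAGE ON SCHEMA public FROM anon, authenticated;

-- 3. Verify from the database side: every column should read false.
--    schema_usage: can the role even resolve names in the schema?
--    any_select:   does the role keep SELECT on any table, view or matview?
SELECT r.rolname,
       has_schema_privilege(r.rolname, 'public', 'USAGE')          AS schema_usage,
       bool_or(has_table_privilege(r.rolname, c.oid, 'SELECT'))   AS any_select
FROM pg_roles r
CROSS JOIN pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE r.rolname IN ('anon', 'authenticated')
  AND n.nspname = 'public'
  AND c.relkind IN ('r', 'v', 'm')
GROUP BY r.rolname;
```

A false result here only proves that Postgres denies the access; whatever the API layer puts into its error message and hint for a request made with the anon key is a separate channel, which is the behaviour this report describes.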
Expected behavior
We don't want any details leakage in our API, and the Supabase client unfortunately acts as a vector to snoop around with the anon key for API details.