Commit 8e74150

fix: too wide permission on functions
1 parent 6c7dd80 commit 8e74150

4 files changed

+6583
-6673
lines changed


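--- a/src/pages/settings/account/ChangePassword.vue
+++ b/src/pages/settings/account/ChangePassword.vue
@@ -221,7 +221,9 @@ async function submit(form: { password: string, password_confirm: string }) {
 
 <!-- Password requirements list -->
 <div class="mb-4 p-3 bg-[#FFFBEC] rounded-md">
-<p class="text-sm font-medium text-[#973C00] mb-2">{{ t('password-must-meet') }}</p>
+<p class="text-sm font-medium text-[#973C00] mb-2">
+{{ t('password-must-meet') }}
+</p>
 <ul class="text-sm space-y-1">
 <li class="flex items-center gap-2">
 <svg class="w-4 h-4 shrink-0" viewBox="0 0 20 20" fill="currentColor">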
Lines changed: 156 additions & 0 deletions
@@ -0,0 +1,156 @@
1+
-- Revoke public access to internal cron/admin functions
2+
-- These functions are internal utilities that should only be called by postgres/service_role
3+
-- Many expose internal API secrets via get_apikey() or perform admin operations
4+
-- They should not be accessible to anon/authenticated users
5+
6+
-- =============================================================================
7+
-- PROCESS_FUNCTION_QUEUE - Core queue processing (uses get_apikey())
8+
-- =============================================================================
9+
REVOKE ALL ON FUNCTION "public"."process_function_queue" ("queue_names" "text"[], "batch_size" integer) FROM "anon";
10+
REVOKE ALL ON FUNCTION "public"."process_function_queue" ("queue_names" "text"[], "batch_size" integer) FROM "authenticated";
11+
12+
REVOKE ALL ON FUNCTION "public"."process_function_queue" ("queue_name" "text", "batch_size" integer) FROM "anon";
13+
REVOKE ALL ON FUNCTION "public"."process_function_queue" ("queue_name" "text", "batch_size" integer) FROM "authenticated";
14+
15+
-- =============================================================================
16+
-- CRON/QUEUE PROCESSING FUNCTIONS (internal scheduler functions)
17+
-- =============================================================================
18+
REVOKE ALL ON FUNCTION "public"."process_admin_stats"() FROM "anon";
19+
REVOKE ALL ON FUNCTION "public"."process_admin_stats"() FROM "authenticated";
20+
21+
REVOKE ALL ON FUNCTION "public"."process_all_cron_tasks"() FROM "anon";
22+
REVOKE ALL ON FUNCTION "public"."process_all_cron_tasks"() FROM "authenticated";
23+
24+
REVOKE ALL ON FUNCTION "public"."process_billing_period_stats_email"() FROM "anon";
25+
REVOKE ALL ON FUNCTION "public"."process_billing_period_stats_email"() FROM "authenticated";
26+
27+
REVOKE ALL ON FUNCTION "public"."process_channel_device_counts_queue"("batch_size" integer) FROM "anon";
28+
REVOKE ALL ON FUNCTION "public"."process_channel_device_counts_queue"("batch_size" integer) FROM "authenticated";
29+
30+
REVOKE ALL ON FUNCTION "public"."process_cron_stats_jobs"() FROM "anon";
31+
REVOKE ALL ON FUNCTION "public"."process_cron_stats_jobs"() FROM "authenticated";
32+
33+
REVOKE ALL ON FUNCTION "public"."process_deploy_install_stats_email"() FROM "anon";
34+
REVOKE ALL ON FUNCTION "public"."process_deploy_install_stats_email"() FROM "authenticated";
35+
36+
REVOKE ALL ON FUNCTION "public"."process_stats_email_monthly"() FROM "anon";
37+
REVOKE ALL ON FUNCTION "public"."process_stats_email_monthly"() FROM "authenticated";
38+
39+
REVOKE ALL ON FUNCTION "public"."process_stats_email_weekly"() FROM "anon";
40+
REVOKE ALL ON FUNCTION "public"."process_stats_email_weekly"() FROM "authenticated";
41+
42+
-- =============================================================================
43+
-- CLEANUP/MAINTENANCE FUNCTIONS (should only run via cron)
44+
-- =============================================================================
45+
REVOKE ALL ON FUNCTION "public"."cleanup_expired_apikeys"() FROM "anon";
46+
REVOKE ALL ON FUNCTION "public"."cleanup_expired_apikeys"() FROM "authenticated";
47+
48+
REVOKE ALL ON FUNCTION "public"."cleanup_frequent_job_details"() FROM "anon";
49+
REVOKE ALL ON FUNCTION "public"."cleanup_frequent_job_details"() FROM "authenticated";
50+
51+
REVOKE ALL ON FUNCTION "public"."cleanup_job_run_details_7days"() FROM "anon";
52+
REVOKE ALL ON FUNCTION "public"."cleanup_job_run_details_7days"() FROM "authenticated";
53+
54+
REVOKE ALL ON FUNCTION "public"."cleanup_old_audit_logs"() FROM "anon";
55+
REVOKE ALL ON FUNCTION "public"."cleanup_old_audit_logs"() FROM "authenticated";
56+
57+
REVOKE ALL ON FUNCTION "public"."cleanup_queue_messages"() FROM "anon";
58+
REVOKE ALL ON FUNCTION "public"."cleanup_queue_messages"() FROM "authenticated";
59+
60+
REVOKE ALL ON FUNCTION "public"."cleanup_webhook_deliveries"() FROM "anon";
61+
REVOKE ALL ON FUNCTION "public"."cleanup_webhook_deliveries"() FROM "authenticated";
62+
63+
REVOKE ALL ON FUNCTION "public"."remove_old_jobs"() FROM "anon";
64+
REVOKE ALL ON FUNCTION "public"."remove_old_jobs"() FROM "authenticated";
65+
66+
REVOKE ALL ON FUNCTION "public"."expire_usage_credits"() FROM "anon";
67+
REVOKE ALL ON FUNCTION "public"."expire_usage_credits"() FROM "authenticated";
68+
69+
REVOKE ALL ON FUNCTION "public"."delete_old_deleted_apps"() FROM "anon";
70+
REVOKE ALL ON FUNCTION "public"."delete_old_deleted_apps"() FROM "authenticated";
71+
72+
-- =============================================================================
73+
-- SENSITIVE DATA/ADMIN FUNCTIONS
74+
-- =============================================================================
75+
-- get_db_url exposes database connection string
76+
REVOKE ALL ON FUNCTION "public"."get_db_url"() FROM "anon";
77+
REVOKE ALL ON FUNCTION "public"."get_db_url"() FROM "authenticated";
78+
79+
-- Admin statistics functions - internal use only
80+
REVOKE ALL ON FUNCTION "public"."get_customer_counts"() FROM "anon";
81+
REVOKE ALL ON FUNCTION "public"."get_customer_counts"() FROM "authenticated";
82+
83+
REVOKE ALL ON FUNCTION "public"."get_update_stats"() FROM "anon";
84+
REVOKE ALL ON FUNCTION "public"."get_update_stats"() FROM "authenticated";
85+
86+
-- =============================================================================
87+
-- TRIGGER FUNCTIONS (should never be called directly)
88+
-- =============================================================================
89+
REVOKE ALL ON FUNCTION "public"."enqueue_channel_device_counts"() FROM "anon";
90+
REVOKE ALL ON FUNCTION "public"."enqueue_channel_device_counts"() FROM "authenticated";
91+
92+
REVOKE ALL ON FUNCTION "public"."enqueue_credit_usage_alert"() FROM "anon";
93+
REVOKE ALL ON FUNCTION "public"."enqueue_credit_usage_alert"() FROM "authenticated";
94+
95+
REVOKE ALL ON FUNCTION "public"."audit_log_trigger"() FROM "anon";
96+
REVOKE ALL ON FUNCTION "public"."audit_log_trigger"() FROM "authenticated";
97+
98+
REVOKE ALL ON FUNCTION "public"."auto_apikey_name_by_id"() FROM "anon";
99+
REVOKE ALL ON FUNCTION "public"."auto_apikey_name_by_id"() FROM "authenticated";
100+
101+
REVOKE ALL ON FUNCTION "public"."auto_owner_org_by_app_id"() FROM "anon";
102+
REVOKE ALL ON FUNCTION "public"."auto_owner_org_by_app_id"() FROM "authenticated";
103+
104+
REVOKE ALL ON FUNCTION "public"."check_if_org_can_exist"() FROM "anon";
105+
REVOKE ALL ON FUNCTION "public"."check_if_org_can_exist"() FROM "authenticated";
106+
107+
REVOKE ALL ON FUNCTION "public"."check_org_user_privileges"() FROM "anon";
108+
REVOKE ALL ON FUNCTION "public"."check_org_user_privileges"() FROM "authenticated";
109+
110+
REVOKE ALL ON FUNCTION "public"."force_valid_user_id_on_app"() FROM "anon";
111+
REVOKE ALL ON FUNCTION "public"."force_valid_user_id_on_app"() FROM "authenticated";
112+
113+
REVOKE ALL ON FUNCTION "public"."generate_org_on_user_create"() FROM "anon";
114+
REVOKE ALL ON FUNCTION "public"."generate_org_on_user_create"() FROM "authenticated";
115+
116+
REVOKE ALL ON FUNCTION "public"."generate_org_user_on_org_create"() FROM "anon";
117+
REVOKE ALL ON FUNCTION "public"."generate_org_user_on_org_create"() FROM "authenticated";
118+
119+
REVOKE ALL ON FUNCTION "public"."noupdate"() FROM "anon";
120+
REVOKE ALL ON FUNCTION "public"."noupdate"() FROM "authenticated";
121+
122+
REVOKE ALL ON FUNCTION "public"."record_deployment_history"() FROM "anon";
123+
REVOKE ALL ON FUNCTION "public"."record_deployment_history"() FROM "authenticated";
124+
125+
REVOKE ALL ON FUNCTION "public"."trigger_webhook_on_audit_log"() FROM "anon";
126+
REVOKE ALL ON FUNCTION "public"."trigger_webhook_on_audit_log"() FROM "authenticated";
127+
128+
REVOKE ALL ON FUNCTION "public"."update_webhook_updated_at"() FROM "anon";
129+
REVOKE ALL ON FUNCTION "public"."update_webhook_updated_at"() FROM "authenticated";
130+
131+
-- =============================================================================
132+
-- INTERNAL CREDIT/BILLING FUNCTIONS (admin operations)
133+
-- =============================================================================
134+
REVOKE ALL ON FUNCTION "public"."apply_usage_overage"("p_org_id" "uuid", "p_metric" "public"."credit_metric_type", "p_overage_amount" numeric, "p_billing_cycle_start" timestamp with time zone, "p_billing_cycle_end" timestamp with time zone, "p_details" "jsonb") FROM "anon";
135+
REVOKE ALL ON FUNCTION "public"."apply_usage_overage"("p_org_id" "uuid", "p_metric" "public"."credit_metric_type", "p_overage_amount" numeric, "p_billing_cycle_start" timestamp with time zone, "p_billing_cycle_end" timestamp with time zone, "p_details" "jsonb") FROM "authenticated";
136+
137+
REVOKE ALL ON FUNCTION "public"."calculate_credit_cost"("p_metric" "public"."credit_metric_type", "p_overage_amount" numeric) FROM "anon";
138+
REVOKE ALL ON FUNCTION "public"."calculate_credit_cost"("p_metric" "public"."credit_metric_type", "p_overage_amount" numeric) FROM "authenticated";
139+
140+
REVOKE ALL ON FUNCTION "public"."top_up_usage_credits"("p_org_id" "uuid", "p_amount" numeric, "p_expires_at" timestamp with time zone, "p_source" "text", "p_source_ref" "jsonb", "p_notes" "text") FROM "anon";
141+
REVOKE ALL ON FUNCTION "public"."top_up_usage_credits"("p_org_id" "uuid", "p_amount" numeric, "p_expires_at" timestamp with time zone, "p_source" "text", "p_source_ref" "jsonb", "p_notes" "text") FROM "authenticated";
142+
143+
-- =============================================================================
144+
-- HTTP/QUEUE INTERNAL FUNCTIONS
145+
-- =============================================================================
146+
REVOKE ALL ON FUNCTION "public"."delete_http_response"("request_id" bigint) FROM "anon";
147+
REVOKE ALL ON FUNCTION "public"."delete_http_response"("request_id" bigint) FROM "authenticated";
148+
149+
REVOKE ALL ON FUNCTION "public"."mass_edit_queue_messages_cf_ids"("updates" "public"."message_update"[]) FROM "anon";
150+
REVOKE ALL ON FUNCTION "public"."mass_edit_queue_messages_cf_ids"("updates" "public"."message_update"[]) FROM "authenticated";
151+
152+
-- =============================================================================
153+
-- PG_LOG FUNCTION (internal debugging - could leak sensitive info)
154+
-- =============================================================================
155+
REVOKE ALL ON FUNCTION "public"."pg_log"("decision" "text", "input" "jsonb") FROM "anon";
156+
REVOKE ALL ON FUNCTION "public"."pg_log"("decision" "text", "input" "jsonb") FROM "authenticated";
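Review bot: Every statement in this migration revokes only from `anon` and `authenticated`, but PostgreSQL grants EXECUTE on a newly created function to PUBLIC by default, and revoking from a named role does not remove a privilege that role still inherits through PUBLIC — so unless these functions were created with the PUBLIC grant already stripped (not visible here), the API roles can still call `get_db_url`, `process_function_queue` and the rest after this change. Each function should also be revoked from PUBLIC, which can be folded into the existing statements, e.g. `REVOKE ALL ON FUNCTION "public"."get_db_url"() FROM PUBLIC, "anon", "authenticated";`. Because a later `DROP FUNCTION`/`CREATE FUNCTION` in another migration reinstates the default grant (`CREATE OR REPLACE` keeps the ACL, a drop-and-recreate does not), a header comment such as `-- NOTE: any new internal function must repeat this REVOKE (or change ALTER DEFAULT PRIVILEGES for the schema)` would keep the next migration from silently reopening these. The migration's file path is not shown on this page, so I cannot confirm which schema's default privileges apply.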
