Add Supabase security migration: RLS + view security_invoker

ctrimm · claude · ctrimm · commit 3ef3d35f2a99 · 2026-02-21T08:32:18.000-05:00
Fixes four Supabase Security Advisor warnings:

1. ALTER VIEW recent_unresolved_errors SET (security_invoker = true)
   — prevents view owner's elevated permissions from bypassing RLS

2. Enable RLS on error_log with no public policies
   — service_role (cron) bypasses RLS; anon gets no access

3. Enable RLS on monitored_sites + SELECT policy for anon/authenticated
   — Lambda functions read via anon key; cron writes via service_role

4. Enable RLS on website_emissions + SELECT policy for anon/authenticated
   — Lambda functions read via anon key; cron writes via service_role

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/supabase/migrations/20260221000000_fix_security_issues.sql b/supabase/migrations/20260221000000_fix_security_issues.sql
@@ -0,0 +1,50 @@
+-- Migration: Fix Supabase security advisor warnings
+-- Date: 2026-02-21
+--
+-- Apply in the Supabase SQL Editor (Dashboard → SQL Editor → New query).
+-- Safe to run multiple times (uses IF EXISTS / OR REPLACE where needed).
+
+-- ============================================================
+-- 1. Fix SECURITY DEFINER view
+--    Switch recent_unresolved_errors to SECURITY INVOKER so that
+--    RLS policies of the *querying* user are enforced rather than
+--    those of the view owner (postgres / supabase_admin).
+--    Requires PostgreSQL 15+ — Supabase is on PG15+.
+-- ============================================================
+ALTER VIEW public.recent_unresolved_errors SET (security_invoker = true);
+
+
+-- ============================================================
+-- 2. error_log — enable RLS, no public access
+--    The cron job writes via service_role which bypasses RLS.
+--    No anon/authenticated role should read this internal table.
+-- ============================================================
+ALTER TABLE public.error_log ENABLE ROW LEVEL SECURITY;
+
+
+-- ============================================================
+-- 3. monitored_sites — enable RLS, public read-only
+--    Lambda functions query this table with the anon key.
+--    All writes come from service_role (bypasses RLS).
+-- ============================================================
+ALTER TABLE public.monitored_sites ENABLE ROW LEVEL SECURITY;
+
+CREATE POLICY "Allow public read access on monitored_sites"
+  ON public.monitored_sites
+  FOR SELECT
+  TO anon, authenticated
+  USING (true);
+
+
+-- ============================================================
+-- 4. website_emissions — enable RLS, public read-only
+--    Lambda functions query this table with the anon key.
+--    All writes come from the cron job via service_role (bypasses RLS).
+-- ============================================================
+ALTER TABLE public.website_emissions ENABLE ROW LEVEL SECURITY;
+
+CREATE POLICY "Allow public read access on website_emissions"
+  ON public.website_emissions
+  FOR SELECT
+  TO anon, authenticated
+  USING (true);
