Skip to content

Submission fails with RLS policy violation on submissions table #41

@dot-agi

Description

@dot-agi

Bug Report

Submitting cc.json data via the website UI fails with the following error:

Failed to create submission: new row violates row-level security policy for table "submissions"

Root Cause Analysis

The RLS policy on the submissions table (defined in supabase/migrations/001_initial_schema.sql) only grants INSERT access to service_role:

CREATE POLICY "Service write submissions" ON submissions
  FOR ALL USING (auth.role() = 'service_role');

The server-side data layer (src/lib/data/supabase/client.ts) creates the Supabase client with the service role key in createSupabaseServerDataLayer():

export function createSupabaseServerDataLayer(): DataLayer {
  const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL;
  const supabaseServiceKey = process.env.SUPABASE_SERVICE_ROLE_KEY;
  // ...
  const client = createClient(supabaseUrl, supabaseServiceKey);
  return new SupabaseDataLayer(client);
}

The RLS error indicates that the insert is being executed with the anon key rather than the service role key. This suggests SUPABASE_SERVICE_ROLE_KEY may be missing or misconfigured in the deployment environment, causing a fallback or the wrong client to be used.

Steps to Reproduce

  1. Go to the viberank website
  2. Submit a valid cc.json file
  3. Observe the RLS policy violation error

Expected Behavior

The /api/submit route should use the service role key for database writes, bypassing RLS as intended.

Suggested Fix

Verify that SUPABASE_SERVICE_ROLE_KEY is correctly set in the deployment environment (e.g., Vercel). Also consider adding a more descriptive error message in createSupabaseServerDataLayer() when the key is missing, rather than silently falling back.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions