Submission fails with RLS policy violation on submissions table #41
Description
Bug Report
Submitting cc.json data via the website UI fails with the following error:
Failed to create submission: new row violates row-level security policy for table "submissions"
Root Cause Analysis
The RLS policy on the submissions table (defined in supabase/migrations/001_initial_schema.sql) only grants INSERT access to service_role:
CREATE POLICY "Service write submissions" ON submissions
FOR ALL USING (auth.role() = 'service_role');The server-side data layer (src/lib/data/supabase/client.ts) creates the Supabase client with the service role key in createSupabaseServerDataLayer():
export function createSupabaseServerDataLayer(): DataLayer {
const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL;
const supabaseServiceKey = process.env.SUPABASE_SERVICE_ROLE_KEY;
// ...
const client = createClient(supabaseUrl, supabaseServiceKey);
return new SupabaseDataLayer(client);
}The RLS error indicates that the insert is being executed with the anon key rather than the service role key. This suggests SUPABASE_SERVICE_ROLE_KEY may be missing or misconfigured in the deployment environment, causing a fallback or the wrong client to be used.
Steps to Reproduce
- Go to the viberank website
- Submit a valid cc.json file
- Observe the RLS policy violation error
Expected Behavior
The /api/submit route should use the service role key for database writes, bypassing RLS as intended.
Suggested Fix
Verify that SUPABASE_SERVICE_ROLE_KEY is correctly set in the deployment environment (e.g., Vercel). Also consider adding a more descriptive error message in createSupabaseServerDataLayer() when the key is missing, rather than silently falling back.