feat: add origin protection header

hf · hf · commit 004dd15d51a7 · 2024-08-19T15:12:37.000+02:00
diff --git a/ansible/files/envoy_config/lds.yaml b/ansible/files/envoy_config/lds.yaml
@@ -37,6 +37,28 @@ resources:
                     rules:
                       action: DENY
                       policies:
+                        origin_protection_key_missing:
+                          permissions:
+                            - any: true
+                          principals:
+                            - not_id:
+                                or_ids:
+                                  ids:
+                                    - header:
+                                        name: x-sb-origin-protection-key
+                                        present_match: true
+                        origin_protection_key_not_valid:
+                          permissions:
+                            - any: true
+                          principals:
+                            - not_id:
+                                or_ids:
+                                  ids:
+                                    # when rolling over the key add a new entry here, deploy, then remove the old key and deploy again
+                                    - header:
+                                        name: x-sb-origin-protection-key
+                                        string_match:
+                                          exact: origin_protection_key
                         api_key_missing:
                           permissions:
                             - any: true
diff --git a/ansible/files/envoy_config/remove_apikey_query_parameter.lua b/ansible/files/envoy_config/remove_apikey_query_parameter.lua
@@ -5,4 +5,9 @@ function envoy_on_request(request_handle)
   request_handle
     :headers()
     :replace(":path", path:gsub("([&?])apikey=[^&]+&?", "%1"):gsub("&$", ""))
+
+  -- Removes the x-sb-origin-protection-key as it can be inspected via PostgREST pre-request hook, etc.
+  request_handle
+    :headers()
+    :replace("x-sb-origin-protection-key", "")
 end
diff --git a/docker/all-in-one/init/configure-envoy.sh b/docker/all-in-one/init/configure-envoy.sh
@@ -42,6 +42,7 @@ sed -i -e "s|anon_key|${ANON_KEY}|g" \
   -e "s|service_key|${SERVICE_ROLE_KEY}|g" \
   -e "s|supabase_admin_key|${ADMIN_API_KEY}|g" \
   -e "s|c2VydmljZV9yb2xlOnNlcnZpY2Vfa2V5|$(echo -n "service_role:${SERVICE_ROLE_KEY}" | base64 --wrap 0)|g" \
+  -e "s|origin_protection_key|${ORIGIN_PROTECTION_KEY}|g" \
   "${ENVOY_LDS_CONF}"
 
 # Update Envoy ports
