diff --git a/.github/workflows/authorize-vercel-deploys.yml b/.github/workflows/authorize-vercel-deploys.yml new file mode 100644 index 0000000000000..6a72b23d7a6ad --- /dev/null +++ b/.github/workflows/authorize-vercel-deploys.yml @@ -0,0 +1,50 @@ +name: Authorize Vercel Deploys + +# This workflow is triggered by the validate-pr workflow. When it's triggered, it will run the +# authorize-vercel-deploys.yml in master branch. If you want to change it, you'll have to merge it into master. +on: + # only run this workflow when the validate-pr workflow completes (successfully or not) + workflow_run: + workflows: ['Validate pull request'] + types: [completed] + +# Cancel old builds on new commit for same workflow + branch/PR. +concurrency: + group: ${{ github.workflow }}-${{ github.event.workflow_run.head_branch || github.ref }} + cancel-in-progress: true + +permissions: + contents: read + +jobs: + authorize-vercel-deploys: + runs-on: blacksmith-4vcpu-ubuntu-2404 + + steps: + # Checkout the master branch from the supabase repo and run that script to authorize Vercel deploys + - name: Check out repo + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 + with: + ref: master + # fetch only the root files and scripts folder + sparse-checkout: | + scripts + - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0 + name: Install pnpm + with: + run_install: false + - name: Setup node + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 + with: + node-version-file: '.nvmrc' + cache: 'pnpm' + - name: Download dependencies + run: | + pnpm install --frozen-lockfile + - name: Authorize Vercel Deploys + run: |- + pnpm run authorize-vercel-deploys + env: + VERCEL_TOKEN: ${{ secrets.VERCEL_TOKEN }} + # The SHA of the commit that triggered the validate-pr workflow + HEAD_COMMIT_SHA: ${{ github.event.workflow_run.head_sha }} diff --git a/.github/workflows/validate-pr.yml b/.github/workflows/validate-pr.yml index b8b4226b25d64..ffb9c43ca9500 100644 --- a/.github/workflows/validate-pr.yml +++ b/.github/workflows/validate-pr.yml @@ -1,5 +1,6 @@ name: Validate pull request +# This workflow will trigger the authorize-vercel-deploys workflow when it's finished. on: pull_request: types: [opened, labeled, unlabeled, synchronize, ready_for_review] diff --git a/apps/docs/public/humans.txt b/apps/docs/public/humans.txt index fe640a61f1109..5df37c22d4130 100644 --- a/apps/docs/public/humans.txt +++ b/apps/docs/public/humans.txt @@ -171,6 +171,7 @@ Steven Eubank Stojan Dimitrovski Sugu Sougoumarane Supun Sudaraka Kalidasa +Taha Le Bras Taryn King Terry Sutton Thomas E diff --git a/apps/docs/spec/common-cli-sections.json b/apps/docs/spec/common-cli-sections.json index 43ece8d6f388c..ebec574b2cbf0 100644 --- a/apps/docs/spec/common-cli-sections.json +++ b/apps/docs/spec/common-cli-sections.json @@ -208,6 +208,12 @@ "title": "Apply pending migration files", "slug": "supabase-migration-up", "type": "cli-command" + }, + { + "id": "supabase-migration-down", + "title": "Reset migrations to a prior version", + "slug": "supabase-migration-down", + "type": "cli-command" } ] }, diff --git a/apps/studio/components/interfaces/Organization/Documents/SOC2.tsx b/apps/studio/components/interfaces/Organization/Documents/SOC2.tsx index 7c77b0d90bbde..4a097721b55c0 100644 --- a/apps/studio/components/interfaces/Organization/Documents/SOC2.tsx +++ b/apps/studio/components/interfaces/Organization/Documents/SOC2.tsx @@ -12,6 +12,7 @@ import { import NoPermission from 'components/ui/NoPermission' import { getDocument } from 'data/documents/document-query' import { useSendEventMutation } from 'data/telemetry/send-event-mutation' +import { useCheckEntitlements } from 'hooks/misc/useCheckEntitlements' import { useAsyncCheckPermissions } from 'hooks/misc/useCheckPermissions' import { useSelectedOrganizationQuery } from 'hooks/misc/useSelectedOrganization' import { Button } from 'ui' @@ -27,8 +28,8 @@ export const SOC2 = () => { PermissionAction.BILLING_READ, 'stripe.subscriptions' ) - - const currentPlan = organization?.plan + const { hasAccess: hasAccessToSoc2Report, isLoading: isLoadingEntitlement } = + useCheckEntitlements('security.soc2_report') const [isOpen, setIsOpen] = useState(false) @@ -37,11 +38,23 @@ export const SOC2 = () => { const soc2Link = await getDocument({ orgSlug, docType: 'soc2-type-2-report' }) if (soc2Link?.fileUrl) window.open(soc2Link.fileUrl, '_blank') setIsOpen(false) - } catch (error: any) { - toast.error(`Failed to download SOC2 report: ${error.message}`) + } catch (error: unknown) { + const message = error instanceof Error ? error.message : 'Unknown error occurred' + toast.error(`Failed to download SOC2 report: ${message}`) } } + const handleDownloadClick = () => { + if (!slug) return + + sendEvent({ + action: 'document_view_button_clicked', + properties: { documentName: 'SOC2' }, + groups: { organization: slug }, + }) + setIsOpen(true) + } + return ( @@ -53,34 +66,28 @@ export const SOC2 = () => { - {isLoadingPermissions ? ( + {isLoadingPermissions || isLoadingEntitlement ? (
) : !canReadSubscriptions ? ( + ) : !hasAccessToSoc2Report ? ( +
+ + + +
) : (
- {currentPlan?.id === 'free' || currentPlan?.id === 'pro' ? ( - - - - ) : ( - - )} +
)} { PermissionAction.BILLING_READ, 'stripe.subscriptions' ) - - const currentPlan = organization?.plan + const { hasAccess: hasAccessToQuestionnaire, isLoading: isLoadingEntitlement } = + useCheckEntitlements('security.questionnaire') const fetchQuestionnaire = async (orgSlug: string) => { try { @@ -35,11 +36,23 @@ export const SecurityQuestionnaire = () => { docType: 'standard-security-questionnaire', }) if (questionnaireLink?.fileUrl) window.open(questionnaireLink.fileUrl, '_blank') - } catch (error: any) { - toast.error(`Failed to download Security Questionnaire: ${error.message}`) + } catch (error: unknown) { + const message = error instanceof Error ? error.message : 'Unknown error occurred' + toast.error(`Failed to download Security Questionnaire: ${message}`) } } + const handleDownloadClick = () => { + if (!slug) return + + sendEvent({ + action: 'document_view_button_clicked', + properties: { documentName: 'Standard Security Questionnaire' }, + groups: { organization: slug }, + }) + fetchQuestionnaire(slug) + } + return ( <> @@ -53,39 +66,31 @@ export const SecurityQuestionnaire = () => { - {isLoadingPermissions ? ( + {isLoadingPermissions || isLoadingEntitlement ? (
) : !canReadSubscriptions ? ( + ) : !hasAccessToQuestionnaire ? ( +
+ + + +
) : ( - <> -
- {currentPlan?.id === 'free' || currentPlan?.id === 'pro' ? ( - - - - ) : ( - - )} -
- +
+ +
)} diff --git a/apps/studio/components/interfaces/Settings/Integrations/AWSPrivateLink/AWSPrivateLinkSection.tsx b/apps/studio/components/interfaces/Settings/Integrations/AWSPrivateLink/AWSPrivateLinkSection.tsx index 95176c3344184..3ac613b285f68 100644 --- a/apps/studio/components/interfaces/Settings/Integrations/AWSPrivateLink/AWSPrivateLinkSection.tsx +++ b/apps/studio/components/interfaces/Settings/Integrations/AWSPrivateLink/AWSPrivateLinkSection.tsx @@ -11,7 +11,7 @@ import { ResourceList } from 'components/ui/Resource/ResourceList' import { UpgradeToPro } from 'components/ui/UpgradeToPro' import { useAWSAccountDeleteMutation } from 'data/aws-accounts/aws-account-delete-mutation' import { useAWSAccountsQuery } from 'data/aws-accounts/aws-accounts-query' -import { useSelectedOrganizationQuery } from 'hooks/misc/useSelectedOrganization' +import { useCheckEntitlements } from 'hooks/misc/useCheckEntitlements' import { useSelectedProjectQuery } from 'hooks/misc/useSelectedProject' import { IS_PLATFORM } from 'lib/constants' import { Button, Card, CardContent, cn } from 'ui' @@ -22,7 +22,6 @@ import { AWSPrivateLinkForm } from './AWSPrivateLinkForm' export const AWSPrivateLinkSection = () => { const { data: project } = useSelectedProjectQuery() - const { data: organization } = useSelectedOrganizationQuery() const { data: accounts } = useAWSAccountsQuery({ projectRef: project?.ref }) const [selectedAccount, setSelectedAccount] = useState(null) @@ -37,9 +36,8 @@ export const AWSPrivateLinkSection = () => { }, }) - const isTeamsOrEnterpriseAndUp = - organization?.plan?.id === 'enterprise' || organization?.plan?.id === 'team' - const promptPlanUpgrade = IS_PLATFORM && !isTeamsOrEnterpriseAndUp + const { hasAccess: hasPrivateLinkAccess } = useCheckEntitlements('security.private_link') + const promptPlanUpgrade = IS_PLATFORM && !hasPrivateLinkAccess const onAddAccount = () => { setSelectedAccount(null) diff --git a/apps/www/_blog/2026-01-07-supabase-security-2025-retro.mdx b/apps/www/_blog/2026-01-07-supabase-security-2025-retro.mdx new file mode 100644 index 0000000000000..19b3e6cff1b7c --- /dev/null +++ b/apps/www/_blog/2026-01-07-supabase-security-2025-retro.mdx @@ -0,0 +1,267 @@ +--- +title: 'Supabase Security Retro: 2025' +description: 'A summary of Supabase platform security changes made in 2025 and the security defaults planned for 2026.' +categories: + - product +tags: + - security +date: '2026-01-07' +toc_depth: 3 +author: bilharmer,paul_copplestone +image: 2026/security-retro/og.png +thumb: 2026/security-retro/thumb.png +--- + +This post covers security changes made to the Supabase platform in 2025 and what to expect in 2026. Some changes may be breaking. + +Postgres Row Level Security (RLS) is powerful but can be complex for developers new to the pattern. Most of the changes in 2025 focused on safer defaults and better tooling to make security more accessible. + +We'll cover what shipped in 2025 and outline planned improvements for 2026. + +## Disabling the Data API when creating a project + +Disabling Data API on project creation + +New projects can disable the Data API entirely or change the default schema from `public` to a custom schema like `api`. This gives you control over what's exposed via the auto-generated REST and GraphQL APIs. + +## Disabling the Data API on existing projects + +Disabling Data API in project settings + +Existing projects can disable the Data API in project settings. Once disabled, you can continue to use the database like standard Postgres (similar to RDS), connecting directly or through the connection pooler. + +## New API keys + +New API key management interface + +The new API key model replaces long-lived JWT-based anon and service_role keys. Projects now use `publishable` keys for low-privilege access and multiple revocable `secret` keys for elevated access. Keys can be rotated instantly, audited, and scoped more granularly. This improves key management workflows, particularly around rotation and auditing. Legacy keys remain available during migration but will be removed in late 2026. + +## Asymmetric JWTs + +Asymmetric JWT signing flow + +The new API key system supports asymmetric JWTs (signed with private keys, verified with public keys). This enables safer key distribution and rotation compared to shared secrets. It also reduces the impact if a signing key is compromised. + +## Revoking leaked keys via GitHub Secret Scanning + +GitHub secret scanning and key revocation + +With the new API key formats, Supabase automatically revokes secret keys that are detected in public GitHub repositories. When a leak is detected, we immediately revoke the key and notify the project owner with instructions to rotate it. + +## RLS by default for new tables + +RLS enabled by default for new tables + +For tables created via the dashboard, RLS is enabled by default. Tables are protected from the moment they're created, following the principle of secure by default. + +## Automatically enable RLS when tables are created + +Event trigger configuration for automatic RLS + +If you create tables using external tools or migrations that don't enable RLS, you can use Postgres Event Triggers to enforce RLS automatically. We added Event Triggers to the platform in 2025, [documented](/docs/guides/database/postgres/event-triggers#example-trigger-function---auto-enable-row-level-security) how to set up automatic RLS enforcement for any table creation method, and added a one-click setup in the dashboard. + +## Clear labels when tables are exposed + +Clear labels when tables are exposed + +The Table Editor now shows a clear warning label for any table that has RLS disabled. This makes it immediately obvious which tables are exposed via the API without row-level security policies. + +## Security alerts for tables without RLS + +Security alert for tables without RLS + +If you create any tables with RLS disabled, Supabase sends email alerts to project owners. These alerts also appear in the dashboard, making it easy to identify and secure tables before deploying to production. + +## Security Advisors + +Security Advisors weekly report + +Security Advisors scan your project for misconfigurations using [Splinter](https://supabase.github.io/splinter/), an open-source security linter for Postgres. Advisors check for common patterns like tables without RLS, policies that could be more restrictive, and exposed sensitive columns. Organization owners receive weekly security emails summarizing any findings. All detected issues are also visible in the dashboard with recommended fixes. + +## Fixing security issues with AI + +AI-powered security issue fixes + +The dashboard includes an Assistant that helps fix security issues detected by Security Advisors. When viewing alerts, you can ask the Assistant to generate and apply RLS policies. Describe your security requirements in plain text and the Assistant will generate the corresponding policy SQL. The Assistant can also suggest improvements for policies and configurations. This helps developers write correct RLS policies more quickly. + +Security Advisors are also available through our MCP server, allowing developers to scan and fix all security issues from their development environment with a simple command. This integrates security checks directly into your workflow. + +## Column-level security + +Column-level privilege configuration + +Postgres supports column-level privileges that restrict access to specific columns in a table. This is useful for sensitive data like social security numbers, salaries, or other PII. You can grant SELECT access to a table while excluding specific columns, and those columns won't appear in API responses or queries unless the user has explicit column access. + +Column-level security works independently from RLS. You can use both together: RLS controls which rows a user can access, while column privileges control which columns they can see within those rows. + +## Custom Claims and RBAC + +Custom claims for RBAC + +[Custom claims](/docs/guides/database/postgres/custom-claims-and-role-based-access-control-rbac) let you add metadata to JWTs for role-based access control (RBAC). Instead of writing RLS policies for each table, you can embed role information in the authentication token and check it in your policies. This works well if you're migrating from traditional RBAC systems or prefer centralized role management. + +## VPC / Private Link on AWS + +AWS PrivateLink configuration + +[PrivateLink](/docs/guides/platform/privatelink) connects your VPC directly to Supabase infrastructure without traversing the public internet. This reduces attack surface and improves latency. Enable it from the project settings in the dashboard. + +## Restricting direct access to your Postgres database + +IP allowlist configuration + +All Supabase databases run fail2ban to automatically block IPs after failed login attempts. You can also [configure IP allowlists](https://supabase.com/docs/guides/platform/network-restrictions) to restrict database access to specific trusted addresses. + +## OpenAPI spec restricted with publishable keys + +The OpenAPI spec is no longer publicly visible when using the new `publishable` keys. Previously, anyone with an anon key could view your complete API schema, including all tables and columns. With publishable keys, the OpenAPI spec requires elevated permissions. This prevents unauthorized schema enumeration and reduces information disclosure. + +## Continuous Researcher Engagement: HackerOne VDP + +Supabase runs continuous security testing using external researchers in both red team and purple team engagements. Red team testing is adversarial and unannounced. Purple team testing is collaborative and focuses on validating controls and isolation boundaries. + +In addition to scheduled testing, we operate an active vulnerability disclosure program on HackerOne. Since launch, we have resolved 139 reports from 96 researchers. In the last 90 days, we received 42 reports. The most recent resolution was 13 days ago. This program runs continuously. + +Response targets + +- First response: 2 business days (median 8 hours) +- Triage: 5 business days (median 10 hours) +- Resolution: severity-dependent (median 2 days) + +We prioritize fast responses because slow acknowledgment reduces researcher participation. + +### Scope + +The VDP covers Supabase platform infrastructure, including PostgREST exposure, authentication flows, service role isolation, Realtime subscriptions, Storage access controls, Edge Functions, and network segmentation. Researchers may only test their own projects. Automated scanning requires prior notice to security@supabase.io. + +### Recognition and bounties + +The program is currently recognition-only. Paid bounties will launch in 2026, scaled by severity and impact. + +### Use of findings + +Validated issues are not only patched. They feed into platform hardening, detection rules, and architectural reviews. For example, an auth bypass report triggers audits for similar patterns and often results in new automated checks. + +This program complements scheduled testing by providing continuous external validation of the platform security boundaries. Supabase secures the platform. Application-level security remains the responsibility of each customer. + +## What's next for 2026 + +Several security improvements are planned for this year: + +#### Grant toggles for exposed schemas + +A new UI control will allow you to toggle API access for individual tables directly from the dashboard. Instead of manually managing Postgres grants, you'll be able to enable or disable table access with a single click. This makes it easier to control exactly which tables are accessible via the Data API without needing to write SQL grant statements. This feature is currently in staging and undergoing extensive testing before production release. + +Grant toggles for controlling table access + +#### Alternative authorization patterns + +We're exploring integrations with authorization systems like OpenFGA and Zanzibar for developers who need fine-grained permissions beyond RLS. Like everything else in Supabase, we're taking a Postgres-native approach. Community developers have already built Postgres extensions for alternative security models, like [supabase_rbac](https://database.dev/pointsource/supabase_rbac), which simplifies role-based access control. We're planning improved extension documentation and tighter dashboard integration to make these patterns more accessible. + +#### GitHub push protection + +Our leaked key detection currently uses GitHub's secret scanning API for post-commit detection. We're working with GitHub to add push protection, which will block commits containing secret keys before they reach the repository. + +#### GraphQL disabled by default + +pg_graphql will be disabled by default on new projects. You can still enable it manually if needed, but it won't be exposed automatically to reduce the attack surface. + +#### Expanded Security Advisor lints + +New security checks will be added to Splinter to detect more misconfigurations. This includes detecting weak password policies, excessive function privileges, and insecure extension configurations. + +#### Hardened project configurations + +New project configuration options will allow developers to choose extremely hardened security environments. This includes strict defaults for all security settings and mandatory security policies. Bring Your Own Cloud will be available to more customers beyond Supabase for Platforms. + +#### Security-focused test harness + +A dedicated test harness for security will help developers validate RLS policies, test authorization logic, and ensure security configurations are correct before deploying to production. + +#### Assistant everywhere + +The dashboard Assistant will be available in more locations. You'll be able to fix security issues directly from GitHub, Slack, and email recommendations, rather than needing to go to the dashboard. The Assistant will be integrated into your existing workflows. + +#### Enhanced security alerts + +Security alerts and recommendations will be enhanced with more detailed explanations of impact, step-by-step remediation guidance, and inline code examples to help developers resolve issues faster. diff --git a/apps/www/data/features.tsx b/apps/www/data/features.tsx index 8b8ab261a2bdd..9bd142daa6cf4 100644 --- a/apps/www/data/features.tsx +++ b/apps/www/data/features.tsx @@ -1927,7 +1927,7 @@ Absolutely. The SQL Editor includes syntax highlighting to improve code readabil ### Is the editor accessible via the Supabase CLI? -While the editor is primarily a web-based tool within Supabase Studio, you can execute SQL queries using the [Supabase CLI](/features/cli) by utilizing the supabase db query command. This allows for integration into scripts and automation workflows. +Yes, the editor is available locally through [Supabase CLI](/features/cli). `, icon: FileCode2, products: [ADDITIONAL_PRODUCTS.STUDIO], diff --git a/apps/www/public/images/blog/2026/security-retro/ai-security-fixes.png b/apps/www/public/images/blog/2026/security-retro/ai-security-fixes.png new file mode 100644 index 0000000000000..fa1d9a38bd60c Binary files /dev/null and b/apps/www/public/images/blog/2026/security-retro/ai-security-fixes.png differ diff --git a/apps/www/public/images/blog/2026/security-retro/api-keys.png b/apps/www/public/images/blog/2026/security-retro/api-keys.png new file mode 100644 index 0000000000000..896627d5f1b0b Binary files /dev/null and b/apps/www/public/images/blog/2026/security-retro/api-keys.png differ diff --git a/apps/www/public/images/blog/2026/security-retro/asymmetric-jwt.png b/apps/www/public/images/blog/2026/security-retro/asymmetric-jwt.png new file mode 100644 index 0000000000000..1f31f3d3fb060 Binary files /dev/null and b/apps/www/public/images/blog/2026/security-retro/asymmetric-jwt.png differ diff --git a/apps/www/public/images/blog/2026/security-retro/auto-enable-rls.png b/apps/www/public/images/blog/2026/security-retro/auto-enable-rls.png new file mode 100644 index 0000000000000..c9503306a82a0 Binary files /dev/null and b/apps/www/public/images/blog/2026/security-retro/auto-enable-rls.png differ diff --git a/apps/www/public/images/blog/2026/security-retro/column-security.png b/apps/www/public/images/blog/2026/security-retro/column-security.png new file mode 100644 index 0000000000000..cb3c9d3f3e960 Binary files /dev/null and b/apps/www/public/images/blog/2026/security-retro/column-security.png differ diff --git a/apps/www/public/images/blog/2026/security-retro/custom-claims.png b/apps/www/public/images/blog/2026/security-retro/custom-claims.png new file mode 100644 index 0000000000000..79a66535c6484 Binary files /dev/null and b/apps/www/public/images/blog/2026/security-retro/custom-claims.png differ diff --git a/apps/www/public/images/blog/2026/security-retro/disable-data-api-create.png b/apps/www/public/images/blog/2026/security-retro/disable-data-api-create.png new file mode 100644 index 0000000000000..8decd8e0ac26e Binary files /dev/null and b/apps/www/public/images/blog/2026/security-retro/disable-data-api-create.png differ diff --git a/apps/www/public/images/blog/2026/security-retro/disable-data-api-settings.png b/apps/www/public/images/blog/2026/security-retro/disable-data-api-settings.png new file mode 100644 index 0000000000000..5e9c3ffb75363 Binary files /dev/null and b/apps/www/public/images/blog/2026/security-retro/disable-data-api-settings.png differ diff --git a/apps/www/public/images/blog/2026/security-retro/github-scanning.png b/apps/www/public/images/blog/2026/security-retro/github-scanning.png new file mode 100644 index 0000000000000..5d5eb071832e9 Binary files /dev/null and b/apps/www/public/images/blog/2026/security-retro/github-scanning.png differ diff --git a/apps/www/public/images/blog/2026/security-retro/ip-allowlist.png b/apps/www/public/images/blog/2026/security-retro/ip-allowlist.png new file mode 100644 index 0000000000000..c9e27125ca580 Binary files /dev/null and b/apps/www/public/images/blog/2026/security-retro/ip-allowlist.png differ diff --git a/apps/www/public/images/blog/2026/security-retro/og.png b/apps/www/public/images/blog/2026/security-retro/og.png new file mode 100644 index 0000000000000..c4c7d0234b6de Binary files /dev/null and b/apps/www/public/images/blog/2026/security-retro/og.png differ diff --git a/apps/www/public/images/blog/2026/security-retro/privatelink.png b/apps/www/public/images/blog/2026/security-retro/privatelink.png new file mode 100644 index 0000000000000..d17b014eb0126 Binary files /dev/null and b/apps/www/public/images/blog/2026/security-retro/privatelink.png differ diff --git a/apps/www/public/images/blog/2026/security-retro/rls-default.png b/apps/www/public/images/blog/2026/security-retro/rls-default.png new file mode 100644 index 0000000000000..58f79e71586fa Binary files /dev/null and b/apps/www/public/images/blog/2026/security-retro/rls-default.png differ diff --git a/apps/www/public/images/blog/2026/security-retro/security-advisors.png b/apps/www/public/images/blog/2026/security-retro/security-advisors.png new file mode 100644 index 0000000000000..a866673403646 Binary files /dev/null and b/apps/www/public/images/blog/2026/security-retro/security-advisors.png differ diff --git a/apps/www/public/images/blog/2026/security-retro/security-alerts.png b/apps/www/public/images/blog/2026/security-retro/security-alerts.png new file mode 100644 index 0000000000000..705c7328a019d Binary files /dev/null and b/apps/www/public/images/blog/2026/security-retro/security-alerts.png differ diff --git a/apps/www/public/images/blog/2026/security-retro/simplified-grants.png b/apps/www/public/images/blog/2026/security-retro/simplified-grants.png new file mode 100644 index 0000000000000..78703810941cc Binary files /dev/null and b/apps/www/public/images/blog/2026/security-retro/simplified-grants.png differ diff --git a/apps/www/public/images/blog/2026/security-retro/thumb.png b/apps/www/public/images/blog/2026/security-retro/thumb.png new file mode 100644 index 0000000000000..5905865ee527c Binary files /dev/null and b/apps/www/public/images/blog/2026/security-retro/thumb.png differ diff --git a/apps/www/public/images/blog/2026/security-retro/unrestricted-tables.png b/apps/www/public/images/blog/2026/security-retro/unrestricted-tables.png new file mode 100644 index 0000000000000..f2be6cb56f92e Binary files /dev/null and b/apps/www/public/images/blog/2026/security-retro/unrestricted-tables.png differ diff --git a/package.json b/package.json index a35f01b65abd9..b266c2bf46317 100644 --- a/package.json +++ b/package.json @@ -39,7 +39,8 @@ "setup:cli": "supabase start -x studio && supabase status --output json > keys.json && node scripts/generateLocalEnv.js", "generate:types": "supabase gen types typescript --local > ./supabase/functions/common/database-types.ts", "api:codegen": "cd packages/api-types && pnpm run codegen", - "knip": "pnpx knip@~5.50.0" + "knip": "pnpx knip@~5.50.0", + "authorize-vercel-deploys": "tsx scripts/authorizeVercelDeploys.ts" }, "devDependencies": { "@aws-sdk/client-secrets-manager": "^3.823.0", @@ -52,8 +53,10 @@ "supabase": "^2.65.6", "supports-color": "^8.0.0", "tailwindcss": "catalog:", + "tsx": "catalog:", "turbo": "2.3.3", - "typescript": "catalog:" + "typescript": "catalog:", + "zod": "catalog:" }, "repository": { "type": "git", diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 45c68ff3c6725..0aa8037bbbc54 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -112,12 +112,18 @@ importers: tailwindcss: specifier: 'catalog:' version: 3.4.1(ts-node@10.9.2(@types/node@22.13.14)(typescript@5.9.2)) + tsx: + specifier: 'catalog:' + version: 4.20.3 turbo: specifier: 2.3.3 version: 2.3.3 typescript: specifier: 'catalog:' version: 5.9.2 + zod: + specifier: 'catalog:' + version: 3.25.76 apps/cms: dependencies: diff --git a/scripts/authorizeVercelDeploys.ts b/scripts/authorizeVercelDeploys.ts new file mode 100644 index 0000000000000..8a068193d5144 --- /dev/null +++ b/scripts/authorizeVercelDeploys.ts @@ -0,0 +1,146 @@ +/** + * Script to authorize Vercel deployments from PR information. + * + * Gets the current SHA from environment variable, fetches GitHub statuses, + * finds authorization-required statuses, and authorizes them via Vercel API. + */ + +import { z } from 'zod' + +interface GitHubStatus { + url: string + avatar_url: string + id: number + node_id: string + state: 'success' | 'pending' | 'failure' | 'error' + description: string + target_url: string + context: string + created_at: string + updated_at: string +} + +const jobInfoSchema = z.object({ + job: z.object({ + headInfo: z.object({ + sha: z.string().min(1, 'SHA is required'), + }), + id: z.string().min(1, 'ID is required'), + org: z.literal('supabase'), + prId: z.number().int().positive('PR ID must be a positive integer'), + repo: z.literal('supabase'), + }), +}) + +type JobInfo = z.infer + +async function fetchGitHubStatuses(sha: string): Promise { + const url = `https://api.github.com/repos/supabase/supabase/statuses/${sha}` + console.log(`Fetching GitHub statuses for SHA: ${sha}`) + + const response = await fetch(url) + if (!response.ok) { + throw new Error(`Failed to fetch GitHub statuses: ${response.status} ${response.statusText}`) + } + + return response.json() +} + +function extractJobInfoFromTargetUrl(targetUrl: string): JobInfo { + const url = new URL(targetUrl) + const jobParam = url.searchParams.get('job') + + if (!jobParam) { + throw new Error('No job parameter found in target URL') + } + + try { + const jobData = JSON.parse(jobParam) + const parsed = jobInfoSchema.parse({ job: jobData }) + return parsed + } catch (e) { + if (e instanceof z.ZodError) { + throw new Error( + `Invalid job info structure: ${e.errors.map((err) => `${err.path.join('.')}: ${err.message}`).join(', ')}` + ) + } + throw new Error(`Failed to parse job parameter as JSON: ${e}`) + } +} + +async function authorizeVercelJob(jobInfo: JobInfo, vercelToken: string): Promise { + const url = 'https://vercel.com/api/v1/integrations/authorize-job' + + const response = await fetch(url, { + method: 'POST', + headers: { + Accept: '*/*', + 'Content-Type': 'application/json; charset=utf-8', + Authorization: `Bearer ${vercelToken}`, + }, + body: JSON.stringify(jobInfo), + }) + + if (!response.ok) { + const errorText = await response.text() + throw new Error( + `Failed to authorize Vercel job: ${response.status} ${response.statusText}\n${errorText}` + ) + } + + console.log('āœ“ Vercel job authorized successfully!') +} + +async function main() { + const sha = process.env.HEAD_COMMIT_SHA + if (!sha) { + throw new Error('HEAD_COMMIT_SHA environment variable is required') + } + + const vercelToken = process.env.VERCEL_TOKEN + if (!vercelToken) { + throw new Error('VERCEL_TOKEN environment variable is required') + } + + console.log(`Starting authorization process for SHA: ${sha}`) + + // Fetch GitHub statuses + const statuses = await fetchGitHubStatuses(sha) + console.log(`Found ${statuses.length} statuses`) + + // Filter for authorization-required statuses + const authRequiredStatuses = statuses.filter( + (status) => status.description === 'Authorization required to deploy.' + ) + + if (authRequiredStatuses.length === 0) { + console.log('No authorization-required statuses found. Nothing to authorize.') + return + } + + console.log(`Found ${authRequiredStatuses.length} authorization-required status(es)`) + + // Process each authorization-required status + for (const status of authRequiredStatuses) { + try { + console.log(`\nProcessing status: ${status.context}`) + console.log(`Target URL: ${status.target_url}`) + + // Extract job info from target URL + const jobInfo = extractJobInfoFromTargetUrl(status.target_url) + + // Authorize the job + await authorizeVercelJob(jobInfo, vercelToken) + } catch (error) { + console.error(`Failed to process status ${status.context}:`, error) + // Continue with other statuses even if one fails + } + } + + console.log('\nāœ“ Authorization process completed!') +} + +main().catch((error) => { + console.error('Fatal error:', error) + process.exit(1) +})