Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review infoConfiguration used: defaults Review profile: CHILL Plan: Pro 📒 Files selected for processing (2)
💤 Files with no reviewable changes (1)
📝 WalkthroughWalkthroughThis pull request revokes anonymous access to three API-key introspection functions across two database migration files, restricting execute privileges on Changes
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Possibly related PRs
Suggested labels
Poem
🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Warning There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure. 🔧 SQLFluff (4.0.4)supabase/migrations/20260226153000_restrict_apikey_oracle_rpcs.sqlUser Error: No dialect was specified. You must configure a dialect or specify one on the command line using --dialect after the command. Available dialects: Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 2b59eab3dd
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
|
||
| GRANT ALL ON FUNCTION "public"."get_org_perm_for_apikey" ("apikey" "text", "app_id" "text") TO "anon"; | ||
|
|
||
| GRANT ALL ON FUNCTION "public"."get_org_perm_for_apikey" ("apikey" "text", "app_id" "text") TO "authenticated"; |
There was a problem hiding this comment.
This commit modifies 20250530233128_base.sql, but /workspace/capgo/AGENTS.md explicitly requires you to “never edit previously committed migrations.” Rewriting an already-applied migration makes schema history non-immutable and can create drift/confusion between environments that already ran the original file and fresh environments that replay the edited file; this hardening should live only in a new migration.
Useful? React with 👍 / 👎.
|
1 participant
Summary (AI generated)
public.get_org_perm_for_apikeyandpublic.get_user_idin the base migration.EXECUTEforanonon the same API-key introspection RPC signatures.Motivation (AI generated)
anonaccess enabled key-existence and permission/app-enumeration oracles, which increased the impact of leaked API keys.Business Impact (AI generated)
Test Plan (AI generated)
bun lintafter the migration updates.git diffandgit diff origin/main...to verify only the intended grant and revoke changes.Screenshots
Not applicable (backend SQL migrations only).
Summary by CodeRabbit