
fix: lock down identity org RPC exposure #1709

Closed
riderx wants to merge 2 commits into main from riderx/fix-apikey-oracle

Conversation

@riderx (Member) commented Feb 27, 2026

Summary

  • Added a migration to remove PostgREST-facing access to identity resolution RPCs (get_identity_apikey_only, get_identity_org_allowed, get_identity_org_appid) from anon and authenticated roles.
  • Reworked public.get_orgs_v6(userid uuid) to enforce that callable user IDs match the authenticated caller identity, preventing user-id probing and unauthorized org membership leaks.
  • Tightened execution grants to keep get_orgs_v6(userid uuid) and identity helpers available only to trusted roles and revoked broad default anonymous/authenticated function/table privilege inheritance for new objects.

Test plan

  • Run bun lint.
  • Review git diff origin/main... for the migration scope and ensure no unrelated objects changed.
  • Apply migration in a non-production environment and verify:
    • get_identity_apikey_only/get_identity_org_allowed/get_identity_org_appid are not callable as anon.
    • get_orgs_v6(<other-user>) is denied for non-service roles.

Screenshots

Checklist

  • My code follows the code style of this project and passes bun run lint:backend && bun run lint.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • My change has adequate E2E test coverage.
  • I have tested my code manually, and I have provided steps to reproduce my tests.

Summary by CodeRabbit

  • Bug Fixes
    • Strengthened organization data access security through enhanced role-based permission controls
    • Implemented strict caller identity verification to prevent unauthorized access
    • Sensitive organization information is automatically redacted based on user permissions
    • Restricted public access to organization data endpoints
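The pattern the Summary describes, written out as an added example (this is not the PR's migration and not the project's get_orgs_v6): a caller-bound SECURITY DEFINER RPC, the grant tightening that also covers the implicit PUBLIC grant, and the default-privilege change for objects created later. The table names public.orgs and public.org_users, the function name get_orgs_example, and the trusted-role test are assumptions; auth.uid() and auth.role() are Supabase's JWT helper functions.

```sql
-- Added example, not the PR's code. Assumed schema:
--   public.orgs(id uuid, name text, management_email text)
--   public.org_users(user_id uuid, org_id uuid)
-- auth.uid() / auth.role() read the subject / role claim of the request JWT
-- (both NULL when there is no PostgREST request context).

CREATE OR REPLACE FUNCTION public.get_orgs_example(userid uuid)
RETURNS TABLE (id uuid, name text, management_email text)
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = ''           -- SECURITY DEFINER: pin search_path, qualify everything
AS $$
BEGIN
  -- Trusted callers (direct postgres session, or a service_role JWT) may query any user.
  -- Every other caller may only ask about itself; otherwise the function becomes an
  -- oracle for "does this user id exist / which orgs is it in".
  -- (Assumed trust rule for this example; session_user is the session's login role
  -- and is not changed by SECURITY DEFINER.)
  IF session_user <> 'postgres'
     AND coalesce(auth.role(), '') <> 'service_role'
     AND userid IS DISTINCT FROM auth.uid() THEN
    RAISE EXCEPTION 'userid does not match the authenticated caller'
      USING ERRCODE = 'insufficient_privilege';
  END IF;

  RETURN QUERY
  SELECT o.id, o.name, o.management_email
  FROM public.orgs o
  JOIN public.org_users ou ON ou.org_id = o.id
  WHERE ou.user_id = userid;
END;
$$;

-- Postgres grants EXECUTE on a new function to PUBLIC, and every role is implicitly a
-- member of PUBLIC, so revoking from anon/authenticated alone leaves the function callable.
REVOKE ALL ON FUNCTION public.get_orgs_example(uuid) FROM PUBLIC, anon, authenticated;
GRANT EXECUTE ON FUNCTION public.get_orgs_example(uuid) TO postgres, service_role;

-- Stop objects created later in public from inheriting the default PUBLIC / API-role grants.
ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;
ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE ALL ON TABLES FROM anon, authenticated;
```

The in-function identity check is defence in depth: with the grants above only postgres and service_role can reach the function through PostgREST, but if EXECUTE is ever widened again, or the function is called from another RPC that is exposed to authenticated users, a caller can still only look up its own user id. ALTER DEFAULT PRIVILEGES only affects objects created afterwards by the role that runs it, so existing functions still need an explicit REVOKE.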

@coderabbitai bot (Contributor) commented Feb 27, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fff7b11 and d42db05.

📒 Files selected for processing (1)
  • supabase/migrations/20260227000000_fix_identity_oracle_and_org_rpc_exposure.sql

📝 Walkthrough

A new database migration introduces public.get_orgs_v6(), a role-restricted RPC function returning organization data with granular access controls and field redaction based on caller identity. Access is limited to service_role and postgres; public, anonymous, and authenticated roles are explicitly revoked.

Changes

Cohort / File(s): New Secure Organization Access Function
  supabase/migrations/20260227000000_fix_identity_oracle_and_org_rpc_exposure.sql
Summary: Adds public.get_orgs_v6(userid uuid) with SECURITY DEFINER, enforcing role-based access control. Returns organization metadata with sensitive fields (paying, trial_left, management_email, etc.) redacted for unauthorized callers. Includes CTEs for app counts, billing cycles, 2FA/password policy checks. Revokes execution from PUBLIC/anon/authenticated and grants only to postgres/service_role.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

Poem

🐰 A vault of orgs, now locked up tight,
Role checks and caller verified right,
Data redacted when access is denied,
Sensitive secrets safely inside! ✨🔐

🚥 Pre-merge checks: ✅ 3 passed
  • Title check: ✅ Passed. The title 'fix: lock down identity org RPC exposure' directly and clearly summarizes the main security-focused change: restricting access to identity-related RPC functions.
  • Description check: ✅ Passed. The description covers the required Summary and Test plan sections with specific, actionable details. Checklist items are mostly addressed; the Screenshots section is appropriately omitted for backend changes.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 SQLFluff (4.0.4)
supabase/migrations/20260227000000_fix_identity_oracle_and_org_rpc_exposure.sql

User Error: No dialect was specified. You must configure a dialect or specify one on the command line using --dialect after the command. Available dialects:
ansi, athena, bigquery, clickhouse, databricks, db2, doris, duckdb, exasol, flink, greenplum, hive, impala, mariadb, materialize, mysql, oracle, postgres, redshift, snowflake, soql, sparksql, sqlite, starrocks, teradata, trino, tsql, vertica



@chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b63d36cc0a


Comment on lines +7 to +8
REVOKE ALL ON FUNCTION "public"."get_identity_org_allowed" ("keymode" "public"."key_mode"[], "org_id" "uuid") FROM "anon";
REVOKE ALL ON FUNCTION "public"."get_identity_org_allowed" ("keymode" "public"."key_mode"[], "org_id" "uuid") FROM "authenticated";
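Review bot: lines +7 and +8 revoke only from anon and authenticated, which leaves EXECUTE in place if the default PUBLIC grant on get_identity_org_allowed was never revoked, since Postgres grants EXECUTE on new functions to PUBLIC and every role is implicitly a member of PUBLIC. Either add `REVOKE ALL ON FUNCTION "public"."get_identity_org_allowed" ("keymode" "public"."key_mode"[], "org_id" "uuid") FROM PUBLIC;` beside these two statements or note in the migration that an earlier one already did so; the same applies to the matching get_identity_org_appid statements the description mentions. That decision also has to be reconciled with the RLS point raised in the comment below: if an anon/authenticated policy expression calls this helper, removing EXECUTE turns those requests into "permission denied for function" errors rather than policy denials, so either the helpers keep EXECUTE for those roles or the policies stop calling them.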

P1: Preserve anon/auth execute on RLS identity helpers

Revoking EXECUTE from anon/authenticated on get_identity_org_allowed (and similarly get_identity_org_appid) will break any RLS policy that calls these helpers for those roles, because policy expressions still require function execute privileges; for example, supabase/migrations/20260226000100_fix_org_rls_2fa_function_permissions.sql defines an anon/authenticated policy that directly calls get_identity_org_allowed, so those requests will start failing with permission denied for function ... instead of applying RLS.


@sonarqubecloud bot commented Mar 3, 2026

@riderx riderx closed this Mar 3, 2026