supabase
client exposes schema details via hint and messages
#1009
Labels
bug
Bug report
Describe the bug
In our app, we manage everything with the `service role` from the backend. We've updated our database role privileges and grants so that the `anon` and `authenticated` roles cannot access the public and storage schemas, since Supabase hardcodes these schemas as enabled in the client.

We use the client in our frontend app for authentication purposes using the `anon_key`. However, we noticed that even with the privileges revoked, even non-authenticated users could snoop using the different `supabase` client functions like `select` and `rpc`.
To Reproduce
Steps to reproduce the behavior, please provide code snippets or a repository:
Expected behavior
We don't want any details leakage in our API, and the Supabase client unfortunately acts as a vector to snoop around with the anon key for API details.
Screenshots
System information
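An added example, not part of the issue and not Supabase's own code: a response filter for a reverse proxy placed in front of the project's API, which keeps the `hint` and `message` text of REST errors in the backend log and forwards a uniform error to the browser. It assumes the PostgREST error shape (`code`, `details`, `hint`, `message`) and the `/rest/v1/` and `/auth/v1/` path prefixes; `redactRestError`, the request ID and the sample body are hypothetical and constructed for illustration.

```javascript
// Path prefix of the Supabase REST (PostgREST) API. Auth traffic under
// /auth/v1/ is left alone because the frontend needs those responses.
const REST_PREFIX = "/rest/v1/";

// Hypothetical proxy hook. Returns what to send to the browser (`status`,
// `body`) and what to keep server-side (`log`, or null if nothing changed).
function redactRestError(path, status, rawBody, requestId) {
  if (!path.startsWith(REST_PREFIX) || status < 400) {
    return { status, body: rawBody, log: null };
  }

  // Keep the upstream error for the backend log only.
  let upstream;
  try {
    upstream = JSON.parse(rawBody);
  } catch {
    upstream = { unparsed: String(rawBody) };
  }

  // Allowlist approach: nothing from the upstream body is copied, and every
  // client error gets the same status, so "no such object" and
  // "permission denied" look identical from outside.
  const outStatus = status >= 500 ? 502 : 400;
  const body = JSON.stringify({ message: "Request failed", request_id: requestId });
  return { status: outStatus, body, log: { request_id: requestId, status, upstream } };
}

// Constructed sample in the PostgREST error shape; the function names are made up.
const sampleBody = JSON.stringify({
  code: "PGRST202",
  details: null,
  hint: "Perhaps you meant to call the function public.example_fn",
  message: "Could not find the function public.exmaple_fn in the schema cache",
});

const result = redactRestError("/rest/v1/rpc/exmaple_fn", 404, sampleBody, "req-0001");
console.log(result.status, result.body);
```

The filter only helps if the browser cannot reach the upstream API directly, since a redaction applied inside the client library can be bypassed by calling the endpoint without it.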