Supabase service role key sa lai vakaraitaki ena JavaScript: na kena ibalebale kei na sala me kunei kina

Na cava na service role key

Na Supabase e soli rua na key duidui ena project yadua: na anon key (e vakatokai talega me publishable key ena project vou) kei na service_role key. Erau ruarua na JSON Web Tokens era sain kina e dua na JWT secret ni nomu project. Na duidui na role claim e tu ena JWT payload — anon me public key, service_role me master key. Na PostgREST, Supabase Storage, kei na Supabase Auth era veisau kece ki na bypass-everything mode ni ratou raica na service_role claim.

Decode e dua na Supabase key ena jwt.io ka raica na payload. Na mata ni service-role JWT e tarai matata:

Na decoded payload ni dua na service-role JWT (vakaraitaki vaka e dua na syntax-highlighted block ena ra).

{
  "iss": "supabase",
  "ref": "[project-ref]",
  "role": "service_role",
  "iat": 1700000000,
  "exp": 2000000000
}

Na Supabase project vou era soli secret-style keys kei na prefix sb_secret_ ena vukuna ga e dua na JWT. Na ivakarau e tautauvata — na veika kece e taura na sb_secret_ ena dua na public bundle e ca vakacaca tale ga.

Na sala e leak kina na AI coding tools na service role key

Keimami sa raica na ivakarau vata oqo ena udolu na vibe-coded apps. Na yadua e tekivu kei na dua na developer e kerea me dau vukea e dua na AI tool ka oti mai kina na service key sa inline ki na bundle.

Pattern 1: Dua ga na .env file kei na NEXT_PUBLIC_ prefix

Na developer e kerea vua na AI tool me "set up Supabase" ka taura mai dua ga na .env kei na rua na key. Na AI tool — sa vakavulici ena dua na corpus na levu ni environment variables era expose ena NEXT_PUBLIC_* — e prefix na ruarua kei na NEXT_PUBLIC_. Na Next.js e inline na ka kece e vakatauvatani kei na prefix oqo ki na client bundle ena gauna ni build. Ship ki na Vercel, ka sa tu na service key ena main.[hash].js.

Pattern 2: Key tawadodonu ena createClient call

Na developer e paste na rua na key ki na config.ts file na AI e generate kina, ka na AI e vakatutu na browser-side createClient() call kei na process.env.SUPABASE_SERVICE_ROLE_KEY ena cala. Na build e taura na variable ki loma, ka na JWT e laki tu kina bundle.

Pattern 3: Service-role key e tu vakaikoya ena seed scripts

Na developer e kerea vua na AI tool me vola e dua na script me vakatevataka na database. Na AI e hardcode na service-role key ki na file (sega ni wilika mai na environment), commit na file ki na repository, ka sa veiqaravi tiko na public GitHub repo se na deployed app na /scripts/seed.js route ena key.

Na sala e raica kina na FixVibe bundle scan na leak

Na FixVibe bundle-secrets check e download na JavaScript file kece e vakatautaki ena deployed app — entry chunks, lazy-loaded chunks, web workers, service workers — ka cakacaka kina e dua na detector e decode na ka kece e vakatauvatani kei na JWT shape (eyJ[base64-header].eyJ[base64-payload].[signature]). Ke tu ena decoded payload na "role": "service_role", e tukuna na scan me critical finding kei na file path kei na line dodonu e basika kina na key. Na check vata e match talega na ivakarau vou sb_secret_* ena kena prefix.

Na scan e sega ni authenticate kei na key sa kunei. E kila na shape ka tukuna na leak — na kena vakayagataki na key me vakadinadinataki na exploit me dua na unauthorised access ki na nomu database. Na evidence e tu vakaikoya ena JWT payload.

Sa kunei — na cava mo cakava ena imatai ni aua

E dua na runtime emergency na service role key sa lai vakaraitaki. Vakanananua sa scrape oti na key — na attackers era vakaraica na public bundle ena gauna sara. Vakanananua na database me sa compromise ka me sa rotate na key ka audit na cakacaka sa caka.

1. Rotate na key ena gauna sara. Ena Supabase Dashboard, lako ki Project Settings → API → Service role key → Reset. Na key makawa e sa invalidate ena loma ni vica na minisi. Na server-side code kece e vakayagataka na key me sa update ka redeploy ni bera ni yaco mai na rotation.
2. Audit na cakacaka ni database sa caka. Dolava Database → Logs ena dashboard. Filter ena 7 na siga sa oti. Sagai na SELECT * queries era unusual ena teveli kei na PII, na UPDATE kei na DELETE statements era levu, kei na requests mai na IP era sega ni kilai mai na nomu infrastructure. Na Supabase e log na x-real-ip header ena request yadua.
3. Check na storage objects. Lako i Storage → Logs ka raica na file downloads sa caka. E soli na service-role key sa lai vakaraitaki bypass-everything access ki na private buckets talega.
4. Cavuta na key mai na source control. Ke mada ga sa rotate, ke se tu ena nomu git history na JWT, e rawa ni kunei tiko ena public repo. Vakayagataka na git filter-repo se BFG Repo-Cleaner me cavuta mai na history, ka force-push (tukuna i liu vei ira na kau-i-tikotiko).
5. Re-scan ni oti na fix. Cakava e dua na FixVibe scan vou ki na redeployed app. Na bundle-secrets finding ena dredre. Vakadinadinataka me kakua ni tu e dua na service_role JWT se na sb_secret_* string ena chunk.

Sa tarovi na leak ena imatai

Na structural fix e ivakarau ni vakatokayaca kei na guardrails ena tool level:

• Kakua ni prefix na service key kei na NEXT_PUBLIC_*, VITE_*, se dua tale na bundle-inlining prefix. Na naming convention e duabau ga na iyalayala — e veidokai na framework kece.
• Kakua ni biuta na service key ena .env ena developer machine. Wilika mai na secret manager (Doppler, Infisical, Vercel encrypted env vars) ena deploy, kakua sara ni commit ena nomu vanua.
• <strong>Mark every Supabase client construction with explicit context.</strong> Files named <code>supabase/browser.ts</code> use the anon key; files named <code>supabase/server.ts</code> use the service-role key with <code>import 'server-only'</code> at the top. The <code>server-only</code> import causes a build error if a client component tries to consume the module.
• <strong>Add a pre-commit hook that greps for JWT-shaped strings.</strong> <code>git diff --staged | grep -E 'eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+'</code> catches both anon and service tokens before they leave your machine.
• Vakatutu e dua na CI gate me scan na build output. Ni sa oti na next build, grep na .next/static/chunks/ output ki na service_role string. Fail na build ke ra match e dua na ka.

# Pre-commit hook: refuse any staged JWT-shaped string.
git diff --staged \
  | grep -E 'eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+' \
  && echo "JWT detected in staged changes — refusing commit" \
  && exit 1

# CI gate: fail the build if "service_role" shipped to the static bundle.
grep -RE 'service_role|sb_secret_' .next/static/chunks/ \
  && echo "Service-role credential leaked into bundle" \
  && exit 1

Na taro era dau tarogi

Tikitiki tarava

Cakava e dua na FixVibe scan ki na nomu production URL — sa saumi ga na bundle-secrets check, sega na signup, ka tukuna na service_role exposure ena loma ni dua na minisi. Vakatauvatana qo kei na Supabase RLS scanner me vakadinadinataki ni cakacaka vinaka na RLS layer, kei na Supabase storage bucket security checklist me sogo na file access. Me dua na rai ki na vuna na AI tools era cakava na leak class oqo, wilika Na vuna na AI coding tools era biuta tu na security gaps.