FixVibe


Supabase service role key exposed in JavaScript: what it means and how to find it

The Supabase service role key is the master key to your database. Anyone holding it bypasses Row Level Security, can read every row of every table, and can write or delete whatever they choose. It was designed to live only in server-side code, never in the browser. When an AI coding tool ships it into a JavaScript bundle, your database is, in effect, public. This article explains the JWT shape that identifies a leaked key, the three AI-tool patterns that produce the leak, what to do in the first hour after detection, and how to check for it automatically before your users do.

What the service role key is

Supabase issues two distinct keys for every project: the anon key (also called the publishable key on newer projects) and the service_role key. Both are JSON Web Tokens signed with your project's JWT secret. The difference is the role claim baked into the JWT payload: anon for the public key, service_role for the master key. PostgREST, Supabase Storage, and Supabase Auth all switch to bypass-everything mode when they see the service_role claim.

Decode any Supabase key at jwt.io and look at the payload. The service-role JWT shape is unambiguous:

```json
{
  "iss": "supabase",
  "ref": "[project-ref]",
  "role": "service_role",
  "iat": 1700000000,
  "exp": 2000000000
}
```

Newer Supabase projects issue secret-style keys with the sb_secret_ prefix instead of a JWT. The behaviour is identical: anything carrying sb_secret_ in a public bundle is just as catastrophic.

How AI coding tools leak the service role key

We have seen the same three patterns across thousands of vibe-coded apps. Each one starts with a developer asking an AI tool for help and ends with the service key shipping in the bundle.

Pattern 1: A single .env file with the NEXT_PUBLIC_ prefix

The developer asks the AI tool to "set up Supabase" and receives a single .env with both keys. The AI tool, trained on corpora where most environment variables are exposed via NEXT_PUBLIC_*, prefixes both with NEXT_PUBLIC_. Next.js inlines everything matching that prefix into the client bundle at build time. Deploy to Vercel, and the service key is in main.[hash].js.

Pattern 2: Wrong key in the createClient call

The developer pastes both keys into an AI-generated config.ts, and the AI fills the browser-side createClient() call with process.env.SUPABASE_SERVICE_ROLE_KEY by mistake. The build bakes the variable in, and the JWT lands in the bundle.

Pattern 3: Service role key hardcoded in a seed script

The developer asks the AI tool to write a script that seeds data. The AI hardcodes the service role key directly in the file (instead of reading it from the environment), the file is committed to the repository, and a public GitHub repo or a deployed app that serves the /scripts/seed.js path now serves the key.

How the FixVibe bundle scan detects the leak

FixVibe's bundle-secrets check downloads every JavaScript file the deployed app references (entry chunks, lazy chunks, web workers, service workers) and runs them through a detector that decodes anything matching the JWT shape (eyJ[base64-header].eyJ[base64-payload].[signature]). If the decoded payload contains "role": "service_role", the check reports it as a critical finding with the file path and the exact line where the key appears. The same check also matches the newer sb_secret_* prefix pattern.

The check never authenticates with the discovered key. It identifies the pattern and reports the leak; using the key to confirm exploitability would be unauthorised access to your database. The proof is in the JWT payload itself.
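The detection logic described above, as an added example rather than FixVibe's own scanner code: it finds JWT-shaped strings in bundle text, base64url-decodes the payload, flags role === "service_role", and also flags the sb_secret_ prefix. The sample bundle, the project ref "demo-ref" and the dummy signatures are constructed for the example.

```javascript
// Added example (not FixVibe's scanner): minimal service-role leak detector
// for JavaScript bundle text, following the rules the article describes.
const JWT_RE = /eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;
const SB_SECRET_RE = /sb_secret_[A-Za-z0-9_-]+/g;

// Decode one base64url JWT segment into an object; null if it is not JSON.
function decodeSegment(seg) {
  try {
    return JSON.parse(Buffer.from(seg, "base64url").toString("utf8"));
  } catch {
    return null;
  }
}

// Scan bundle text; report each leak with its 1-based line number.
// The key itself is never used, only decoded: the payload is the proof.
function findServiceRoleLeaks(bundleText) {
  const findings = [];
  bundleText.split("\n").forEach((line, idx) => {
    for (const m of line.matchAll(JWT_RE)) {
      const payload = decodeSegment(m[0].split(".")[1]);
      if (payload && payload.role === "service_role") {
        findings.push({ line: idx + 1, kind: "service_role_jwt", ref: payload.ref ?? null });
      }
    }
    for (const m of line.matchAll(SB_SECRET_RE)) {
      findings.push({ line: idx + 1, kind: "sb_secret", ref: null });
    }
  });
  return findings;
}

// Constructed sample bundle: a fake anon JWT (must NOT be flagged), a fake
// service-role JWT, and a placeholder sb_secret_ key. Signatures are dummies.
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const header = b64url({ alg: "HS256", typ: "JWT" });
const anonJwt = `${header}.${b64url({ iss: "supabase", ref: "demo-ref", role: "anon" })}.sig_anon`;
const serviceJwt = `${header}.${b64url({ iss: "supabase", ref: "demo-ref", role: "service_role" })}.sig_svc`;
const SAMPLE_BUNDLE = [
  `const a=createClient("https://demo-ref.supabase.co","${anonJwt}");`,
  `const admin=createClient("https://demo-ref.supabase.co","${serviceJwt}");`,
  `const legacy="sb_secret_EXAMPLEPLACEHOLDER0000";`,
].join("\n");

console.log(findServiceRoleLeaks(SAMPLE_BUNDLE));
```

Only the service-role JWT on line 2 and the sb_secret_ string on line 3 are reported; the anon JWT on line 1 is expected in a browser bundle and passes.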

Detected: what to do in the first hour

A leaked service role key is a runtime emergency. Assume the key has been scraped; attackers monitor public bundles in real time. Treat the database as compromised until you have rotated the key and reviewed recent activity.

  1. Rotate the key immediately. In the Supabase Dashboard, go to Project Settings → API → Service role key → Reset. The old key is revoked within seconds. Any server-side code that uses the key must be updated and redeployed before the rotation lands.
  2. Review recent database activity. Open Database → Logs in the dashboard. Filter to the last 7 days. Look for unusual SELECT * queries against tables holding PII, bulk UPDATE or DELETE statements, and requests from IPs outside the infrastructure you know. Supabase records the x-real-ip header on every request.
  3. Check storage objects. Visit Storage → Logs and review recent downloads. A leaked service role key grants bypass-everything access to private buckets too.
  4. Remove the key from source control. Even after rotation, leaving the JWT in your git history means it can be found in a public repo. Use git filter-repo or BFG Repo-Cleaner to purge it from history, then force-push (warn collaborators first).
  5. Rescan after the fix. Run a fresh FixVibe scan against the redeployed app. The bundle-secrets finding should clear. Confirm that no service_role JWT and no sb_secret_* string remains in any chunk.
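A first-pass triage for step 2, as an added example that is not part of the article's tooling: it flags SELECT * against PII tables, UPDATE/DELETE without a WHERE clause, and requests from IPs outside a known list. The entry shape {timestamp, ip, query}, the PII table names and the IP allowlist are assumptions; map your exported Supabase log fields (x-real-ip onto ip) before running it.

```javascript
// Added example (not FixVibe's or Supabase's code): triage database log
// entries for the signals step 2 lists. Entry shape is an assumption.
const PII_TABLES = new Set(["users", "profiles", "payments"]); // assumed
const KNOWN_IPS = new Set(["203.0.113.10", "203.0.113.11"]);  // assumed infra

// Return the list of reasons one entry deserves a closer look (empty = fine).
function classify(entry, piiTables = PII_TABLES, knownIps = KNOWN_IPS) {
  const reasons = [];
  const q = entry.query.trim();
  // SELECT * against a table that holds PII.
  const m = q.match(/^select\s+\*\s+from\s+"?([a-z_]+)"?/i);
  if (m && piiTables.has(m[1].toLowerCase())) reasons.push("select_star_pii");
  // UPDATE or DELETE with no WHERE clause touches the whole table.
  if (/^(update|delete)\b/i.test(q) && !/\bwhere\b/i.test(q)) reasons.push("bulk_write");
  // Request did not come from infrastructure we recognise.
  if (!knownIps.has(entry.ip)) reasons.push("unknown_ip");
  return reasons;
}

// Keep only the entries with at least one reason, annotated for review.
function triage(entries) {
  return entries
    .map((e) => ({ ...e, reasons: classify(e) }))
    .filter((e) => e.reasons.length > 0);
}

// Constructed sample log; x-real-ip has been mapped onto `ip`.
const SAMPLE_LOG = [
  { timestamp: "2024-01-01T00:00:00Z", ip: "203.0.113.10", query: "SELECT id FROM posts WHERE id = 1" },
  { timestamp: "2024-01-01T00:00:05Z", ip: "198.51.100.7", query: "SELECT * FROM users" },
  { timestamp: "2024-01-01T00:00:09Z", ip: "198.51.100.7", query: "DELETE FROM payments" },
  { timestamp: "2024-01-01T00:01:00Z", ip: "203.0.113.11", query: "UPDATE profiles SET bio = 'x' WHERE id = 2" },
];

console.log(triage(SAMPLE_LOG));
```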

Preventing the leak in the first place

The structural fix is naming discipline plus tooling guardrails:

  • Never prefix the service key with NEXT_PUBLIC_*, VITE_*, or any other bundle-inlining prefix. The naming convention is the boundary; every framework respects it.
  • Keep the service key out of .env entirely on the developer's machine. Read it from a secrets manager (Doppler, Infisical, Vercel encrypted environment variables) at deploy time; never commit it locally.
  • Mark every Supabase client construction with explicit context. Files named supabase/browser.ts use the anon key; files named supabase/server.ts use the service-role key with import 'server-only' at the top. The server-only import causes a build error if a client component tries to consume the module.
  • Add a pre-commit hook that greps for JWT-shaped strings. git diff --staged | grep -E 'eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+' catches both anon and service tokens before they leave your machine.
  • Add a CI gate that scans the build output. After next build, grep the .next/static/chunks/ output for the string service_role. Fail the build if anything matches.

```bash
# Pre-commit hook: refuse any staged JWT-shaped string.
# Only added lines ('+') are checked, so a commit that deletes a leaked token still goes through.
git diff --staged \
  | grep '^+' \
  | grep -E 'eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+' \
  && echo "JWT detected in staged changes — refusing commit" \
  && exit 1

# CI gate: fail the build if "service_role" or an sb_secret_ key shipped to the static bundle.
grep -RE 'service_role|sb_secret_' .next/static/chunks/ \
  && echo "Service-role credential leaked into bundle" \
  && exit 1
```

Frequently asked questions

How quickly do attackers find leaked Supabase service role keys?

Public bundle scanners sweep new deployments within minutes. Researchers have documented active exploitation of new Supabase projects in under an hour from first deploy. Treat any service-role exposure as a 60-minute window, not a 60-day one.

Is rotating the key enough, or do I have to assume the data was exfiltrated?

Rotation revokes the leaked key but does not undo data that was already exfiltrated. If your tables contain PII, payment data, or any regulated data, you may have a notification obligation under GDPR (72 hours), CCPA, or HIPAA. Review the logs and consult legal counsel if the review shows suspicious access.

Can RLS protect me if the service role key leaks?

No. Row Level Security is bypassed entirely by the service_role claim. That is by design: the key exists precisely so backend code can skip RLS for admin operations. The mitigation is making sure the key never reaches a context an attacker can read.

Does this apply to Supabase's newer publishable / secret key model (sb_publishable_ / sb_secret_)?

Yes, same risk level. The sb_secret_* key is the newer secret-key shape that replaces the service-role JWT on newer projects. Anything carrying sb_secret_* in a bundle is as catastrophic as a leaked service-role JWT. FixVibe's bundle-secrets detector matches both patterns.

What about the anon / publishable key? Is that safe in the bundle?

Yes, by design. The anon key is intended to live in the browser and is what every Supabase web client uses. Its safety depends entirely on RLS being configured correctly on every public table. See the Supabase RLS checker article for what to review.

Next steps

Run a FixVibe scan against your production URL; the bundle-secrets check is free, needs no sign-up, and reports service_role exposure in under a minute. Pair it with the Supabase RLS checker article to confirm the RLS layer is doing its job, and the Supabase storage bucket security checklist to lock down file access. For background on why AI tools produce this class of leak so consistently, read Why AI coding tools leave security gaps.

// scan your BaaS surface

Find the open table before someone else does.

Paste a production URL. FixVibe enumerates the BaaS providers your app talks to, fingerprints their public endpoints, and reports what an unauthenticated client can read or write. Free, no install, no card.

  • Free tier: 3 scans / month, no sign-up card.
  • Passive BaaS fingerprinting: no authorisation needed.
  • Supabase, Firebase, Clerk, Auth0, Appwrite, and more.
  • AI fix instructions on every finding; paste them back into Cursor / Claude Code.