FixVibe

// docs / baas security / supabase service role exposure

Supabase service-role key exposed in JavaScript: what it means and how to find it

The Supabase service-role key is the master key to your database. Whoever holds it bypasses Row Level Security, can read every column of every table, and can write or delete whatever they choose. It is meant to live only in server-side code, never in the browser. When an AI coding assistant ships it into a JavaScript bundle, your database is effectively public. This article explains the JWT shape that identifies the key, the three patterns AI tools produce that leak it, what to do in the first hour after discovery, and how to scan for it automatically before your users do.

What the service-role key is

Supabase issues two distinct keys for every project: the anon key (called the publishable key on newer projects) and the service_role key. Both are JSON Web Tokens signed with your project's JWT secret. The only difference is the role claim in the JWT payload: anon for the public key, service_role for the master key. PostgREST, Supabase Storage, and Supabase Auth all switch to bypass-everything mode when they see the service_role role, so the token's claims, not where it happens to be used, decide what it can do.

Paste any Supabase key into jwt.io and look at the payload. The shape of a service-role JWT is unmistakable; decoded, it looks like this:

```json
{
  "iss": "supabase",
  "ref": "[project-ref]",
  "role": "service_role",
  "iat": 1700000000,
  "exp": 2000000000
}
```

Note the exp claim: the legacy keys are long-lived (the example above expires in 2033), so a leaked key does not age out on its own.

Newer Supabase projects issue secret keys carrying the sb_secret_ prefix instead of a JWT. The severity is identical: anything carrying sb_secret_ in a public bundle is the same total compromise.

How AI coding assistants ship the service-role key

We have seen the same three patterns across thousands of vibe-coded apps. Each starts with a developer asking the AI tool for help and ends with the service key embedded in the bundle.

Pattern 1: A .env file with the NEXT_PUBLIC_ prefix

The developer asks the AI tool to "set up Supabase" and receives a .env containing both keys. The AI tool, trained on a corpus where most environment variables are exposed through NEXT_PUBLIC_*, puts the NEXT_PUBLIC_ prefix on both. Next.js inlines anything matching that prefix into the client bundle at build time. Deploy to Vercel and the service key is sitting in main.[hash].js.

Pattern 2: The wrong key in the createClient call

The developer drops both keys into an AI-generated config.ts, and the AI wires the browser-side createClient() call to process.env.SUPABASE_SERVICE_ROLE_KEY by mistake. If the build configuration exposes that variable to client code (for example through the env block in next.config.js), the bundler substitutes its value at build time and the JWT lands in the bundle.

Pattern 3: The service-role key embedded in a seed script

The developer asks the AI tool to write a script that seeds the database. The AI hard-codes the service-role key in the file (rather than reading it from the environment), the file is committed, and now a public GitHub repo or a deployed /scripts/seed.js path on the app serves the key.

How the FixVibe bundle scan finds the secret

FixVibe's bundle secret scan downloads every JavaScript file the deployed app references (entry chunks, lazily loaded chunks, web workers, service workers) and runs them through a finder that decodes anything matching the JWT shape (eyJ[base64-header].eyJ[base64-payload].[signature]). If the decoded payload contains "role": "service_role", the scan reports it as a critical finding with the exact file path and line where the key appears. The same scan also matches the newer sb_secret_* keys by prefix.

The scan never authenticates with a discovered key. It recognises the shape and reports the secret; using the key to demonstrate the exposure would itself be unauthorised access to your database. The evidence is in the JWT payload itself.
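The finder logic the two paragraphs above describe, as an added example that is not FixVibe's own code: it pulls JWT-shaped strings and sb_secret_ keys out of chunk text, decodes each JWT payload without verifying the signature, classifies the role claim, and reports file, line and severity. The chunk contents, project ref and tokens are constructed for the example (their signatures are placeholders, since the scan never validates them), and the function names are the example's own.

```javascript
// Added example, not FixVibe's code: a bundle secret finder of the kind the
// scan above describes. All chunk contents and tokens below are constructed.
const JWT_RE = /eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;
const SB_SECRET_RE = /sb_secret_[A-Za-z0-9_-]+/g;

// base64url (URL-safe alphabet, no padding), spelled out rather than relying on
// Node's 'base64url' encoding name so the example runs on older Node versions.
function b64url(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function b64urlDecode(str) {
  const pad = '='.repeat((4 - (str.length % 4)) % 4);
  return Buffer.from(str.replace(/-/g, '+').replace(/_/g, '/') + pad, 'base64').toString('utf8');
}

// Read a JWT's claims without verifying the signature. The finder only needs the
// payload; it never uses the key, so it never needs the project's JWT secret.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try { return JSON.parse(b64urlDecode(parts[1])); } catch { return null; }
}

// Classify a JWT-shaped string: only Supabase-issued tokens (iss "supabase")
// matter; any other JWT in a bundle (a test fixture, say) is 'other'.
function classifySupabaseJwt(token) {
  const claims = decodeJwtPayload(token);
  if (!claims || claims.iss !== 'supabase') return 'other';
  if (claims.role === 'service_role') return 'service_role';
  return claims.role === 'anon' ? 'anon' : 'other';
}

// Never print a whole secret into a report or CI log.
const redact = s => s.slice(0, 12) + '...' + s.slice(-4);

// Scan the text of one chunk and return findings with file and 1-based line.
// service_role JWTs and sb_secret_ keys are critical; anon keys are expected in
// a browser bundle and are recorded at info level only.
function scanChunk(file, text) {
  const findings = [];
  text.split('\n').forEach((line, idx) => {
    for (const m of line.matchAll(JWT_RE)) {
      const kind = classifySupabaseJwt(m[0]);
      if (kind === 'service_role') {
        findings.push({ file, line: idx + 1, kind: 'service_role_jwt', severity: 'critical', preview: redact(m[0]) });
      } else if (kind === 'anon') {
        findings.push({ file, line: idx + 1, kind: 'anon_jwt', severity: 'info', preview: redact(m[0]) });
      }
    }
    for (const m of line.matchAll(SB_SECRET_RE)) {
      findings.push({ file, line: idx + 1, kind: 'sb_secret_key', severity: 'critical', preview: redact(m[0]) });
    }
  });
  return findings;
}

function scanAll(chunks) {
  return Object.entries(chunks).flatMap(([file, text]) => scanChunk(file, text));
}

// Constructed tokens with the claim layout shown earlier. Real keys are HS256-
// signed with the project JWT secret; the signature here is a placeholder.
function makeToken(role) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = b64url(JSON.stringify({ iss: 'supabase', ref: 'abcdefghijklmnopqrst', role, iat: 1700000000, exp: 2000000000 }));
  return `${header}.${payload}.${b64url('placeholder-signature')}`;
}

// Constructed chunk contents: a Next.js chunk where both keys were inlined
// (pattern 1) and a deployed seed script carrying an sb_secret_ key (pattern 3).
const SAMPLE_CHUNKS = {
  '.next/static/chunks/main.abc123.js':
    `var u="https://example.supabase.co";\nvar a="${makeToken('anon')}";\nvar s="${makeToken('service_role')}";`,
  '.next/static/chunks/pages/_app.js': 'var x=1;',
  'scripts/seed.js': 'const key = "sb_secret_0123456789abcdefghijklmnop";',
};

for (const f of scanAll(SAMPLE_CHUNKS)) {
  console.log(`[${f.severity}] ${f.file}:${f.line} ${f.kind} ${f.preview}`);
}
```

In a real scanner the chunk map is built from the deployed page's script tags and import graph; the decode step is the part that matters, because the role claim is base64url-encoded inside the token and a literal grep for service_role would never see it.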

Found it: what to do in the first hour

A shipped service-role key is urgent for as long as it stays live. Assume the key has already been harvested; attackers scan public bundles continuously. Treat the database as compromised until you have rotated the key and reviewed recent activity.

  1. Rotate the key immediately. In the Supabase Dashboard, go to Project Settings → API → service_role key → Rotate. The old key stops working within seconds. If the project still uses the legacy JWT-based keys, rotation means regenerating the project JWT secret, which also invalidates the anon key and signs users out, so update both keys everywhere. Server-side code that depends on the key must be given the new value and redeployed, or it breaks along with the attacker's access.
  2. Review recent database activity. Open Database → Logs in the dashboard and filter to the last 7 days. Look for unusual SELECT * queries against tables that hold PII, large UPDATE or DELETE statements, and requests from IP addresses outside the infrastructure you recognise. Supabase records the x-real-ip header on every request.
  3. Check Storage. Go to Storage → Logs and review recent file downloads. A shipped service-role key gives full bypass access to private buckets.
  4. Purge the key from source control. Even after rotation, a JWT left in git history can still be found in a public repo. Use git filter-repo or BFG Repo-Cleaner to scrub it from history, then force-push (warn your teammates first).
  5. Re-scan after the fix. Run a fresh FixVibe scan against the redeployed app. The bundle secret finding should clear. Confirm that no service_role JWT and no sb_secret_* string remains in any chunk.

Preventing the leak in the first place

The structural fix is a naming discipline plus tool-level guardrails:

  • Never put the NEXT_PUBLIC_*, VITE_*, or any other bundle-inlining prefix on the service key. The naming convention is the boundary; every framework honours it.
  • Keep the service key out of .env entirely on developer machines. Read it from a secrets manager (Doppler, Infisical, encrypted environment variables in Vercel) at deploy time, and never commit it.
  • Mark every Supabase client construction with explicit context. Files named supabase/browser.ts use the anon key; files named supabase/server.ts use the service-role key with import 'server-only' at the top. The server-only import causes a build error if a client component tries to consume the module.
  • Add a pre-commit hook that greps for JWT-shaped strings. git diff --staged | grep -E 'eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+' catches both anon and service tokens before they leave your machine.
  • Add a CI gate that inspects the build output. After next build, extract every JWT-shaped string from .next/static/chunks/, decode its payload and check the role claim (the claim is base64url-encoded inside the token, so a literal grep for service_role would miss it), and grep for sb_secret_. Fail the build if anything matches.

```bash
# Pre-commit hook: refuse any staged JWT-shaped string (anon or service).
if git diff --staged | grep -qE 'eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+'; then
  echo "JWT detected in staged changes: refusing commit" >&2
  exit 1
fi

# CI gate: fail the build if a service_role JWT or an sb_secret_ key shipped to the
# static bundle. The role claim is base64url-encoded inside the token, so a literal
# grep for "service_role" would miss it: decode every payload first.
for tok in $(grep -RhoE 'eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+' .next/static/chunks/ | sort -u); do
  payload=$(printf '%s' "$tok" | cut -d. -f2 | tr '_-' '/+')
  while [ $(( ${#payload} % 4 )) -ne 0 ]; do payload="${payload}="; done   # restore base64 padding
  if printf '%s' "$payload" | base64 -d 2>/dev/null | grep -q '"role" *: *"service_role"'; then
    echo "Service-role JWT leaked into bundle (token starting ${tok:0:12}...)" >&2; exit 1
  fi
done
if grep -Rq 'sb_secret_' .next/static/chunks/; then
  echo "sb_secret_ key leaked into bundle" >&2; exit 1
fi
```
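A pre-commit lint for the three leak patterns and the naming rule above, as an added example that is neither FixVibe's nor Supabase's code. It flags a service credential stored under a public prefix in .env (pattern 1), a process.env.SUPABASE_SERVICE_ROLE_KEY reference in a module that lacks import 'server-only' (pattern 2), and a hard-coded service_role JWT or sb_secret_ key in any source file (pattern 3). It generalises the prefix list to REACT_APP_ and EXPO_PUBLIC_, which Create React App and Expo also inline into client code. The file paths, fixture contents, rule names and function names are constructed for the example.

```javascript
// Added example, not FixVibe's or Supabase's code: a pre-commit lint for the
// three leak patterns described above. All inputs below are constructed.

// Prefixes that Next.js, Vite, Create React App and Expo inline into the client
// bundle. A variable carrying one of these is public by definition.
const PUBLIC_PREFIXES = ['NEXT_PUBLIC_', 'VITE_', 'REACT_APP_', 'EXPO_PUBLIC_'];

// Read the role claim of a JWT without verifying it (the lint never uses the key).
function jwtRole(token) {
  try {
    const b64 = token.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');
    const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
    return JSON.parse(Buffer.from(padded, 'base64').toString('utf8')).role;
  } catch { return undefined; }
}

// A value is a master credential if it is an sb_secret_ key or a service_role JWT.
function isServiceCredential(value) {
  return value.startsWith('sb_secret_') ||
    (value.startsWith('eyJ') && jwtRole(value) === 'service_role');
}

// Minimal .env parser: KEY=value, optional "export ", surrounding quotes, comments.
function parseDotenv(text) {
  const vars = [];
  text.split('\n').forEach((raw, idx) => {
    const line = raw.trim();
    if (!line || line.startsWith('#')) return;
    const m = line.match(/^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/);
    if (!m) return;
    let value = m[2].trim();
    const quoted = (value.startsWith('"') && value.endsWith('"')) || (value.startsWith("'") && value.endsWith("'"));
    if (quoted && value.length >= 2) value = value.slice(1, -1);
    vars.push({ line: idx + 1, name: m[1], value });
  });
  return vars;
}

// Pattern 1: a service credential under a public prefix is critical. A service
// credential in .env at all is a warning: it belongs in a secrets manager.
function lintDotenv(file, text) {
  const findings = [];
  for (const v of parseDotenv(text)) {
    if (!isServiceCredential(v.value)) continue;
    const pub = PUBLIC_PREFIXES.find(p => v.name.startsWith(p));
    findings.push(pub
      ? { file, line: v.line, severity: 'critical', rule: 'public-prefix-on-service-key', name: v.name }
      : { file, line: v.line, severity: 'warning', rule: 'service-key-in-dotenv', name: v.name });
  }
  return findings;
}

const LITERAL_RE = /sb_secret_[A-Za-z0-9_-]+|eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;
const SERVER_ONLY_RE = /^\s*import\s+['"]server-only['"]/m;

// Pattern 2: SUPABASE_SERVICE_ROLE_KEY read from a module not marked server-only.
// Pattern 3: a service credential hard-coded as a string literal anywhere.
function lintSource(file, text) {
  const findings = [];
  const serverOnly = SERVER_ONLY_RE.test(text);
  text.split('\n').forEach((line, idx) => {
    if (!serverOnly && /process\.env\.SUPABASE_SERVICE_ROLE_KEY/.test(line)) {
      findings.push({ file, line: idx + 1, severity: 'critical', rule: 'service-key-outside-server-only' });
    }
    for (const m of line.matchAll(LITERAL_RE)) {
      if (isServiceCredential(m[0])) {
        findings.push({ file, line: idx + 1, severity: 'critical', rule: 'hardcoded-service-key' });
      }
    }
  });
  return findings;
}

// Route each file by name: .env, .env.local etc. go to the dotenv lint.
function lintAll(files) {
  return Object.entries(files).flatMap(([file, text]) =>
    file.split('/').pop().startsWith('.env') ? lintDotenv(file, text) : lintSource(file, text));
}

// Constructed fixtures. The JWTs are assembled here with placeholder signatures;
// real keys are HS256-signed with the project JWT secret.
const b64u = s => Buffer.from(s).toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const HEADER = b64u('{"alg":"HS256","typ":"JWT"}');
const SERVICE_JWT = `${HEADER}.${b64u('{"iss":"supabase","role":"service_role"}')}.${b64u('sig')}`;
const ANON_JWT = `${HEADER}.${b64u('{"iss":"supabase","role":"anon"}')}.${b64u('sig')}`;

const FIXTURES = {
  '.env': [
    'NEXT_PUBLIC_SUPABASE_URL=https://example.supabase.co',
    `NEXT_PUBLIC_SUPABASE_ANON_KEY=${ANON_JWT}`,
    `NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY="${SERVICE_JWT}"`,     // pattern 1
    'SUPABASE_SERVICE_ROLE_KEY=sb_secret_0123456789abcdefghij',    // warning only
  ].join('\n'),
  'lib/supabase/browser.ts': [
    "import { createClient } from '@supabase/supabase-js';",
    'export const supabase = createClient(process.env.NEXT_PUBLIC_SUPABASE_URL!, process.env.SUPABASE_SERVICE_ROLE_KEY!);', // pattern 2
  ].join('\n'),
  'lib/supabase/server.ts': [
    "import 'server-only';",
    "import { createClient } from '@supabase/supabase-js';",
    'export const admin = createClient(process.env.NEXT_PUBLIC_SUPABASE_URL!, process.env.SUPABASE_SERVICE_ROLE_KEY!);', // correct
  ].join('\n'),
  'scripts/seed.js': `const supabase = createClient(url, "${SERVICE_JWT}");`,  // pattern 3
};

for (const f of lintAll(FIXTURES)) {
  console.log(`[${f.severity}] ${f.file}:${f.line} ${f.rule}${f.name ? ' ' + f.name : ''}`);
}
```

Wire it into a pre-commit hook by reading the paths from git diff --staged --name-only and failing the commit on any critical finding. Unlike the plain JWT grep in the hook above, it lets anon keys through and stops only the master credential, so it does not become a hook developers learn to bypass.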

Frequently asked questions

How fast do attackers find a shipped Supabase service-role key?

Public bundle scrapers probe new deployments within minutes. Researchers have documented activity against fresh Supabase projects within an hour of first deploy. Treat any service-role exposure as a 60-minute window, not a 60-day one.

Is rotating the key enough, or should I assume data was exfiltrated?

Rotation invalidates the shipped key but does not undo data that was already exfiltrated. If your tables held PII, payment data, or any regulated data, you may have notification obligations under GDPR (72 hours), CCPA, or HIPAA. Review the logs and consult counsel if the review shows suspicious activity.

Will RLS protect me if the service-role key ships?

No. Row Level Security is bypassed completely by the service_role role. That is by design: the key acts as a trusted backend and skips RLS for administrative work. The mitigation is to keep the key from ever reaching a place an attacker can read it.

Does this affect the newer Supabase publishable / secret key format (sb_publishable_ / sb_secret_)?

Yes, it is the same risk class. sb_secret_* keys are the newer secret-key format that replaces the service-role JWT on new projects. Anything carrying sb_secret_* in a bundle is as catastrophic as a shipped service-role JWT. FixVibe's bundle secret finder handles both shapes.

What about the anon / publishable key: is it fine in the bundle?

Yes, by design. The anon key is meant to live in the browser and is what every Supabase web client uses. Its safety depends entirely on correctly configured RLS on every exposed table. See the Supabase RLS Guide for what to check.

Next steps

Run a FixVibe scan against your production URL: the bundle secret scan is free, requires no sign-up, and reports service_role exposure within minutes. Pair it with the Supabase RLS Guide to confirm your RLS policies do their job, and with the Supabase Storage security checklist to lock down file access. For background on why AI tools generate this class of secret leak so reliably, read Why AI coding assistants leave security holes.

