LinumIQ/linumiq_net-docker
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f313701e5ebd58b00fa388e2e1347002a025b2b7
linumiq_net-docker/dev/supabase/migrations/0003_least_privilege.sql
T
linumiq_net-user 7fe0cc3753 dev: add parallel dev environment under /docker/dev 
Near-1:1 clone of the prod remote-access stack, isolated on a new external
dev_edge network and fronted by the same shared Caddy instance (dual-homed on
edge + dev_edge). Dev is manual-start (not on boot).

- Hostnames: app-dev / api-dev .linumiq.net, tunnels under *.dev.linumiq.net,
  dev tunnel ingress on port 7001.
- Dev Supabase (project supabase-dev, *-dev containers), web, frps, redis,
  stripe-stub, bandwidth-worker with fresh independent secrets (gitignored).
- Shared Caddyfile: app-dev -> web-dev, api-dev -> dev kong (+webhook block),
  *.dev -> frps-dev vhost. Caddy compose dual-homed on dev_edge.
- On-demand-TLS authorizer (prod check-subdomain, in gitignored volumes/)
  extended additively: app-dev/api-dev -> 200; *.dev delegated to the dev
  authorizer. Prod allow-list logic unchanged.
- dev.sh manual up/down/ps helper; README documents topology + secrets.

Secrets, frps.toml, volumes/, web worktree and data dirs are gitignored.
2026-05-30 13:23:34 +02:00

21 lines
1.0 KiB
PL/PgSQL
Raw Blame History

-- 0003: least-privilege table grants (A4/W3 hardening).
-- Supabase's default privileges grant ALL on public tables to anon &
-- authenticated. RLS gates DML, but TRUNCATE bypasses RLS and unauthenticated
-- (anon) should have no direct table rights at all. Reduce to the minimum the
-- app actually needs; service_role (which bypasses RLS) keeps full access.
BEGIN;
REVOKE ALL ON public.tunnels FROM anon, authenticated;
REVOKE ALL ON public.subscriptions FROM anon, authenticated;
REVOKE ALL ON public.usage_samples FROM anon, authenticated;
REVOKE ALL ON public.users_profile FROM anon, authenticated;
-- Authenticated users get read-only dashboard access (still gated by RLS
-- owner policies). users_profile also needs UPDATE (it has an owner policy).
GRANT SELECT ON public.tunnels TO authenticated;
GRANT SELECT ON public.subscriptions TO authenticated;
GRANT SELECT, UPDATE ON public.users_profile TO authenticated;
-- usage_samples: service_role only (no anon/authenticated access).
COMMIT;
Reference in New Issue View Git Blame Copy Permalink