Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Version 2.7.0 prevents reading data on web under certain conditions #1085

Open
Mr-Pepe opened this issue Nov 15, 2024 · 5 comments · May be fixed by #1087
Open

Version 2.7.0 prevents reading data on web under certain conditions #1085

Mr-Pepe opened this issue Nov 15, 2024 · 5 comments · May be fixed by #1087
Labels
bug Something isn't working

Comments

@Mr-Pepe
Copy link

Mr-Pepe commented Nov 15, 2024

Describe the bug
Under certain conditions a client with a service role key can not circumvent RLS policy restrictions on web.

To Reproduce
Add the following code to a flutter project:

// integration_test/supabase_test.dart

import 'package:flutter/material.dart';
import 'package:flutter_test/flutter_test.dart';
import 'package:integration_test/integration_test.dart';
import 'package:supabase_flutter/supabase_flutter.dart' as supabase;

void main() async {
  IntegrationTestWidgetsFlutterBinding.ensureInitialized();

  testWidgets('Analytics', (WidgetTester tester) async {
    final client1 = supabase.SupabaseClient(
      getSupabaseUrl(),
      getSupabaseKey(role: 'service'),
    );

    final client2 = supabase.SupabaseClient(
      getSupabaseUrl(),
      getSupabaseKey(),
    );

    await tester.pumpWidget(
      const MaterialApp(
        home: Scaffold(
          body: Center(child: Text('Hello')),
        ),
      ),
    );

    // Commenting out this line makes the test pass
    await client2.auth.signInAnonymously();

    // Commenting out this line makes the test pass
    await client1.from('session_events').select();

    final events = await client1.from('session_events').select();

    expect(events, isNotEmpty, reason: 'Session events empty');
  });
}
// test_driver/integration_test.dart

import 'package:flutter_driver/flutter_driver.dart';
import 'package:integration_test/integration_test_driver_extended.dart';

Future<void> main() async {
  return integrationDriver(driver: await FlutterDriver.connect());
}

Create a table "session_events" that has an RLS policy preventing everyone from reading it.

Run the test on Linux with flutter test -d linux integration_test and on Chrome with flutter drive --driver=test_driver/integration_test.dart --target=integration_test/supabase_test.dart -d web-server --browser-name chrome --no-headless. Make sure to first start ChromeDriver on port 4444.

Observed behavior

  • Run on Chrome -> The test fails
  • Run on Linux -> The test passes
  • Comment out the anonymous sign-in -> The test passes
  • Comment out the first read -> The test passes
  • Run on Chrome with version 2.6.0 -> Test passes

Version (please complete the following information):

├── supabase 2.4.0
│   ├── functions_client 2.3.3
│   ├── gotrue 2.9.0
│   ├── postgrest 2.2.0
│   ├── realtime_client 2.3.0
│   ├── storage_client 2.1.0
├── supabase_flutter 2.7.0
│   ├── supabase...
@Mr-Pepe Mr-Pepe added the bug Something isn't working label Nov 15, 2024
@Vinzent03
Copy link
Collaborator

I'm pretty sure this is because on web session changes are broadcasted to other instances to affect other tabs.
I briefly discussed an option to disable this behavior here
So I will once again think about how we should handle this and hopefully fix this unintended behavior.

@Vinzent03 Vinzent03 linked a pull request Nov 21, 2024 that will close this issue
Open
@Mr-Pepe
Copy link
Author

Mr-Pepe commented Jan 31, 2025

It looks like the refactoring PR (#1087) is not going anywhere anytime soon (please correct me if I'm wrong). Is that refactoring required to fix this issue? Or can this issue be fixed as a smaller change?

@Vinzent03
Copy link
Collaborator

@dshukertjr Since you don't want to merge #1087 to fix this issue. Do you prefer a different way to fix this issue? It's a bad design that two supabase clients can't be isolated properly.

@dshukertjr
Copy link
Member

@Vinzent03 What exactly is the cause of this issue, and how does #1087 solve it?

@Vinzent03
Copy link
Collaborator

I haven't actually run this, but I'm pretty sure that when the test is run on chrome the following happens: By signing in on client2 the session gets broadcasted to client1 (because we added that feature for the web) and overwrites the existing service role session with the anon session. client1 therefore can't circumvent the RLS any longer, because its service role session is gone.

#1087 fixes this my moving the session persisting to the gotrue client (like in auth-js) and only if the client persists the session (off by default), the session is broadcasted to other clients. With default parameters, the session is only broadcasted when using supabase_flutter, because we provide an async storage for the session only there and set persistSession to true.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
3 participants
@dshukertjr @Mr-Pepe @Vinzent03