Enhance security migrations

lovable-dev[bot] · TopProjectsCreator · lovable-dev[bot] · commit 1b364ceaca4e · 2026-04-06T14:43:05.000Z
- Restricted project_stars data access to authenticated users
- Enforced accepted status in is_team_member checks
- Added guard for handle_new_user trigger to prevent misuse

X-Lovable-Edit-ID: edt-c2aa50e1-bf64-4e60-a409-1a85135ded93
Co-authored-by: TopProjectsCreator &lt;230782617+TopProjectsCreator@users.noreply.github.com&gt;
diff --git a/bun.lock b/bun.lock
diff --git a/supabase/functions/manage-env-secrets/index.ts b/supabase/functions/manage-env-secrets/index.ts
@@ -17,12 +17,48 @@ serve(async (req) => {
   }
 
   try {
+    const authHeader = req.headers.get('Authorization');
+    if (!authHeader) {
+      return new Response(JSON.stringify({ error: 'Missing authorization header' }), {
+        status: 401,
+        headers: { ...corsHeaders, 'Content-Type': 'application/json' },
+      });
+    }
+
+    const supabaseAuth = createClient(
+      Deno.env.get('SUPABASE_URL') ?? '',
+      Deno.env.get('SUPABASE_ANON_KEY') ?? '',
+      { global: { headers: { Authorization: authHeader } } }
+    );
+    const { data: { user }, error: authError } = await supabaseAuth.auth.getUser();
+    if (authError || !user) {
+      return new Response(JSON.stringify({ error: 'Unauthorized' }), {
+        status: 401,
+        headers: { ...corsHeaders, 'Content-Type': 'application/json' },
+      });
+    }
+
     const supabase = createClient(
       Deno.env.get('SUPABASE_URL') ?? '',
       Deno.env.get('SUPABASE_SERVICE_ROLE_KEY') ?? '',
     );
     const { projectId, key, value, scope = 'shared' } = await req.json();
 
+    // Verify user owns the project
+    const { data: project, error: projectError } = await supabase
+      .from('projects')
+      .select('id')
+      .eq('id', projectId)
+      .eq('user_id', user.id)
+      .single();
+
+    if (projectError || !project) {
+      return new Response(JSON.stringify({ error: 'Forbidden: you do not own this project' }), {
+        status: 403,
+        headers: { ...corsHeaders, 'Content-Type': 'application/json' },
+      });
+    }
+
     if (!projectId || !key || !value) {
       return new Response(JSON.stringify({ error: 'projectId, key, and value are required' }), {
         status: 400,
diff --git a/supabase/migrations/20260406144201_636d76f0-17a0-4d14-9f1a-35339e55d055.sql b/supabase/migrations/20260406144201_636d76f0-17a0-4d14-9f1a-35339e55d055.sql
@@ -0,0 +1,45 @@
+-- Fix 1: Restrict project_stars SELECT to authenticated users only
+DROP POLICY IF EXISTS "Users can view all stars" ON public.project_stars;
+CREATE POLICY "Authenticated users can view stars"
+ON public.project_stars FOR SELECT
+TO authenticated
+USING (auth.uid() IS NOT NULL);
+
+-- Fix 2: Fix is_team_member to require accepted = true
+CREATE OR REPLACE FUNCTION public.is_team_member(_user_id uuid, _team_id uuid)
+RETURNS boolean
+LANGUAGE sql
+STABLE
+SECURITY DEFINER
+SET search_path = 'public'
+AS $$
+  SELECT EXISTS (
+    SELECT 1
+    FROM public.team_members
+    WHERE user_id = _user_id
+      AND team_id = _team_id
+      AND accepted = true
+  )
+$$;
+
+-- Fix 3: Add trigger context guard to handle_new_user
+CREATE OR REPLACE FUNCTION public.handle_new_user()
+RETURNS trigger
+LANGUAGE plpgsql
+SECURITY DEFINER
+SET search_path = 'public'
+AS $$
+BEGIN
+  IF TG_OP != 'INSERT' OR TG_TABLE_NAME != 'users' THEN
+    RAISE EXCEPTION 'Unauthorized function call';
+  END IF;
+
+  INSERT INTO public.profiles (user_id, display_name)
+  VALUES (NEW.id, COALESCE(NEW.raw_user_meta_data->>'display_name', split_part(NEW.email, '@', 1)));
+  
+  INSERT INTO public.user_roles (user_id, role)
+  VALUES (NEW.id, 'user');
+  
+  RETURN NEW;
+END;
+$$;
