Programming

26072 readers

65 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Follow the programming.dev instance rules
Keep content related to programming in some way
If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities !webdev@programming.dev

founded 2 years ago

MODERATORS

snowe@programming.dev

Ategon@programming.dev

UlrikHD@programming.dev

bugsmith@programming.dev

Spyro@programming.dev

is it a security issue that All the supabase requests are coming directly from client instead of the backend ( vercel ) ? (programming.dev)

submitted 2 days ago by ghodawalaaman@programming.dev to c/programming@programming.dev

7 comments fedilink hide all child comments

Hello,

recently I was working on a project entirely made by AI. at first it looked plausible but as I dig deeper into the code I found out ton of security issues. we solved the security issues one by one. ( thankfully the site isn't released yet and only have beta testing users )

my question is that is it considered a security issue if I let the client ( browser ) make the supabase api call instead of routing those requests through the backend ( vercel ) even when I have made policies that prevents unauthorized users from submitting INSERT queries however I am still not sure if this is enough.

one thing that comes in my mind is that any authorized user can just spam the database and fill it with junk data but I think I can just ban that user and delete all the junk data relatively easily using a SQL query?

the thing is that I don't want to refactor AI code and make it "use server" instead of "use client". since I have to make a ton of changes and I am still learning Nextjs. ( thinking about using AI to fix AI code but I don't think it will work and don't want more AI slop in the codebase )

any suggestions are appreciated!

you are viewing a single comment's thread
view the rest of the comments

[–] kibiz0r@midwest.social 3 points 2 days ago* (last edited 2 days ago)

As always: it depends

My first concern with exposing a DB to an authenticated client is incomplete state transitions. Often, a user interaction requires updating multiple DB entities in order to complete properly. Clients can die at any point, but servers should (hopefully) stay alive through one entire request and ensure that the DB goes from one complete valid state to the next.

My second would be: just because you verify that the user is allowed to modify a given record doesn’t mean that all possible DB-level modifications are valid at an application level. That’s where resource-level security is insufficient. Security gaps often consist of having legitimate access to a resource but performing unexpected actions against it.

I don’t know anything about supabase specifically, so I can’t guide you there. But those are the big two security (and data integrity) concerns I’d never stop worrying about in a direct-to-DB scenario.