From 71193831396d852ca2f4907bbaffa5b4717b9d46 Mon Sep 17 00:00:00 2001 From: DanielS Date: Tue, 14 Jul 2026 17:35:12 +0200 Subject: [PATCH] fix(security): harden licserver config access controls - Add auth guard to getLicServerConfig() - unauthenticated callers now receive null config instead of DB values - Remove non-existent 'superadmin' role from saveLicServerConfig() check (only 'admin' exists per project schema) - New migration: restrict settings table WRITE to admins only (previously any authenticated user could overwrite licserver_api_key) --- shop/lib/actions/licserver-config.ts | 12 ++++++--- ...0100_fix_settings_rls_admin_only_write.sql | 26 +++++++++++++++++++ 2 files changed, 35 insertions(+), 3 deletions(-) create mode 100644 shop/supabase/migrations/20260714000100_fix_settings_rls_admin_only_write.sql diff --git a/shop/lib/actions/licserver-config.ts b/shop/lib/actions/licserver-config.ts index 22722b2..a5a09db 100644 --- a/shop/lib/actions/licserver-config.ts +++ b/shop/lib/actions/licserver-config.ts @@ -8,12 +8,17 @@ export interface LicServerConfig { } /** - * Read LicServer config from the settings table (admin only). + * Read LicServer config from the settings table. * Falls back to environment variables if DB values are empty. + * Returns null config for unauthenticated callers. */ export async function getLicServerConfig(): Promise { const supabase = await createClient() + // Auth guard — never expose config to unauthenticated callers + const { data: { user } } = await supabase.auth.getUser() + if (!user) return { base_url: null, api_key: null } + const { data } = await supabase .from('settings') .select('licserver_base_url, licserver_api_key') @@ -45,8 +50,9 @@ export async function saveLicServerConfig( .eq('id', user.id) .single() - if (!userData || !['admin', 'superadmin'].includes(userData.role)) { - return { success: false, error: 'Keine Berechtigung' } + // Only 'admin' exists in schema — 'superadmin' removed + if (!userData || userData.role !== 'admin') { + return { success: false, error: 'Keine Berechtigung (nur Admins)' } } const { error } = await supabase diff --git a/shop/supabase/migrations/20260714000100_fix_settings_rls_admin_only_write.sql b/shop/supabase/migrations/20260714000100_fix_settings_rls_admin_only_write.sql new file mode 100644 index 0000000..c56ca00 --- /dev/null +++ b/shop/supabase/migrations/20260714000100_fix_settings_rls_admin_only_write.sql @@ -0,0 +1,26 @@ +-- Migration: Restrict settings table write access to admins only +-- Previously any authenticated user could write to settings (including licserver_api_key). +-- This fixes the RLS policy to only allow admins to write. + +DROP POLICY IF EXISTS "Allow authenticated write on settings" ON public.settings; + +-- Admins can write all settings +CREATE POLICY "Only admins can write settings" ON public.settings + FOR ALL + USING ( + EXISTS ( + SELECT 1 FROM public.users + WHERE id = auth.uid() AND role = 'admin' + ) + ) + WITH CHECK ( + EXISTS ( + SELECT 1 FROM public.users + WHERE id = auth.uid() AND role = 'admin' + ) + ); + +-- All authenticated users can still READ settings (needed for proxy routes to load licserver config) +-- The READ policy remains: "Allow authenticated read on settings" + +NOTIFY pgrst, 'reload schema';