fix(security): harden licserver config access controls
All checks were successful
Staging Build / build (push) Successful in 2m50s
All checks were successful
Staging Build / build (push) Successful in 2m50s
- Add auth guard to getLicServerConfig() - unauthenticated callers now receive null config instead of DB values - Remove non-existent 'superadmin' role from saveLicServerConfig() check (only 'admin' exists per project schema) - New migration: restrict settings table WRITE to admins only (previously any authenticated user could overwrite licserver_api_key)
This commit is contained in:
@@ -8,12 +8,17 @@ export interface LicServerConfig {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Read LicServer config from the settings table (admin only).
|
* Read LicServer config from the settings table.
|
||||||
* Falls back to environment variables if DB values are empty.
|
* Falls back to environment variables if DB values are empty.
|
||||||
|
* Returns null config for unauthenticated callers.
|
||||||
*/
|
*/
|
||||||
export async function getLicServerConfig(): Promise<LicServerConfig> {
|
export async function getLicServerConfig(): Promise<LicServerConfig> {
|
||||||
const supabase = await createClient()
|
const supabase = await createClient()
|
||||||
|
|
||||||
|
// Auth guard — never expose config to unauthenticated callers
|
||||||
|
const { data: { user } } = await supabase.auth.getUser()
|
||||||
|
if (!user) return { base_url: null, api_key: null }
|
||||||
|
|
||||||
const { data } = await supabase
|
const { data } = await supabase
|
||||||
.from('settings')
|
.from('settings')
|
||||||
.select('licserver_base_url, licserver_api_key')
|
.select('licserver_base_url, licserver_api_key')
|
||||||
@@ -45,8 +50,9 @@ export async function saveLicServerConfig(
|
|||||||
.eq('id', user.id)
|
.eq('id', user.id)
|
||||||
.single()
|
.single()
|
||||||
|
|
||||||
if (!userData || !['admin', 'superadmin'].includes(userData.role)) {
|
// Only 'admin' exists in schema — 'superadmin' removed
|
||||||
return { success: false, error: 'Keine Berechtigung' }
|
if (!userData || userData.role !== 'admin') {
|
||||||
|
return { success: false, error: 'Keine Berechtigung (nur Admins)' }
|
||||||
}
|
}
|
||||||
|
|
||||||
const { error } = await supabase
|
const { error } = await supabase
|
||||||
|
|||||||
@@ -0,0 +1,26 @@
|
|||||||
|
-- Migration: Restrict settings table write access to admins only
|
||||||
|
-- Previously any authenticated user could write to settings (including licserver_api_key).
|
||||||
|
-- This fixes the RLS policy to only allow admins to write.
|
||||||
|
|
||||||
|
DROP POLICY IF EXISTS "Allow authenticated write on settings" ON public.settings;
|
||||||
|
|
||||||
|
-- Admins can write all settings
|
||||||
|
CREATE POLICY "Only admins can write settings" ON public.settings
|
||||||
|
FOR ALL
|
||||||
|
USING (
|
||||||
|
EXISTS (
|
||||||
|
SELECT 1 FROM public.users
|
||||||
|
WHERE id = auth.uid() AND role = 'admin'
|
||||||
|
)
|
||||||
|
)
|
||||||
|
WITH CHECK (
|
||||||
|
EXISTS (
|
||||||
|
SELECT 1 FROM public.users
|
||||||
|
WHERE id = auth.uid() AND role = 'admin'
|
||||||
|
)
|
||||||
|
);
|
||||||
|
|
||||||
|
-- All authenticated users can still READ settings (needed for proxy routes to load licserver config)
|
||||||
|
-- The READ policy remains: "Allow authenticated read on settings"
|
||||||
|
|
||||||
|
NOTIFY pgrst, 'reload schema';
|
||||||
Reference in New Issue
Block a user