Skip to content

Improve signup validation and fix request_comment RLS policy #331

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
mhsnook wants to merge 1 commit into
base: next
Choose a base branch
from
Open

Improve signup validation and fix request_comment RLS policy #331

mhsnook wants to merge 1 commit into from
+17 −7

Conversation

@mhsnook
Copy link
Owner

@mhsnook mhsnook commented Jan 23, 2026

Summary

This PR improves type safety in the signup route validation and fixes a security issue in the request_comment table's Row Level Security (RLS) policy.

Key Changes

  • Signup validation: Replaced manual type definition with Zod schema validation for the referrer search parameter

    • Introduces SearchSchema using Zod for runtime validation of UUID format
    • Removes direct dependency on the uuid type import
    • Uses safeParse for safer validation with fallback to empty object on failure

  • Database security: Fixed request_comment UPDATE RLS policy

    • Added missing WITH CHECK clause to the "Users can update own comments" policy
    • Prevents users from modifying the uid field during updates while maintaining read access control
    • Ensures both the USING and WITH CHECK conditions match for proper security enforcement

Implementation Details

The signup validation now uses Zod's built-in UUID validation (z.string().uuid()) instead of relying on a custom type, providing better runtime safety and clearer intent. The optional referrer parameter is properly validated before being passed to the component.

The RLS policy fix ensures that authenticated users can only update their own comments and cannot escalate privileges by changing the uid field to another user's ID.

@claude
Fix security vulnerabilities in signup and RLS policy
d7981c4 
- Add Zod UUID validation for signup referrer parameter to prevent
  open redirect attacks (was only type-cast, not validated at runtime)
- Add WITH CHECK clause to request_comment UPDATE RLS policy to prevent
  potential uid field modification during updates

https://claude.ai/code/session_014CaZaFxxsPGPuygRGo88c4
@vercel
Copy link

vercel bot commented Jan 23, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Review Updated (UTC)
sunlo-tanstack Ready Ready Preview, Comment Jan 23, 2026 6:38am

@supabase
Copy link

supabase bot commented Jan 23, 2026
edited
Loading

Updates to Preview Branch (claude/unable-to-assist-8CqAb) ↗︎

Deployments Status Updated
Database Fri, 23 Jan 2026 06:39:03 UTC
Services Fri, 23 Jan 2026 06:39:03 UTC
APIs Fri, 23 Jan 2026 06:39:03 UTC

Tasks are run on every commit but only new migration files are pushed.
Close and reopen this PR if you want to apply changes from existing seed or migration files.

Tasks Status Updated
Configurations Fri, 23 Jan 2026 06:39:57 UTC
Migrations Fri, 23 Jan 2026 06:39:49 UTC
Seeding Fri, 23 Jan 2026 06:40:11 UTC
Edge Functions Fri, 23 Jan 2026 06:39:05 UTC

View logs for this Workflow Run ↗︎.
Learn more about Supabase for Git ↗︎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mhsnook @claude