fix: address CodeRabbit review — auth check in RPC, consistent UX

tomusdrw · claude · tomusdrw · commit 14bdb3732f28 · 2026-03-31T15:18:16.000+02:00
- Security: add auth.uid() validation to increment_usage RPC function
  to prevent users from incrementing other users' quotas
- UX: add "Please log in first" alert to useManageSubscription for
  consistency with useCheckout
- Update docs (Supabase.mdx) with the secured RPC function

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/demo/src/App.tsx b/demo/src/App.tsx
@@ -236,7 +236,10 @@ function useManageSubscription() {
   const { session } = useSession();
 
   return async () => {
-    if (!session?.access_token) return;
+    if (!session?.access_token) {
+      alert("Please log in first");
+      return;
+    }
     try {
       const res = await fetch(`${SUPABASE_URL}/functions/v1/create-portal`, {
         method: "POST",
diff --git a/lib/supabase/Supabase.mdx b/lib/supabase/Supabase.mdx
@@ -90,6 +90,11 @@ create or replace function increment_usage(
 declare
   new_count int;
 begin
+  -- Ensure caller can only increment their own usage
+  if p_user_id != auth.uid() then
+    raise exception 'Access denied: cannot modify another user''s usage';
+  end if;
+
   insert into usage (user_id, app_id, action, period, count)
   values (p_user_id, p_app_id, p_action, p_period, 1)
   on conflict (user_id, app_id, action, period)
diff --git a/supabase/migrations/20260331000000_init.sql b/supabase/migrations/20260331000000_init.sql
@@ -60,6 +60,11 @@ create or replace function increment_usage(
 declare
   new_count int;
 begin
+  -- Ensure caller can only increment their own usage
+  if p_user_id != auth.uid() then
+    raise exception 'Access denied: cannot modify another user''s usage';
+  end if;
+
   insert into usage (user_id, app_id, action, period, count)
   values (p_user_id, p_app_id, p_action, p_period, 1)
   on conflict (user_id, app_id, action, period)
diff --git a/supabase/migrations/20260331000001_fix_increment_usage_auth.sql b/supabase/migrations/20260331000001_fix_increment_usage_auth.sql
@@ -0,0 +1,24 @@
+-- Fix: validate caller identity in increment_usage to prevent
+-- one user from incrementing another user's quota.
+create or replace function increment_usage(
+  p_user_id uuid,
+  p_app_id text,
+  p_action text,
+  p_period text
+) returns int as $$
+declare
+  new_count int;
+begin
+  -- Ensure caller can only increment their own usage
+  if p_user_id != auth.uid() then
+    raise exception 'Access denied: cannot modify another user''s usage';
+  end if;
+
+  insert into usage (user_id, app_id, action, period, count)
+  values (p_user_id, p_app_id, p_action, p_period, 1)
+  on conflict (user_id, app_id, action, period)
+  do update set count = usage.count + 1
+  returning count into new_count;
+  return new_count;
+end;
+$$ language plpgsql security definer;
