tighten supabase read access

Author: dnywh

src/app/actions.ts

@@ -633,8 +633,11 @@ export const deleteListingAction = async (
   const {
     data: { user },
   } = await supabase.auth.getUser();
+  const {
+    data: { session },
+  } = await supabase.auth.getSession();
 
-  if (!user) {
+  if (!user || !session?.access_token) {
     return redirect("/sign-in");
   }
   // Then continue with the delete listing
@@ -644,10 +647,11 @@ export const deleteListingAction = async (
       {
         method: "POST",
         headers: {
-          Authorization: `Bearer ${process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY}`,
+          apikey: process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
+          Authorization: `Bearer ${session.access_token}`,
           "Content-Type": "application/json",
         },
-        body: JSON.stringify({ slug }), // Send the slug in the request body
+        body: JSON.stringify({ slug }),
       }
     );
 
@@ -689,8 +693,11 @@ export const deleteAccountAction = async () => {
   const {
     data: { user },
   } = await supabase.auth.getUser();
+  const {
+    data: { session },
+  } = await supabase.auth.getSession();
 
-  if (!user) {
+  if (!user || !session?.access_token) {
     return redirect("/sign-in");
   }
 
@@ -700,25 +707,24 @@ export const deleteAccountAction = async () => {
       {
         method: "POST",
         headers: {
-          Authorization: `Bearer ${process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY}`,
+          apikey: process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
+          Authorization: `Bearer ${session.access_token}`,
           "Content-Type": "application/json",
         },
-        body: JSON.stringify({ user_id: user.id }),
       }
     );
 
     console.log("Response status:", response.status);
     console.log("Response ok:", response.ok);
 
-    // const data = await response.json();
-    // console.log("Response data:", data);
-
-    redirectPath = `/sign-in?success=${encodeURIComponent(t("accountDeleted"))}`;
+    const data = await response.json();
 
-    // if (!response.ok) {
-    //   console.error("Delete account failed:", data);
-    //   redirectPath = `/profile?error=Failed to delete account`
-    // }
+    if (!response.ok) {
+      console.error("Delete account failed:", data);
+      redirectPath = `/profile?error=${encodeURIComponent(t("deleteAccountFailed"))}`;
+    } else {
+      redirectPath = `/sign-in?success=${encodeURIComponent(t("accountDeleted"))}`;
+    }
   } catch (error) {
     console.error("Delete account error:", error);
     redirectPath = `/profile?error=${encodeURIComponent(t("deleteAccountFailed"))}`;

supabase/functions/_shared/storage-utils.ts

@@ -21,15 +21,15 @@ export async function deleteListingMedia(
   supabase: SupabaseClient,
   slug: string
 ) {
-  // Get listing media info
+  // Service-role callers use this after authorising the requested listing operation.
   const { data: listing, error: fetchError } = await supabase
-    // We can access the "listings" table here directly as we have a policy set allowing owners access to their full listings
     .from("listings")
     .select("avatar, photos")
     .eq("slug", slug)
-    .single();
+    .maybeSingle();
 
   if (fetchError) throw fetchError;
+  if (!listing) return;
 
   const deletePromises = [];
 

supabase/functions/delete-account/index.ts

@@ -2,6 +2,19 @@ import { serve } from "https://deno.land/std@0.168.0/http/server.ts";
 import { createClient } from "https://esm.sh/@supabase/supabase-js@2";
 import { deleteListingMedia } from "../_shared/storage-utils.ts";
 
+function jsonResponse(body: Record<string, unknown>, status: number) {
+  return new Response(JSON.stringify(body), {
+    headers: {
+      "Content-Type": "application/json",
+    },
+    status,
+  });
+}
+
+function getErrorMessage(error: unknown) {
+  return error instanceof Error ? error.message : "Unexpected error";
+}
+
 serve(async (req) => {
   const supabaseAdmin = createClient(
     Deno.env.get("SUPABASE_URL") ?? "",
@@ -13,14 +26,34 @@ serve(async (req) => {
       },
     }
   );
-  const { user_id } = await req.json();
+
   try {
+    if (req.method !== "POST") {
+      return jsonResponse({ error: "Method not allowed" }, 405);
+    }
+
+    const authHeader = req.headers.get("Authorization");
+    const accessToken = authHeader?.replace("Bearer ", "");
+
+    if (!accessToken) {
+      return jsonResponse({ error: "Missing access token" }, 401);
+    }
+
+    const {
+      data: { user },
+      error: userError,
+    } = await supabaseAdmin.auth.getUser(accessToken);
+
+    if (userError || !user) {
+      return jsonResponse({ error: "Invalid access token" }, 401);
+    }
+
     // Get the user's profile to find avatar
     const { data: profile, error: profileError } = await supabaseAdmin
       .from("profiles")
       .select("avatar")
-      .eq("id", user_id)
-      .single();
+      .eq("id", user.id)
+      .maybeSingle();
     if (profileError) {
       console.error("Profile fetch error:", profileError);
       throw profileError;
@@ -40,7 +73,7 @@ serve(async (req) => {
     const { data: listings, error: listingsError } = await supabaseAdmin
       .from("listings")
       .select("slug")
-      .eq("owner_id", user_id);
+      .eq("owner_id", user.id);
     if (listingsError) {
       console.error("Listings fetch error:", listingsError);
       throw listingsError;
@@ -59,35 +92,15 @@ serve(async (req) => {
     }
     // Delete auth user (cascade will handle the rest)
     const { error: deleteUserError } =
-      await supabaseAdmin.auth.admin.deleteUser(user_id);
+      await supabaseAdmin.auth.admin.deleteUser(user.id);
     if (deleteUserError) {
       console.error("Auth user deletion error:", deleteUserError);
       throw deleteUserError;
     }
     console.log("Deleted auth user");
-    return new Response(
-      JSON.stringify({
-        success: true,
-      }),
-      {
-        headers: {
-          "Content-Type": "application/json",
-        },
-        status: 200,
-      }
-    );
+    return jsonResponse({ success: true }, 200);
   } catch (error) {
     console.error("Final error:", error);
-    return new Response(
-      JSON.stringify({
-        error: error.message,
-      }),
-      {
-        headers: {
-          "Content-Type": "application/json",
-        },
-        status: 400,
-      }
-    );
+    return jsonResponse({ error: getErrorMessage(error) }, 400);
   }
 });

supabase/functions/delete-listing/index.ts

@@ -2,6 +2,17 @@ import { serve } from "https://deno.land/std@0.168.0/http/server.ts";
 import { createClient } from "https://esm.sh/@supabase/supabase-js@2";
 import { deleteListingMedia } from "../_shared/storage-utils.ts";
 
+function jsonResponse(body: Record<string, unknown>, status: number) {
+  return new Response(JSON.stringify(body), {
+    headers: { "Content-Type": "application/json" },
+    status,
+  });
+}
+
+function getErrorMessage(error: unknown) {
+  return error instanceof Error ? error.message : "Unexpected error";
+}
+
 serve(async (req) => {
   const supabaseAdmin = createClient(
     Deno.env.get("SUPABASE_URL") ?? "",
@@ -13,30 +24,60 @@ serve(async (req) => {
       },
     }
   );
-  const { slug } = await req.json();
 
   try {
+    if (req.method !== "POST") {
+      return jsonResponse({ error: "Method not allowed" }, 405);
+    }
+
+    const { slug } = await req.json();
+
+    if (!slug || typeof slug !== "string") {
+      return jsonResponse({ error: "Missing listing slug" }, 400);
+    }
+
+    const authHeader = req.headers.get("Authorization");
+    const accessToken = authHeader?.replace("Bearer ", "");
+
+    if (!accessToken) {
+      return jsonResponse({ error: "Missing access token" }, 401);
+    }
+
+    const {
+      data: { user },
+      error: userError,
+    } = await supabaseAdmin.auth.getUser(accessToken);
+
+    if (userError || !user) {
+      return jsonResponse({ error: "Invalid access token" }, 401);
+    }
+
+    const { data: listing, error: listingError } = await supabaseAdmin
+      .from("listings")
+      .select("owner_id")
+      .eq("slug", slug)
+      .maybeSingle();
+
+    if (listingError) throw listingError;
+
+    if (!listing || listing.owner_id !== user.id) {
+      return jsonResponse({ error: "Listing not found" }, 404);
+    }
+
     // Delete all media first
     await deleteListingMedia(supabaseAdmin, slug);
 
     // Delete the listing
     const { error: deleteError } = await supabaseAdmin
-      // We can access the "listings" table directly here as we're doing an operation through supabaseAdmin
       .from("listings")
       .delete()
       .eq("slug", slug);
 
     if (deleteError) throw deleteError;
 
-    return new Response(JSON.stringify({ success: true }), {
-      headers: { "Content-Type": "application/json" },
-      status: 200,
-    });
+    return jsonResponse({ success: true }, 200);
   } catch (error) {
     console.error("Final error:", error);
-    return new Response(JSON.stringify({ error: error.message }), {
-      headers: { "Content-Type": "application/json" },
-      status: 400,
-    });
+    return jsonResponse({ error: getErrorMessage(error) }, 400);
   }
 });