Description
Similar to #24 (phone_numbers), the GET /api/providers and POST /api/providers endpoints use createServiceClient() (the service-role client) instead of the user's authenticated Supabase client.
src/app/api/providers/route.ts (GET):

```ts
const serviceClient = createServiceClient();
const { data, error } = await serviceClient
  .from("providers")
  .select("*")
  .eq("user_id", user.id)
```
And for POST:

```ts
const serviceClient = createServiceClient();
const { data, error } = await serviceClient
  .from("providers")
  .insert({ user_id: user.id, ... })
```
Both manually filter by user_id, but the service-role client bypasses Row Level Security (RLS), so that one application-level filter is the only thing keeping one user's rows from another.
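To show why a manual `.eq("user_id", …)` on a service-role client is not equivalent to RLS, here is an added example (not code from this repository or from supabase-js). It uses a small in-memory stand-in for the Supabase query builder, with a policy equivalent to `USING (user_id = auth.uid()) WITH CHECK (user_id = auth.uid())`, and stand-ins for the two factory names from the issue; the `providers` rows, the `createServerSupabaseClient(session)` signature, the synchronous `execute()` call and the `.eq()`/`.insert()` return shapes are all constructed for the example. The service-role path and the user-scoped path run the same handler logic; they differ only when the filter value is wrong, which is exactly the case RLS is there to catch.

```typescript
// Stand-in for a providers row and for the caller's identity.
// auth === null models the service role, which bypasses RLS entirely.
type Row = { id: number; user_id: string; name: string };
type Auth = { uid: string } | null;

// Constructed sample table: rows belonging to two different users.
const providersTable: Row[] = [
  { id: 1, user_id: "user-a", name: "Acme Clinic" },
  { id: 2, user_id: "user-b", name: "Beta Dental" },
  { id: 3, user_id: "user-a", name: "Gamma Labs" },
];

// Equivalent of: CREATE POLICY ... USING (user_id = auth.uid()) WITH CHECK (user_id = auth.uid())
function rlsAllows(auth: Auth, row: Row): boolean {
  return auth === null || row.user_id === auth.uid;
}

// Minimal chainable query builder modelled on from().select().eq() (synchronous here for simplicity).
class SelectBuilder {
  private filters: Array<(r: Row) => boolean> = [];
  constructor(private rows: Row[], private auth: Auth) {}
  eq(col: keyof Row, value: unknown): this {
    this.filters.push((r) => r[col] === value);
    return this;
  }
  // RLS is applied by the "database" no matter what the caller filtered on.
  execute(): { data: Row[]; error: null } {
    const data = this.rows.filter((r) => rlsAllows(this.auth, r) && this.filters.every((f) => f(r)));
    return { data, error: null };
  }
}

class Table {
  constructor(private rows: Row[], private auth: Auth) {}
  select(_cols: string): SelectBuilder {
    return new SelectBuilder(this.rows, this.auth);
  }
  insert(values: Omit<Row, "id">): { data: Row | null; error: string | null } {
    const row: Row = { id: this.rows.length + 1, ...values };
    if (!rlsAllows(this.auth, row)) {
      return { data: null, error: "new row violates row-level security policy" };
    }
    this.rows.push(row);
    return { data: row, error: null };
  }
}

class FakeSupabase {
  constructor(private auth: Auth) {}
  from(_name: "providers"): Table {
    return new Table(providersTable, this.auth);
  }
}

// Stand-ins for the two factories named in the issue (hypothetical signatures).
function createServiceClient(): FakeSupabase {
  return new FakeSupabase(null);
}
function createServerSupabaseClient(session: { uid: string }): FakeSupabase {
  return new FakeSupabase(session);
}

// "Before": service role plus a manual filter. Correct only while every call site
// passes the session user's id; any other value returns other users' rows.
function getProvidersServiceRole(filterUserId: string): Row[] {
  return createServiceClient().from("providers").select("*").eq("user_id", filterUserId).execute().data;
}

// "After": the user's own client. Same filter, but the policy limits the result
// to the session user's rows even if the filter value is wrong.
function getProvidersUserScoped(sessionUid: string, filterUserId: string): Row[] {
  return createServerSupabaseClient({ uid: sessionUid })
    .from("providers").select("*").eq("user_id", filterUserId).execute().data;
}

// POST variants: the service role accepts any user_id; the user client enforces WITH CHECK.
function postProviderServiceRole(userId: string, name: string): boolean {
  return createServiceClient().from("providers").insert({ user_id: userId, name }).error === null;
}
function postProviderUserScoped(sessionUid: string, userId: string, name: string): boolean {
  return createServerSupabaseClient({ uid: sessionUid })
    .from("providers").insert({ user_id: userId, name }).error === null;
}

// Stand-alone run: a request by user-a whose filter value was (wrongly) taken from the request.
console.log("service role, wrong filter:", getProvidersServiceRole("user-b").map((r) => r.name));
console.log("user scoped, wrong filter :", getProvidersUserScoped("user-a", "user-b").map((r) => r.name));
```

With the correct filter both paths return the same two rows for user-a, which is why the bug is invisible in normal testing; the difference only appears when the filter is missing or wrong, and the user-scoped client is the one that still returns nothing the caller is not entitled to see.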
Fix
Use createServerSupabaseClient() consistently across all API routes, so that the RLS policies on providers apply to every read and insert rather than relying on the user_id filter alone.
Severity
🟢 Low