Restrict audit_logs to authenticated users

[riderx]

Summary (AI generated)

• Restrict audit_logs access to authenticated users only
• Replace the audit_logs RLS policy to use auth.uid-based super_admin checks

Motivation (AI generated)

• Audit logs are not meant to be accessible via API keys or anon requests

Business Impact (AI generated)

• Reduces unauthenticated DoS risk and tightens access to audit logs

Test plan (AI generated)

• bun lint:backend

Screenshots

• N/A

Checklist

• My code follows the code style of this project and passes
  .
• My change requires a change to the documentation.
• I have updated the documentation
  accordingly.
• My change has adequate E2E test coverage.
• I have tested my code manually, and I have provided steps how to reproduce
  my tests

Generated with AI

Summary by CodeRabbit

• Chores

  • Restricted audit log access to authenticated super-admin users only.

• Bug Fixes

  • Removed anonymous access paths to audit logs to ensure policy evaluation occurs for authenticated requests.

• Tests

  • Strengthened tests to reset auth between API-key and user contexts and verify correct audit attribution.

• New Features

  • Added a reusable test helper to obtain cached authenticated request headers.

• Refactor

  • Audit endpoints and functions now operate using JWT-based authenticated user context.

[coderabbitai]

Warning

Rate limit exceeded

@riderx has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 11 minutes and 34 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📝 Walkthrough

Walkthrough

Replaces API-key based access with JWT-authenticated access for audit logs: DB RLS now requires authenticated super_admin via public.check_min_rights; backend audit routes use middlewareAuth and supabaseWithAuth; tests and test-utils obtain and use real auth headers and reset auth between API-key and user contexts.

Changes

Cohort / File(s)	Summary
RLS Security supabase/migrations/20260203160000_optimize_audit_logs_rls.sql	Revokes anon access for audit_logs and its sequence, drops the old permissive policy, and adds a new SELECT policy that requires auth.uid() + public.check_min_rights(..., 'super_admin').
Backend: audit auth flow supabase/functions/_backend/public/organization/audit.ts, supabase/functions/_backend/public/organization/index.ts	Removes apikey parameter and apikey-based checks; switches route middleware to middlewareAuth, uses c.get('auth') + supabaseWithAuth and RPC check_min_rights for super_admin authorization; getAuditLogs signature no longer accepts apikey.
Tests: auth header management supabase/tests/40_test_audit_log_apikey.sql, tests/audit-logs.test.ts, tests/test-utils.ts	Adds getAuthHeaders() to obtain JWT bearer headers, caches headers, resets authentication between API-key and user contexts (calls to tests.clear_authentication() and set_config('request.headers', null, true)), and replaces static header usage with dynamic authHeaders/apiKeyHeaders in tests.

Sequence Diagram(s)

mermaid
sequenceDiagram
participant Client as Client/Test
participant Auth as Auth Service
participant Edge as Edge Function (middlewareAuth)
participant DB as Supabase (RPC / RLS / DB)
Client->>Auth: sign-in (email/password) => JWT
Client->>Edge: request with Authorization: Bearer
Edge->>Edge: middlewareAuth validates token, sets c.get('auth')
Edge->>DB: supabaseWithAuth(c, auth) -> RPC check_min_rights(super_admin) then SELECT audit_logs
DB->>DB: RLS policy evaluates using auth.uid() and check_min_rights
DB-->>Edge: audit_rows
Edge-->>Client: response with audit_rows

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• perf(auth): switch to claim-based user lookups #1498: Moves backend auth flow from API-key to JWT/claim-based middleware — closely related to middlewareAuth adoption here.
• fix: delta updload #1249: Changes around API-key vs DB-based min-rights checks and middlewareKey behavior; overlaps with authorization checks updated in this change.
• feat: 2FA enforcement - database #1300: Modifies check_min_rights behavior (e.g., 2FA enforcement); directly relevant because this PR invokes public.check_min_rights(...) in RLS/backend.

Poem

🐇 I hopped through headers, token snug in my fur,

Swapped anon crumbs for a JWT burr,
Super admins guard the log-hen house tight,
Tests reset their hats between API and night,
I nibble secure carrots and wink with delight.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Restrict audit_logs to authenticated users' clearly and concisely describes the main change in the pull request, which is to restrict access to audit logs to authenticated users only.
Description check	✅ Passed	The description includes a summary, motivation, business impact, and test plan, matching the template structure. However, the checklist items are incomplete (all unchecked) and manual testing steps are not provided despite being required.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch riderx/audit-logs-rls

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b18befa158

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Preserve API-key access for audit logs

Revoking anon and limiting the SELECT policy to authenticated makes all API-key requests to audit_logs fail, because supabaseApikey(...) creates a client with the anon key and relies on RLS to authorize via capgkey (see supabase/functions/_backend/public/organization/audit.ts using supabaseApikey(...).from('audit_logs')). With this change, auth.uid() is null for those calls, so org audit endpoints that are currently API-key authenticated will start returning permission errors. If the intent is to keep API-key access, the policy needs to include anon (or a separate policy for capgkey-based access); otherwise, the backend endpoint must be updated to use authenticated/service-role access instead.

Useful? React with 👍 / 👎.

[Copilot]

Pull request overview

This pull request attempts to optimize audit_logs Row Level Security (RLS) by restricting access to authenticated users only. However, the changes introduce critical breaking changes to the existing API.

Changes:

• Revokes all anon role access to audit_logs table and its sequence
• Replaces the existing RLS policy with one that only allows authenticated role access using auth.uid()-based super_admin checks
• Removes support for API key-based audit log access

[Copilot]

This change breaks API key access to audit logs. The endpoint /organization/audit uses supabaseApikey() which creates a Supabase client with the anon role (see supabase/functions/_backend/utils/supabase.ts:93). The old policy allowed anon role access via get_identity_org_allowed(), but revoking ALL permissions from anon means API keys can no longer query audit logs. The new policy restricts access to the authenticated role only, which API keys don't use.

This will cause all audit log tests in tests/audit-logs.test.ts to fail, as they use API key authentication (Authorization header with APIKEY_TEST_ALL). Additionally, this breaks the documented API functionality for customers using API keys to retrieve audit logs via the /organization/audit endpoint.

[Copilot]

The new policy uses a subquery with auth.uid() to call check_min_rights. However, this pattern is inconsistent with the existing audit_logs policy (see supabase/migrations/20251226125240_audit_log.sql:177-191) which used get_identity_org_allowed() to support both authenticated users AND API keys.

If the intent is to restrict to authenticated users only (excluding API keys), the correct approach would be:

1. Keep the anon role grant if API keys should have access, OR
2. Update the backend endpoint to use JWT authentication instead of API keys for audit logs

The PR description states "audit logs are not meant to be accessible via API keys", but this contradicts the existing implementation which explicitly supports API keys via the /organization/audit endpoint with the middlewareKey middleware.

Suggested change

	-- Restrict audit_logs access to authenticated users only and fail fast for anon
	-- to avoid expensive RLS evaluation on unauthenticated requests.
	REVOKE ALL ON TABLE "public"."audit_logs" FROM "anon";
	REVOKE ALL ON SEQUENCE "public"."audit_logs_id_seq" FROM "anon";
	DROP POLICY IF EXISTS "Allow select for auth, api keys (super_admin+)" ON "public"."audit_logs";
	DROP POLICY IF EXISTS "Allow select for auth (super_admin+)" ON "public"."audit_logs";
	CREATE POLICY "Allow select for auth (super_admin+)" ON "public"."audit_logs"
	FOR SELECT TO "authenticated"
	USING (
	(SELECT public.check_min_rights(
	'super_admin'::public.user_min_right,
	auth_check.uid,
	org_id,
	NULL::character varying,
	NULL::bigint
	)
	FROM (SELECT auth.uid() AS uid) AS auth_check)
	-- Optimize audit_logs RLS while preserving access for both authenticated users
	-- and API keys (anon role), relying on get_identity_org_allowed() to resolve
	-- the caller identity in a unified way.
	-- NOTE: Do not revoke anon privileges here; existing grants are required so
	-- API-key-based access (middlewareKey) can still reach the table and rely
	-- on RLS for authorization.
	DROP POLICY IF EXISTS "Allow select for auth, api keys (super_admin+)" ON "public"."audit_logs";
	DROP POLICY IF EXISTS "Allow select for auth (super_admin+)" ON "public"."audit_logs";
	CREATE POLICY "Allow select for auth, api keys (super_admin+)" ON "public"."audit_logs"
	FOR SELECT TO "authenticated", "anon"
	USING (
	public.check_min_rights(
	'super_admin'::public.user_min_right,
	public.get_identity_org_allowed(org_id),
	org_id,
	NULL::character varying,
	NULL::bigint
	)

[Copilot]

The policy drops both the old policies but only creates one new policy. The migration drops two policies:

1. "Allow select for auth, api keys (super_admin+)" (the original broad policy)
2. "Allow select for auth (super_admin+)" (possibly added in a later migration)

However, searching through migrations shows that only the first policy "Allow select for auth, api keys (super_admin+)" was created in 20251226125240_audit_log.sql. The second policy name doesn't exist in any prior migrations. This DROP statement for a non-existent policy is harmless (due to IF EXISTS) but indicates unclear understanding of the current state.

Suggested change

DROP POLICY IF EXISTS "Allow select for auth (super_admin+)" ON "public"."audit_logs";

[Copilot]

The migration lacks test coverage updates. The existing tests in tests/audit-logs.test.ts use API key authentication and will fail after this migration. No corresponding changes to the test file or backend endpoint are included in this PR to accommodate the new authentication requirement. The PR test plan only mentions "bun lint:backend", which doesn't catch this runtime breaking change.

[coderabbitai]

Actionable comments posted: 4

🤖 Fix all issues with AI agents

In `@supabase/functions/_backend/public/organization/audit.ts`:
- Around line 40-42: The code calls hasOrgRight(c, body.orgId, auth.userId,
'super_admin') which uses the admin SDK and bypasses RLS; replace this with a
rights check using an auth-scoped client so RLS applies (e.g., call the RPC or
permission check via supabaseWithAuth(c, auth).rpc(...) or equivalent
auth-scoped method), passing body.orgId and the required role ('super_admin')
and throw the same simpleError if the RPC result denies access; update the logic
around hasOrgRight, auth, and c to use supabaseWithAuth instead of the admin
client.
- Around line 28-38: The getAuditLogs guard currently only checks auth.userId;
require the request to be authenticated via JWT by checking
c.get('auth')?.authType === 'jwt' in addition to auth.userId (i.e., ensure auth
exists, auth.userId is present, and auth.authType === 'jwt'); if that check
fails, throw the same simpleError('not_authorized', 'Not authorized') to prevent
apikey-based access (refer to the auth variable retrieved in getAuditLogs and
enforce auth.authType === 'jwt' before proceeding or calling supabaseWithAuth).

In `@tests/audit-logs.test.ts`:
- Line 5: Tests for bundle create/update/delete are currently passing JWT auth
(authHeaders) and should exercise API-key auth; update those test cases that
call the /bundle endpoints to use API-key headers instead of getAuthHeaders()
while keeping JWTs (getAuthHeaders()) for /organization/audit checks.
Concretely, in the tests that call fetchWithRetry('/bundle...') replace the auth
header argument (the variable that holds getAuthHeaders()) with the API-key
header variable (create or reuse the existing API-key header constant/source
from your test-utils or Supabase client), ensuring the /organization/audit calls
still use getAuthHeaders(); apply the same change to the other /bundle call
blocks referenced (around the other ranges).

In `@tests/test-utils.ts`:
- Around line 124-159: getAuthHeaders currently caches a rejected promise when
sign-in fails, preventing retries; wrap the async initialization inside a
try/catch so that on any thrown error you clear authHeadersPromise (and
cachedAuthHeaders) before re-throwing, and only set cachedAuthHeaders on
success; specifically update the inner async IIFE used to populate
authHeadersPromise in getAuthHeaders so failures reset authHeadersPromise =
undefined (and cachedAuthHeaders = undefined) to allow subsequent calls to
retry.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

supabase/tests/40_test_audit_log_apikey.sql (1)

141-188: ⚠️ Potential issue | 🟡 Minor

Avoid hardcoded API key triggering secret scanning.

Gitleaks flagged the literal key. If CI runs secret scanning, consider fetching the fixture key from a helper/seed reference or adding an allowlist annotation for this test-only value.

🤖 Fix all issues with AI agents

In `@tests/audit-logs.test.ts`:
- Line 5: The named imports in the test import statement are out of the
ESLint-expected order; reorder the named imports so apiKeyHeaders appears before
getSupabaseClient in the import list (e.g., place apiKeyHeaders just prior to
getSupabaseClient among BASE_URL, fetchWithRetry, getAuthHeaders, apiKeyHeaders,
getSupabaseClient, ORG_ID, TEST_EMAIL, USER_ID) to satisfy the lint rule without
changing any identifiers.

🧹 Nitpick comments (1)

tests/audit-logs.test.ts (1)

71-339: Consider it.concurrent() for parallel test execution.

This file can run faster and align with the parallel-test guideline by using it.concurrent() for the test cases.

🔁 Example change (apply to all tests in this file)

-  it('get audit logs for organization', async () => {
+  it.concurrent('get audit logs for organization', async () => {

As per coding guidelines: Design tests for parallel execution; use `it.concurrent()` instead of `it()` to run tests in parallel within the same file.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Fix named import order to satisfy ESLint.

The lint rule expects apiKeyHeaders before getSupabaseClient.

🧹 Proposed fix

-import { BASE_URL, fetchWithRetry, getAuthHeaders, getSupabaseClient, headers as apiKeyHeaders, ORG_ID as SEED_ORG_ID, TEST_EMAIL, USER_ID } from './test-utils.ts'
+import { BASE_URL, fetchWithRetry, getAuthHeaders, headers as apiKeyHeaders, getSupabaseClient, ORG_ID as SEED_ORG_ID, TEST_EMAIL, USER_ID } from './test-utils.ts'

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	import { BASE_URL, fetchWithRetry, getAuthHeaders, getSupabaseClient, headers as apiKeyHeaders, ORG_ID as SEED_ORG_ID, TEST_EMAIL, USER_ID } from './test-utils.ts'
	import { BASE_URL, fetchWithRetry, getAuthHeaders, headers as apiKeyHeaders, getSupabaseClient, ORG_ID as SEED_ORG_ID, TEST_EMAIL, USER_ID } from './test-utils.ts'

🧰 Tools

🪛 ESLint

[error] 5-5: Expected "apiKeyHeaders" to come before "getSupabaseClient".

(perfectionist/sort-named-imports)

🤖 Prompt for AI Agents

In `@tests/audit-logs.test.ts` at line 5, The named imports in the test import
statement are out of the ESLint-expected order; reorder the named imports so
apiKeyHeaders appears before getSupabaseClient in the import list (e.g., place
apiKeyHeaders just prior to getSupabaseClient among BASE_URL, fetchWithRetry,
getAuthHeaders, apiKeyHeaders, getSupabaseClient, ORG_ID, TEST_EMAIL, USER_ID)
to satisfy the lint rule without changing any identifiers.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[riderx]

/tip $70 @Judel777 thank for finding it

[algora-pbc]

🎉🎈 @Judel777 has been awarded $70 by Capgo! 🎈🎊