Comment by _fat_santa
11 hours ago
It's kinda shocking that the same Supabase RLS security hole we saw so many times in past vibe coded apps is still in this one. I've never used Supabase but at this point I'm kinda curious what steps actually lead to this security hole.
In every project I've worked on, PG is only accessible via your backend and your backend is the one that's actually enforcing the security policies. When I first heard about the Superbase RLS issue the voice inside of my head was screaming: "if RLS is the only thing stopping people from reading everything in your DB then you have much much bigger problems"
Supabase is aware of this and they actually put big banners stating this flaw when you unlock your authentication.
What I think it happens is that non-technical people vibe-coding apps either don't take those messages seriously or they don't understand what it means but made their app work.
I used to be careful, but now I am paranoid on signing up to apps that are new. I guess it's gonna be like this for a while. Info-sec AIs sound way worse than this, tbh.
My thought exactly. Is this standard practice with using Supabase to simply expose the production database endpoint to the world with only RLS to protect you?
Just started vibing and have integrated codex into my side project which uses Supabase. I turned off RLS so that could iterate quickly and not have to mess with security policies. Fully understand that this isn't production grade and have every intention of locking it down when I feel the time is right. I access it from a ReactNative app - no server in the middle. Codex does not have access to my Supabase instance.
RLS doesn’t slow you down. It actually speeds things up because you are forced to design things properly. It’s like type checking.
That makes sense and appreciate the response. Definitely a topic I need to invest more time with if that is the case.