-
Notifications
You must be signed in to change notification settings - Fork 384
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: revert changes to auth functions #1633
Conversation
Pull Request Test Coverage Report for Build 9647790488Details
💛 - Coveralls |
Pull Request Test Coverage Report for Build 9647826417Details
💛 - Coveralls |
Pull Request Test Coverage Report for Build 9647965343Details
💛 - Coveralls |
nullif(current_setting('request.jwt.claim', true), ''), | ||
nullif(current_setting('request.jwt.claims', true), '') |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm is it like this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are you referring to the lack of search_path
? Set that to '' the rest should be accurate
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not actually sure that we need to replace .jwt()
at all let me check.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry just wanted to validate this...
create or replace function {{ index .Options "Namespace" }}.jwt() |
Ugh... what about we just drop this whole search path shenaningans... I'm worried that replacing a function may drop some grants we can't track. |
As discussed, closing in favour of a revert. |
Pull Request Test Coverage Report for Build 9648187697Details
💛 - Coveralls |
Reverts #1616 Follow up to #1633 - more context there and in this discussion: https://supabase.slack.com/archives/C07A55TKL3S/p1719237535404369
Reverts supabase#1616 Follow up to supabase#1633 - more context there and in this discussion: https://supabase.slack.com/archives/C07A55TKL3S/p1719237535404369
Reverts supabase#1616 Follow up to supabase#1633 - more context there and in this discussion: https://supabase.slack.com/archives/C07A55TKL3S/p1719237535404369
Reverts supabase#1616 Follow up to supabase#1633 - more context there and in this discussion: https://supabase.slack.com/archives/C07A55TKL3S/p1719237535404369
What kind of change does this PR introduce?
The changes in Auth v2.154.1 are not compatible with the current version of Postgrest and associated features on dashboard, including PostgREST
This is because of changes which affect
auth.*
functions (e.g.auth.uid()
). Ostensibly, newer versions of PostgREST set store claims underrequest.jwt.claims
rather thanrequest.jwt.claim.sub
which might have lead toauth.uid()
etc returning null instead of the user ID as expected.We revert the change by reinstating the older version of the functions. We preserve
search_path=''
though.For more context see: https://supabase.slack.com/archives/C07A55TKL3S/p1719237535404369
Functions taken from:
auth.jwt() -
auth/migrations/20220531120530_add_auth_jwt_function.up.sql
Line 4 in e81c25d
auth.uid()-
auth/migrations/20220224000811_update_auth_functions.up.sql
Line 25 in e81c25d
auth.email() -
auth/migrations/20220224000811_update_auth_functions.up.sql
Line 25 in e81c25d
Tested by running:
Against the v2.152.0 and doing a diff. Also tested against a staging instance after substituting the placeholder and creating the new functions.