Version 2.7.0 prevents reading data on web under certain conditions #1085

Open
Mr-Pepe opened this issue Nov 15, 2024 · 1 comment · May be fixed by #1087
Labels
bug Something isn't working

Comments

Mr-Pepe commented Nov 15, 2024

Describe the bug
Under certain conditions a client with a service role key cannot circumvent RLS policy restrictions on web.

To Reproduce
Add the following code to a flutter project:

// integration_test/supabase_test.dart

import 'package:flutter/material.dart';
import 'package:flutter_test/flutter_test.dart';
import 'package:integration_test/integration_test.dart';
import 'package:supabase_flutter/supabase_flutter.dart' as supabase;

// The issue does not show these two helpers. They are assumed here to read
// the project URL and keys passed via --dart-define so that no credentials
// are hard-coded in the test file.
String getSupabaseUrl() => const String.fromEnvironment('SUPABASE_URL');

String getSupabaseKey({String role = 'anon'}) => role == 'service'
    ? const String.fromEnvironment('SUPABASE_SERVICE_KEY')
    : const String.fromEnvironment('SUPABASE_ANON_KEY');

void main() async {
  IntegrationTestWidgetsFlutterBinding.ensureInitialized();

  testWidgets('Analytics', (WidgetTester tester) async {
    // client1 is created with the service role key and is expected to
    // bypass RLS on every request.
    final client1 = supabase.SupabaseClient(
      getSupabaseUrl(),
      getSupabaseKey(role: 'service'),
    );

    // client2 is a normal client using the anon key.
    final client2 = supabase.SupabaseClient(
      getSupabaseUrl(),
      getSupabaseKey(),
    );

    await tester.pumpWidget(
      const MaterialApp(
        home: Scaffold(
          body: Center(child: Text('Hello')),
        ),
      ),
    );

    // Commenting out this line makes the test pass
    await client2.auth.signInAnonymously();

    // Commenting out this line makes the test pass
    await client1.from('session_events').select();

    // On web (2.7.0) this read returns no rows even though client1 holds
    // the service role key.
    final events = await client1.from('session_events').select();

    expect(events, isNotEmpty, reason: 'Session events empty');
  });
}

// test_driver/integration_test.dart

import 'package:flutter_driver/flutter_driver.dart';
import 'package:integration_test/integration_test_driver_extended.dart';

// Driver entry point used by `flutter drive` for the web run described below.
Future<void> main() async {
  return integrationDriver(driver: await FlutterDriver.connect());
}

Create a table "session_events" that has an RLS policy preventing everyone from reading it.

Run the test on Linux with flutter test -d linux integration_test and on Chrome with flutter drive --driver=test_driver/integration_test.dart --target=integration_test/supabase_test.dart -d web-server --browser-name chrome --no-headless. Make sure to first start ChromeDriver on port 4444.

Observed behavior

  • Run on Chrome -> The test fails
  • Run on Linux -> The test passes
  • Comment out the anonymous sign-in -> The test passes
  • Comment out the first read -> The test passes
  • Run on Chrome with version 2.6.0 -> Test passes

Version (please complete the following information):

├── supabase 2.4.0
│   ├── functions_client 2.3.3
│   ├── gotrue 2.9.0
│   ├── postgrest 2.2.0
│   ├── realtime_client 2.3.0
│   ├── storage_client 2.1.0
├── supabase_flutter 2.7.0
│   ├── supabase...
Vinzent03 (Collaborator) commented
I'm pretty sure this is because on web session changes are broadcast to other instances to affect other tabs.
I briefly discussed an option to disable this behavior here.
So I will once again think about how we should handle this and hopefully fix this unintended behavior.
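The mechanism the reply above points at, as an added model that is not supabase_flutter's code and not part of the original thread: two client instances in one browser context share a channel for session changes (the real implementation uses the browser's cross-tab broadcast; the `SessionBus`, `Client`, `listenForBroadcasts`, `selectSessionEvents` names and the unsigned tokens below are all constructed for this demonstration). When the anon instance signs in, the instance created with the service role key adopts that session too and starts sending the anonymous user's JWT as its bearer token, so the server applies RLS and the read comes back empty. The `isolated` flag stands in for the opt-out the reply mentions; it is an assumption about the shape of a fix, not the project's API. The model does not explain why the first read matters in the reporter's sequence; that detail is not covered by the thread. The check a practitioner wants in any of these scenarios is the same one the model reduces to: which role the server actually sees on each request.

```javascript
// Added example (not supabase_flutter's code): models the cross-tab session
// broadcast described in the issue thread. All names and tokens are assumptions.

// Constructed, unsigned JWT-shaped tokens: only the "role" claim is inspected.
function makeToken(role) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc({ role })}.`;
}

function roleOf(token) {
  const payload = token.split('.')[1];
  return JSON.parse(Buffer.from(payload, 'base64url').toString('utf8')).role;
}

// Stands in for the browser BroadcastChannel that keeps tabs in sync:
// every subscriber on the same origin hears every session change.
class SessionBus {
  constructor() { this.listeners = []; }
  subscribe(fn) { this.listeners.push(fn); }
  publish(session) { for (const fn of this.listeners) fn(session); }
}

class Client {
  constructor(apiKey, bus, { listenForBroadcasts = true } = {}) {
    this.apiKey = apiKey;
    this.bus = bus;
    this.session = null;
    // The behaviour modelled here: every instance, including one created with
    // the service role key, adopts whatever session another instance announces.
    if (listenForBroadcasts) {
      bus.subscribe((session) => { this.session = session; });
    }
  }

  signInAnonymously() {
    this.session = { accessToken: makeToken('anon') };
    this.bus.publish(this.session);
  }

  // Bearer token sent with each request: the user's access token when a
  // session exists, otherwise the API key the client was created with.
  bearerToken() {
    return this.session ? this.session.accessToken : this.apiKey;
  }
}

// Model of a table with RLS enabled and no permissive SELECT policy:
// service_role bypasses RLS, every other role gets zero rows. Constructed data.
const SESSION_EVENTS = [{ id: 1, event: 'page_view' }, { id: 2, event: 'click' }];

function selectSessionEvents(bearer) {
  return roleOf(bearer) === 'service_role' ? SESSION_EVENTS : [];
}

// Replays the issue's sequence. `isolated: true` is the hypothetical fix:
// the privileged instance does not subscribe to broadcast session changes.
function reproduce({ isolated }) {
  const bus = new SessionBus();
  const client1 = new Client(makeToken('service_role'), bus, { listenForBroadcasts: !isolated });
  const client2 = new Client(makeToken('anon'), bus);

  client2.signInAnonymously(); // broadcasts the anon session to client1 as well
  const bearer = client1.bearerToken();
  return { role: roleOf(bearer), rows: selectSessionEvents(bearer).length };
}

console.log('shared broadcasts:', reproduce({ isolated: false }));
console.log('isolated instance:', reproduce({ isolated: true }));
```

Run it with `node`. With broadcasts shared, `client1` presents the `anon` role and reads zero rows; with the privileged instance isolated, it presents `service_role` and reads the table. Note that the failure direction here is fail-closed (the privileged client loses access); a service role key inside a browser page is still a secret-disclosure risk on its own, which is why the reporter's setup only makes sense in a test harness.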
