🛡️ Sentinel: [CRITICAL] Fix hardcoded Supabase secrets#470
Conversation
Co-authored-by: Oxygen-Low <95589118+Oxygen-Low@users.noreply.github.com>
|
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
📝 WalkthroughWalkthroughSupabase URL and anon-key values now come from environment variables across client and server modules. Supporting sentinel notes and Markdown spacing are updated, and Chatbot JSX formatting is compacted without described rendering logic changes. ChangesSupabase credential sourcing
Formatting updates
Estimated code review effort: 2 (Simple) | ~10 minutes Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches📝 Generate docstrings
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.jules/sentinel.md:
- Around line 7-11: Update the “Hardcoded Supabase Secrets in Backend” entry in
sentinel.md to describe the anon key as a publishable client credential and the
change as externalising project configuration. Reserve “secret” and “major
security flaw” language for privileged credentials such as service-role keys,
and replace “node” with “Node.js” in the environment-variable guidance.
In `@client/lib/supabase.ts`:
- Around line 3-4: Update the CSP configuration in server/index.ts to derive
connect-src, WebSocket, image, and media origins from the same validated
Supabase URL used by the client configuration, rather than hard-coding the
previous project’s origins. Ensure the derived origins remain valid CSP entries
and stay synchronized when VITE_SUPABASE_URL changes.
In `@server/lib/aikido.ts`:
- Around line 6-7: Replace duplicated environment-backed Supabase credentials
with the shared getAuthenticatedClient(token) helper for JWT-backed operations.
Update server/lib/aikido.ts at lines 6-7 and use it in aikidoUserMiddleware;
update server/lib/repoAuth.ts at lines 5-6 for JWT validation,
server/lib/repoManager.ts at lines 11-12 in its token-aware client flow,
server/routes/ai.ts at lines 10-11 for bearer-token access, and
server/routes/git.ts at lines 11-12 for authenticated repository queries. Retain
the anon client only where no JWT is available.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: d88980b2-ad50-458c-a244-fdfdad1ae9cb
⛔ Files ignored due to path filters (1)
pnpm-lock.yamlis excluded by!**/pnpm-lock.yaml
📒 Files selected for processing (11)
.jules/bolt.md.jules/palette.md.jules/sentinel.mdclient/components/apps/Chatbot.tsxclient/lib/supabase.tsserver/lib/aikido.tsserver/lib/repoAuth.tsserver/lib/repoManager.tsserver/lib/supabase.tsserver/routes/ai.tsserver/routes/git.ts
| ## 2024-05-18 - Hardcoded Supabase Secrets in Backend | ||
|
|
||
| **Vulnerability:** Hardcoded Supabase URL and anon keys found across the backend and frontend. | ||
| **Learning:** Hardcoding API keys is a major security flaw allowing exploitation. | ||
| **Prevention:** Always use environment variables for sensitive info (`import.meta.env` for Vite or `process.env` in node). |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win
Clarify that the Supabase anon key is publishable, not a secret.
The anon key is intentionally exposed to browser clients; RLS and server-side secret handling provide the security boundary. Describe this as externalising project configuration, and reserve “secret”/“major security flaw” wording for privileged keys such as a service-role key. Also use “Node.js” rather than “node”.
🧰 Tools
🪛 LanguageTool
[uncategorized] ~11-~11: The preposition ‘for’ seems more likely in this position.
Context: ...ort.meta.envfor Vite orprocess.env` in node).
(AI_HYDRA_LEO_REPLACE_IN_FOR)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.jules/sentinel.md around lines 7 - 11, Update the “Hardcoded Supabase
Secrets in Backend” entry in sentinel.md to describe the anon key as a
publishable client credential and the change as externalising project
configuration. Reserve “secret” and “major security flaw” language for
privileged credentials such as service-role keys, and replace “node” with
“Node.js” in the environment-variable guidance.
Source: Linters/SAST tools
| const supabaseUrl = import.meta.env.VITE_SUPABASE_URL; | ||
| const supabaseKey = import.meta.env.VITE_SUPABASE_ANON_KEY; |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
Keep the CSP allowlist aligned with the configured Supabase URL.
server/index.ts still hard-codes the previous Supabase connect-src, WebSocket, image, and media origins. If VITE_SUPABASE_URL points to another project, the browser will create a client for that project but CSP will block its requests. Derive these origins from the same validated configuration or update the allowlist as part of deployment.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@client/lib/supabase.ts` around lines 3 - 4, Update the CSP configuration in
server/index.ts to derive connect-src, WebSocket, image, and media origins from
the same validated Supabase URL used by the client configuration, rather than
hard-coding the previous project’s origins. Ensure the derived origins remain
valid CSP entries and stay synchronized when VITE_SUPABASE_URL changes.
| const supabaseUrl = process.env.VITE_SUPABASE_URL as string; | ||
| const supabaseAnonKey = process.env.VITE_SUPABASE_ANON_KEY as string; |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Use the shared authenticated Supabase client for JWT-backed operations.
These modules each retain their own environment-backed client configuration even though they already have a user JWT. Import and use getAuthenticatedClient(token) from server/lib/supabase.ts; keep the anon client only for operations without a JWT. This avoids divergent auth behaviour and follows the repository’s Supabase client contract.
server/lib/aikido.ts#L6-L7: remove the duplicate credentials and usegetAuthenticatedClient(token)inaikidoUserMiddleware.server/lib/repoAuth.ts#L5-L6: use the shared helper for JWT validation.server/lib/repoManager.ts#L11-L12: replace the private token-aware client factory with the shared helper.server/routes/ai.ts#L10-L11: use the shared helper for the bearer-token Supabase client.server/routes/git.ts#L11-L12: use the shared helper for authenticated repository queries.
📍 Affects 5 files
server/lib/aikido.ts#L6-L7(this comment)server/lib/repoAuth.ts#L5-L6server/lib/repoManager.ts#L11-L12server/routes/ai.ts#L10-L11server/routes/git.ts#L11-L12
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@server/lib/aikido.ts` around lines 6 - 7, Replace duplicated
environment-backed Supabase credentials with the shared
getAuthenticatedClient(token) helper for JWT-backed operations. Update
server/lib/aikido.ts at lines 6-7 and use it in aikidoUserMiddleware; update
server/lib/repoAuth.ts at lines 5-6 for JWT validation,
server/lib/repoManager.ts at lines 11-12 in its token-aware client flow,
server/routes/ai.ts at lines 10-11 for bearer-token access, and
server/routes/git.ts at lines 11-12 for authenticated repository queries. Retain
the anon client only where no JWT is available.
Source: Coding guidelines
import.meta.env(for Vite frontend) andprocess.env(for Node backend). Added a journal entry to.jules/sentinel.mddocumenting this issue.pnpm testandpnpm typecheckto ensure no functionality is broken. Ensure.envis loaded with proper values during deployment.PR created automatically by Jules for task 9197243752297577956 started by @Oxygen-Low
Summary by CodeRabbit
Security
Documentation
Refactor