Skip to content

Set search_path to empty string to follow security best practices #18

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Set search_path to empty string to follow security best practices #18

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
29 changes: 16 additions & 13 deletions install.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
CREATE OR REPLACE FUNCTION is_claims_admin() RETURNS "bool"
LANGUAGE "plpgsql"
SET search_path = ''
AS $$
BEGIN
IF session_user = 'authenticator' THEN
Expand All @@ -9,13 +10,13 @@ CREATE OR REPLACE FUNCTION is_claims_admin() RETURNS "bool"
-- block of code and replace it with:
-- RETURN FALSE;
--------------------------------------------
IF extract(epoch from now()) > coalesce((current_setting('request.jwt.claims', true)::jsonb)->>'exp', '0')::numeric THEN
IF extract(epoch from now()) > coalesce((pg_catalog.current_setting('request.jwt.claims', true)::jsonb)->>'exp', '0')::numeric THEN
return false; -- jwt expired
END IF;
If current_setting('request.jwt.claims', true)::jsonb->>'role' = 'service_role' THEN
If pg_catalog.current_setting('request.jwt.claims', true)::jsonb->>'role' = 'service_role' THEN
RETURN true; -- service role users have admin rights
END IF;
IF coalesce((current_setting('request.jwt.claims', true)::jsonb)->'app_metadata'->'claims_admin', 'false')::bool THEN
IF coalesce((pg_catalog.current_setting('request.jwt.claims', true)::jsonb)->'app_metadata'->'claims_admin', 'false')::bool THEN
return true; -- user has claims_admin set to true
ELSE
return false; -- user does NOT have claims_admin set to true
Expand All @@ -31,23 +32,25 @@ $$;

CREATE OR REPLACE FUNCTION get_my_claims() RETURNS "jsonb"
LANGUAGE "sql" STABLE
SET search_path = ''
AS $$
select
coalesce(nullif(current_setting('request.jwt.claims', true), '')::jsonb -> 'app_metadata', '{}'::jsonb)::jsonb
coalesce(nullif(pg_catalog.current_setting('request.jwt.claims', true), '')::jsonb -> 'app_metadata', '{}'::jsonb)::jsonb
$$;
CREATE OR REPLACE FUNCTION get_my_claim(claim TEXT) RETURNS "jsonb"
LANGUAGE "sql" STABLE
SET search_path = ''
AS $$
select
coalesce(nullif(current_setting('request.jwt.claims', true), '')::jsonb -> 'app_metadata' -> claim, null)
coalesce(nullif(pg_catalog.current_setting('request.jwt.claims', true), '')::jsonb -> 'app_metadata' -> claim, null)
$$;

CREATE OR REPLACE FUNCTION get_claims(uid uuid) RETURNS "jsonb"
LANGUAGE "plpgsql" SECURITY DEFINER SET search_path = public
LANGUAGE "plpgsql" SECURITY DEFINER SET search_path = ''
AS $$
DECLARE retval jsonb;
BEGIN
IF NOT is_claims_admin() THEN
IF NOT public.is_claims_admin() THEN
RETURN '{"error":"access denied"}'::jsonb;
ELSE
select raw_app_meta_data from auth.users into retval where id = uid::uuid;
Expand All @@ -57,11 +60,11 @@ CREATE OR REPLACE FUNCTION get_claims(uid uuid) RETURNS "jsonb"
$$;

CREATE OR REPLACE FUNCTION get_claim(uid uuid, claim text) RETURNS "jsonb"
LANGUAGE "plpgsql" SECURITY DEFINER SET search_path = public
LANGUAGE "plpgsql" SECURITY DEFINER SET search_path = ''
AS $$
DECLARE retval jsonb;
BEGIN
IF NOT is_claims_admin() THEN
IF NOT public.is_claims_admin() THEN
RETURN '{"error":"access denied"}'::jsonb;
ELSE
select coalesce(raw_app_meta_data->claim, null) from auth.users into retval where id = uid::uuid;
Expand All @@ -71,10 +74,10 @@ CREATE OR REPLACE FUNCTION get_claim(uid uuid, claim text) RETURNS "jsonb"
$$;

CREATE OR REPLACE FUNCTION set_claim(uid uuid, claim text, value jsonb) RETURNS "text"
LANGUAGE "plpgsql" SECURITY DEFINER SET search_path = public
LANGUAGE "plpgsql" SECURITY DEFINER SET search_path = ''
AS $$
BEGIN
IF NOT is_claims_admin() THEN
IF NOT public.is_claims_admin() THEN
RETURN 'error: access denied';
ELSE
update auth.users set raw_app_meta_data =
Expand All @@ -86,10 +89,10 @@ CREATE OR REPLACE FUNCTION set_claim(uid uuid, claim text, value jsonb) RETURNS
$$;

CREATE OR REPLACE FUNCTION delete_claim(uid uuid, claim text) RETURNS "text"
LANGUAGE "plpgsql" SECURITY DEFINER SET search_path = public
LANGUAGE "plpgsql" SECURITY DEFINER SET search_path = ''
AS $$
BEGIN
IF NOT is_claims_admin() THEN
IF NOT public.is_claims_admin() THEN
RETURN 'error: access denied';
ELSE
update auth.users set raw_app_meta_data =
Expand Down
27 changes: 15 additions & 12 deletions supabase_custom_claims--1.0.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@

CREATE OR REPLACE FUNCTION is_claims_admin() RETURNS "bool"
LANGUAGE "plpgsql"
SET search_path = ''
AS $$
BEGIN
IF session_user = 'authenticator' THEN
Expand All @@ -12,10 +13,10 @@ CREATE OR REPLACE FUNCTION is_claims_admin() RETURNS "bool"
-- block of code and replace it with:
-- RETURN FALSE;
--------------------------------------------
IF extract(epoch from now()) > coalesce((current_setting('request.jwt.claims', true)::jsonb)->>'exp', '0')::numeric THEN
IF extract(epoch from now()) > coalesce((pg_catalog.current_setting('request.jwt.claims', true)::jsonb)->>'exp', '0')::numeric THEN
return false; -- jwt expired
END IF;
IF coalesce((current_setting('request.jwt.claims', true)::jsonb)->'app_metadata'->'claims_admin', 'false')::bool THEN
IF coalesce((pg_catalog.current_setting('request.jwt.claims', true)::jsonb)->'app_metadata'->'claims_admin', 'false')::bool THEN
return true; -- user has claims_admin set to true
ELSE
return false; -- user does NOT have claims_admin set to true
Expand All @@ -31,23 +32,25 @@ $$;

CREATE OR REPLACE FUNCTION get_my_claims() RETURNS "jsonb"
LANGUAGE "sql" STABLE
SET search_path = ''
AS $$
select
coalesce(nullif(current_setting('request.jwt.claims', true), '')::jsonb -> 'app_metadata', '{}'::jsonb)::jsonb
coalesce(nullif(pg_catalog.current_setting('request.jwt.claims', true), '')::jsonb -> 'app_metadata', '{}'::jsonb)::jsonb
$$;
CREATE OR REPLACE FUNCTION get_my_claim(claim TEXT) RETURNS "jsonb"
LANGUAGE "sql" STABLE
SET search_path = ''
AS $$
select
coalesce(nullif(current_setting('request.jwt.claims', true), '')::jsonb -> 'app_metadata' -> claim, null)
coalesce(nullif(pg_catalog.current_setting('request.jwt.claims', true), '')::jsonb -> 'app_metadata' -> claim, null)
$$;

CREATE OR REPLACE FUNCTION get_claims(uid uuid) RETURNS "jsonb"
LANGUAGE "plpgsql" SECURITY DEFINER SET search_path = public
LANGUAGE "plpgsql" SECURITY DEFINER SET search_path = ''
AS $$
DECLARE retval jsonb;
BEGIN
IF NOT is_claims_admin() THEN
IF NOT public.is_claims_admin() THEN
RETURN '{"error":"access denied"}'::jsonb;
ELSE
select raw_app_meta_data from auth.users into retval where id = uid::uuid;
Expand All @@ -57,11 +60,11 @@ CREATE OR REPLACE FUNCTION get_claims(uid uuid) RETURNS "jsonb"
$$;

CREATE OR REPLACE FUNCTION get_claim(uid uuid, claim text) RETURNS "jsonb"
LANGUAGE "plpgsql" SECURITY DEFINER SET search_path = public
LANGUAGE "plpgsql" SECURITY DEFINER SET search_path = ''
AS $$
DECLARE retval jsonb;
BEGIN
IF NOT is_claims_admin() THEN
IF NOT public.is_claims_admin() THEN
RETURN '{"error":"access denied"}'::jsonb;
ELSE
select coalesce(raw_app_meta_data->claim, null) from auth.users into retval where id = uid::uuid;
Expand All @@ -71,10 +74,10 @@ CREATE OR REPLACE FUNCTION get_claim(uid uuid, claim text) RETURNS "jsonb"
$$;

CREATE OR REPLACE FUNCTION set_claim(uid uuid, claim text, value jsonb) RETURNS "text"
LANGUAGE "plpgsql" SECURITY DEFINER SET search_path = public
LANGUAGE "plpgsql" SECURITY DEFINER SET search_path = ''
AS $$
BEGIN
IF NOT is_claims_admin() THEN
IF NOT public.is_claims_admin() THEN
RETURN 'error: access denied';
ELSE
update auth.users set raw_app_meta_data =
Expand All @@ -86,10 +89,10 @@ CREATE OR REPLACE FUNCTION set_claim(uid uuid, claim text, value jsonb) RETURNS
$$;

CREATE OR REPLACE FUNCTION delete_claim(uid uuid, claim text) RETURNS "text"
LANGUAGE "plpgsql" SECURITY DEFINER SET search_path = public
LANGUAGE "plpgsql" SECURITY DEFINER SET search_path = ''
AS $$
BEGIN
IF NOT is_claims_admin() THEN
IF NOT public.is_claims_admin() THEN
RETURN 'error: access denied';
ELSE
update auth.users set raw_app_meta_data =
Expand Down