Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: revert changes to auth functions #1633

Closed
wants to merge 4 commits into from
Closed

fix: revert changes to auth functions #1633

wants to merge 4 commits into from

Conversation

J0
Copy link
Contributor

@J0 J0 commented Jun 24, 2024
edited
Loading

What kind of change does this PR introduce?

The changes in Auth v2.154.1 are not compatible with the current version of Postgrest and associated features on dashboard, including PostgREST

This is because of changes which affect auth.* functions (e.g. auth.uid()). Ostensibly, newer versions of PostgREST set store claims under request.jwt.claims rather than request.jwt.claim.sub which might have lead to auth.uid() etc returning null instead of the user ID as expected.

We revert the change by reinstating the older version of the functions. We preserve search_path='' though.

For more context see: https://supabase.slack.com/archives/C07A55TKL3S/p1719237535404369

Functions taken from:
auth.jwt() -

auth/migrations/20220531120530_add_auth_jwt_function.up.sql

Line 4 in e81c25d

comment on function {{ index .Options "Namespace" }}.role() is 'Deprecated. Use auth.jwt() -> ''role'' instead.';

auth.uid()-

auth/migrations/20220224000811_update_auth_functions.up.sql

Line 25 in e81c25d

create or replace function {{ index .Options "Namespace" }}.email()

auth.email() -

auth/migrations/20220224000811_update_auth_functions.up.sql

Line 25 in e81c25d

create or replace function {{ index .Options "Namespace" }}.email()

Tested by running:

SELECT
    n.nspname as schema_name,
    p.proname as function_name,
    pg_catalog.pg_get_functiondef(p.oid) as function_definition
FROM
    pg_catalog.pg_proc p
    LEFT JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace
WHERE
    n.nspname = 'auth'
ORDER BY
    schema_name,
    function_name;

Against the v2.152.0 and doing a diff. Also tested against a staging instance after substituting the placeholder and creating the new functions.

@coveralls
Copy link

coveralls commented Jun 24, 2024
edited
Loading

Pull Request Test Coverage Report for Build 9647790488

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 57.674%
Totals Coverage Status
Change from base Build 9596939146: 0.0%
Covered Lines: 8699
Relevant Lines: 15083
💛 - Coveralls

@coveralls
Copy link

coveralls commented Jun 24, 2024
edited
Loading

Pull Request Test Coverage Report for Build 9647826417

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 57.674%
Totals Coverage Status
Change from base Build 9596939146: 0.0%
Covered Lines: 8699
Relevant Lines: 15083
💛 - Coveralls

@coveralls
Copy link

coveralls commented Jun 24, 2024
edited
Loading

Pull Request Test Coverage Report for Build 9647965343

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 57.674%
Totals Coverage Status
Change from base Build 9596939146: 0.0%
Covered Lines: 8699
Relevant Lines: 15083
💛 - Coveralls

@J0 J0 marked this pull request as ready for review June 24, 2024 15:24
@J0 J0 requested a review from a team as a code owner June 24, 2024 15:24
hf
hf reviewed Jun 24, 2024
View reviewed changes
migrations/20240624145325_recreate_auth_functions.up.sql
Comment on lines +46 to +47
nullif(current_setting('request.jwt.claim', true), ''),
nullif(current_setting('request.jwt.claims', true), '')
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm is it like this?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are you referring to the lack of search_path ? Set that to '' the rest should be accurate

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not actually sure that we need to replace .jwt() at all let me check.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry just wanted to validate this...

auth/migrations/20220531120530_add_auth_jwt_function.up.sql

Line 7 in e81c25d

create or replace function {{ index .Options "Namespace" }}.jwt()

@hf
Copy link
Contributor

hf commented Jun 24, 2024

Ugh... what about we just drop this whole search path shenaningans...

I'm worried that replacing a function may drop some grants we can't track.

@J0
Copy link
Contributor Author

J0 commented Jun 24, 2024
edited
Loading

As discussed, closing in favour of a revert.

@J0 J0 closed this Jun 24, 2024
@hf hf deleted the j0/update_auth_functions branch June 24, 2024 15:38
@coveralls
Copy link

coveralls commented Jun 24, 2024
edited
Loading

Pull Request Test Coverage Report for Build 9648187697

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 57.674%
Totals Coverage Status
Change from base Build 9596939146: 0.0%
Covered Lines: 8699
Relevant Lines: 15083
💛 - Coveralls

@J0 J0 mentioned this pull request Jun 24, 2024
Merged
J0 added a commit that referenced this pull request Jun 24, 2024
@J0
fix: revert define search path in auth functions (#1634)
155e87e 
Reverts #1616

Follow up to #1633 - more context there and in this discussion:
https://supabase.slack.com/archives/C07A55TKL3S/p1719237535404369
uxodb pushed a commit to uxodb/auth that referenced this pull request Nov 13, 2024
@J0
fix: revert define search path in auth functions (supabase#1634)
805ad0c 
Reverts supabase#1616

Follow up to supabase#1633 - more context there and in this discussion:
https://supabase.slack.com/archives/C07A55TKL3S/p1719237535404369
LashaJini pushed a commit to LashaJini/auth that referenced this pull request Nov 13, 2024
@J0 @LashaJini
fix: revert define search path in auth functions (supabase#1634)
692689c 
Reverts supabase#1616

Follow up to supabase#1633 - more context there and in this discussion:
https://supabase.slack.com/archives/C07A55TKL3S/p1719237535404369
LashaJini pushed a commit to LashaJini/auth that referenced this pull request Nov 15, 2024
@J0 @LashaJini
fix: revert define search path in auth functions (supabase#1634)
6595831 
Reverts supabase#1616

Follow up to supabase#1633 - more context there and in this discussion:
https://supabase.slack.com/archives/C07A55TKL3S/p1719237535404369
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hf hf hf left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@J0 @coveralls @hf