feat: 🎸 policies (#1997)

added Row level security on postgres # Description Please include a summary of the changes and the related issue. Please also include relevant motivation and context. ## Checklist before requesting a review Please delete options that are not relevant. - [ ] My code follows the style guidelines of this project - [ ] I have performed a self-review of my code - [ ] I have commented hard-to-understand areas - [ ] I have ideally added tests that prove my fix is effective or that my feature works - [ ] New and existing unit tests pass locally with my changes - [ ] Any dependent changes have been merged ## Screenshots (if appropriate):
2024-11-23 21:22:35 +03:00 · 2024-01-08 00:25:00 +01:00 · 2024-01-08 00:25:00 +01:00 · c315b7d104
commit c315b7d104
parent 86b238f346
3 changed files with 586 additions and 27 deletions
--- a/supabase/config.toml
+++ b/supabase/config.toml
@ -8,9 +8,9 @@ enabled = true
 port = 54321
 # Schemas to expose in your API. Tables, views and stored procedures in this schema will get API
 # endpoints. public and storage are always included.
-schemas = ["public", "storage", "graphql_public"]
+schemas = ["public", "storage", "graphql_public", "vault"]
 # Extra schemas to add to the search_path of every request. public is always included.
-extra_search_path = ["public", "extensions"]
+extra_search_path = ["public", "extensions", "stripe", "vault"]
 # The maximum number of rows returns from a view, table, or stored procedure. Limits payload size
 # for accidental or malicious requests.
 max_rows = 1000
@ -32,7 +32,7 @@ port = 54329
 # Configure one of the supported pooler modes: `transaction`, `session`.
 pool_mode = "transaction"
 # How many server connections to allow per user/database pair.
-default_pool_size = 20
+default_pool_size = 15
 # Maximum number of client connections allowed.
 max_client_conn = 100

--- a/supabase/migrations/20240107231636_policies.sql
+++ b/supabase/migrations/20240107231636_policies.sql
@ -0,0 +1,583 @@
+revoke delete on table "public"."documents" from "anon";
+
+revoke insert on table "public"."documents" from "anon";
+
+revoke references on table "public"."documents" from "anon";
+
+revoke select on table "public"."documents" from "anon";
+
+revoke trigger on table "public"."documents" from "anon";
+
+revoke truncate on table "public"."documents" from "anon";
+
+revoke update on table "public"."documents" from "anon";
+
+revoke delete on table "public"."documents" from "authenticated";
+
+revoke insert on table "public"."documents" from "authenticated";
+
+revoke references on table "public"."documents" from "authenticated";
+
+revoke select on table "public"."documents" from "authenticated";
+
+revoke trigger on table "public"."documents" from "authenticated";
+
+revoke truncate on table "public"."documents" from "authenticated";
+
+revoke update on table "public"."documents" from "authenticated";
+
+revoke delete on table "public"."documents" from "service_role";
+
+revoke insert on table "public"."documents" from "service_role";
+
+revoke references on table "public"."documents" from "service_role";
+
+revoke select on table "public"."documents" from "service_role";
+
+revoke trigger on table "public"."documents" from "service_role";
+
+revoke truncate on table "public"."documents" from "service_role";
+
+revoke update on table "public"."documents" from "service_role";
+
+revoke delete on table "public"."knowledge_vectors" from "anon";
+
+revoke insert on table "public"."knowledge_vectors" from "anon";
+
+revoke references on table "public"."knowledge_vectors" from "anon";
+
+revoke select on table "public"."knowledge_vectors" from "anon";
+
+revoke trigger on table "public"."knowledge_vectors" from "anon";
+
+revoke truncate on table "public"."knowledge_vectors" from "anon";
+
+revoke update on table "public"."knowledge_vectors" from "anon";
+
+revoke delete on table "public"."knowledge_vectors" from "authenticated";
+
+revoke insert on table "public"."knowledge_vectors" from "authenticated";
+
+revoke references on table "public"."knowledge_vectors" from "authenticated";
+
+revoke select on table "public"."knowledge_vectors" from "authenticated";
+
+revoke trigger on table "public"."knowledge_vectors" from "authenticated";
+
+revoke truncate on table "public"."knowledge_vectors" from "authenticated";
+
+revoke update on table "public"."knowledge_vectors" from "authenticated";
+
+revoke delete on table "public"."knowledge_vectors" from "service_role";
+
+revoke insert on table "public"."knowledge_vectors" from "service_role";
+
+revoke references on table "public"."knowledge_vectors" from "service_role";
+
+revoke select on table "public"."knowledge_vectors" from "service_role";
+
+revoke trigger on table "public"."knowledge_vectors" from "service_role";
+
+revoke truncate on table "public"."knowledge_vectors" from "service_role";
+
+revoke update on table "public"."knowledge_vectors" from "service_role";
+
+revoke delete on table "public"."migrations" from "anon";
+
+revoke insert on table "public"."migrations" from "anon";
+
+revoke references on table "public"."migrations" from "anon";
+
+revoke select on table "public"."migrations" from "anon";
+
+revoke trigger on table "public"."migrations" from "anon";
+
+revoke truncate on table "public"."migrations" from "anon";
+
+revoke update on table "public"."migrations" from "anon";
+
+revoke delete on table "public"."migrations" from "authenticated";
+
+revoke insert on table "public"."migrations" from "authenticated";
+
+revoke references on table "public"."migrations" from "authenticated";
+
+revoke select on table "public"."migrations" from "authenticated";
+
+revoke trigger on table "public"."migrations" from "authenticated";
+
+revoke truncate on table "public"."migrations" from "authenticated";
+
+revoke update on table "public"."migrations" from "authenticated";
+
+revoke delete on table "public"."migrations" from "service_role";
+
+revoke insert on table "public"."migrations" from "service_role";
+
+revoke references on table "public"."migrations" from "service_role";
+
+revoke select on table "public"."migrations" from "service_role";
+
+revoke trigger on table "public"."migrations" from "service_role";
+
+revoke truncate on table "public"."migrations" from "service_role";
+
+revoke update on table "public"."migrations" from "service_role";
+
+revoke delete on table "public"."stats" from "anon";
+
+revoke insert on table "public"."stats" from "anon";
+
+revoke references on table "public"."stats" from "anon";
+
+revoke select on table "public"."stats" from "anon";
+
+revoke trigger on table "public"."stats" from "anon";
+
+revoke truncate on table "public"."stats" from "anon";
+
+revoke update on table "public"."stats" from "anon";
+
+revoke delete on table "public"."stats" from "authenticated";
+
+revoke insert on table "public"."stats" from "authenticated";
+
+revoke references on table "public"."stats" from "authenticated";
+
+revoke select on table "public"."stats" from "authenticated";
+
+revoke trigger on table "public"."stats" from "authenticated";
+
+revoke truncate on table "public"."stats" from "authenticated";
+
+revoke update on table "public"."stats" from "authenticated";
+
+revoke delete on table "public"."stats" from "service_role";
+
+revoke insert on table "public"."stats" from "service_role";
+
+revoke references on table "public"."stats" from "service_role";
+
+revoke select on table "public"."stats" from "service_role";
+
+revoke trigger on table "public"."stats" from "service_role";
+
+revoke truncate on table "public"."stats" from "service_role";
+
+revoke update on table "public"."stats" from "service_role";
+
+revoke delete on table "public"."summaries" from "anon";
+
+revoke insert on table "public"."summaries" from "anon";
+
+revoke references on table "public"."summaries" from "anon";
+
+revoke select on table "public"."summaries" from "anon";
+
+revoke trigger on table "public"."summaries" from "anon";
+
+revoke truncate on table "public"."summaries" from "anon";
+
+revoke update on table "public"."summaries" from "anon";
+
+revoke delete on table "public"."summaries" from "authenticated";
+
+revoke insert on table "public"."summaries" from "authenticated";
+
+revoke references on table "public"."summaries" from "authenticated";
+
+revoke select on table "public"."summaries" from "authenticated";
+
+revoke trigger on table "public"."summaries" from "authenticated";
+
+revoke truncate on table "public"."summaries" from "authenticated";
+
+revoke update on table "public"."summaries" from "authenticated";
+
+revoke delete on table "public"."summaries" from "service_role";
+
+revoke insert on table "public"."summaries" from "service_role";
+
+revoke references on table "public"."summaries" from "service_role";
+
+revoke select on table "public"."summaries" from "service_role";
+
+revoke trigger on table "public"."summaries" from "service_role";
+
+revoke truncate on table "public"."summaries" from "service_role";
+
+revoke update on table "public"."summaries" from "service_role";
+
+revoke delete on table "public"."users_old" from "anon";
+
+revoke insert on table "public"."users_old" from "anon";
+
+revoke references on table "public"."users_old" from "anon";
+
+revoke select on table "public"."users_old" from "anon";
+
+revoke trigger on table "public"."users_old" from "anon";
+
+revoke truncate on table "public"."users_old" from "anon";
+
+revoke update on table "public"."users_old" from "anon";
+
+revoke delete on table "public"."users_old" from "authenticated";
+
+revoke insert on table "public"."users_old" from "authenticated";
+
+revoke references on table "public"."users_old" from "authenticated";
+
+revoke select on table "public"."users_old" from "authenticated";
+
+revoke trigger on table "public"."users_old" from "authenticated";
+
+revoke truncate on table "public"."users_old" from "authenticated";
+
+revoke update on table "public"."users_old" from "authenticated";
+
+revoke delete on table "public"."users_old" from "service_role";
+
+revoke insert on table "public"."users_old" from "service_role";
+
+revoke references on table "public"."users_old" from "service_role";
+
+revoke select on table "public"."users_old" from "service_role";
+
+revoke trigger on table "public"."users_old" from "service_role";
+
+revoke truncate on table "public"."users_old" from "service_role";
+
+revoke update on table "public"."users_old" from "service_role";
+
+revoke delete on table "public"."vectors_old" from "anon";
+
+revoke insert on table "public"."vectors_old" from "anon";
+
+revoke references on table "public"."vectors_old" from "anon";
+
+revoke select on table "public"."vectors_old" from "anon";
+
+revoke trigger on table "public"."vectors_old" from "anon";
+
+revoke truncate on table "public"."vectors_old" from "anon";
+
+revoke update on table "public"."vectors_old" from "anon";
+
+revoke delete on table "public"."vectors_old" from "authenticated";
+
+revoke insert on table "public"."vectors_old" from "authenticated";
+
+revoke references on table "public"."vectors_old" from "authenticated";
+
+revoke select on table "public"."vectors_old" from "authenticated";
+
+revoke trigger on table "public"."vectors_old" from "authenticated";
+
+revoke truncate on table "public"."vectors_old" from "authenticated";
+
+revoke update on table "public"."vectors_old" from "authenticated";
+
+revoke delete on table "public"."vectors_old" from "service_role";
+
+revoke insert on table "public"."vectors_old" from "service_role";
+
+revoke references on table "public"."vectors_old" from "service_role";
+
+revoke select on table "public"."vectors_old" from "service_role";
+
+revoke trigger on table "public"."vectors_old" from "service_role";
+
+revoke truncate on table "public"."vectors_old" from "service_role";
+
+revoke update on table "public"."vectors_old" from "service_role";
+
+alter table "public"."knowledge_vectors" drop constraint "knowledge_vectors_knowledge_id_fkey";
+
+alter table "public"."knowledge_vectors" drop constraint "knowledge_vectors_vector_id_fkey";
+
+alter table "public"."notifications" drop constraint "notifications_chat_id_fkey";
+
+alter table "public"."summaries" drop constraint "summaries_document_id_fkey";
+
+alter table "public"."api_keys" drop constraint "api_keys_user_id_fkey";
+
+alter table "public"."brains_users" drop constraint "brains_users_brain_id_fkey";
+
+alter table "public"."brains_users" drop constraint "brains_users_user_id_fkey";
+
+alter table "public"."chat_history" drop constraint "chat_history_chat_id_fkey";
+
+alter table "public"."chats" drop constraint "chats_user_id_fkey";
+
+alter table "public"."onboardings" drop constraint "onboardings_user_id_fkey";
+
+alter table "public"."user_daily_usage" drop constraint "user_daily_usage_user_id_fkey";
+
+alter table "public"."users" drop constraint "users_id_fkey";
+
+alter table "public"."documents" drop constraint "documents_pkey";
+
+alter table "public"."knowledge_vectors" drop constraint "knowledge_vectors_pkey";
+
+alter table "public"."migrations" drop constraint "migrations_pkey";
+
+alter table "public"."stats" drop constraint "stats_pkey";
+
+alter table "public"."summaries" drop constraint "summaries_pkey";
+
+alter table "public"."vectors_old" drop constraint "vectors_pkey";
+
+drop index if exists "public"."documents_pkey";
+
+drop index if exists "public"."knowledge_vectors_pkey";
+
+drop index if exists "public"."migrations_pkey";
+
+drop index if exists "public"."stats_pkey";
+
+drop index if exists "public"."summaries_pkey";
+
+drop index if exists "public"."vectors_pkey";
+
+drop table "public"."documents";
+
+drop table "public"."knowledge_vectors";
+
+drop table "public"."migrations";
+
+drop table "public"."stats";
+
+drop table "public"."summaries";
+
+drop table "public"."users_old";
+
+drop table "public"."vectors_old";
+
+alter table "public"."api_brain_definition" enable row level security;
+
+alter table "public"."api_keys" enable row level security;
+
+alter table "public"."brain_subscription_invitations" enable row level security;
+
+alter table "public"."brains" enable row level security;
+
+alter table "public"."brains_users" enable row level security;
+
+alter table "public"."brains_vectors" enable row level security;
+
+alter table "public"."chat_history" enable row level security;
+
+alter table "public"."chats" enable row level security;
+
+alter table "public"."composite_brain_connections" enable row level security;
+
+alter table "public"."knowledge" enable row level security;
+
+alter table "public"."models" enable row level security;
+
+alter table "public"."notifications" enable row level security;
+
+alter table "public"."onboardings" enable row level security;
+
+alter table "public"."product_to_features" enable row level security;
+
+alter table "public"."prompts" enable row level security;
+
+alter table "public"."user_daily_usage" enable row level security;
+
+alter table "public"."user_identity" enable row level security;
+
+alter table "public"."user_settings" enable row level security;
+
+alter table "public"."users" enable row level security;
+
+alter table "public"."vectors" enable row level security;
+
+drop sequence if exists "public"."documents_id_seq";
+
+drop sequence if exists "public"."summaries_id_seq";
+
+drop sequence if exists "public"."vectors_id_seq";
+
+alter table "public"."user_identity" add constraint "user_identity_user_id_fkey" FOREIGN KEY (user_id) REFERENCES auth.users(id) ON DELETE CASCADE not valid;
+
+alter table "public"."user_identity" validate constraint "user_identity_user_id_fkey";
+
+alter table "public"."user_settings" add constraint "user_settings_user_id_fkey" FOREIGN KEY (user_id) REFERENCES auth.users(id) ON DELETE CASCADE not valid;
+
+alter table "public"."user_settings" validate constraint "user_settings_user_id_fkey";
+
+alter table "public"."api_keys" add constraint "api_keys_user_id_fkey" FOREIGN KEY (user_id) REFERENCES auth.users(id) ON DELETE CASCADE not valid;
+
+alter table "public"."api_keys" validate constraint "api_keys_user_id_fkey";
+
+alter table "public"."brains_users" add constraint "brains_users_brain_id_fkey" FOREIGN KEY (brain_id) REFERENCES brains(brain_id) ON DELETE CASCADE not valid;
+
+alter table "public"."brains_users" validate constraint "brains_users_brain_id_fkey";
+
+alter table "public"."brains_users" add constraint "brains_users_user_id_fkey" FOREIGN KEY (user_id) REFERENCES auth.users(id) ON DELETE CASCADE not valid;
+
+alter table "public"."brains_users" validate constraint "brains_users_user_id_fkey";
+
+alter table "public"."chat_history" add constraint "chat_history_chat_id_fkey" FOREIGN KEY (chat_id) REFERENCES chats(chat_id) ON DELETE CASCADE not valid;
+
+alter table "public"."chat_history" validate constraint "chat_history_chat_id_fkey";
+
+alter table "public"."chats" add constraint "chats_user_id_fkey" FOREIGN KEY (user_id) REFERENCES auth.users(id) ON DELETE CASCADE not valid;
+
+alter table "public"."chats" validate constraint "chats_user_id_fkey";
+
+alter table "public"."onboardings" add constraint "onboardings_user_id_fkey" FOREIGN KEY (user_id) REFERENCES auth.users(id) ON DELETE CASCADE not valid;
+
+alter table "public"."onboardings" validate constraint "onboardings_user_id_fkey";
+
+alter table "public"."user_daily_usage" add constraint "user_daily_usage_user_id_fkey" FOREIGN KEY (user_id) REFERENCES auth.users(id) ON DELETE CASCADE not valid;
+
+alter table "public"."user_daily_usage" validate constraint "user_daily_usage_user_id_fkey";
+
+alter table "public"."users" add constraint "users_id_fkey" FOREIGN KEY (id) REFERENCES auth.users(id) ON DELETE CASCADE not valid;
+
+alter table "public"."users" validate constraint "users_id_fkey";
+
+create policy "API_BRAIN_DEFINITION"
+on "public"."api_brain_definition"
+as permissive
+for all
+to service_role;
+
+
+create policy "API_KEYS"
+on "public"."api_keys"
+as permissive
+for all
+to service_role;
+
+
+create policy "BRAIN_SUBSCRIPTION_INVITATIONS"
+on "public"."brain_subscription_invitations"
+as permissive
+for all
+to service_role;
+
+
+create policy "BRAINS"
+on "public"."brains"
+as permissive
+for all
+to service_role;
+
+
+create policy "BRAINS_USERS"
+on "public"."brains_users"
+as permissive
+for all
+to service_role;
+
+
+create policy "BRAINS_VECTORS"
+on "public"."brains_vectors"
+as permissive
+for all
+to service_role;
+
+
+create policy "CHAT_HISTORY"
+on "public"."chat_history"
+as permissive
+for all
+to service_role;
+
+
+create policy "CHATS"
+on "public"."chats"
+as permissive
+for all
+to service_role;
+
+
+create policy "COMPOSITE_BRAIN_CONNECTIONS"
+on "public"."composite_brain_connections"
+as permissive
+for all
+to service_role;
+
+
+create policy "KNOWLEDGE"
+on "public"."knowledge"
+as permissive
+for all
+to service_role;
+
+
+create policy "MODELS"
+on "public"."models"
+as permissive
+for all
+to service_role;
+
+
+create policy "NOTIFICATIONS"
+on "public"."notifications"
+as permissive
+for all
+to service_role;
+
+
+create policy "NOTIFICATIONS"
+on "public"."onboardings"
+as permissive
+for all
+to service_role;
+
+
+create policy "PRODUCT_TO_FEATURES"
+on "public"."product_to_features"
+as permissive
+for all
+to service_role;
+
+
+create policy "PROMPTS"
+on "public"."prompts"
+as permissive
+for all
+to service_role;
+
+
+create policy "USER_DAILY_USAGE"
+on "public"."user_daily_usage"
+as permissive
+for all
+to service_role;
+
+
+create policy "USER_IDENTITY"
+on "public"."user_identity"
+as permissive
+for all
+to service_role;
+
+
+create policy "USER_SETTINGS"
+on "public"."user_settings"
+as permissive
+for all
+to service_role;
+
+
+create policy "USERS"
+on "public"."users"
+as permissive
+for all
+to public;
+
+
+create policy "VECTORS"
+on "public"."vectors"
+as permissive
+for all
+to service_role;
+
+
+
--- a/supabase/seed.sql
+++ b/supabase/seed.sql
@ -319,12 +319,6 @@ INSERT INTO "public"."users" ("id", "email") VALUES
 SELECT pg_catalog.setval('"auth"."refresh_tokens_id_seq"', 3, true);


--
-- Name: documents_id_seq; Type: SEQUENCE SET; Schema: public; Owner: postgres
--
-
-SELECT pg_catalog.setval('"public"."documents_id_seq"', 1, false);
-

 --
 -- Name: product_to_features_id_seq; Type: SEQUENCE SET; Schema: public; Owner: postgres
@ -333,25 +327,7 @@ SELECT pg_catalog.setval('"public"."documents_id_seq"', 1, false);
 SELECT pg_catalog.setval('"public"."product_to_features_id_seq"', 1, false);


--
-- Name: stats_id_seq; Type: SEQUENCE SET; Schema: public; Owner: postgres
--

-SELECT pg_catalog.setval('"public"."stats_id_seq"', 1, false);
-
-
--
-- Name: summaries_id_seq; Type: SEQUENCE SET; Schema: public; Owner: postgres
--
-
-SELECT pg_catalog.setval('"public"."summaries_id_seq"', 1, false);
-
-
--
-- Name: vectors_id_seq; Type: SEQUENCE SET; Schema: public; Owner: postgres
--
-
-SELECT pg_catalog.setval('"public"."vectors_id_seq"', 1, false);


 --