Version 2.7.0 prevents reading data on web under certain conditions #1085

Open
@Mr-Pepe

Description

Describe the bug
Under certain conditions a client with a service role key cannot circumvent RLS policy restrictions on web.

To Reproduce
Add the following code to a Flutter project:

// integration_test/supabase_test.dart

import 'package:flutter/material.dart';
import 'package:flutter_test/flutter_test.dart';
import 'package:integration_test/integration_test.dart';
import 'package:supabase_flutter/supabase_flutter.dart' as supabase;

// getSupabaseUrl() and getSupabaseKey() are the reporter's own helpers that
// return the project URL and the anon / service role key; they are not shown
// in this issue.

void main() async {
  IntegrationTestWidgetsFlutterBinding.ensureInitialized();

  testWidgets('Analytics', (WidgetTester tester) async {
    // Client constructed with the service role key (expected to bypass RLS).
    final client1 = supabase.SupabaseClient(
      getSupabaseUrl(),
      getSupabaseKey(role: 'service'),
    );

    // Client constructed with the anon key.
    final client2 = supabase.SupabaseClient(
      getSupabaseUrl(),
      getSupabaseKey(),
    );

    await tester.pumpWidget(
      const MaterialApp(
        home: Scaffold(
          body: Center(child: Text('Hello')),
        ),
      ),
    );

    // Commenting out this line makes the test pass
    await client2.auth.signInAnonymously();

    // Commenting out this line makes the test pass
    await client1.from('session_events').select();

    final events = await client1.from('session_events').select();

    expect(events, isNotEmpty, reason: 'Session events empty');
  });
}

// test_driver/integration_test.dart

import 'package:flutter_driver/flutter_driver.dart';
import 'package:integration_test/integration_test_driver_extended.dart';

Future<void> main() async {
  return integrationDriver(driver: await FlutterDriver.connect());
}

Create a table "session_events" that has an RLS policy preventing everyone from reading it.

Run the test on Linux with

    flutter test -d linux integration_test

and on Chrome with

    flutter drive --driver=test_driver/integration_test.dart --target=integration_test/supabase_test.dart -d web-server --browser-name chrome --no-headless

Make sure to first start ChromeDriver on port 4444.

Observed behavior

  • Run on Chrome -> The test fails
  • Run on Linux -> The test passes
  • Comment out the anonymous sign-in -> The test passes
  • Comment out the first read -> The test passes
  • Run on Chrome with version 2.6.0 -> The test passes

Version (please complete the following information):

├── supabase 2.4.0
│   ├── functions_client 2.3.3
│   ├── gotrue 2.9.0
│   ├── postgrest 2.2.0
│   ├── realtime_client 2.3.0
│   ├── storage_client 2.1.0
├── supabase_flutter 2.7.0
│   ├── supabase...
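
An added diagnostic for narrowing this down (example code, not from the reporter and not part of supabase_flutter): it reports the role claim each client would actually act under, assuming that a signed-in session's access token, when present, replaces the API key in the Authorization header, and that the service role key passed to the constructor is itself a JWT carrying role=service_role. Calling assertServiceRole on client1 just before each read shows whether the anonymous session created on client2 has ended up on client1, which is one hypothesis for why the read becomes subject to RLS on web.

```dart
// jwt_role_check.dart (added helper; getSupabaseUrl/getSupabaseKey are the
// reporter's helpers and are not part of this file)
import 'dart:convert';

import 'package:supabase_flutter/supabase_flutter.dart';

/// Decode a JWT payload WITHOUT verifying the signature (inspection only) and
/// return its "role" claim, or null if the token is not a well-formed JWT.
String? jwtRole(String token) {
  final parts = token.split('.');
  if (parts.length != 3) return null;
  final payload = utf8.decode(base64Url.decode(base64Url.normalize(parts[1])));
  final claims = jsonDecode(payload);
  return claims is Map<String, dynamic> ? claims['role'] as String? : null;
}

/// The role a client will act under. Assumption: when the client holds a
/// session, its access token is sent as the bearer token instead of the key.
String? effectiveRole(SupabaseClient client, String apiKey) {
  final session = client.auth.currentSession;
  return jwtRole(session?.accessToken ?? apiKey);
}

/// Fail loudly if a client that is meant to use the service role is carrying
/// an anonymous or user session, or was built with a key that is not the
/// service role key. Intended to be called right before each read in the test.
void assertServiceRole(SupabaseClient client, String apiKey) {
  final role = effectiveRole(client, apiKey);
  if (role != 'service_role') {
    throw StateError(
      'expected a service_role client, but effective role is $role '
      '(session present: ${client.auth.currentSession != null})',
    );
  }
}
```

Checking effectiveRole(client2, anonKey) after signInAnonymously() in the same way shows the anonymous client's role for comparison.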