
fix(db): harden get_following_feed against impersonation#126

Merged
ohong merged 2 commits into
mainfrom
codex/fix-rpc-to-prevent-unauthorized-access
Jun 11, 2026

Conversation


@ohong ohong commented Jun 9, 2026

Owner

Motivation

  • The public.get_following_feed RPC was declared SECURITY DEFINER but trusted the caller-supplied p_user_id, allowing callers to impersonate other users and bypass RLS to read private posts and daily_usage JSON.
  • This posed a high-severity confidentiality exposure because the function returns joined user and usage data and was granted to authenticated without revoking PUBLIC.

Description

  • Add a new migration supabase/migrations/20260504090000_harden_get_following_feed_rpc_auth.sql that runs CREATE OR REPLACE FUNCTION public.get_following_feed(...) and preserves the original signature and result shape.
  • Inside the function the migration reads v_caller_id := auth.uid(), rejects unauthenticated callers, and raises Forbidden if p_user_id is distinct from v_caller_id, then uses v_caller_id in the feed predicate.
  • The migration tightens execute privileges by running REVOKE EXECUTE ON FUNCTION public.get_following_feed(...) FROM PUBLIC; and then GRANT EXECUTE ... TO authenticated;

Testing

  • Confirmed the vulnerable RPC definition was present with rg -n "get_following_feed|harden_get_feed" supabase/migrations, which succeeded.
  • Inspected the new migration file with nl -ba supabase/migrations/20260504090000_harden_get_following_feed_rpc_auth.sql to verify the checks and predicate changes, which succeeded.
  • Added and committed the migration with git add and git commit -m "fix(db): harden get_following_feed auth checks", which produced a successful commit.

Codex Task


vercel Bot commented Jun 9, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

Project   Deployment   Actions            Updated (UTC)
straude   Ready        Preview, Comment   Jun 11, 2026 6:35am

@ohong ohong added the codex label Jun 9, 2026

coderabbitai Bot commented Jun 9, 2026


Warning

Review limit reached

@ohong, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 57 minutes and 4 seconds. Learn how PR review limits work.

Your organization has reached its usage spending cap. Adjust your spending cap in the billing tab.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 241896f6-4282-4274-839b-13c89781a66a

📥 Commits

Reviewing files that changed from the base of the PR and between f88fdf7 and 40bf709.

📒 Files selected for processing (1)
  • supabase/migrations/20260504090000_harden_get_following_feed_rpc_auth.sql

ohong and others added 2 commits June 10, 2026 23:34
Carries over the unbounded-limit hardening from the alternative fix so
closing that PR loses no coverage.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@ohong ohong force-pushed the codex/fix-rpc-to-prevent-unauthorized-access branch from e6ae685 to 40bf709 Compare June 11, 2026 06:34

ohong commented Jun 11, 2026

Owner Author

Merged. Adds migration 20260504090000_harden_get_following_feed_rpc_auth.sql that closes the SECURITY DEFINER IDOR in public.get_following_feed: the function now derives the caller from auth.uid(), rejects unauthenticated callers and any p_user_id that doesn't match the caller (ERRCODE 42501), and uses the verified caller id in the feed predicate. It also runs REVOKE EXECUTE ... FROM PUBLIC and re-grants only to authenticated. I added a server-side page-size clamp (LEAST(GREATEST(COALESCE(p_limit,20),1),100)) — carried over from the alternative #127 — so this single migration fully supersedes it. This is the correct approach over editing the original migration in place (which would never re-run on already-migrated databases). Verified via the migration-safety unit suite and CI's supabase start integration job, which applies the migration to a real Postgres. claude-review fails org-wide on billing config, unrelated.
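The hardened RPC that the PR description and the merge comment above describe, written out as an added example (this is not the migration file from the PR). The parameter list (p_user_id uuid, p_limit integer), the returned columns, and the tables public.posts, public.follows and public.daily_usage with their columns are assumptions, since the page only shows the signature as (...).

```sql
-- Assumed schema (not from the PR): public.posts(id, user_id, body, created_at),
-- public.follows(follower_id, followee_id), public.daily_usage(user_id, usage jsonb).
create or replace function public.get_following_feed(p_user_id uuid, p_limit integer default 20)
returns table (post_id uuid, author_id uuid, body text, created_at timestamptz, daily_usage jsonb)
language plpgsql
security definer
set search_path = public   -- pin search_path: SECURITY DEFINER runs with the owner's rights
as $$
declare
  v_caller_id uuid := auth.uid();
  v_limit     integer;
begin
  -- auth.uid() is null when there is no user JWT: refuse anonymous callers.
  if v_caller_id is null then
    raise exception 'Unauthenticated' using errcode = '42501';
  end if;

  -- Never trust the caller-supplied id; it must equal the JWT subject.
  if p_user_id is distinct from v_caller_id then
    raise exception 'Forbidden' using errcode = '42501';
  end if;

  -- Server-side page-size clamp carried over from #127: 1..100, default 20.
  v_limit := least(greatest(coalesce(p_limit, 20), 1), 100);

  -- The feed predicate uses the verified caller id, never p_user_id.
  return query
    select p.id, p.user_id, p.body, p.created_at, du.usage
      from public.posts p
      join public.follows f on f.followee_id = p.user_id
      left join public.daily_usage du on du.user_id = p.user_id
     where f.follower_id = v_caller_id
     order by p.created_at desc
     limit v_limit;
end;
$$;

-- Functions are executable by PUBLIC by default; revoke that, then grant
-- only to Supabase's authenticated role so the anon key cannot call it.
revoke execute on function public.get_following_feed(uuid, integer) from public;
grant execute on function public.get_following_feed(uuid, integer) to authenticated;
```

Because the function bypasses RLS as SECURITY DEFINER, every row it returns is scoped by v_caller_id rather than by the tables' policies, which is why the id check has to come before the query and not rely on RLS.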

@ohong ohong merged commit 08ac50f into main Jun 11, 2026
4 of 5 checks passed
@ohong ohong deleted the codex/fix-rpc-to-prevent-unauthorized-access branch June 11, 2026 06:40