
Fix SECURITY DEFINER IDOR in get_following_feed RPC #127

Closed
ohong wants to merge 1 commit into main from codex/propose-fix-for-security-definer-vulnerability


Conversation

@ohong ohong (Owner) commented Jun 9, 2026

Motivation

  • Close an IDOR/privacy bypass where the SECURITY DEFINER RPC public.get_following_feed trusted a caller-supplied p_user_id and could bypass RLS to leak private posts and daily_usage data.
  • Reduce the risk of bulk data exfiltration by clamping an unbounded p_limit parameter.

Description

  • Bind the caller session to a local variable with v_auth_user := auth.uid() and reject requests where v_auth_user IS NULL OR v_auth_user <> p_user_id using RAISE EXCEPTION ... ERRCODE = '42501' to prevent authenticated IDOR access.
  • Clamp p_limit server-side with v_limit := LEAST(GREATEST(COALESCE(p_limit, 20), 1), 100) and use LIMIT v_limit to cap page sizes.
  • Preserve the existing feed selection query and the GRANT EXECUTE to authenticated so intended client behavior is unchanged for legitimate callers.

Testing

  • No automated tests were run.

Codex Task
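The change the description walks through, written out as an added example. This is not the migration from this PR (its contents are not shown on this page); the function name, the p_user_id and p_limit parameters, auth.uid(), the 1..100 clamp and the 42501 error code are the ones the description names, while the tables public.posts and public.follows and their columns are assumptions standing in for the project's real schema. The vulnerable shape is shown first so the two can be compared.

```sql
-- Added example, not the project's migration. Assumed schema (not visible on this page):
create table if not exists public.posts (
  id         uuid primary key,
  author_id  uuid not null,
  body       text not null,
  is_private boolean not null default false,
  created_at timestamptz not null default now()
);
create table if not exists public.follows (
  follower_id uuid not null,
  followee_id uuid not null,
  primary key (follower_id, followee_id)
);

-- BEFORE (the vulnerable shape the PR describes). SECURITY DEFINER runs the body as the
-- function owner, so RLS on public.posts no longer applies, and p_user_id is trusted as-is:
-- any authenticated caller can pass another user's id and read that user's feed, private
-- posts included. p_limit is also passed straight through, so one call can dump the table.
create or replace function public.get_following_feed(p_user_id uuid, p_limit integer)
returns setof public.posts
language sql
security definer
set search_path = public
as $$
  select p.*
  from public.posts p
  join public.follows f on f.followee_id = p.author_id
  where f.follower_id = p_user_id
  order by p.created_at desc
  limit p_limit;
$$;

-- AFTER: bind the session identity once, reject mismatches, clamp the page size, and
-- filter on the verified id rather than on the raw parameter.
create or replace function public.get_following_feed(p_user_id uuid, p_limit integer)
returns setof public.posts
language plpgsql
security definer
set search_path = ''   -- empty: every object below is schema-qualified, so a caller cannot shadow it
as $$
declare
  v_auth_user uuid := auth.uid();   -- identity from the JWT, bound once for the whole call
  v_limit     integer;
begin
  -- Anonymous callers and callers asking for someone else's feed are refused.
  if v_auth_user is null or v_auth_user <> p_user_id then
    raise exception 'get_following_feed: p_user_id must match the authenticated user'
      using errcode = '42501';      -- insufficient_privilege
  end if;

  -- Page size clamped to 1..100; a NULL p_limit falls back to 20.
  v_limit := least(greatest(coalesce(p_limit, 20), 1), 100);

  return query
    select p.*
    from public.posts p
    join public.follows f on f.followee_id = p.author_id
    where f.follower_id = v_auth_user
    order by p.created_at desc
    limit v_limit;
end;
$$;

-- Keep the grant the description preserves, and make sure nothing broader is left behind.
revoke execute on function public.get_following_feed(uuid, integer) from public, anon;
grant  execute on function public.get_following_feed(uuid, integer) to authenticated;
```

To check the hardened version from a Supabase session, call it with a p_user_id that is not the session's auth.uid(): the call must fail with SQLSTATE 42501 instead of returning rows, and a call with p_limit = 1000000 for the caller's own id must return at most 100 rows. Two caveats a reviewer would add: a SECURITY DEFINER function should always pin search_path (the empty value plus schema-qualified names above is the strict form), and, as the closing comment on this PR points out, the replacement has to ship as a new migration file rather than as an edit to an already-applied one, or existing databases never receive it.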

@vercel vercel Bot commented Jun 9, 2026

The latest updates on your projects.

Project: straude
Deployment: Ready
Actions: Preview, Comment
Updated (UTC): Jun 9, 2026 7:59pm

@coderabbitai coderabbitai Bot commented Jun 9, 2026
Warning

Review limit reached

@ohong, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 46 minutes and 48 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7fa7a15c-2e53-468d-aeb6-93b4f8caaa4f

📥 Commits

Reviewing files that changed from the base of the PR and between f88fdf7 and 99e8c36.

📒 Files selected for processing (1)
  • supabase/migrations/20260301000000_get_following_feed.sql

@ohong ohong (Owner, Author) commented Jun 11, 2026

Closing as superseded by #126. Both PRs fix the same get_following_feed IDOR, but this PR edits the already-applied migration 20260301000000_get_following_feed.sql in place — Postgres/Supabase won't re-run a migration whose file changed after it was applied, so the fix would silently not take effect on existing databases. #126 ships the same auth check (plus the page-size clamp from this PR) as a new migration 20260504090000, which applies correctly everywhere. The good idea here — clamping p_limit to 1..100 — was carried into #126, so nothing is lost.

@ohong ohong closed this Jun 11, 2026