Articles tagged "supabase".

10 articles on this topic.

7 min read · supabase, supabase-vault, postgres

How to encrypt API keys and client secrets in Supabase

Use Supabase Vault to encrypt API keys and client secrets, keep metadata in Postgres, and gate decrypts behind one checked SECURITY DEFINER function.

7 min read · chrome-extension, manifest-v3, supabase

How to build a Chrome extension popup with Supabase Auth (step by step)

Wire Supabase Auth into an MV3 popup: bundle the UMD, persist sessions in chrome.storage, recover state on reopen. Working code included.

7 min read · supabase, supabase-auth, supabase-publishable-key

Migrating to Supabase publishable keys broke my Chrome extension. Here is the fix.

Supabase publishable keys return 401 from hand-rolled fetch. Migration to @supabase/supabase-js with a chrome.storage.local session adapter.

9 min read · lovable, lovable-security, supabase

How to audit a Lovable app after the BOLA disclosure: a 6-hour rotation playbook

Audit checklist I ran on a client's Lovable app after the April 2026 BOLA disclosure, plus the key rotation and Chrome extension SDK migration.

7 min read · supabase, supabase-realtime, security

Realtime broadcast scope is a security boundary, not a routing convenience

Default-public Realtime broadcasts leak message bodies to every subscriber. The private-channel flag plus RLS is the fix.

6 min read · security, supabase, auth-jwt

User enumeration via password reset: the bug in default forgot-password flows

Most forgot-password endpoints leak whether an email exists. Fix: return the same response always, regardless of account status.

7 min read · security, supabase, edge-functions

Origin validation in edge functions: the open redirect you ship by default

Edge functions that trust the Origin or Referer header for redirect URLs are open-redirect vulnerable. One allowlist helper closes the gap.

8 min read · postgres, supabase, postgres-triggers

How to build a tamper-evident audit log in Postgres with one trigger

Build an audit log table, attach a SECURITY DEFINER trigger that captures every UPDATE and DELETE, lock it down with RLS. Forty lines of SQL.

6 min read · supabase, postgrest, postgres

How a Postgres constraint rename silently broke production via PostgREST

PostgREST resolves onConflict against real constraint names at runtime. Rename a constraint and the upsert silently fails with a 400 nobody notices.

7 min read · supabase, supabase-auth, postgres

Two-layer identity models in Supabase: when auth and authorization disagree

auth.users gives you identity for free. Roles need a second table, a trigger, and an atomic migration. Here's where the gap breaks production.
