Articles tagged "supabase".

9 articles on this topic.

How to build a Chrome extension popup with Supabase Auth (step by step)

7 min read · chrome-extension, manifest-v3, supabase

Wire Supabase Auth into an MV3 popup: bundle the UMD, persist sessions in chrome.storage, recover state on reopen. Working code included.

Migrating to Supabase publishable keys broke my Chrome extension. Here is the fix.

7 min read · supabase, supabase-auth, supabase-publishable-key

Supabase publishable keys return 401 from hand-rolled fetch. Migration to @supabase/supabase-js with a chrome.storage.local session adapter.

How to audit a Lovable app after the BOLA disclosure: a 6-hour rotation playbook

9 min read · lovable, lovable-security, supabase

Audit checklist I ran on a client's Lovable app after the April 2026 BOLA disclosure, plus the key rotation and Chrome extension SDK migration.

Realtime broadcast scope is a security boundary, not a routing convenience

7 min read · supabase, supabase-realtime, security

Default-public Realtime broadcasts leak message bodies to every subscriber. The private-channel flag plus RLS is the fix.

User enumeration via password reset: the bug in default forgot-password flows

6 min read · security, supabase, auth-jwt

Most forgot-password endpoints leak whether an email exists. Fix: return the same response always, regardless of account status.

Origin validation in edge functions: the open redirect you ship by default

7 min read · security, supabase, edge-functions

Edge functions that trust the Origin or Referer header for redirect URLs are vulnerable to open redirects. One allowlist helper closes the gap.

How to build a tamper-evident audit log in Postgres with one trigger

8 min read · postgres, supabase, postgres-triggers

Build an audit log table, attach a SECURITY DEFINER trigger that captures every UPDATE and DELETE, lock it down with RLS. Forty lines of SQL.

How a Postgres constraint rename silently broke production via PostgREST

6 min read · supabase, postgrest, postgres

PostgREST resolves onConflict against real constraint names at runtime. Rename a constraint and the upsert silently fails with a 400 nobody notices.

Two-layer identity models in Supabase: when auth and authorization disagree

7 min read · supabase, supabase-auth, postgres

auth.users gives you identity for free. Roles need a second table, a trigger, and an atomic migration. Here's where the gap breaks production.