
Articles tagged "supabase".

9 articles on this topic.

9 min read · chrome-extension, manifest-v3, supabase

How to build a Chrome extension popup with Supabase Auth (step by step)

Load Supabase JS into a Manifest V3 popup, persist sessions in chrome.storage, handle popup-reopen state recovery. Step by step.

8 min read · supabase, supabase-auth, supabase-publishable-key

Migrating to Supabase publishable keys broke my Chrome extension. Here is the fix.

Supabase's new sb_publishable_* keys return 401 when sent as raw apikey headers, and the JS SDK defaults to localStorage which a Manifest V3 Chrome extension cannot use. Here is the migration: deleting hand-rolled fetch wrappers, switching to @supabase/supabase-js, and the chrome.storage.local adapter that keeps sessions persistent.

9 min read · lovable, lovable-security, supabase

How to audit a Lovable app after the BOLA disclosure: a 6-hour rotation playbook

Lovable's April 2026 BOLA vulnerability exposed projects created before November 2025. Here is the audit checklist I ran on a client's Supabase-backed Lovable app, the 6-hour key rotation that followed, and the Chrome-extension SDK migration nobody warned us about.

8 min read · supabase, supabase-realtime, security

Realtime broadcast scope is a security boundary, not a routing convenience

Default-public Realtime broadcasts leak message bodies to every subscriber. The private-channel flag is the fix; here is when to use it.

7 min read · security, supabase, auth-jwt

User enumeration via password reset: the bug in default forgot-password flows

Most forgot-password endpoints leak whether an email exists. The fix is one rule: always return the same response, regardless of account status.

7 min read · security, supabase, edge-functions

Origin validation in edge functions: the open redirect you ship by default

Edge functions that trust the Origin header for redirect URLs are vulnerable to open redirects. Here's the allowlist pattern that closes the gap.

7 min read · postgres, supabase, postgres-triggers

How to build a tamper-evident audit log in Postgres with one trigger

Step by step: build an audit log table, attach a SECURITY DEFINER trigger that captures every UPDATE and DELETE, and lock it down with RLS.

7 min read · supabase, postgrest, postgres

How a Postgres constraint rename silently broke production via PostgREST

PostgREST's `.upsert({ onConflict: 'name' })` resolves against your real constraint name. Rename the constraint and the upsert silently fails.

8 min read · supabase, supabase-auth, postgres

Two-layer identity models in Supabase: when auth and authorization disagree

Supabase Auth gives you auth.users for free. Roles need a second table, a trigger, and atomic deployment. Here's how the gap breaks production.
