Fix get_user_id test context for SQL tests

[riderx]

Summary (AI generated)

• Revoke parameterized API-key oracle helper execute rights from authenticated, keeping get_user_id (both overloads) and get_org_perm_for_apikey available only to service_role.
• Update pgTAP coverage to validate the stricter model across contexts: anonymous and authenticated callers are denied while service_role is allowed.
• Ensure direct get_user_id utility coverage executes under service_role in supabase/tests/10_utility_functions.sql.

Motivation (AI generated)

Granting authenticated access to key-disclosure helpers preserves an API-key oracle for all logged-in users. Restricting these RPCs to service role only closes that gap and aligns privileges with internal-only usage.

Business Impact (AI generated)

This reduces key-identity leakage risk and strengthens API security posture without changing public endpoint behavior. It also keeps CI stable by matching tests to current permission controls.

Test Plan (AI generated)

• Run bun lint:backend.
• Re-run targeted Supabase SQL suites: 07_auth_functions.sql, 10_utility_functions.sql, 19_test_identity_functions.sql, 45_test_apikey_oracle_permissions.sql.
• Validate no remaining use of get_user_id/get_org_perm_for_apikey by non-service-role callers in SQL tests.

Generated with AI

Summary by CodeRabbit

• Security

  • Restricted API key–related functions to the service role only and removed public execution rights.

• Tests

  • Added and updated tests to verify access control for anonymous, authenticated, and service-role contexts, including new checks run under service-role authentication.

[coderabbitai]

📝 Walkthrough

Walkthrough

Revokes PUBLIC EXECUTE on API-key oracle functions and grants EXECUTE to service_role only via a migration; updates tests to authenticate as service_role; adds a new pgTAP test that verifies access control for anonymous, authenticated, and service-role callers.

Changes

Cohort / File(s)	Summary
Migration — API key oracle permissions supabase/migrations/20260308203222_restrict_apikey_oracle_public_access.sql	Revokes EXECUTE on public.get_user_id(apikey text), public.get_user_id(apikey text, app_id text), and public.get_org_perm_for_apikey(apikey text, app_id text) from PUBLIC and grants EXECUTE to service_role only.
Existing tests — authenticate as service_role supabase/tests/07_auth_functions.sql, supabase/tests/19_test_identity_functions.sql, supabase/tests/10_utility_functions.sql	Adds tests.authenticate_as_service_role() calls to set service-role context before invoking API-key oracle functions.
New access-control test suite supabase/tests/45_test_apikey_oracle_permissions.sql	Adds pgTAP tests (plan(8)) that assert permission-denied for anonymous calls and verify successful results for authenticated and service-role contexts when calling the three API-key oracle functions.

Sequence Diagram(s)

(omitted)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• Restrict API-key oracle RPCs from anon #1704: Also adjusts EXECUTE privileges for public.get_user_id variants and public.get_org_perm_for_apikey, shifting access away from public/anon.
• fix(security): revoke anon access to apikey oracle RPCs #1670: Restricts anonymous/public execution on the same API-key oracle RPCs, closely related permission changes.
• fix: make is_allowed_capgkey support hashed API keys #1366: Changes get_user_id lookup logic (hashed API keys); relevant to tests and behavior exercised by these permission changes.

Poem

🐰 I hopped through schemas, soft and light,
I nudged the gates and set them right,
Keys for few, not all who peep —
Tests now guard the burrow deep. 🥕✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: fixing test context for get_user_id SQL tests by ensuring they run under service-role permissions.
Description check	✅ Passed	The description includes summary, motivation, business impact, and test plan sections; however, it's mostly AI-generated and lacks specific manual testing steps or verification details.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch riderx/fix-rpc-auth-tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 SQLFluff (4.0.4)

supabase/migrations/20260308203222_restrict_apikey_oracle_public_access.sql

User Error: No dialect was specified. You must configure a dialect or specify one on the command line using --dialect after the command. Available dialects:
ansi, athena, bigquery, clickhouse, databricks, db2, doris, duckdb, exasol, flink, greenplum, hive, impala, mariadb, materialize, mysql, oracle, postgres, redshift, snowflake, soql, sparksql, sqlite, starrocks, teradata, trino, tsql, vertica

supabase/tests/45_test_apikey_oracle_permissions.sql

User Error: No dialect was specified. You must configure a dialect or specify one on the command line using --dialect after the command. Available dialects:
ansi, athena, bigquery, clickhouse, databricks, db2, doris, duckdb, exasol, flink, greenplum, hive, impala, mariadb, materialize, mysql, oracle, postgres, redshift, snowflake, soql, sparksql, sqlite, starrocks, teradata, trino, tsql, vertica

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

supabase/tests/45_test_apikey_oracle_permissions.sql (1)

31-52: Consider adding a test for the two-argument get_user_id with service role.

The authenticated role tests cover both get_user_id(apikey) and get_user_id(apikey, app_id) (lines 33-45), but the service_role section only tests the single-argument version (lines 56-61). For completeness, you might add a test for get_user_id(apikey, app_id) under service_role.

🔧 Optional: Add service_role test for two-argument get_user_id

 SELECT
     is(
         get_org_perm_for_apikey('ae6e7458-c46d-4c00-aa3b-153b0b8520ea', 'com.demo.app'),
         'perm_owner',
         'service role should still call get_org_perm_for_apikey'
     );

+SELECT
+    is(
+        get_user_id('ae6e7458-c46d-4c00-aa3b-153b0b8520ea', 'com.demo.app'),
+        '6aa76066-55ef-4238-ade6-0b32334a4097',
+        'service role should still call get_user_id with app_id'
+    );
+
 SELECT tests.clear_authentication();

Note: Update plan(8) to plan(9) if adding this test.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@supabase/tests/45_test_apikey_oracle_permissions.sql` around lines 31 - 52,
Add a service_role test that calls
get_user_id('ae6e7458-c46d-4c00-aa3b-153b0b8520ea', 'com.demo.app') and asserts
the expected user id (same as the single-argument service_role test), and
increment the test harness plan from plan(8) to plan(9); locate the service_role
block in the file (near the existing get_user_id(apikey) service_role test) and
add the two-argument invocation for get_user_id and its corresponding is(...)
assertion.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@supabase/tests/45_test_apikey_oracle_permissions.sql`:
- Around line 31-52: Add a service_role test that calls
get_user_id('ae6e7458-c46d-4c00-aa3b-153b0b8520ea', 'com.demo.app') and asserts
the expected user id (same as the single-argument service_role test), and
increment the test harness plan from plan(8) to plan(9); locate the service_role
block in the file (near the existing get_user_id(apikey) service_role test) and
add the two-argument invocation for get_user_id and its corresponding is(...)
assertion.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9258340b-a9e4-4860-b61a-397dbfb15be7

📥 Commits

Reviewing files that changed from the base of the PR and between 2af3a08 and bc89446.

📒 Files selected for processing (4)

• supabase/migrations/20260308203222_restrict_apikey_oracle_public_access.sql
• supabase/tests/07_auth_functions.sql
• supabase/tests/19_test_identity_functions.sql
• supabase/tests/45_test_apikey_oracle_permissions.sql

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@supabase/tests/45_test_apikey_oracle_permissions.sql`:
- Around line 59-64: The test compares the uuid returned by get_user_id(...)
against a text literal, causing a type mismatch; update the assertion in
45_test_apikey_oracle_permissions.sql to cast the expected literal to uuid
(e.g., append ::uuid) so the comparison matches the function return type,
mirroring the approach used in 10_utility_functions.sql and ensuring
get_user_id(...) is compared as uuid.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d925803d-2c90-4999-8f80-06bb185d3ed4

📥 Commits

Reviewing files that changed from the base of the PR and between bc89446 and 807927d.

📒 Files selected for processing (3)

• supabase/migrations/20260308203222_restrict_apikey_oracle_public_access.sql
• supabase/tests/10_utility_functions.sql
• supabase/tests/45_test_apikey_oracle_permissions.sql

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Potential type mismatch: UUID vs text comparison.

get_user_id() returns uuid, but the expected value is a text literal. In 10_utility_functions.sql, the comparison uses explicit ::uuid cast. Consider adding the cast for consistency and to avoid potential comparison issues.

Proposed fix

 SELECT
     is(
         get_user_id('ae6e7458-c46d-4c00-aa3b-153b0b8520ea'),
-        '6aa76066-55ef-4238-ade6-0b32334a4097',
+        '6aa76066-55ef-4238-ade6-0b32334a4097'::uuid,
         'service role should still call get_user_id'
     );

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	SELECT
	is(
	get_user_id('ae6e7458-c46d-4c00-aa3b-153b0b8520ea'),
	'6aa76066-55ef-4238-ade6-0b32334a4097',
	'service role should still call get_user_id'
	);
	SELECT
	is(
	get_user_id('ae6e7458-c46d-4c00-aa3b-153b0b8520ea'),
	'6aa76066-55ef-4238-ade6-0b32334a4097'::uuid,
	'service role should still call get_user_id'
	);

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@supabase/tests/45_test_apikey_oracle_permissions.sql` around lines 59 - 64,
The test compares the uuid returned by get_user_id(...) against a text literal,
causing a type mismatch; update the assertion in
45_test_apikey_oracle_permissions.sql to cast the expected literal to uuid
(e.g., append ::uuid) so the comparison matches the function return type,
mirroring the approach used in 10_utility_functions.sql and ensuring
get_user_id(...) is compared as uuid.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud