RLS Security Check

Analyze Supabase Row Level Security policies for gaps and weaknesses.

Usage: /vibe-check:rls

Instructions

Step 1: Locate Supabase Files

Check for Supabase project structure:

supabase/
├── config.toml
├── migrations/
│   ├── 20240101000000_init.sql
│   └── ...
└── seed.sql

If no supabase/ folder, check for:

• .sql files in project root
• prisma/ folder (different approach needed)
• Direct Supabase client usage without migrations

Step 2: Parse Migration Files

Read all .sql files in supabase/migrations/.

Extract:

1. CREATE TABLE statements - list of tables
2. ALTER TABLE ... ENABLE ROW LEVEL SECURITY - tables with RLS
3. CREATE POLICY statements - policy definitions

Step 3: Identify RLS Gaps

Missing RLS (HIGH): Tables with CREATE TABLE but no corresponding:

ALTER TABLE table_name ENABLE ROW LEVEL SECURITY;

Overly Permissive Policies (HIGH):

CREATE POLICY "..." ON table_name FOR ALL USING (true);
CREATE POLICY "..." ON table_name FOR ALL WITH CHECK (true);

Missing Operation Policies (MEDIUM): Table has SELECT policy but missing INSERT/UPDATE/DELETE policies.

No User Scoping (MEDIUM): Policies that don't reference auth.uid():

CREATE POLICY "..." USING (status = 'published');  -- No user check

Step 4: Check config.toml

Read supabase/config.toml for security settings:

[auth]
enable_signup = true  # Should be false if invite-only

Flag if:

• enable_signup = true in production configs
• Missing rate limiting settings
• Weak JWT expiry settings

Step 5: Offer Browser Verification

After static analysis, use AskUserQuestion to offer:

Want me to verify RLS policies in your live Supabase dashboard?
Requires: Claude Chrome extension + logged into Supabase

Options:
- Yes, check via browser
- No, skip (I'll check manually)

If yes, use Claude Chrome extension:

1. Get project URL from supabase/.env or ask user
2. Navigate to https://supabase.com/dashboard/project/[ref]/auth/policies
3. Use read_page to extract RLS status for each table
4. Compare with migration expectations
5. Report discrepancies

Step 6: Provide Manual Verification Guide

Always include:

Manual RLS Verification:

1. Go to Supabase Dashboard → Table Editor
2. Click each table → "View Policies" (shield icon)
3. Verify:
   - RLS is "Enabled" (green badge)
   - Policies exist for SELECT/INSERT/UPDATE/DELETE as needed
   - Conditions reference auth.uid() appropriately

SQL Query to check RLS status:
SELECT schemaname, tablename, rowsecurity
FROM pg_tables
WHERE schemaname = 'public';

Output Format

[HIGH] Missing RLS on table: profiles
File: supabase/migrations/001_init.sql:45
Issue: Table created without Row Level Security
Risk: Any authenticated user can read/write all rows

Fix:
ALTER TABLE profiles ENABLE ROW LEVEL SECURITY;

CREATE POLICY "Users can view own profile"
  ON profiles FOR SELECT
  USING (auth.uid() = user_id);

CREATE POLICY "Users can update own profile"
  ON profiles FOR UPDATE
  USING (auth.uid() = user_id);

Common RLS Patterns

User-owned data:

USING (auth.uid() = user_id)

Public read, owner write:

FOR SELECT USING (true)
FOR INSERT/UPDATE/DELETE USING (auth.uid() = user_id)

Role-based:

USING (
  auth.uid() IN (
    SELECT user_id FROM user_roles WHERE role = 'admin'
  )
)