Disable access to any requests using service_role based on IP
This would be sick if possible, is it possible I can disable access to the service_role API key based on whichever IP sends a request? That way I can only limit to my VPS?
8 Replies
There is a pre request function available for PostgREST that can see the headers so technically it could filter out any request with service_role in authorization header and check the ip header.
But it would not work for auth, storage and realtime.
I mean, that's better than people being able to malicously delete any data from the public table
Is it even worth going that extra mile to implement that?
Why would they have your service role key?
Just out of fear if it were to ever get accidently leaked
It would be overhead per request. I've not seen anyone worry about this in 3 years of helping.
Okay, maybe I'm worrying about it too much then
In that case thanks
I think so.
But it I think it could be done for the DB. But not for storage or auth which could still destroy your app. IF it leaks and IF someone wants to write code to specifically attack you after finding it before you do.
But it I think it could be done for the DB. But not for storage or auth which could still destroy your app. IF it leaks and IF someone wants to write code to specifically attack you after finding it before you do.
Any safety measures to prevent that ever becoming a reality?
I only reference the service_role once in my app, but even then it's gaurded by a
import('server-only') so like I'm pretty confident that won't be exposted.. but doesn't hurt to know