I’m seeing how many vibe-coded apps using Supabase there are nowadays that don’t even test their RLS policies, and that’s a pretty terrifying thought.
Half these apps could have their entire DB exposed to public and nobody would know until it’s too late. Recently an app leaked 13k users’ data because of broken RLS.
So I built a CLI to test RLS policies before prod:
– Introspects your DB schema
– Simulates different roles (anon, authenticated, custom JWT claims)
– Tries CRUD operations on every RLS-enabled table
– Wraps everything in transactions with ROLLBACK (no actual data changes)
– Generates snapshots you can diff in CI
It’s not a substitute for proper security reviews (attackers will always find crafty exploits). But it catches the obvious mess-ups before they leak user data.
https://github.com/Rodrigotari1/supashield
What’s your RLS testing workflow? What edge cases am I missing?
Comments URL: https://news.ycombinator.com/item?id=45607925
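The procedure the post lists (simulate a role, try CRUD on an RLS-enabled table, roll everything back) can be done by hand in one psql transaction. The following is an added example, not code from the post or from the supashield repository: it builds a throwaway table with a deliberately loose INSERT policy, impersonates Supabase's `anon` and `authenticated` roles by forging the JWT-claim GUCs that `auth.uid()` reads, reports PASS/FAIL per probe, tightens the policy, re-probes, and ends in ROLLBACK. It assumes a Postgres database with the Supabase `anon`/`authenticated` roles and `auth.uid()` helper, run as a role that is a member of both and does not have BYPASSRLS; the table, policy names and UUIDs are invented.

```sql
-- Added example (not from the post or the supashield project). Assumes Supabase's
-- anon/authenticated roles and auth.uid(), which reads request.jwt.claim.sub or
-- request.jwt.claims; run as a role without BYPASSRLS. Names and UUIDs are made up.
\set ON_ERROR_STOP on
BEGIN;

CREATE TABLE public.probe_notes (
  id       bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  owner_id uuid NOT NULL,
  body     text NOT NULL
);
-- Constructed seed data: one row each for "alice" and "bob".
INSERT INTO public.probe_notes (owner_id, body) VALUES
  ('11111111-1111-4111-8111-111111111111', 'alice private'),
  ('22222222-2222-4222-8222-222222222222', 'bob private');

ALTER TABLE public.probe_notes ENABLE ROW LEVEL SECURITY;
-- Without FORCE, the table owner bypasses RLS and a probe run as the owner passes vacuously.
ALTER TABLE public.probe_notes FORCE ROW LEVEL SECURITY;
GRANT SELECT, INSERT, UPDATE, DELETE ON public.probe_notes TO anon, authenticated;

-- Reads are scoped to the caller...
CREATE POLICY notes_select ON public.probe_notes
  FOR SELECT TO authenticated USING (owner_id = auth.uid());
-- ...but the insert check only asks "is someone logged in?", so any user can plant
-- rows under any owner_id. This is the kind of gap a CRUD probe should catch.
CREATE POLICY notes_insert ON public.probe_notes
  FOR INSERT TO authenticated WITH CHECK (auth.uid() IS NOT NULL);

-- Probe 1: anon. Clear the claim GUCs explicitly: set_config(..., true) is
-- transaction-scoped, not role-scoped, so claims from an earlier impersonation
-- would otherwise carry over into this one.
SELECT set_config('request.jwt.claim.sub', '', true),
       set_config('request.jwt.claims', '', true);
SET LOCAL ROLE anon;
DO $$
DECLARE n int;
BEGIN
  SELECT count(*) INTO n FROM public.probe_notes;
  IF n = 0 THEN RAISE NOTICE 'PASS anon SELECT: no rows visible';
  ELSE RAISE WARNING 'FAIL anon SELECT: % rows visible', n; END IF;
END $$;
RESET ROLE;

-- Probe 2: authenticated, impersonating alice.
SELECT set_config('request.jwt.claim.sub', '11111111-1111-4111-8111-111111111111', true),
       set_config('request.jwt.claims',
                  '{"sub":"11111111-1111-4111-8111-111111111111","role":"authenticated"}', true);
SET LOCAL ROLE authenticated;
DO $$
DECLARE n int;
BEGIN
  SELECT count(*) INTO n FROM public.probe_notes WHERE owner_id <> auth.uid();
  IF n = 0 THEN RAISE NOTICE 'PASS alice SELECT: only own rows visible';
  ELSE RAISE WARNING 'FAIL alice SELECT: % foreign rows visible', n; END IF;
END $$;
-- Spoofed insert: alice writes a row owned by bob. A WITH CHECK violation raises
-- SQLSTATE 42501 (insufficient_privilege); if the INSERT succeeds the policy is too loose.
DO $$
BEGIN
  INSERT INTO public.probe_notes (owner_id, body)
  VALUES ('22222222-2222-4222-8222-222222222222', 'planted by alice');
  RAISE WARNING 'FAIL alice INSERT: row with foreign owner_id accepted';
EXCEPTION WHEN insufficient_privilege THEN
  RAISE NOTICE 'PASS alice INSERT: foreign owner_id rejected';
END $$;
RESET ROLE;

-- Tighten the policy and re-run the spoof probe as alice (claims are still set).
DROP POLICY notes_insert ON public.probe_notes;
CREATE POLICY notes_insert ON public.probe_notes
  FOR INSERT TO authenticated WITH CHECK (owner_id = auth.uid());
SET LOCAL ROLE authenticated;
DO $$
BEGIN
  INSERT INTO public.probe_notes (owner_id, body)
  VALUES ('22222222-2222-4222-8222-222222222222', 'planted by alice');
  RAISE WARNING 'FAIL alice INSERT (tightened): still accepted';
EXCEPTION WHEN insufficient_privilege THEN
  RAISE NOTICE 'PASS alice INSERT (tightened): rejected';
END $$;
RESET ROLE;

-- Nothing above survives: no table, no policies, no planted rows.
ROLLBACK;
```

Run it with `psql -f probe.sql` against a staging database and read the NOTICE/WARNING lines. Two details matter for any harness like this: the role running the script must not own the table without FORCE ROW LEVEL SECURITY and must not hold BYPASSRLS (on Supabase the `postgres` role does), or every probe passes for the wrong reason; and the JWT-claim GUCs must be reset between impersonations, since they live for the whole transaction rather than the `SET LOCAL ROLE` that follows them.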