From e40a729e2a36aede4a23b0031c27c9ea9f2e1522 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Filipe=20Caba=C3=A7o?=
Date: Thu, 19 Sep 2024 14:19:32 +0100
Subject: [PATCH 1/4] fix: Reduce postgres user grants

Reduces the permissions given to the postgres user to reduce error prone operations from users when interacting with the schema 'realtime'
---
 lib/realtime/tenants/migrations.ex | 6 ++++--
 ...0240919140541_reduce_grants_postgres_user.ex | 17 +++++++++++++++++
 mix.exs | 2 +-
 3 files changed, 22 insertions(+), 3 deletions(-)
 create mode 100644 lib/realtime/tenants/repo/migrations/20240919140541_reduce_grants_postgres_user.ex

diff --git a/lib/realtime/tenants/migrations.ex b/lib/realtime/tenants/migrations.ex
index 489431c11..62b75b932 100644
--- a/lib/realtime/tenants/migrations.ex
+++ b/lib/realtime/tenants/migrations.ex
@@ -59,7 +59,8 @@ defmodule Realtime.Tenants.Migrations do
     FixWalrusRoleHandling,
     UnloggedMessagesTable,
     LoggedMessagesTable,
-    FilterDeletePostgresChanges
+    FilterDeletePostgresChanges,
+    ReduceGrantsPostgresUser
   }
 
   @migrations [
@@ -109,7 +110,8 @@ defmodule Realtime.Tenants.Migrations do
     {20_240_618_124_746, FixWalrusRoleHandling},
     {20_240_801_235_015, UnloggedMessagesTable},
     {20_240_805_133_720, LoggedMessagesTable},
-    {20_240_827_160_934, FilterDeletePostgresChanges}
+    {20_240_827_160_934, FilterDeletePostgresChanges},
+    {20_240_919_140_541, ReduceGrantsPostgresUser}
   ]
   defstruct [:tenant_external_id, :settings]
   @spec run_migrations(map()) :: :ok | {:error, any()}
diff --git a/lib/realtime/tenants/repo/migrations/20240919140541_reduce_grants_postgres_user.ex b/lib/realtime/tenants/repo/migrations/20240919140541_reduce_grants_postgres_user.ex
new file mode 100644
index 000000000..49e342596
--- /dev/null
+++ b/lib/realtime/tenants/repo/migrations/20240919140541_reduce_grants_postgres_user.ex
@@ -0,0 +1,17 @@
+defmodule Realtime.Tenants.Migrations.ReduceGrantsPostgresUser do
+  @moduledoc false
+  use Ecto.Migration
+
+  def change do
+    execute("revoke supabase_realtime_admin from postgres")
+
+    execute("revoke all on table realtime.schema_migrations from postgres")
+    execute("grant select on table realtime.schema_migrations to postgres with grant option")
+
+    execute("revoke all on table realtime.messages from postgres")
+    execute("grant select on table realtime.messages to postgres with grant option")
+
+    execute("revoke all on table realtime.subscription from postgres")
+    execute("grant select on table realtime.subscription to postgres with grant option")
+  end
+end
diff --git a/mix.exs b/mix.exs
index 019871674..7d1f019e0 100644
--- a/mix.exs
+++ b/mix.exs
@@ -4,7 +4,7 @@ defmodule Realtime.MixProject do
   def project do
     [
       app: :realtime,
-      version: "2.32.11",
+      version: "2.32.12",
       elixir: "~> 1.16.0",
       elixirc_paths: elixirc_paths(Mix.env()),
       start_permanent: Mix.env() == :prod,

From d4e2aed50e66429083e153354673c6f12f29823b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Filipe=20Caba=C3=A7o?=
Date: Tue, 24 Sep 2024 13:06:50 +0100
Subject: [PATCH 2/4] Update lib/realtime/tenants/repo/migrations/20240919140541_reduce_grants_postgres_user.ex

Co-authored-by: Bobbie Soedirgo <31685197+soedirgo@users.noreply.github.com>
---
 .../migrations/20240919140541_reduce_grants_postgres_user.ex | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/realtime/tenants/repo/migrations/20240919140541_reduce_grants_postgres_user.ex b/lib/realtime/tenants/repo/migrations/20240919140541_reduce_grants_postgres_user.ex
index 49e342596..a2eea02a3 100644
--- a/lib/realtime/tenants/repo/migrations/20240919140541_reduce_grants_postgres_user.ex
+++ b/lib/realtime/tenants/repo/migrations/20240919140541_reduce_grants_postgres_user.ex
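Review bot: Every statement in `def change` is a one-argument `execute/1`, which Ecto cannot reverse — rolling this migration back raises instead of restoring the previous grants — so each call should carry an explicit down statement, e.g. `execute("revoke all on table realtime.messages from postgres", "grant all on table realtime.messages to postgres")`, or the module should define `up`/`down` (the exact privileges to restore are not recorded in the hunk and would need to be confirmed against the earlier migrations). Separately, each `grant select ... with grant option` lets the postgres role re-delegate that privilege to any other role, which works against the stated goal of reducing what postgres can do; unless re-delegation is a known requirement, drop `with grant option` on the schema_migrations, messages and subscription grants alike.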
@@ -5,7 +5,7 @@ defmodule Realtime.Tenants.Migrations.ReduceGrantsPostgresUser do
   def change do
     execute("revoke supabase_realtime_admin from postgres")
 
-    execute("revoke all on table realtime.schema_migrations from postgres")
+    execute("revoke all on table realtime.schema_migrations from postgres, anon, authenticated, service_role")
     execute("grant select on table realtime.schema_migrations to postgres with grant option")
 
     execute("revoke all on table realtime.messages from postgres")

From 38c8ba1b6de625d1dc7ed562700e29c528fd1bcf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Filipe=20Caba=C3=A7o?=
Date: Tue, 24 Sep 2024 13:07:23 +0100
Subject: [PATCH 3/4] Update lib/realtime/tenants/repo/migrations/20240919140541_reduce_grants_postgres_user.ex

Co-authored-by: Bobbie Soedirgo <31685197+soedirgo@users.noreply.github.com>
---
 .../migrations/20240919140541_reduce_grants_postgres_user.ex | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/realtime/tenants/repo/migrations/20240919140541_reduce_grants_postgres_user.ex b/lib/realtime/tenants/repo/migrations/20240919140541_reduce_grants_postgres_user.ex
index a2eea02a3..a9a5fcf68 100644
--- a/lib/realtime/tenants/repo/migrations/20240919140541_reduce_grants_postgres_user.ex
+++ b/lib/realtime/tenants/repo/migrations/20240919140541_reduce_grants_postgres_user.ex
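Review bot: The added `revoke ... from postgres, anon, authenticated, service_role` fails with a "role does not exist" error if any of those four roles is missing in a tenant database, and since this runs inside the tenant migration it would abort the whole run for that tenant. If every tenant is provisioned with these roles this is fine; otherwise the revoke should be wrapped in a `DO` block that checks `pg_roles` for each name before revoking, or the role list should be derived from what exists. Revoking a privilege a role does not hold is a no-op in Postgres, so only the missing-role case needs guarding. `change/0` continues below the hunk.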
@@ -4,6 +4,9 @@ defmodule Realtime.Tenants.Migrations.ReduceGrantsPostgresUser do
 
   def change do
     execute("revoke supabase_realtime_admin from postgres")
+    execute("alter default privileges for role supabase_admin in schema realtime revoke all on tables from postgres")
+    execute("alter default privileges for role supabase_admin in schema realtime revoke all on functions from postgres")
+    execute("alter default privileges for role supabase_admin in schema realtime revoke all on sequences from postgres")
 
     execute("revoke all on table realtime.schema_migrations from postgres, anon, authenticated, service_role")
     execute("grant select on table realtime.schema_migrations to postgres with grant option")

From 3878e86430be21e4e91c58ebe78e39d01d6eb962 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Filipe=20Caba=C3=A7o?=
Date: Tue, 24 Sep 2024 16:26:29 +0100
Subject: [PATCH 4/4] Update lib/realtime/tenants/repo/migrations/20240919140541_reduce_grants_postgres_user.ex

Co-authored-by: Bobbie Soedirgo <31685197+soedirgo@users.noreply.github.com>
---
 .../migrations/20240919140541_reduce_grants_postgres_user.ex | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/realtime/tenants/repo/migrations/20240919140541_reduce_grants_postgres_user.ex b/lib/realtime/tenants/repo/migrations/20240919140541_reduce_grants_postgres_user.ex
index a9a5fcf68..4eca60088 100644
--- a/lib/realtime/tenants/repo/migrations/20240919140541_reduce_grants_postgres_user.ex
+++ b/lib/realtime/tenants/repo/migrations/20240919140541_reduce_grants_postgres_user.ex
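Review bot: The three `alter default privileges for role supabase_admin ...` statements only affect objects supabase_admin creates in `realtime` after this migration runs; existing functions and sequences in the schema keep whatever postgres already holds on them, and the explicit revokes below cover only three tables. If the intent is to also strip current access, pair these with `revoke all on all functions in schema realtime from postgres` and `revoke all on all sequences in schema realtime from postgres`. Note too that Postgres only accepts `alter default privileges for role supabase_admin` when the migration's connection role is supabase_admin or a member of it — presumably the tenant migrator is, but that is not visible here and is worth a comment. The `on functions` clause also does not remove the execute privilege postgres receives through PUBLIC's default, so it is weaker than it reads.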
@@ -11,8 +11,8 @@ defmodule Realtime.Tenants.Migrations.ReduceGrantsPostgresUser do
     execute("revoke all on table realtime.schema_migrations from postgres, anon, authenticated, service_role")
     execute("grant select on table realtime.schema_migrations to postgres with grant option")
 
-    execute("revoke all on table realtime.messages from postgres")
-    execute("grant select on table realtime.messages to postgres with grant option")
+    execute("revoke all on table realtime.messages from postgres, anon, authenticated, service_role")
+    execute("grant select, insert on table realtime.messages to postgres with grant option")
 
     execute("revoke all on table realtime.subscription from postgres")
     execute("grant select on table realtime.subscription to postgres with grant option")
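Review bot: After this change the schema_migrations and messages revokes cover postgres, anon, authenticated and service_role, but the unchanged `execute("revoke all on table realtime.subscription from postgres")` two lines below still names postgres only, so the three client roles keep whatever they hold on `realtime.subscription`. If that asymmetry is deliberate, a one-line comment above the subscription revoke saying why it is exempt would stop the next reader from "fixing" it; otherwise change it to `execute("revoke all on table realtime.subscription from postgres, anon, authenticated, service_role")`. `change/0` ends just past the hunk.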