fix: use correct supabase auth

Yostra · cursoragent · Yostra · commit aaf21e41b22f · 2026-06-13T00:41:14.000+02:00
Co-authored-by: Cursor &lt;cursoragent@cursor.com&gt;
diff --git a/packages/sync-engine/src/supabase/edge-functions/stripe-setup.ts b/packages/sync-engine/src/supabase/edge-functions/stripe-setup.ts
@@ -3,6 +3,7 @@ import { runMigrationsFromContent } from '../../database/migrate.ts'
 import { VERSION } from '../../version.ts'
 import { embeddedMigrations } from '../../database/migrations-embedded.ts'
 import { parseSchemaComment } from '../schemaComment.ts'
+import { authenticateWithSupabase } from '../managementAuth.ts'
 import postgres from 'postgres'
 
 // Name of the vault secret used to authenticate callers of this function.
@@ -123,6 +124,11 @@ Deno.serve(async (req) => {
     }
   }
 
+  const supabaseAuthError = await authenticateWithSupabase(MGMT_API_BASE, projectRef, accessToken)
+  if (supabaseAuthError) {
+    return new Response('Unauthorized', { status: 401 })
+  }
+
   // Handle GET requests for status
   if (req.method === 'GET') {
     const dbUrl = Deno.env.get('SUPABASE_DB_URL')
diff --git a/packages/sync-engine/src/supabase/managementAuth.ts b/packages/sync-engine/src/supabase/managementAuth.ts
@@ -0,0 +1,55 @@
+// Verifies a management access token can operate on a specific project, mirroring
+// how the install script targets the project ref directly via the Management API.
+
+export async function canAccessProject(
+  mgmtApiBase: string,
+  projectRef: string,
+  accessToken: string
+): Promise<boolean> {
+  const response = await fetch(`${mgmtApiBase}/v1/projects/${projectRef}`, {
+    method: 'GET',
+    headers: {
+      Authorization: `Bearer ${accessToken}`,
+      'Content-Type': 'application/json',
+    },
+  })
+  return response.ok
+}
+
+// Fallback for branch deployments, whose ref is exposed via the branches endpoint
+// rather than /v1/projects/{ref}.
+export async function canAccessBranch(
+  mgmtApiBase: string,
+  projectRef: string,
+  accessToken: string
+): Promise<boolean> {
+  const response = await fetch(`${mgmtApiBase}/v1/branches/${projectRef}`, {
+    method: 'GET',
+    headers: {
+      Authorization: `Bearer ${accessToken}`,
+      'Content-Type': 'application/json',
+    },
+  })
+  return response.ok
+}
+
+// Returns null when the token may operate on projectRef, otherwise an error string.
+export async function authenticateWithSupabase(
+  mgmtApiBase: string,
+  projectRef: string,
+  accessToken: string | null
+): Promise<string | null> {
+  if (!accessToken) {
+    return 'Unauthorized: Invalid credentials'
+  }
+
+  if (await canAccessProject(mgmtApiBase, projectRef, accessToken)) {
+    return null
+  }
+
+  if (await canAccessBranch(mgmtApiBase, projectRef, accessToken)) {
+    return null
+  }
+
+  return 'Unauthorized: Invalid credentials'
+}
diff --git a/packages/sync-engine/src/tests/unit/managementAuth.test.ts b/packages/sync-engine/src/tests/unit/managementAuth.test.ts
@@ -0,0 +1,78 @@
+import { describe, it, expect, afterEach, vi } from 'vitest'
+import { authenticateWithSupabase } from '../../supabase/managementAuth'
+
+const MGMT_API_BASE = 'https://api.supabase.com'
+const PROJECT_REF = 'lgiudgtkdioaxbczoqhq'
+const VALID_TOKEN = 'sbp_valid_token'
+
+// Stubs global fetch so response.ok is driven by the requested URL.
+function mockFetchByUrl(isOk: (url: string) => boolean) {
+  const mockFetch = vi.fn().mockImplementation((url: string) => Promise.resolve({ ok: isOk(url) }))
+  global.fetch = mockFetch
+  return mockFetch
+}
+
+describe('authenticateWithSupabase', () => {
+  afterEach(() => {
+    vi.restoreAllMocks()
+  })
+
+  it('rejects a missing token without calling the management API', async () => {
+    const mockFetch = mockFetchByUrl(() => true)
+
+    const error = await authenticateWithSupabase(MGMT_API_BASE, PROJECT_REF, null)
+
+    expect(error).toBe('Unauthorized: Invalid credentials')
+    expect(mockFetch).not.toHaveBeenCalled()
+  })
+
+  it('rejects a fabricated token (the reported attack)', async () => {
+    // A bogus token gets a 401 from the management API, so response.ok is false.
+    const mockFetch = mockFetchByUrl(() => false)
+
+    const error = await authenticateWithSupabase(MGMT_API_BASE, PROJECT_REF, 'fake_attacker_token')
+
+    expect(error).toBe('Unauthorized: Invalid credentials')
+    // Both the project and branch checks are attempted before rejecting.
+    expect(mockFetch).toHaveBeenCalledTimes(2)
+  })
+
+  it('accepts a token that can access the project', async () => {
+    mockFetchByUrl((url) => url.endsWith(`/v1/projects/${PROJECT_REF}`))
+
+    const error = await authenticateWithSupabase(MGMT_API_BASE, PROJECT_REF, VALID_TOKEN)
+
+    expect(error).toBeNull()
+  })
+
+  it('accepts a branch ref reachable via /v1/branches as a fallback', async () => {
+    const mockFetch = mockFetchByUrl((url) => url.includes('/v1/branches/'))
+
+    const error = await authenticateWithSupabase(MGMT_API_BASE, PROJECT_REF, VALID_TOKEN)
+
+    expect(error).toBeNull()
+    // Direct project check ran first and failed, then the branch check passed.
+    expect(mockFetch).toHaveBeenCalledTimes(2)
+    expect(mockFetch).toHaveBeenLastCalledWith(
+      `${MGMT_API_BASE}/v1/branches/${PROJECT_REF}`,
+      expect.objectContaining({
+        method: 'GET',
+        headers: expect.objectContaining({ Authorization: `Bearer ${VALID_TOKEN}` }),
+      })
+    )
+  })
+
+  it('queries the exact project ref with the bearer token', async () => {
+    const mockFetch = mockFetchByUrl(() => true)
+
+    await authenticateWithSupabase(MGMT_API_BASE, PROJECT_REF, VALID_TOKEN)
+
+    expect(mockFetch).toHaveBeenCalledWith(
+      `${MGMT_API_BASE}/v1/projects/${PROJECT_REF}`,
+      expect.objectContaining({
+        method: 'GET',
+        headers: expect.objectContaining({ Authorization: `Bearer ${VALID_TOKEN}` }),
+      })
+    )
+  })
+})
