fix: use correct supabase auth in stripe-setup edge-function #385
Merged
matlin
suggested changes
Jun 12, 2026
Looks like a good approach to ensure requests to the setup are being initiated from a privileged system. Requested some changes to make things more clear.
One question is whether the worker secret and setup secret could be shared?
038d1dd to c8cb7da
Author
In theory yes, but will be confusing to use a key named |
Fixes broken access control in the stripe-setup edge function. Since it's deployed with verify_jwt: false and only checked for a Bearer prefix, anyone knowing the project ref could trigger a destructive uninstall (drop schema, delete webhooks, cron jobs, Vault secrets).
Now the caller's token is validated against a per-install Vault secret (like stripe-worker) before any handler runs; forged tokens get 403. The Management token stripe-setup needs for its own API calls is passed separately via x-management-api-token.
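
The change described above, as an added example that is not the PR's own code: the prefix-only check next to a check against a per-install secret. The function names, the 401 and 400 status codes, and passing the secret in as a parameter (instead of reading it from Vault) are assumptions made for illustration.

```typescript
// Hypothetical sketch; header names come from the PR description, everything else is assumed.
type HeaderMap = Record<string, string | undefined>; // lower-cased header names
type AuthResult = { status: number; managementToken?: string };

// "Before": with verify_jwt: false, any value after "Bearer " is accepted.
function prefixOnlyCheck(headers: HeaderMap): AuthResult {
  const auth = headers["authorization"] ?? "";
  return auth.startsWith("Bearer ") ? { status: 200 } : { status: 401 };
}

// Compare without an early exit so response timing does not leak how many
// leading characters of a guess were correct.
function constantTimeEqual(a: string, b: string): boolean {
  let diff = a.length ^ b.length;
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// "After": the bearer token must equal the per-install secret before any
// handler runs. installSecret stands in for the value stored in Vault.
function authorizeSetup(headers: HeaderMap, installSecret: string): AuthResult {
  const auth = headers["authorization"] ?? "";
  if (!auth.startsWith("Bearer ")) return { status: 401 }; // assumed status
  const token = auth.slice("Bearer ".length);
  // Fail closed: an unprovisioned (empty) secret must never match an empty token.
  if (installSecret.length === 0 || !constantTimeEqual(token, installSecret)) {
    return { status: 403 }; // forged tokens get 403, as the PR states
  }
  // The Management token travels in its own header, separate from caller auth.
  const managementToken = headers["x-management-api-token"];
  if (!managementToken) return { status: 400 }; // assumed status
  return { status: 200, managementToken };
}

// Constructed sample requests (no real credentials).
function demo(): number[] {
  const secret = "constructed-install-secret";
  const forged = { authorization: "Bearer anything", "x-management-api-token": "constructed-mgmt" };
  const valid = { authorization: `Bearer ${secret}`, "x-management-api-token": "constructed-mgmt" };
  return [
    prefixOnlyCheck(forged).status,
    authorizeSetup(forged, secret).status,
    authorizeSetup(valid, secret).status,
  ];
}
```
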