fix(db): bound app version upload policies

[riderx]

Summary (AI generated)

• Add a new migration that replaces app_versions SELECT/INSERT/UPDATE upload authorization with a target-app permission helper.
• Resolve API keys with separate indexed hash/plain-key lookups instead of an OR predicate.
• Preserve legacy authenticated org_users access without letting broad API keys materialize every linked app.
• Add regression coverage for app-scoped API key upload/select behavior, legacy fallback behavior, and policy shape.

Motivation (AI generated)

The upload itself finishes, then the CLI fails while finalizing app_versions metadata. The CLI path is updateOrCreateVersion(...), which performs a targeted app_versions upsert after the TUS bundle and partial files upload. The old policy could still materialize every app linked to a broad API key during that targeted write, so a key linked to many apps/orgs could hit statement_timeout after upload succeeded.

Business Impact (AI generated)

This restores reliable bundle uploads for customers using broad API keys, without moving extra work into the CLI or adding per-upload primary-side background work. The final database write now stays bounded to the target app instead of scaling with all linked apps, so this should not add meaningful database cost.

Test Plan (AI generated)

• bash scripts/check-supabase-migration-order.sh
• bun lint:backend
• bun run supabase:db:reset
• bun scripts/supabase-worktree.ts test db supabase/tests/00-supabase_test_helpers.sql --local
• bun scripts/supabase-worktree.ts test db supabase/tests/56_test_apikey_v2_scope_and_rls.sql --local
• bun run supabase:with-env -- bunx vitest run tests/app-versions-rls-dos.test.ts
• Production-shaped local repro: API key with 12,000 app-scope bindings finalized one app_versions upsert in 104 ms under a 500 ms statement_timeout.

Screenshots (AI generated)

Not applicable. Database/RLS migration only.

Generated with AI

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR adds security-definer API key resolution and permission-gating helpers to refactor app_versions RLS policies. The changes replace generic app-readable checks with targeted permission validation, reducing materialization overhead. Two new public functions are introduced: find_apikey_by_value for hashed-key lookup with legacy fallback, and app_versions_has_app_permission for org/app-scoped RBAC verification including 2FA and password policy enforcement. RLS policies are rewritten to use these helpers, and test coverage is expanded to validate the new behavior and performance characteristics.

Changes

API Key v2 App Versions Authorization

Layer / File(s)	Summary
API Key Resolution Helper supabase/migrations/20260528002613_fix_apikey_v2_app_versions_rls_perf.sql	find_apikey_by_value security-definer function resolves API keys via sha256-hashed lookup with legacy plain-key fallback and enforcement checks; supporting index added on group_members(user_id, group_id).
Permission-Gating Helper & Documentation supabase/migrations/20260528002613_fix_apikey_v2_app_versions_rls_perf.sql	app_versions_has_app_permission validates caller (auth user or API key), enforces org 2FA and password policies, and checks recursive RBAC role bindings scoped to target org/app; app_versions_readable_app_ids comment updated to document the new permission-check flow.
RLS Policy Enforcement supabase/migrations/20260528002613_fix_apikey_v2_app_versions_rls_perf.sql	public.app_versions RLS policies replaced with targeted SELECT (auth/API key with read), INSERT (anon API key with upload), and UPDATE (auth/anon with write/upload) checks via app_versions_has_app_permission, eliminating materialization of all readable apps.
Test Coverage Expansion supabase/tests/56_test_apikey_v2_scope_and_rls.sql	pgTAP plan expanded from 34 to 39 assertions; new tests verify helpers avoid generic RBAC calls, RLS policy avoids full app materialization, app_versions_has_app_permission correctly gates upload-scoped API key access per app, and RLS visibility works for scoped keys' own app versions.

Possibly Related PRs

• Cap-go/capgo#2061: Modifies authorization logic around app-version access by API keys and RBAC via app_versions RLS and app_versions_has_app_permission/find_apikey_by_value helpers.
• Cap-go/capgo#2073: Updates public.app_versions RLS access path by rewiring helper logic for API-key scoping and SELECT policy; this PR refactors via new helpers while #2073 uses app_versions_readable_app_ids.
• Cap-go/capgo#1948: Both PRs introduce/modify the same public.find_apikey_by_value(key_value text) authentication lookup and hashed-API-key enforcement behavior.

Estimated Code Review Effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	The PR description includes most required sections but is incomplete. Summary, Motivation, Business Impact, and Test Plan sections are present and marked as AI-generated, but Screenshots section lacks proper content.	Clarify the PR description by verifying AI-generated content accurately reflects the actual changes, and confirm whether the author personally validated each test plan item listed.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly identifies the main change: fixing database app version upload policies with bounded scope rather than unbounded app lookups.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codspeed-hq]

Merging this PR will not alter performance

✅ 43 untouched benchmarks
⏩ 2 skipped benchmarks¹

---

_{Comparing codex/fix-app-version-upload-finalize-rls (e2b1366) with main (cd218a6)}

Footnotes

1. 2 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports. ↩

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@supabase/migrations/20260528002613_fix_apikey_v2_app_versions_rls_perf.sql`:
- Around line 304-377: Add a legacy org_users fallback for authenticated users
in public.app_versions_has_app_permission: if v_principal_type =
public.rbac_principal_user(), query public.org_users for a row with user_id =
v_principal_id and org_id = v_app_owner_org and check that org_users.user_right
>= p_min_right (or equivalent comparison used elsewhere); if such a row exists
return true immediately before the RBAC/existence recursive query (use the same
local variables v_principal_type, v_principal_id, v_app_owner_org, p_min_right
and public.rbac_principal_user() to locate the check).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 07c50112-9aac-4f93-a5f1-35c597eecbb5

📥 Commits

Reviewing files that changed from the base of the PR and between 9b93ec7 and b6c0a1d.

📒 Files selected for processing (2)

• supabase/migrations/20260528002613_fix_apikey_v2_app_versions_rls_perf.sql
• supabase/tests/56_test_apikey_v2_scope_and_rls.sql

[sonarqubecloud]

Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud