Skip to content

Fix: grant service_role write access to usage-submit tables#141

Closed
ohong wants to merge 1 commit into
mainfrom
oh-fix-service-role-grants
Closed

Fix: grant service_role write access to usage-submit tables#141
ohong wants to merge 1 commit into
mainfrom
oh-fix-service-role-grants

Conversation

@ohong

@ohong ohong commented Jul 3, 2026

Copy link
Copy Markdown
Owner

Problem

The real-Supabase integration test (__tests__/integration/usage-submit.test.ts) fails on every open PR — and on pure main when re-run today — with:

500 {"error":"Failed to upsert device_usage for <date>: permission denied for table device_usage"}

This is environmental drift, not caused by any PR. device_usage (and daily_usage, posts) were only GRANTed to authenticated; the server's service-role client relied on Postgres default privileges. Newer local Supabase images (pulled fresh by supabase start) enforce table GRANTs for service_role instead, so the usage-submit write path is denied.

Fix

One migration granting service_role explicit write access to the three tables the submit route writes. Idempotent no-op on hosted Supabase (service_role already holds these).

Validation

CI on this branch runs the real-Supabase integration job — green here proves the fix. Unblocks #124, #130, #131.

🤖 Generated with Claude Code

The service client (POST /api/usage/submit) writes daily_usage, device_usage,
and posts, but those tables were only GRANTed to `authenticated` — service_role
relied on Postgres default privileges. Newer local Supabase images enforce
table GRANTs for service_role, so a freshly-booted `supabase start` stack
returns 'permission denied for table device_usage', failing the real-Supabase
integration test on every PR. Hosted Supabase already has these grants, so
this is a no-op there.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@vercel

vercel Bot commented Jul 3, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
straude Ready Ready Preview, Comment Jul 3, 2026 5:03am

Request Review

@coderabbitai

coderabbitai Bot commented Jul 3, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@ohong, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 51 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 22cf54c0-62be-4c67-821c-d9e05273d850

📥 Commits

Reviewing files that changed from the base of the PR and between f62d7bd and b655bfc.

📒 Files selected for processing (1)
  • supabase/migrations/20260703000000_grant_service_role_usage_tables.sql
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch oh-fix-service-role-grants

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@ohong

ohong commented Jul 3, 2026

Copy link
Copy Markdown
Owner Author

Superseded — folded the grant migration into #130 (the DB/infra-hardening PR) so it lands within an already-authorized merge and unblocks #130's own CI.

@ohong ohong closed this Jul 3, 2026
@ohong ohong deleted the oh-fix-service-role-grants branch July 3, 2026 11:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant