fix: redact sensitive auth and bridge logs#137
Merged
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
Warning Review limit reached
Your plan currently allows 2 reviews/hour. Refill in 15 minutes and 15 seconds. Your organization has run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After more review capacity refills, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than trial, open-source, and free plans. In all cases, review capacity refills continuously over time. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (3)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
This pull request has been ignored for the connected project Preview Branches by Supabase. |
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Pull request overview
This PR reduces exposure of sensitive data (PII/credentials/payload contents) by redacting and summarizing logs across the login flow and Supabase edge-function “bridge” functions.
Changes:
- Auth UI: removes email/user-id from login logging and avoids dumping caught errors to console.
- External DB bridge: logs filter-validation failures and RPC/CRUD operations using metadata-only summaries (counts/keys), omitting payloads/IDs.
- CRM DB bridge: removes credential/payload previews from logs and standardizes error logs to minimal
{ code, message }.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
supabase/functions/external-db-bridge/index.ts |
Replaces payload/ID-heavy logs with summarized metadata; adds invalid-filter summarization and reduces RPC/CRUD log verbosity. |
supabase/functions/crm-db-bridge/index.ts |
Redacts user-id/credential info from logs; standardizes write/select error logging; removes payload preview logging. |
src/pages/auth/Auth.tsx |
Removes PII from auth logs and avoids logging raw caught errors while preserving existing control flow (including fail-open redirect). |
Comments suppressed due to low confidence (2)
supabase/functions/external-db-bridge/index.ts:1365
- The insert error log still prints
insertError.detailsandinsertError.hint. PostgREST errordetailscommonly embeds the offending values (e.g., unique constraint violations include the key/value), which can reintroduce sensitive data into logs even after the payload redaction. Consider logging only a minimal{ code, message }(and optionally a request-id) and avoid emittingdetails/hintto server logs.
console.log(`Inserting into ${table}: field_count=${Object.keys(insertData).length}`);
const { data: insertResult, error: insertError } = await externalSupabase.from(table).insert(insertData).select().single();
if (insertError) {
console.error('Insert error:', insertError.message, insertError.details, insertError.hint);
supabase/functions/external-db-bridge/index.ts:1396
- The update error log still prints
updateError.detailsandupdateError.hint, which can include raw field values (e.g., constraint errors). Since this PR is tightening log redaction, consider emitting only{ code, message }(or a sanitized subset) in logs to avoid leaking data viadetails/hint.
console.log(`Updating ${table}: field_count=${Object.keys(updateData).length}`);
const { data: updateResult, error: updateError } = await externalSupabase.from(table).update(updateData).eq('id', id).select().maybeSingle();
if (updateError) {
console.error('Update error:', updateError.message, updateError.details, updateError.hint);
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
1478
to
+1482
| console.error('Upsert error:', error.message, error.details, error.hint); | ||
| return jsonResponse({ error: error.message, details: error.details, hint: error.hint }, 400, corsHeaders); | ||
| } | ||
|
|
||
| console.log(`Upserted record in ${table}:`, result?.id); | ||
| console.log(`Upserted record in ${table}`); |
Copilot stopped work on behalf of
adm01-debug due to an error
May 23, 2026 12:59
adm01-debug
added a commit
that referenced
this pull request
May 23, 2026
…nt em paginas admin/auth 19 correcoes em 16 arquivos. Producao (7 guardas de setState pos-unmount): - useSecurityData, AdminSegurancaAcessoPage: useRef mountedRef + cleanup (polling 30s) - PermissionsPage, RolePermissionsPage, RolesPage, StorageTestPage: guarda isCancelled - Auth.tsx: guarda cancelled em loadInfo (resolvido vs #137) Setup de testes: - tests/setup.ts: stub global no-op de WebSocket (readyState=CLOSED) elimina o erro do undici/Realtime no jsdom Correcao de tipo: - StorageTestPage: onClick={() => fetchFiles()} (TS2322) Testes corrigidos (drift apos edicoes Lovable): - BridgeStatusBanner, DevInfraGateMatrix, DevOnlyBridgeOverlay, MagicUp, ProductSparkline, simulation-orchestrator, quote-calculations, quote-stepper-ui Gate TS: zero regressoes.
adm01-debug
added a commit
that referenced
this pull request
May 23, 2026
…nt em paginas admin/auth 19 correcoes em 16 arquivos. Producao (7 guardas de setState pos-unmount): - useSecurityData, AdminSegurancaAcessoPage: useRef mountedRef + cleanup (polling 30s) - PermissionsPage, RolePermissionsPage, RolesPage, StorageTestPage: guarda isCancelled - Auth.tsx: guarda cancelled em loadInfo (resolvido vs #137) Setup de testes: - tests/setup.ts: stub global no-op de WebSocket (readyState=CLOSED) elimina o erro do undici/Realtime no jsdom Correcao de tipo: - StorageTestPage: onClick={() => fetchFiles()} (TS2322) Testes corrigidos (drift apos edicoes Lovable): - BridgeStatusBanner, DevInfraGateMatrix, DevOnlyBridgeOverlay, MagicUp, ProductSparkline, simulation-orchestrator, quote-calculations, quote-stepper-ui Gate TS: zero regressoes.
adm01-debug
added a commit
that referenced
this pull request
May 23, 2026
…nt em paginas admin/auth 19 correcoes em 16 arquivos. Producao (7 guardas de setState pos-unmount): - useSecurityData, AdminSegurancaAcessoPage: useRef mountedRef + cleanup (polling 30s) - PermissionsPage, RolePermissionsPage, RolesPage, StorageTestPage: guarda isCancelled - Auth.tsx: guarda cancelled em loadInfo (resolvido vs #137) Setup de testes: - tests/setup.ts: stub global no-op de WebSocket (readyState=CLOSED) elimina o erro do undici/Realtime no jsdom Correcao de tipo: - StorageTestPage: onClick={() => fetchFiles()} (TS2322) Testes corrigidos (drift apos edicoes Lovable): - BridgeStatusBanner, DevInfraGateMatrix, DevOnlyBridgeOverlay, MagicUp, ProductSparkline, simulation-orchestrator, quote-calculations, quote-stepper-ui Gate TS: zero regressoes.
adm01-debug
added a commit
that referenced
this pull request
May 23, 2026
…nt em paginas admin/auth (#154) 19 correcoes em 16 arquivos. Producao (7 guardas de setState pos-unmount): - useSecurityData, AdminSegurancaAcessoPage: useRef mountedRef + cleanup (polling 30s) - PermissionsPage, RolePermissionsPage, RolesPage, StorageTestPage: guarda isCancelled - Auth.tsx: guarda cancelled em loadInfo (resolvido vs #137) Setup de testes: - tests/setup.ts: stub global no-op de WebSocket (readyState=CLOSED) elimina o erro do undici/Realtime no jsdom Correcao de tipo: - StorageTestPage: onClick={() => fetchFiles()} (TS2322) Testes corrigidos (drift apos edicoes Lovable): - BridgeStatusBanner, DevInfraGateMatrix, DevOnlyBridgeOverlay, MagicUp, ProductSparkline, simulation-orchestrator, quote-calculations, quote-stepper-ui Gate TS: zero regressoes.
1 task
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Resumo
Validacao
npx.cmd eslint src/pages/auth/Auth.tsxgit diff --checknpm.cmd run buildcomVITE_SUPABASE_URLeVITE_SUPABASE_PUBLISHABLE_KEYexplicitasObservacao
node scripts/typecheck-edge-functions.mjsnao rodou localmente porquedenonao esta no PATH.lint:baselinecom status null no Windows; o push foi feito comHUSKY=0apos as validacoes acima, deixando a validacao principal para o CI.Summary by cubic
Redacted sensitive data from auth and bridge logs. Replaced payloads, identifiers, and credential details with metadata-only logging to reduce PII exposure.
supabaseCRM bridge: replaced user-id logging with role-only; standardized insert/update/delete errors to code/message; SELECT logs now report counts and error presence; removed credential prefixes/length/last4 from startup logs.supabaseexternal DB bridge: summarized invalid filter logs to field/reason/type; SELECT/RPC logs show key counts, not values; insert/update/delete/upsert logs report field counts and omit IDs/payloads; reduced orderBy fallback context to field and filter key counts.Written for commit 6cad72c. Summary will update on new commits. Review in cubic