
[Follow-up #159] Fix migration idempotency and step-up security regressions#193

Merged: adm01-debug merged 4 commits into main from codex/fix-codex-review-issues-in-teste-2 on May 24, 2026

Conversation

adm01-debug (Owner) commented May 23, 2026

Motivation

  • Prevent accidental account takeover and environment-specific failures by removing hardcoded credentials and unsafe assumptions from versioned migrations.
  • Make migrations idempotent so applying this migration batch on existing databases does not fail due to duplicate relations or policies.
  • Repair step-up RPCs so they populate required columns and validate password attempts before marking a challenge verified.

Description

  • Replaced the unsafe hardcoded-password migration supabase/migrations/20260518122107_reset_comercial01_password_test.sql with a no-op placeholder and explanatory comment to avoid overwriting real accounts.
  • Made supabase/migrations/20260522113233_lote_a_02_user_known_devices.sql idempotent by switching to CREATE TABLE IF NOT EXISTS, CREATE INDEX IF NOT EXISTS, and guarding policy creation with pg_policies checks.
  • Made supabase/migrations/20260522113250_lote_a_03_password_reset_requests.sql idempotent by using CREATE TABLE IF NOT EXISTS, CREATE INDEX IF NOT EXISTS, and wrapping policy creation in DO $$ ... END $$ checks against pg_policies.
  • Made supabase/migrations/20260522113832_lote_b_01_edge_rate_limits.sql idempotent by using CREATE TABLE IF NOT EXISTS, CREATE INDEX IF NOT EXISTS, and guarded policy creation.
  • Removed the hardcoded organization UUID in supabase/migrations/20260518121325_backfill_user_organizations_orphans.sql and changed it to select an existing organization dynamically to avoid FK failures in other environments.
  • Fixed supabase/migrations/20260522113351_lote_a_06_funcoes_step_up.sql so that start_step_up_challenge inserts a generated otp_hash, and verify_step_up_password validates _password_attempt against auth.users.encrypted_password, rejecting empty attempts and unauthenticated calls, before setting password_verified=true.

Testing

  • Reviewed diffs with git diff and confirmed changes were staged and committed successfully with the message fix: harden migrations and step-up rpcs from review findings.
  • Searched the migrations with rg to verify the hardcoded password literal was removed and that CREATE TABLE/CREATE INDEX usages were changed to IF NOT EXISTS and policy creation was guarded, and the queries returned the expected updated lines.
  • Displayed updated files with nl and visually inspected the modified functions and migration statements to ensure otp_hash is written and password checks were added.
  • No automated DB migration execution tests were run in this environment; recommend running the migration batch against a staging database and executing step-up RPCs to validate runtime behavior before merging.

Codex Task


Summary by cubic

Makes migrations idempotent and removes unsafe hardcoded credentials. Repairs step-up RPCs to store an otp_hash and verify passwords securely before marking challenges verified. Follow-up to #159.

  • Bug Fixes

    • Guarded RLS policy creation with pg_policies and used IF NOT EXISTS for tables/indexes in user_known_devices, password_reset_requests, and edge_rate_limits.
    • Replaced the hardcoded password reset migration with a no-op; backfilled orphaned users by selecting an existing organization via lateral query and using NOT EXISTS.
    • Step-up RPCs: generate/store otp_hash, require auth, reject empty attempts, fetch user, validate against auth.users.encrypted_password, and set password_verified=true only for active (unconsumed, unexpired) challenges.
  • Migration

    • Safe to run on existing databases; repeated runs won’t fail or duplicate policies.
    • Validate step-up flow in staging: start challenge; invalid password returns false; valid password verifies only if the challenge is active.

Written for commit c4ea35d. Summary will update on new commits.
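The idempotency pattern the description lists for user_known_devices, password_reset_requests and edge_rate_limits (CREATE TABLE IF NOT EXISTS, CREATE INDEX IF NOT EXISTS, and CREATE POLICY guarded by a pg_policies lookup inside a DO block), written out as an added example against a hypothetical app.login_attempts table. This is not the PR's own migration; the schema, table, column and policy names are assumptions, and auth.users / auth.uid() are assumed to exist as they do on a Supabase Postgres.

```sql
-- Added example, not the PR's migration. Schema "app", table "login_attempts"
-- and the policy name are assumptions chosen for illustration.
create schema if not exists app;

-- CREATE TABLE IF NOT EXISTS is a no-op when the relation already exists.
create table if not exists app.login_attempts (
  id           bigint generated always as identity primary key,
  user_id      uuid not null references auth.users (id) on delete cascade,
  attempted_at timestamptz not null default now(),
  success      boolean not null default false
);

-- Same for the index: a second run neither fails nor creates a duplicate.
create index if not exists login_attempts_user_attempted_at_idx
  on app.login_attempts (user_id, attempted_at desc);

-- ENABLE ROW LEVEL SECURITY is safe to repeat.
alter table app.login_attempts enable row level security;

-- CREATE POLICY has no IF NOT EXISTS form, so check pg_policies first.
-- The policy is keyed by (schemaname, tablename, policyname).
do $$
begin
  if not exists (
    select 1
      from pg_policies
     where schemaname = 'app'
       and tablename  = 'login_attempts'
       and policyname = 'login_attempts_select_own'
  ) then
    create policy login_attempts_select_own
      on app.login_attempts
      for select
      to authenticated
      using (user_id = auth.uid());
  end if;
end
$$;

-- Check: run the file twice, then confirm exactly one policy row exists.
select schemaname, tablename, policyname, cmd, qual
  from pg_policies
 where schemaname = 'app' and tablename = 'login_attempts';
```

Two caveats a reviewer should keep in mind with this pattern. The name guard skips the CREATE POLICY entirely, so if a later edit changes the USING expression, the new predicate is never applied to a database that already has the policy; either ship the change as a new migration with DROP POLICY IF EXISTS followed by CREATE POLICY, or have the guard compare qual / with_check as well. Likewise CREATE TABLE IF NOT EXISTS does not add columns to a table that already exists with an older shape, so a pre-existing table that lacks a column the RPCs write to (the otp_hash case in this PR) needs an explicit ALTER TABLE ... ADD COLUMN IF NOT EXISTS.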

Copilot AI review requested due to automatic review settings May 23, 2026 23:54
vercel (bot) commented May 23, 2026

The latest updates on your projects.

Project: we-dream-big | Deployment: Error | Actions: Error | Updated (UTC): May 24, 2026 3:31pm

supabase (bot) commented May 23, 2026

This pull request has been ignored for the connected project doufsxqlfjyuvxuezpln due to reaching the limit of concurrent preview branches.
Go to Project Integrations Settings if you wish to update this limit.

coderabbitai (bot) commented May 23, 2026

Warning

Review limit reached

@adm01-debug, we couldn't start this review because you've used your available PR reviews for now.

Your plan currently allows 1 review/hour. Refill in 9 minutes and 46 seconds.

Your organization has run out of usage credits. Purchase more in the billing tab.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 68447d48-9cac-445c-946c-d3bc8fc70710

📥 Commits

Reviewing files that changed from the base of the PR and between a4832fc and c4ea35d.

📒 Files selected for processing (5)
  • supabase/migrations/20260518121325_backfill_user_organizations_orphans.sql
  • supabase/migrations/20260522113233_lote_a_02_user_known_devices.sql
  • supabase/migrations/20260522113250_lote_a_03_password_reset_requests.sql
  • supabase/migrations/20260522113351_lote_a_06_funcoes_step_up.sql
  • supabase/migrations/20260522113832_lote_b_01_edge_rate_limits.sql

Copilot AI (Contributor) left a comment

Pull request overview

This PR hardens Supabase database migrations to be safe to replay across environments (idempotent DDL/policy creation and removal of unsafe hardcoded credentials), and updates step-up auth RPCs to better enforce challenge integrity.

Changes:

  • Replaced a hardcoded test-user password reset migration with a no-op placeholder.
  • Made several new security-related tables/policies idempotent (IF NOT EXISTS + guarded CREATE POLICY).
  • Updated step-up RPCs to always populate otp_hash and to validate password attempts before marking a challenge as password-verified; removed a hardcoded organization UUID from orphan backfill.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

Summary per file:

  • supabase/migrations/20260518122107_reset_comercial01_password_test.sql: removes the unsafe hardcoded password reset and replaces it with a no-op placeholder.
  • supabase/migrations/20260522113233_lote_a_02_user_known_devices.sql: makes user_known_devices table/index/policy creation idempotent.
  • supabase/migrations/20260522113250_lote_a_03_password_reset_requests.sql: makes password_reset_requests table/index/policy creation idempotent.
  • supabase/migrations/20260522113351_lote_a_06_funcoes_step_up.sql: adjusts step-up RPCs to generate/store otp_hash and validate password attempts.
  • supabase/migrations/20260518121325_backfill_user_organizations_orphans.sql: removes the hardcoded org UUID; selects an existing organization dynamically.
  • supabase/migrations/20260522113832_lote_b_01_edge_rate_limits.sql: makes edge_rate_limits table/index/policy creation idempotent.


Comment on lines +34 to +41
SELECT *
INTO v_user
FROM auth.users
WHERE id = auth.uid();

IF NOT FOUND OR crypt(_password_attempt, v_user.encrypted_password) <> v_user.encrypted_password THEN
RETURN false;
END IF;
Outdated comment thread on supabase/migrations/20260518121325_backfill_user_organizations_orphans.sql
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
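The password check quoted above (crypt() of the attempt compared against auth.users.encrypted_password) is only one of the conditions the description says verify_step_up_password must enforce: an authenticated caller, a non-empty attempt, and a challenge that is still active. The following is an added example, not the PR's RPC, of a function that applies all four in that order and flips password_verified only when the row update succeeds. The app.step_up_challenges table, its columns, and the function name app.check_step_up_password are assumptions; auth.users, auth.uid() and the pgcrypto crypt() function are assumed to be present as on a Supabase Postgres (pgcrypto is looked up via the pinned search_path, which lists both public and extensions so either install location resolves).

```sql
-- Added example, not the PR's code. Table, columns and function name are
-- assumptions; the check order follows the PR description.
create schema if not exists app;
create extension if not exists pgcrypto;

create table if not exists app.step_up_challenges (
  id                uuid primary key default gen_random_uuid(),
  user_id           uuid not null references auth.users (id) on delete cascade,
  otp_hash          text not null,                      -- always written by the start RPC
  password_verified boolean not null default false,
  consumed_at       timestamptz,
  expires_at        timestamptz not null default now() + interval '5 minutes'
);

create or replace function app.check_step_up_password(
  _challenge_id     uuid,
  _password_attempt text
) returns boolean
language plpgsql
security definer
-- Pin the search_path: a SECURITY DEFINER function must not resolve
-- crypt()/auth.uid() through the caller's path. Missing schemas are ignored.
set search_path = public, extensions
as $$
declare
  v_user    auth.users%rowtype;
  v_updated integer;
begin
  -- 1. Unauthenticated calls and empty attempts are rejected before any lookup.
  if auth.uid() is null or coalesce(_password_attempt, '') = '' then
    return false;
  end if;

  -- 2. The attempt is checked against the caller's own row only.
  select * into v_user from auth.users where id = auth.uid();
  if not found or coalesce(v_user.encrypted_password, '') = '' then
    -- No local password (e.g. OAuth-only user): crypt() with an empty salt
    -- would raise, and there is nothing to verify against anyway.
    return false;
  end if;

  -- 3. crypt() re-hashes the attempt with the salt/cost embedded in the
  --    stored bcrypt string, so equality means the attempt is correct.
  if crypt(_password_attempt, v_user.encrypted_password) <> v_user.encrypted_password then
    return false;
  end if;

  -- 4. Mark verified only for an active challenge owned by the caller:
  --    unconsumed, unexpired, and not already verified. The WHERE clause,
  --    not the caller, decides whether anything changes.
  update app.step_up_challenges
     set password_verified = true
   where id = _challenge_id
     and user_id = auth.uid()
     and consumed_at is null
     and expires_at > now()
     and password_verified = false;
  get diagnostics v_updated = row_count;

  return v_updated = 1;
end;
$$;

-- Expose the RPC to signed-in users only.
revoke all on function app.check_step_up_password(uuid, text) from public;
grant execute on function app.check_step_up_password(uuid, text) to authenticated;
```

Validating this in staging matches the steps the cubic summary lists: start a challenge, call the RPC with a wrong password and expect false, call it with the right password and expect true, then call it again (or after expiry) and expect false because the row is no longer active. One operational note: bcrypt via crypt() is deliberately slow, and a SECURITY DEFINER RPC reachable by any authenticated session is an online password-guessing oracle, so the edge_rate_limits table this PR makes idempotent is the natural place to throttle calls per user.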
@adm01-debug adm01-debug merged commit 075a3ba into main May 24, 2026
18 of 28 checks passed
@adm01-debug adm01-debug deleted the codex/fix-codex-review-issues-in-teste-2 branch May 24, 2026 15:38
2 participants