Can we reset these two? I shared the links with so...
# off-topic
u
Can we reset these two? I shared the links with some folks and I'd like to reset them
s
There is no need to reset these as they are publicly available in your application anyway. These aren't secret information, only the service_role secret you would have to worry about sharing.
u
I get what you're saying but through those keys people can upload users into the table
That's all you need to add new users plus a bit of guesswork on what the table rows would be called like
I have found a workaround which is to create a new database as it generates a new key and url
But in my opinion we should have an option to manually reset those two without having to delete our tables.
s
No they can't do that unless they have your domain url, which is what is used to whitelist the keys
So unless you are working in localhost, it's not an actual issue, because those keys are exposed in any app that you put online
u
I must be missing something
For example in order to create new users in my database from within the front end of my app all I had to do is to provide that information and I can add users. Anyone with the public url and the key can use it to spam my table with hundreds of users, that is what I mean.
Because all you need to add columns to a table are those two variables, let me know if you understand what I'm trying to say.
s
No they would need to have your domain name too, the Additional Redirect URLs field is used as a sort of whitelist to verify the key against. So with just the public url and key there isn't much someone could do.
No you can't modify tables with this, you can only insert/update/delete/select data from the table, but that is that you pass the above which I stated
Here is more info on what you should do when going live to keep your app secure https://supabase.io/docs/going-into-prod
u
Thank you for the help Silent, much appreciated.