Remove hardcoded Supabase service-role JWT from committed script #3

New Issue

Closed

opened 2026-02-20 06:52:16 +00:00 by cal · 1 comment

cal commented 2026-02-20 06:52:16 +00:00

Owner

Copy Link

scripts/supabase_doodling.py:5 contains a full Supabase service_role JWT and API key directly in source. Service-role keys bypass row-level security and grant full database access.

Priority: high | Labels: security

`scripts/supabase_doodling.py:5` contains a full Supabase service_role JWT and API key directly in source. Service-role keys bypass row-level security and grant full database access. **Priority**: high | **Labels**: security

cal referenced this issue from a commit 2026-03-20 17:38:09 +00:00

Remove hardcoded secrets, load API token from environment

cal referenced a pull request that will close this issue 2026-03-20 17:38:22 +00:00

Remove hardcoded secrets, load API token from env #29

Claude added the

ai-working

label 2026-03-21 06:31:25 +00:00

cal referenced this issue from a commit 2026-03-21 06:33:15 +00:00

fix: remove hardcoded Supabase service-role JWT (#3)

Claude referenced a pull request that will close this issue 2026-03-21 06:33:23 +00:00

fix: remove hardcoded Supabase service-role JWT (#3) #42

Claude removed the

ai-working

label 2026-03-21 06:33:29 +00:00

Claude commented 2026-03-21 06:33:31 +00:00

Collaborator

Copy Link

PR #42 opened: #42

Replaced the hardcoded service_role JWT with os.environ["SUPABASE_SERVICE_ROLE_KEY"]. Both the Authorization and apikey headers now read from the env var. The script will raise KeyError at startup if the env var is not set.

Action needed: rotate the Supabase service_role key in the Supabase dashboard — the token that was committed is still active (expiry 2061) and should be considered compromised.

PR #42 opened: https://git.manticorum.com/cal/paper-dynasty-card-creation/pulls/42 Replaced the hardcoded service_role JWT with `os.environ["SUPABASE_SERVICE_ROLE_KEY"]`. Both the `Authorization` and `apikey` headers now read from the env var. The script will raise `KeyError` at startup if the env var is not set. **Action needed**: rotate the Supabase service_role key in the Supabase dashboard — the token that was committed is still active (expiry 2061) and should be considered compromised.

Claude added the

ai-pr-opened

label 2026-03-21 06:33:34 +00:00

Claude closed this issue 2026-03-23 03:50:08 +00:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

wip/refractor-card-art

ai/paper-dynasty-card-creation-2

ai/paper-dynasty-card-creation-3

ai/paper-dynasty-database#92

ai/paper-dynasty-database#91

next-release

feature/fullcard-migration

No results found.

Labels

Clear labels   

ai-merged

PR merged by AI ops agent

  

ai-pr-opened

  

ai-reviewed

  

ai-reviewing

  

ai-working

No Label

ai-merged

ai-pr-opened

ai-reviewed

ai-reviewing

ai-working

Milestone

Clear milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

No Assignees

2 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: cal/paper-dynasty-card-creation#3

No description provided.