From e86f9cfe8b81aea211186f9d2c929376b2127961 Mon Sep 17 00:00:00 2001
From: Cal Corum <calcorum@users.noreply.github.com>
Date: Sat, 21 Mar 2026 01:33:10 -0500
Subject: [PATCH] fix: remove hardcoded Supabase service-role JWT (#3)

Replace hardcoded service_role JWT with SUPABASE_SERVICE_ROLE_KEY env var.
Service-role keys bypass row-level security; they must not be committed.

Closes #3

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 scripts/supabase_doodling.py | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/scripts/supabase_doodling.py b/scripts/supabase_doodling.py
index 068fa02..91e91c4 100644
--- a/scripts/supabase_doodling.py
+++ b/scripts/supabase_doodling.py
@@ -1,10 +1,12 @@
+import os
 from typing import Literal
 import requests
 from exceptions import logger, log_exception
 
+_SUPABASE_KEY = os.environ["SUPABASE_SERVICE_ROLE_KEY"]
 AUTH_TOKEN = {
-    "Authorization": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImNucGhwbnV2aGp2cXprY2J3emRrIiwicm9sZSI6InNlcnZpY2Vfcm9sZSIsImlhdCI6MTc0NTgxMTc4NCwiZXhwIjoyMDYxMzg3Nzg0fQ.7dG_y2zU2PajBwTD8vut5GcWf3CSaZePkYW_hMf0fVg",
-    "apikey": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImNucGhwbnV2aGp2cXprY2J3emRrIiwicm9sZSI6InNlcnZpY2Vfcm9sZSIsImlhdCI6MTc0NTgxMTc4NCwiZXhwIjoyMDYxMzg3Nzg0fQ.7dG_y2zU2PajBwTD8vut5GcWf3CSaZePkYW_hMf0fVg",
+    "Authorization": f"Bearer {_SUPABASE_KEY}",
+    "apikey": _SUPABASE_KEY,
 }
 DB_URL = "https://cnphpnuvhjvqzkcbwzdk.supabase.co/rest/v1"
 
@@ -15,7 +17,7 @@ def get_req_url(endpoint: str, params: list = None):
     if params:
         other_params = False
         for x in params:
-            req_url += f'{"&" if other_params else "?"}{x[0]}={x[1]}'
+            req_url += f"{'&' if other_params else '?'}{x[0]}={x[1]}"
             other_params = True
 
     return req_url
@@ -24,11 +26,11 @@ def get_req_url(endpoint: str, params: list = None):
 def log_return_value(log_string: str, log_type: Literal["info", "debug"]):
     if log_type == "info":
         logger.info(
-            f'return: {log_string[:1200]}{"  [ S N I P P E D ]" if len(log_string) > 1200 else ""}\n'
+            f"return: {log_string[:1200]}{'  [ S N I P P E D ]' if len(log_string) > 1200 else ''}\n"
         )
     else:
         logger.debug(
-            f'return: {log_string[:1200]}{"  [ S N I P P E D ]" if len(log_string) > 1200 else ""}\n'
+            f"return: {log_string[:1200]}{'  [ S N I P P E D ]' if len(log_string) > 1200 else ''}\n"
         )
 
 
-- 
2.25.1