Supabase permission denied for TCE using pgsodium #23131

Open
2 tasks done
ani-sha opened this issue Apr 22, 2024 · 3 comments
Labels: bug (Something isn't working), cannot-reproduce (Unable to reproduce the opener's problem after attempts to replicate), database

Comments


ani-sha commented Apr 22, 2024

Bug report

  • I confirm this is a bug with Supabase, not with my own application.
  • I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

I am implementing TCE on a table to encrypt some API keys but I am having issues while inserting any record into the table.

ERROR:  42501: permission denied for table key
CONTEXT:  SQL statement "SELECT *                     FROM pgsodium.decrypted_key v
  WHERE id = key_uuid AND key_type = 'aead-det'"
PL/pgSQL function pgsodium.crypto_aead_det_encrypt(bytea,bytea,uuid,bytea) line 5 at SQL statement
PL/pgSQL function api_encrypt_secret_api_key() line 3 at assignment

I tried following some discussions around permission issues #12952 to grant access to these functions.

GRANT EXECUTE ON FUNCTION pgsodium.crypto_aead_det_encrypt (bytea, bytea, uuid, bytea) TO authenticated;
GRANT EXECUTE ON FUNCTION pgsodium.crypto_aead_det_decrypt (bytea, bytea, uuid, bytea) TO authenticated;

This didn't work.

Then I tried following the simple TCE example to apply encryption on a table. But there are some permission issues which didn't resolve even after giving GRANT.

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:

  1. Enable pgsodium extension in Supabase
  2. select * from pgsodium.create_key();
  3. select * from pgsodium.crypto_aead_det_encrypt (
    'this is the message', -- a message to encrypt
    'this is associated data', -- some authenticated associated data
    ''::uuid -- key ID
    );

Expected behavior

It should produce encrypted ciphertext using the aead-det algorithm.

Screenshots

Screenshot 2024-04-22 at 11 57 04 AM

System information

  • OS: macOS
  • Browser (if applies): Chrome

Additional context

Add any other context about the problem here.
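
The error context in the report above shows the denied statement is a `SELECT` on the view `pgsodium.decrypted_key` that fails on its underlying table `key`, which `GRANT EXECUTE` on the functions does not cover. As an added example (not from this thread or from the Supabase or pgsodium projects), these read-only catalog queries show which privilege is actually missing; the schema `pgsodium` for table `key` is an assumption, and the role `authenticated` is the one used in the report's grants.

```sql
-- Added example: read-only catalog checks, not code from the thread or from Supabase/pgsodium.
-- Names come from the error text; schema "pgsodium" for table "key" is an assumption.
-- to_regclass()/to_regprocedure() return NULL instead of raising if an object is absent.

-- 1. Privileges of the calling role on each object the failing statement touches.
SELECT r.rolname,
       has_schema_privilege(r.rolname, 'pgsodium', 'USAGE') AS schema_usage,
       has_table_privilege(r.rolname, to_regclass('pgsodium.key')::oid, 'SELECT') AS select_key,
       has_table_privilege(r.rolname, to_regclass('pgsodium.decrypted_key')::oid, 'SELECT')
           AS select_decrypted_key,
       has_function_privilege(r.rolname,
           to_regprocedure('pgsodium.crypto_aead_det_encrypt(bytea,bytea,uuid,bytea)')::oid,
           'EXECUTE') AS exec_encrypt
FROM pg_roles r
WHERE r.rolname IN ('authenticated', current_user);

-- 2. Owner, options and ACL of the view and its base table. A view reads its base
--    table with the view owner's privileges unless security_invoker is set, so
--    "permission denied for table key" can point at the owner rather than the caller.
SELECT c.relname, c.relkind,
       pg_get_userbyid(c.relowner) AS owner,
       c.reloptions, c.relacl
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'pgsodium'
  AND c.relname IN ('key', 'decrypted_key');

-- 3. Do the functions in the call stack run as the caller or as their owner?
--    prosecdef = false means the inner SELECT is checked against the calling role.
SELECT n.nspname, p.oid::regprocedure AS function,
       p.prosecdef AS security_definer,
       pg_get_userbyid(p.proowner) AS owner
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE (n.nspname = 'pgsodium'
       AND p.proname IN ('crypto_aead_det_encrypt', 'crypto_aead_det_decrypt'))
   OR p.proname = 'api_encrypt_secret_api_key';

-- 4. Which roles are members of the roles the pgsodium extension created.
SELECT m.rolname AS member, g.rolname AS pgsodium_role
FROM pg_auth_members am
JOIN pg_roles g ON g.oid = am.roleid
JOIN pg_roles m ON m.oid = am.member
WHERE g.rolname LIKE 'pgsodium%'
ORDER BY g.rolname, m.rolname;
```

Comparing the output of these queries between a project that reproduces the error and one that does not shows whether the difference is a grant, an owner, or a role membership.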

encima (Contributor) commented Apr 23, 2024

Hello @ani-sha
Thanks for opening! I am not able to reproduce on Supabase Cloud (version 15.1.1.37)

Can you confirm the version you are running, please? It could be a permissions issue from a previous version and might need to be updated. If it is the latest version, then please open a Support Ticket so an engineer can check the issue.

ani-sha (Author) commented Apr 23, 2024

Hi @encima, I recently upgraded to 15.1.1.41 last week because I was unable to enable pgsodium on the earlier version. But that doesn't help either. I am having the same error.
Where can I open a Support Ticket? Can you share the steps?

encima (Contributor) commented Apr 23, 2024

Sure thing, @ani-sha, you can use https://supabase.help/ to open a ticket! 🙏
