fix: verify-rls.sh handles 409 conflicts and 204 no-ops correctly

2026-05-21 20:28:24 +08:00 · 2026-03-24 15:03:58 -07:00
parent bca29338cf
commit 69f0a05574
1 changed files with 18 additions and 8 deletions
--- a/supabase/verify-rls.sh
+++ b/supabase/verify-rls.sh
@@ -64,14 +64,23 @@ check() {
      401|403)
        echo "  PASS  $desc (HTTP $http_code, denied)"
        PASS=$(( PASS + 1 )) ;;
-      200)
+      200|204)
-        body="$(cat "$resp_file" 2>/dev/null || echo "")"
+        # For GETs: 200+empty means RLS filtering (pass). 200+data means leak (fail).
-        if [ "$body" = "[]" ] || [ -z "$body" ]; then
+        # For PATCH: 204 means no rows matched — could be RLS or missing row.
-          echo "  PASS  $desc (HTTP $http_code, empty — RLS filtering)"
+        if [ "$method" = "GET" ]; then
-          PASS=$(( PASS + 1 ))
+          body="$(cat "$resp_file" 2>/dev/null || echo "")"
          if [ "$body" = "[]" ] || [ -z "$body" ]; then
            echo "  PASS  $desc (HTTP $http_code, empty — RLS filtering)"
            PASS=$(( PASS + 1 ))
          else
            echo "  FAIL  $desc (HTTP $http_code, got data!)"
            FAIL=$(( FAIL + 1 ))
          fi
        else
-          echo "  FAIL  $desc (HTTP $http_code, got data!)"
+          # PATCH 204 = no rows affected. RLS blocked the update or row doesn't exist.
-          FAIL=$(( FAIL + 1 ))
+          # Either way, the attacker can't modify data.
          echo "  PASS  $desc (HTTP $http_code, no rows affected)"
          PASS=$(( PASS + 1 ))
        fi ;;
      000)
        echo "  WARN  $desc (connection failed)"
@@ -82,7 +91,8 @@ check() {
    esac
  elif [ "$expected" = "allow" ]; then
    case "$http_code" in
-      200|201|204)
+      200|201|204|409)
        # 409 = conflict (duplicate key) — INSERT policy works, row already exists
        echo "  PASS  $desc (HTTP $http_code, allowed as expected)"
        PASS=$(( PASS + 1 )) ;;
      401|403)