ship-safe 1.0.1 → 2.0.0

package/configs/supabase/secure-client.ts

@@ -0,0 +1,225 @@
+/**
+ * Supabase Secure Client Configuration
+ * =====================================
+ *
+ * Copy this file to your project and customize for your needs.
+ *
+ * WHY THIS MATTERS:
+ * - Separates anon (public) and service_role (admin) clients
+ * - Adds type safety for environment variables
+ * - Includes helpers for common secure patterns
+ *
+ * USAGE:
+ *   // In client components (React, Vue, etc.)
+ *   import { supabase } from '@/lib/supabase';
+ *
+ *   // In server-side code (API routes, server components)
+ *   import { supabaseAdmin } from '@/lib/supabase';
+ */
+
+import { createClient, SupabaseClient } from '@supabase/supabase-js';
+
+// =============================================================================
+// ENVIRONMENT VARIABLE VALIDATION
+// =============================================================================
+
+/**
+ * Validates that required environment variables are set.
+ * Call this at app startup to fail fast if misconfigured.
+ */
+function validateEnv() {
+  const required = ['NEXT_PUBLIC_SUPABASE_URL', 'NEXT_PUBLIC_SUPABASE_ANON_KEY'];
+
+  for (const key of required) {
+    if (!process.env[key]) {
+      throw new Error(
+        `Missing required environment variable: ${key}\n` +
+        `Add it to your .env.local file.`
+      );
+    }
+  }
+}
+
+// Validate on module load (comment out if causing issues in edge runtime)
+// validateEnv();
+
+// =============================================================================
+// SUPABASE URL AND KEYS
+// =============================================================================
+
+const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL!;
+const supabaseAnonKey = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!;
+
+// Service role key - ONLY available server-side
+// This key bypasses RLS and should NEVER be exposed to the client
+const supabaseServiceRoleKey = process.env.SUPABASE_SERVICE_ROLE_KEY;
+
+// =============================================================================
+// CLIENT-SIDE SUPABASE CLIENT (uses anon key)
+// =============================================================================
+
+/**
+ * Public Supabase client for use in browser/client components.
+ *
+ * SECURITY NOTES:
+ * - Uses the anon key (safe to expose)
+ * - All operations are subject to RLS policies
+ * - User must be authenticated for protected operations
+ */
+export const supabase = createClient(supabaseUrl, supabaseAnonKey, {
+  auth: {
+    // Persist sessions in localStorage
+    persistSession: true,
+    // Automatically refresh tokens
+    autoRefreshToken: true,
+    // Detect session from URL (for OAuth callbacks)
+    detectSessionInUrl: true,
+  },
+});
+
+// =============================================================================
+// SERVER-SIDE SUPABASE CLIENT (uses service_role key)
+// =============================================================================
+
+/**
+ * Admin Supabase client for use in server-side code ONLY.
+ *
+ * SECURITY NOTES:
+ * - Uses the service_role key (NEVER expose to client)
+ * - Bypasses ALL Row Level Security policies
+ * - Use only in: API routes, server actions, cron jobs
+ * - Always validate user permissions before using
+ *
+ * WHEN TO USE:
+ * - Admin operations (deleting users, bulk updates)
+ * - Background jobs that need full database access
+ * - Webhooks from external services
+ *
+ * WHEN NOT TO USE:
+ * - Any client-side code
+ * - Operations where user context matters
+ * - When RLS should apply
+ */
+export const supabaseAdmin: SupabaseClient | null = supabaseServiceRoleKey
+  ? createClient(supabaseUrl, supabaseServiceRoleKey, {
+      auth: {
+        // Don't persist sessions for admin client
+        persistSession: false,
+        autoRefreshToken: false,
+      },
+    })
+  : null;
+
+/**
+ * Get admin client with error if not configured.
+ * Use this when service_role key is required.
+ */
+export function getSupabaseAdmin(): SupabaseClient {
+  if (!supabaseAdmin) {
+    throw new Error(
+      'SUPABASE_SERVICE_ROLE_KEY is not configured.\n' +
+      'This operation requires admin privileges.'
+    );
+  }
+  return supabaseAdmin;
+}
+
+// =============================================================================
+// HELPER: SERVER-SIDE CLIENT WITH USER CONTEXT
+// =============================================================================
+
+/**
+ * Creates a Supabase client that acts as a specific user.
+ * Useful for server-side operations that should respect RLS.
+ *
+ * @param accessToken - The user's JWT access token
+ * @returns Supabase client authenticated as the user
+ *
+ * USAGE:
+ *   // In API route or server action
+ *   const token = request.headers.get('Authorization')?.replace('Bearer ', '');
+ *   const userClient = createUserClient(token);
+ *   const { data } = await userClient.from('posts').select('*');
+ *   // This respects RLS - user only sees their allowed data
+ */
+export function createUserClient(accessToken: string): SupabaseClient {
+  return createClient(supabaseUrl, supabaseAnonKey, {
+    global: {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+      },
+    },
+    auth: {
+      persistSession: false,
+      autoRefreshToken: false,
+    },
+  });
+}
+
+// =============================================================================
+// HELPER: VALIDATE USER BEFORE ADMIN OPERATIONS
+// =============================================================================
+
+/**
+ * Validates that the current user has permission before admin operations.
+ * Always use this before using supabaseAdmin for user-triggered actions.
+ *
+ * @param userId - The user's ID to check
+ * @param requiredRole - The minimum role required (e.g., 'admin')
+ * @returns True if user has permission
+ *
+ * USAGE:
+ *   const hasPermission = await validateUserPermission(userId, 'admin');
+ *   if (!hasPermission) {
+ *     return new Response('Forbidden', { status: 403 });
+ *   }
+ *   // Now safe to use supabaseAdmin
+ */
+export async function validateUserPermission(
+  userId: string,
+  requiredRole: string
+): Promise<boolean> {
+  const admin = getSupabaseAdmin();
+
+  const { data: profile } = await admin
+    .from('profiles')
+    .select('role')
+    .eq('id', userId)
+    .single();
+
+  if (!profile) return false;
+
+  // Customize this based on your role hierarchy
+  const roleHierarchy: Record<string, number> = {
+    viewer: 0,
+    editor: 1,
+    admin: 2,
+    super_admin: 3,
+  };
+
+  const userRoleLevel = roleHierarchy[profile.role] ?? 0;
+  const requiredRoleLevel = roleHierarchy[requiredRole] ?? 999;
+
+  return userRoleLevel >= requiredRoleLevel;
+}
+
+// =============================================================================
+// TYPE DEFINITIONS (customize for your database)
+// =============================================================================
+
+/**
+ * Generate types with:
+ * npx supabase gen types typescript --project-id your-project > types/database.ts
+ *
+ * Then import and use:
+ * import { Database } from '@/types/database';
+ * const supabase = createClient<Database>(url, key);
+ */
+
+// Example type for user profiles
+export interface Profile {
+  id: string;
+  email: string;
+  role: 'viewer' | 'editor' | 'admin';
+  created_at: string;
+}

package/configs/supabase/security-checklist.md

@@ -0,0 +1,278 @@
+# Supabase Security Checklist
+
+**Complete this checklist before launching your Supabase-powered app.**
+
+Based on [CVE-2025-48757](https://byteiota.com/supabase-security-flaw-170-apps-exposed-by-missing-rls/) and common pentesting findings.
+
+---
+
+## Critical: Row Level Security (RLS)
+
+### 1. [ ] RLS is ENABLED on ALL tables
+
+```sql
+-- Check which tables DON'T have RLS
+SELECT schemaname, tablename
+FROM pg_tables
+WHERE schemaname = 'public'
+AND tablename NOT IN (
+  SELECT tablename::text FROM pg_class
+  WHERE relrowsecurity = true
+);
+```
+
+**If any tables appear, enable RLS immediately:**
+```sql
+ALTER TABLE table_name ENABLE ROW LEVEL SECURITY;
+```
+
+### 2. [ ] Every table has at least one policy
+
+```sql
+-- Tables with RLS enabled but NO policies (locked to everyone!)
+SELECT tablename FROM pg_tables
+WHERE schemaname = 'public'
+AND tablename IN (
+  SELECT tablename::text FROM pg_class WHERE relrowsecurity = true
+)
+AND tablename NOT IN (
+  SELECT tablename FROM pg_policies
+);
+```
+
+### 3. [ ] Policies use `auth.uid()` not hardcoded values
+
+**Good:**
+```sql
+USING (auth.uid() = user_id)
+```
+
+**Bad:**
+```sql
+USING (user_id = 'some-uuid')  -- Hardcoded!
+```
+
+### 4. [ ] INSERT policies have `WITH CHECK`
+
+```sql
+-- Without WITH CHECK, users can insert data for other users!
+CREATE POLICY "Users insert own data"
+ON your_table FOR INSERT
+WITH CHECK (auth.uid() = user_id);  -- This is required!
+```
+
+### 5. [ ] UPDATE policies have both `USING` and `WITH CHECK`
+
+```sql
+-- USING: which rows can be updated
+-- WITH CHECK: what the new values must satisfy
+CREATE POLICY "Users update own data"
+ON your_table FOR UPDATE
+USING (auth.uid() = user_id)         -- Can only update own rows
+WITH CHECK (auth.uid() = user_id);   -- Can't change user_id to someone else
+```
+
+---
+
+## Critical: API Keys
+
+### 6. [ ] `service_role` key is NEVER in frontend code
+
+```bash
+# Scan your codebase
+npx ship-safe scan .
+
+# Or manually grep
+grep -r "service_role" ./src
+grep -r "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9" ./src
+```
+
+**The `service_role` key bypasses ALL RLS. It should only exist in:**
+- Server-side code (API routes, edge functions)
+- Environment variables on your server
+- Never in client bundles
+
+### 7. [ ] `anon` key is only used where RLS protects data
+
+The `anon` key is designed to be public, but only if RLS is properly configured.
+
+```typescript
+// Frontend: Use anon key (safe if RLS is set up)
+const supabase = createClient(url, anonKey);
+
+// Server: Use service_role key (for admin operations)
+const supabaseAdmin = createClient(url, serviceRoleKey);
+```
+
+---
+
+## High: Authentication Settings
+
+### 8. [ ] Email confirmations enabled (if using email auth)
+
+Dashboard > Authentication > Providers > Email
+- [ ] Confirm email = ON
+- [ ] Secure email change = ON
+
+### 9. [ ] Rate limiting on auth endpoints
+
+Supabase has built-in rate limiting, but verify:
+- Dashboard > Authentication > Rate Limits
+- Default: 30 requests per hour for signup/signin
+
+### 10. [ ] Leaked password protection enabled
+
+Dashboard > Authentication > Providers > Email
+- [ ] Check for leaked passwords = ON
+
+---
+
+## High: Database Security
+
+### 11. [ ] No sensitive tables exposed to PostgREST
+
+By default, all tables in `public` schema are exposed via REST API.
+
+```sql
+-- Move sensitive tables to a private schema
+ALTER TABLE sensitive_table SET SCHEMA private;
+
+-- Or revoke access from anon/authenticated roles
+REVOKE ALL ON sensitive_table FROM anon, authenticated;
+```
+
+### 12. [ ] Functions with `SECURITY DEFINER` are reviewed
+
+```sql
+-- List all SECURITY DEFINER functions
+SELECT proname, prosecdef
+FROM pg_proc
+WHERE prosecdef = true;
+```
+
+`SECURITY DEFINER` functions run with the privileges of the creator, not the caller. Review each one for:
+- SQL injection vulnerabilities
+- Proper input validation
+- Necessary privilege escalation
+
+### 13. [ ] HTTP extension not exposed to anon users
+
+```sql
+-- Check if http extension functions are callable by anon
+SELECT routine_name
+FROM information_schema.routine_privileges
+WHERE grantee = 'anon'
+AND routine_schema = 'extensions';
+```
+
+If `http_get`, `http_post` appear, attackers can make SSRF requests.
+
+---
+
+## Medium: Storage Security
+
+### 14. [ ] Storage buckets have proper policies
+
+Dashboard > Storage > Policies
+
+Each bucket should have:
+- SELECT policy (who can download)
+- INSERT policy (who can upload)
+- UPDATE policy (who can replace)
+- DELETE policy (who can remove)
+
+### 15. [ ] File type validation on uploads
+
+```typescript
+const { error } = await supabase.storage
+  .from('avatars')
+  .upload(path, file, {
+    contentType: 'image/png',  // Explicit content type
+    upsert: false              // Prevent overwrites
+  });
+```
+
+### 16. [ ] File size limits configured
+
+Dashboard > Storage > Settings
+- Set max file size per bucket
+- Consider implementing client-side validation too
+
+---
+
+## Medium: Realtime Security
+
+### 17. [ ] Realtime only enabled on necessary tables
+
+Dashboard > Database > Replication
+
+Only enable realtime for tables that need it. Each enabled table:
+- Increases server load
+- Broadcasts changes to subscribed clients
+- Must have RLS to protect data
+
+### 18. [ ] Broadcast/Presence channels authenticated
+
+```typescript
+// Require authentication for realtime channels
+const channel = supabase.channel('room', {
+  config: {
+    broadcast: { self: true },
+    presence: { key: user.id }
+  }
+});
+```
+
+---
+
+## Bonus: Monitoring & Alerts
+
+### 19. [ ] Database logs enabled
+
+Dashboard > Database > Logs
+- Enable query logging for debugging
+- Set up alerts for failed auth attempts
+
+### 20. [ ] Supabase email alerts configured
+
+Dashboard > Settings > Alerts
+- Database approaching limits
+- High error rates
+- Unusual activity
+
+---
+
+## Quick Commands
+
+```sql
+-- Enable RLS on all public tables at once (CAREFUL!)
+DO $$
+DECLARE
+  t text;
+BEGIN
+  FOR t IN
+    SELECT tablename FROM pg_tables WHERE schemaname = 'public'
+  LOOP
+    EXECUTE format('ALTER TABLE %I ENABLE ROW LEVEL SECURITY', t);
+  END LOOP;
+END
+$$;
+
+-- List all policies
+SELECT * FROM pg_policies;
+
+-- Check RLS status for all tables
+SELECT
+  schemaname,
+  tablename,
+  rowsecurity
+FROM pg_tables
+JOIN pg_class ON tablename = relname
+WHERE schemaname = 'public';
+```
+
+---
+
+**Remember: Supabase makes it easy to build fast, but security is still your responsibility.**
+
+Run `npx ship-safe scan .` to check for leaked keys before every deploy.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ship-safe",
-  "version": "1.0.1",
+  "version": "2.0.0",
   "description": "Security toolkit for vibe coders and indie hackers. Secure your MVP in 5 minutes.",
   "main": "cli/index.js",
   "bin": {
@@ -23,7 +23,16 @@
     "indie-hacker",
     "vibe-coding",
     "mvp",
-    "cli"
+    "cli",
+    "supabase",
+    "firebase",
+    "llm-security",
+    "prompt-injection",
+    "rate-limiting",
+    "owasp",
+    "jwt",
+    "cors",
+    "rls"
   ],
   "author": "ship-safe contributors",
   "license": "MIT",

package/snippets/README.md

@@ -6,40 +6,73 @@ This folder contains drop-in code snippets for securing your application. Each s
 
 ---
 
-## Coming Soon
+## Available Snippets
 
-- **Rate Limiting**
-  - Express.js middleware
-  - Next.js API route wrapper
-  - Upstash Redis implementation
+### Rate Limiting
 
-- **Authentication**
-  - Secure session configuration
-  - JWT validation middleware
-  - OAuth state parameter handling
+| File | Description |
+|------|-------------|
+| [upstash-ratelimit.ts](./rate-limiting/upstash-ratelimit.ts) | Production-ready rate limiting with Upstash Redis. Includes different limiters for API, auth, and AI endpoints. |
+| [nextjs-middleware.ts](./rate-limiting/nextjs-middleware.ts) | In-memory rate limiting at the Next.js middleware level. Good for development or simple deployments. |
 
-- **Input Validation**
-  - Zod schemas for common patterns
-  - SQL injection prevention
-  - XSS sanitization
+**Quick Start:**
+```typescript
+import { apiRatelimit } from './rate-limiting/upstash-ratelimit';
 
-- **API Security**
-  - CORS configuration
-  - API key validation
-  - Webhook signature verification (Stripe, GitHub)
+const { success } = await apiRatelimit.limit(userId);
+if (!success) {
+  return new Response('Too Many Requests', { status: 429 });
+}
+```
 
 ---
 
-## Contributing
+### Authentication
 
-Have a security snippet that saved your app? Add it here!
+| File | Description |
+|------|-------------|
+| [jwt-checklist.md](./auth/jwt-checklist.md) | Complete JWT security checklist. Covers algorithms, token lifetime, storage, validation, and revocation. |
 
-1. Create a new file: `snippets/your-snippet-name.{js,ts,py}`
-2. Add extensive comments explaining:
-   - What attack this prevents
-   - How to integrate it
-   - Common gotchas
-3. Open a PR
+**Key Points:**
+- Use RS256/ES256, not HS256 with weak secrets
+- Access tokens: 15-60 minutes max
+- Store in httpOnly cookies, not localStorage
+- Always validate issuer and audience claims
+
+---
+
+### API Security
+
+| File | Description |
+|------|-------------|
+| [cors-config.ts](./api-security/cors-config.ts) | CORS configurations for Next.js, Express, Fastify, Hono, and Vercel Edge. |
+| [input-validation.ts](./api-security/input-validation.ts) | Zod schemas and validation patterns for API endpoints. Includes file upload validation. |
+| [api-security-checklist.md](./api-security/api-security-checklist.md) | Comprehensive API security checklist based on OWASP API Security Top 10. |
+
+**Quick Start (CORS):**
+```typescript
+const ALLOWED_ORIGINS = ['https://yourapp.com'];
+
+// Only allow specific origins
+if (origin && ALLOWED_ORIGINS.includes(origin)) {
+  headers['Access-Control-Allow-Origin'] = origin;
+}
+```
+
+**Quick Start (Validation):**
+```typescript
+import { z } from 'zod';
+
+const schema = z.object({
+  email: z.string().email().max(255),
+  password: z.string().min(8).max(128),
+});
+
+const result = schema.safeParse(body);
+if (!result.success) {
+  return Response.json({ error: result.error.issues }, { status: 400 });
+}
+```
 
 ---
 
@@ -56,3 +89,34 @@ Each snippet follows this format:
 
 [actual code with inline comments]
 ```
+
+---
+
+## Related Resources
+
+- **[/configs](../configs/)** - Framework configs (Next.js headers, Supabase RLS, Firebase rules)
+- **[/ai-defense](../ai-defense/)** - AI/LLM security (prompt injection, cost protection)
+- **[/checklists](../checklists/)** - Security checklists (launch day)
+
+---
+
+## Contributing
+
+Have a security snippet that saved your app? Add it here!
+
+1. Create a new file in the appropriate subfolder
+2. Add extensive comments explaining:
+   - What attack this prevents
+   - How to integrate it
+   - Common gotchas
+3. Open a PR
+
+---
+
+## What's Next
+
+Future additions planned:
+- Webhook signature verification (Stripe, GitHub)
+- OAuth state parameter handling
+- CSRF protection patterns
+- Content Security Policy builder