fix: restrict webhook secret access to admin-only

[riderx]

Summary (AI generated)

• Added migration 20260224000000_fix_webhooks_select_permission.sql to restrict SELECT access on public.webhooks to admin-level API credentials.
• Replaced the prior org member read policy with an admin-only policy to prevent non-admin/read keys from retrieving webhook signing secrets.
• Kept webhook write/update/delete policies unchanged so admin-managed create/update/delete workflows remain unaffected.

Motivation (AI generated)

A security report shows non-admin/read API keys could query /rest/v1/webhooks and read secret values. That secret enables forging signed webhook payloads. This change closes that data leak at the RLS layer.

Business Impact (AI generated)

This restores webhook integrity by preventing signed request forgery from keys with read-only permission, protecting downstream automation, billing/workflow triggers, and customer event pipelines from unauthorized event injection.

Test Plan (AI generated)

• Ran bun lint.
• Ran bun lint:backend.
• Apply migration in a non-production environment and verify non-admin/read API keys can no longer select webhook rows or secret.
• Verify admin API keys can still read webhook configuration as expected.
• Validate existing webhook delivery/test flows using admin keys remain functional.

Generated with AI

[coderabbitai]

Warning

Rate limit exceeded

@riderx has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 28 minutes and 34 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 38ce641 and dbe8294.

📒 Files selected for processing (1)

• supabase/migrations/20260224000000_fix_webhooks_select_permission.sql

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch riderx/fix-attached-task

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: dbe829485f

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Replace get_identity with org-scoped helper

AGENTS.md explicitly says to never use get_identity() directly in RLS policies, and this new webhook SELECT policy still does so. get_identity() does not enforce API key org scoping (limited_to_orgs), so an API key tied to an admin user can pass check_min_rights('admin', ...) based on that user’s org membership even when the key is not allowed for that org, which still exposes webhook secrets cross-org; this table should use get_identity_org_allowed(..., org_id) instead.

Useful? React with 👍 / 👎.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud