Ok so here’s what happened…

I’m using Supabase as the backend and I have row-level security set up so that users can only access and update their own data (very standard, very secure).

In addition to this, because the AI is really expensive, I have rate limits, and they are at a per-user level so I can raise them for an individual user.

The problem is I was storing the rate limits on the user table itself 🤦♂️

And because of the way my RLS was set up, users could in theory modify their own rate limits if they hit the backend endpoints directly.

The solution was to make these specific rate limit columns read-only, or even better, just store them on a completely different table.

This was a super rookie mistake and I’m really thankful that the person who reported it didn’t do anything bad 🙏

But I wanted to share this because I think it’s a pretty common thing people are overlooking, especially if they’re using Supabase.

#softwaredeveloper #coding #appdesign
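Here is what that RLS mistake and both fixes look like in SQL, as an added example and not the author's actual schema. The table and column names (profiles, user_rate_limits, daily_ai_calls, display_name) and the sample user id are assumptions; auth.uid(), the `authenticated` role and the RLS-bypassing service_role key are standard Supabase.

```sql
-- Added illustration, not the author's schema. Table and column names
-- (profiles, user_rate_limits, daily_ai_calls, display_name) are assumed.
-- Supabase specifics used here are real: a logged-in client runs as the
-- `authenticated` role, auth.uid() returns the caller's user id from the JWT,
-- and the service_role key bypasses RLS entirely (never ship it to a client).

-- ==== BEFORE: the quota lives on the row the user is allowed to update ====
create table profiles (
  id             uuid primary key references auth.users (id),
  display_name   text,
  daily_ai_calls integer not null default 20   -- the per-user limit
);
alter table profiles enable row level security;

create policy "read own profile" on profiles
  for select to authenticated using (id = auth.uid());

-- "Users can update their own data": the policy constrains the ROW, not the
-- columns, so a client can PATCH daily_ai_calls to 1000000 on its own row
-- straight through the REST endpoint, no app code involved.
create policy "update own profile" on profiles
  for update to authenticated
  using (id = auth.uid()) with check (id = auth.uid());

-- ==== FIX A: keep the column, take away the right to write it ====
-- PostgREST honours column-level privileges, so restrict UPDATE to the
-- columns the user is actually allowed to change. RLS still limits the rows.
revoke update on profiles from authenticated;
grant  update (display_name) on profiles to authenticated;
-- Now: update profiles set display_name = 'x'      -> ok on own row
--      update profiles set daily_ai_calls = 999999 -> permission denied

-- ==== FIX B (cleaner): move the quota to a table with no write policy ====
create table user_rate_limits (
  user_id        uuid primary key references auth.users (id),
  daily_ai_calls integer not null default 20
);
alter table user_rate_limits enable row level security;

-- Read-only for the user who owns the row. No insert/update/delete policy
-- exists, so with RLS enabled those statements match zero rows (default deny).
create policy "read own rate limit" on user_rate_limits
  for select to authenticated using (user_id = auth.uid());

-- Only the backend, connected with the service_role key, raises a limit:
-- update user_rate_limits set daily_ai_calls = 200 where user_id = '<uuid>';

-- ==== Check it from the client's side ====
-- Simulate a logged-in request in the SQL editor (sample user id is made up).
begin;
set local role authenticated;
set local request.jwt.claims =
  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}';

update user_rate_limits set daily_ai_calls = 999999
 where user_id = '00000000-0000-0000-0000-000000000001';
-- expected: UPDATE 0, because no policy permits the write

select daily_ai_calls from user_rate_limits;
-- expected: only the caller's own row, still 20
rollback;
```

The `begin ... rollback` block is the check worth keeping around: run it after every policy change, because the bug here is invisible from the app's own UI and only shows up when you hit the table as the `authenticated` role directly.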