fix(security): add org membership checks to prevent cross-tenant data leakage in SECURITY DEFINER functions

[ghost]

Summary

Add auth.uid() + org_users membership verification to 8 SECURITY DEFINER functions that accept an org_id parameter but never check that the caller belongs to the target organization.

Any authenticated user could read metrics, plan info, storage stats, and billing data for ANY organization by passing an arbitrary org_id to these functions.

Affected Functions

Function	Return on unauthorized	Impact
get_app_metrics(org_id, start_date, end_date)	Empty result set	MAU, bandwidth, storage, installs per app leaked
get_current_plan_max_org(orgid)	Empty result set	Plan limits leaked
get_current_plan_name_org(orgid)	NULL	Stripe plan name leaked
get_plan_usage_percent_detailed(orgid)	Empty result set	Usage percentages leaked
get_plan_usage_percent_detailed(orgid, cycle_start, cycle_end)	Empty result set	Custom-range usage percentages leaked
get_total_app_storage_size_orgs(org_id, app_id)	0	Per-app storage size leaked
get_total_storage_size_org(org_id)	0	Total org storage leaked
is_good_plan_v5_org(orgid)	FALSE	Billing/plan fitness leaked

Implementation

Each function now includes a cross-tenant guard at the top of its body:

IF NOT EXISTS (
    SELECT 1 FROM public.org_users
    WHERE org_users.org_id = <param>
      AND org_users.user_id = (SELECT auth.uid())
) THEN
    RETURN;  -- empty/null/false depending on return type
END IF;

Migration

• 20260303100000_add_org_membership_checks.sql — CREATE OR REPLACE FUNCTION for all 8 functions

Closes #1737

Test plan

1. As User A (member of Org-1), call SELECT * FROM get_plan_usage_percent_detailed('org-1-uuid') — should return usage data normally.
2. As User B (member of Org-2), call SELECT * FROM get_plan_usage_percent_detailed('org-1-uuid') — should return empty result set.
3. Repeat for all 8 functions with cross-org org_id — all should return empty/null/0/false.
4. Verify frontend Usage.vue and supabase.ts still work correctly (they always pass the user's own org_id).
5. Verify get_app_metrics(org_id) single-arg wrapper still works (delegates to the 3-arg version which has the check).

Screenshots

N/A — backend-only changes (SQL migration). No UI changes.

Checklist

• My code follows the code style of this project and passes bun run lint:backend && bun run lint.
• My change requires a change to the documentation.
• I have tested my code manually, and I have provided steps how to reproduce my tests.
• My change has adequate test coverage via the test plan above.

Summary by CodeRabbit

• New Features
  • Enhanced organization data access controls with built-in membership verification for metrics, plan usage, and storage tracking.

[coderabbitai]

📝 Walkthrough

Walkthrough

This pull request adds org membership verification guards to eight existing PostgreSQL SECURITY DEFINER functions, ensuring that authenticated users can only access metrics, plan details, and storage data for organizations they belong to, preventing cross-tenant information disclosure.

Changes

Cohort / File(s)

Summary

Org-Scoped Metrics & Plan Functions supabase/migrations/20260303100000_add_org_membership_checks.sql

Eight new SECURITY DEFINER functions added: get_app_metrics, get_current_plan_max_org, get_current_plan_name_org, get_plan_usage_percent_detailed (2 overloads), get_total_app_storage_size_orgs, get_total_storage_size_org, and is_good_plan_v5_org. Each function verifies org membership via public.org_users before querying sensitive billing, metrics, and storage data. Functions return empty results if user lacks authorization.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• fix: secure get_total_metrics rpc #1671: Adds org membership checks and hardened permissions to get_total_metrics, which is called by the org-scoped functions introduced in this PR.

Poem

🐰 Eight guards we place, oh so keen,
No peeking at neighbors' billing scene!
Org membership checks, standing tall,
Protecting each tenant's data from all.
Security strengthened, warren stays free! 🔐

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: adding org membership checks to SECURITY DEFINER functions to prevent cross-tenant data leakage.
Description check	✅ Passed	The description includes a comprehensive summary, detailed impact analysis, implementation details, migration file reference, and a thorough test plan with specific reproduction steps.
Linked Issues check	✅ Passed	The PR fully addresses the security vulnerability documented in issue #1737 by adding org_users membership checks to all eight affected SECURITY DEFINER functions.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to fixing the cross-tenant information disclosure vulnerability in the eight SECURITY DEFINER functions; no unrelated modifications are present.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 SQLFluff (4.0.4)

supabase/migrations/20260303100000_add_org_membership_checks.sql

User Error: No dialect was specified. You must configure a dialect or specify one on the command line using --dialect after the command. Available dialects:
ansi, athena, bigquery, clickhouse, databricks, db2, doris, duckdb, exasol, flink, greenplum, hive, impala, mariadb, materialize, mysql, oracle, postgres, redshift, snowflake, soql, sparksql, sqlite, starrocks, teradata, trino, tsql, vertica

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@supabase/migrations/20260303100000_add_org_membership_checks.sql`:
- Around line 3-17: Update the migration comment header so the function count
matches the list: change "These 7 info-disclosure functions" to "These 8
info-disclosure functions" (or remove the numeric count entirely) so it
correctly reflects the eight listed functions (get_app_metrics,
get_current_plan_max_org, get_current_plan_name_org,
get_plan_usage_percent_detailed (both overloads count as one or two as
appropriate), get_total_app_storage_size_orgs, get_total_storage_size_org,
is_good_plan_v5_org).

---

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between effb8b6 and 2020d8a.

📒 Files selected for processing (1)

• supabase/migrations/20260303100000_add_org_membership_checks.sql

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Fix the header count mismatch in the migration comment.

Line 3 says “7 info-disclosure functions,” but Lines 10-17 list 8.

✏️ Proposed fix

--- a/supabase/migrations/20260303100000_add_org_membership_checks.sql
+++ b/supabase/migrations/20260303100000_add_org_membership_checks.sql
@@
--- These 7 info-disclosure functions accept an org_id parameter but never verify
+-- These 8 info-disclosure functions accept an org_id parameter but never verify

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@supabase/migrations/20260303100000_add_org_membership_checks.sql` around
lines 3 - 17, Update the migration comment header so the function count matches
the list: change "These 7 info-disclosure functions" to "These 8 info-disclosure
functions" (or remove the numeric count entirely) so it correctly reflects the
eight listed functions (get_app_metrics, get_current_plan_max_org,
get_current_plan_name_org, get_plan_usage_percent_detailed (both overloads count
as one or two as appropriate), get_total_app_storage_size_orgs,
get_total_storage_size_org, is_good_plan_v5_org).

[sonarqubecloud]

Quality Gate passed

Issues
2 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[riderx]

AI SPAM