[codex] Add Supabase Cloudflare network restriction helper#2361
Conversation
|
Warning Review limit reached
More reviews will be available in 20 minutes and 10 seconds. Learn how PR review limits work. Your organization has run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (2)
Comment |
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
Merging this PR will not alter performance
Comparing 
Footnotes
|
|
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
sanphandinh
left a comment
sanphandinh
left a comment
There was a problem hiding this comment.
Reviewed this from the ops/security angle.
What I checked:
bash -n scripts/update_supabase_network_restrictions.shpasses.scripts/update_supabase_network_restrictions.sh --helprenders cleanly.- Dry run with a real project ref fetched Cloudflare ranges and did not execute Supabase writes:
bash scripts/update_supabase_network_restrictions.sh --project-ref xvwzpoazmxkqosrdewyv --dry-run --yes
It produced 22 CIDRs and printed the expectednetwork-restrictions getandnetwork-restrictions update --db-allow-cidr ...commands. - The approach matches Cloudflare Hyperdrive docs: Hyperdrive connects using Cloudflare IP address ranges, and those ranges are the right allowlist input for database firewalls.
No blocker from my pass. One small hardening suggestion before relying on the env-file fallback in automation: get_env_value() returns the raw value after KEY=, so a common .env line such as SUPABASE_URL="https://xvwzpoazmxkqosrdewyv.supabase.co" keeps the surrounding quotes. extract_project_ref_from_url() then fails the host regex for URL-style values because the host ends with ". Database URLs using the postgres.<ref> username path still work, but API URL fallback can fail. It would be safer to strip one layer of matching single/double quotes, and optionally ignore inline comments, before passing the value to extract_project_ref_from_url().
Given the default mode is replace, I also like that the script prints the current restrictions and requires confirmation unless --yes is set.
2 participants
Summary (AI generated)
scripts/update_supabase_network_restrictions.shto apply current Cloudflare IPv4 and IPv6 CIDRs to Supabase database network restrictions.bun run supabase:allow-cloudflareas the package script entrypoint.Motivation (AI generated)
Capgo needs an operational way to close direct Postgres access to Supabase while still allowing Cloudflare Hyperdrive to reach the database through Cloudflare egress ranges.
Business Impact (AI generated)
This improves database security posture by making it easier to restrict Supabase Postgres connectivity to Cloudflare-controlled paths, reducing direct exposure while preserving Hyperdrive-based operations.
Test Plan (AI generated)
bash -n scripts/update_supabase_network_restrictions.shbun -e 'JSON.parse(await Bun.file("package.json").text()); console.log("package.json ok")'bun run supabase:allow-cloudflare -- --project-ref xvwzpoazmxkqosrdewyv --dry-run --ipv4-onlybun run supabase:allow-cloudflare -- --project-ref xvwzpoazmxkqosrdewyv --dry-run --ipv6-onlybun run typecheckGenerated with AI