PUT /USER is abusable
Bug report
Hi, I just noticed that the PUT /USER endpoint can be abused for adding/putting data.
Is it intended?
This can be abused by anyone, simply because everyone authenticated can access this endpoint and they can flood the /PUT user endpoint to set user data. I think this could be disabled using an RLS policy, but having this as the default behavior might not be a good idea.
Thanks for the report. While this conscious design decision makes Supabase powerful, you make a good point that it puts some responsibility on users to have good RLS policies. I'll discuss with the team to see if there are opportunities for better documentation / user education. I don't think that changing defaults is on the table though.