New
Introducing React Doctor for Enterprise
Menu
What Is React Doctor?
Quickstart
CLI to CI
How to Fix Issues
GitHub Actions Setup
Updating CI
Other CI Providers
Migrating to CI v2
Config Files
ESLint & oxlint Plugins
CLI Reference
GitHub Action Reference
Node.js API
Changelog
Modified MIT License
Terms of Service
Privacy Policy
Data Use
Security
Support
Rules reference

react-doctor/artifact-baas-authority-surface

Shipping Firebase/Supabase client config with your collection and authorization-field names in a browser bundle hands attackers a map of your data model, which is dangerous when server-side rules do not enforce access.

  • Category: Security
  • Severity: warn
  • Source: oxlint-plugin-react-doctor
  • Framework: global
  • Enabled when: browser artifacts only (generated bundles, .map, public/, dist/assets, .next/static, out/, storybook-static); server build output (.next/server, .output/server) skipped

Validation prompt

Use this to decide whether a fired diagnostic is real or a false positive.

Fires only in a browser-shipped artifact (a generated/minified bundle, a .map, or a file under public/, dist/assets/, .next/static/, out/, or storybook-static/) that contains BOTH Firebase/Supabase client config (e.g. initializeApp/getFirestore/createClient within ~700 chars of apiKey/authDomain/projectId/databaseURL/storageBucket/supabase/SUPABASE_URL) AND an authority surface: a collection(...) reference to sensitive collections (users, orgs, sessions, documents, profiles, …), a from(...) table (users, profiles, organizations, memberships), or an authorization-field name like ownerId/creatorId/providerId/orgId/tenantId/workspaceId/role/roles/isAdmin. FALSE POSITIVE to suppress: the BaaS config is genuinely public AND every collection/field is fully enforced by server-side Firestore/Storage rules or Supabase RLS, so the shipped names are only a low-value reconnaissance map rather than an access path. Note the collection/field list is partly tuned to regression fixtures, so an arbitrary collection name may not match.

Fix prompt

Use this once validation confirms the diagnostic is real.

Client config is never secret, so enforce the authorization boundary on the server: write Firestore/Storage security rules (or Supabase RLS policies) that tie every read and write to request.auth.uid, immutable ownership, and tenant or role membership, so knowing the collection names and field shape grants nothing. Keep owner, tenant, and role fields server-derived and immutable from the client. Code-splitting admin-only screens out of the public bundle reduces what attackers can learn, but enforcing the rules matters more.