fix: setup least privileged user for realtime #5632
Supabase CLI preview
npx --yes https://pkg.pr.new/supabase/cli/supabase@b1fe92316b77cd9a0702dbd272d4ae806833427b
Preview package for commit |
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 20b5d9d794
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| ALTER USER supabase_storage_admin WITH PASSWORD :'pgpass'; | ||
| ALTER USER supabase_replication_admin WITH PASSWORD :'pgpass'; | ||
| ALTER USER supabase_read_only_user WITH PASSWORD :'pgpass'; | ||
| ALTER USER supabase_realtime_admin WITH PASSWORD :'pgpass'; |
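Review bot: The supabase_realtime_admin line sets the same :'pgpass' value as supabase_storage_admin, supabase_replication_admin and supabase_read_only_user above it, so the role introduced for least privilege shares its credential with every other service role in this block. If that is intentional for the local stack, say so in a comment next to these statements; otherwise pass a separate psql variable for the Realtime role so its password can differ.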
Create the realtime role before altering it
On a fresh local database this post-init SQL runs before the Realtime container can apply any of its own setup, and the supabase/postgres images currently referenced by the CLI (for example 17.6.1.136) do not create supabase_realtime_admin in their bundled Postgres migrations. As a result this new ALTER USER fails with role "supabase_realtime_admin" does not exist, causing the db container to abort before supabase start can become healthy; create/guard the role first and mirror the fix in the stack Docker schema copy.
| auth: "2.188.0-rc.15", | ||
| "edge-runtime": "1.73.13", | ||
| realtime: "2.78.10", | ||
| realtime: "2.109.1", |
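Review bot: The realtime entry moves from 2.78.10 to 2.109.1 in a change titled as a least-privilege fix, and nothing in these lines says why the bump belongs here. State in the PR description why the role change needs the newer image, so the version change can be reviewed and reverted independently of the role setup.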
Update the stale realtime image assertion
Changing DEFAULT_VERSIONS.realtime here also changes the image selected by StackBuilder.unit.test.ts because that test passes DEFAULT_VERSIONS.realtime, but its fallback-registry assertions are still hard-coded to supabase/realtime:v2.78.10. In CI with dependencies installed, the stack unit suite will now fail even though the builder chooses the new v2.109.1 image; update those expected image strings with the version bump.
| "DB_USER_REALTIME=supabase_realtime_admin", | ||
| "DB_PASS_REALTIME=" + dbConfig.Password, |
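Review bot: "DB_USER_REALTIME=supabase_realtime_admin" hard-codes the role name as a string literal, while DB_PASS_REALTIME is built from dbConfig.Password. Put the role name in a named constant shared with the code that creates the role so the two cannot drift, and add a comment on whether reusing dbConfig.Password for this role is deliberate.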
Point Realtime at the least-privilege user
For the v2.109.1 Realtime image bumped in this change, the runtime connection username is still taken from DB_USER in config/runtime.exs; adding DB_USER_REALTIME here does not change the Repo credentials while DB_USER remains postgres. In those local stacks Realtime continues running all runtime DB traffic as the superuser, so the least-privilege change is ineffective unless the consumed DB user/password settings are switched or the image actually reads these new variables.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: b1fe92316b
| "DB_USER_REALTIME=supabase_realtime_admin", | ||
| "DB_PASS_REALTIME=" + dbConfig.Password, |
Install realtime grants before switching tenant connections
When this env is present, Realtime v2.109.1 seeds db_user_realtime and all non-migration tenant DB connections prefer supabase_realtime_admin; however the upstream migration that grants this role access to the realtime schema is gated behind the use_supabase_realtime_admin feature flag, which defaults off, and the role created in this change only has LOGIN/REPLICATION/CREATEROLE. In the default local stack, the first tenant connection/subscription then tries to read realtime.schema_migrations as a role with no schema/table grants and fails with permission denied, so either run/enable the setup grants before setting this env or leave it unset here and in the stack service until those grants are installed.
| "DB_USER_REALTIME=supabase_realtime_admin", | ||
| "DB_PASS_REALTIME=" + dbConfig.Password, |
Gate realtime admin usage by Postgres version
When users keep a supported db.major_version of 14 or the CLI's default PG15 image (supabase/postgres:15.8.1.085), Realtime v2.109's compatibility matrix still requires the superuser path because those Postgres images lack the policy-grant/log-parameter delegation needed by supabase_realtime_admin. Setting DB_USER_REALTIME unconditionally makes the seeded tenant use the least-privilege role for runtime DB connections on those older supported stacks, so subscriptions can fail even after the role exists; only set these env vars for PG17/PG15.14.1.018+ images, or leave Realtime on the existing superuser credentials for older versions.
| IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'supabase_realtime_admin') THEN | ||
| CREATE ROLE supabase_realtime_admin WITH NOINHERIT CREATEROLE LOGIN REPLICATION; | ||
| END IF; |
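Review bot: CREATE ROLE grants CREATEROLE and REPLICATION to a role whose purpose is least privilege, and nothing in these lines explains why either is needed. CREATEROLE lets the role create and alter other roles and REPLICATION lets it open replication connections, so add a comment naming the Realtime feature that needs each attribute, or drop the ones that are not required.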
Promote existing realtime admin roles before using them
On existing local volumes that have already run Realtime's 202404 tenant migration, supabase_realtime_admin already exists but was created as NOLOGIN NOREPLICATION; this IF NOT EXISTS path skips the new LOGIN/REPLICATION attributes and only changes the password. After the startup env switches runtime connections to that role, upgraded stacks fail to authenticate as supabase_realtime_admin, so alter the role attributes even when it already exists and mirror that in the stack init copies.
There was a problem hiding this comment.
The mentioned "202404 tenant migration" is https://github.com/supabase/realtime/blob/main/lib/realtime/tenants/repo/migrations/20240401105812_create_realtime_admin_and_move_ownership.ex but that role is being updated by a later migration https://github.com/supabase/realtime/blob/main/lib/realtime/tenants/repo/migrations/20260606120000_setup_supabase_realtime_admin.ex which does ALTER ROLE supabase_realtime_admin WITH NOINHERIT CREATEROLE LOGIN REPLICATION.
That migration is currently gated behind a feature flag in Realtime while we roll out the new permission schema, but it's safe to CREATE ROLE supabase_realtime_admin WITH NOINHERIT CREATEROLE LOGIN REPLICATION here.
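As an added example (not code from this PR or from Realtime), one way to make the role setup idempotent for the existing-volume case discussed in this thread, and to verify the attributes and grants the review comments above rely on. The role name and attributes come from the hunk; the `realtime` schema and `realtime.schema_migrations` names come from the review comments; a superuser session is assumed.

```sql
-- Added example, not part of the PR. Run as a superuser (REPLICATION can
-- only be set by one).

-- 1. Create the role if it is missing; otherwise bring an existing role
--    (for instance one created earlier as NOLOGIN NOREPLICATION) to the
--    same attribute set, so both paths end in an identical state.
DO $$
BEGIN
  IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'supabase_realtime_admin') THEN
    CREATE ROLE supabase_realtime_admin WITH NOINHERIT CREATEROLE LOGIN REPLICATION;
  ELSE
    ALTER ROLE supabase_realtime_admin WITH NOINHERIT CREATEROLE LOGIN REPLICATION;
  END IF;
END
$$;

-- 2. Audit the role's attributes next to the superuser it is meant to
--    replace. For supabase_realtime_admin, rolsuper and rolbypassrls
--    should be false; rolcanlogin and rolreplication should be true.
SELECT rolname, rolsuper, rolcanlogin, rolreplication,
       rolcreaterole, rolinherit, rolbypassrls
FROM pg_roles
WHERE rolname IN ('postgres', 'supabase_realtime_admin')
ORDER BY rolname;

-- 3. Check that the role can reach the objects Realtime reads at startup.
--    A false here reproduces the "permission denied" case from the review;
--    NULL means the schema or table does not exist yet.
SELECT has_schema_privilege(
         'supabase_realtime_admin',
         (SELECT oid FROM pg_namespace WHERE nspname = 'realtime'),
         'USAGE') AS can_use_realtime_schema,
       has_table_privilege(
         'supabase_realtime_admin',
         to_regclass('realtime.schema_migrations'),
         'SELECT') AS can_read_schema_migrations;
```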
What kind of change does this PR introduce?
setup least privileged user for realtime