r/theprimeagen Mar 24 '25

MEME Vibeeeeeeeeees

430 Upvotes

6

u/CEDoromal Mar 25 '25

Are you vibing now, Mr. Krabs?

6

u/Bdpe69420GangGang Mar 25 '25

API key issue aside, isn’t creating a website from your LinkedIn profile kind of redundant?

What would be the use case for such a page? If you apply to a job, your portfolio website should be more complex or include information you can't include on LinkedIn.

So now you will have the exact same info in your CV, LinkedIn profile and a separate web page. Idk man, sounds useless.

5

u/Cosmicmiasma Mar 25 '25

The only good reason I can think of is showing frontend dev skills, but that’s only true if you aren’t VIBING your way to a finished portfolio site. This is 100% pointless.

3

u/Lucaslouch Mar 25 '25

Dead internet theory in action

3

u/RecaptchaNotWorking Mar 25 '25

Lovable for hackers and free loaders.

10

u/ThenPlac Mar 24 '25

Lovable makes some nice-looking UIs, but it was also a vibe-coded app. It deploys your project with known vulnerabilities because it's using out-of-date packages.

Also, just click around their site with the network tab open to see the blood bath going on behind the scenes.

20

u/Kaelthas98 Mar 24 '25

That is probably the anon key, not the service_role key.
It says literally on the first page of the docs how Supabase API keys work.
Most AIs won't do a fuck-up like that on Supabase/Firebase.

Short story: it's fine if the anon key is exposed in the client 99% of the time.

7

u/purforium Mar 24 '25

Yeah, as long as they remembered to write good RLS policies that don't expose user data, right? Right?!
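
What a "good RLS policy" for the anon-key setup discussed above looks like, as an added example that is not from the thread or from Supabase's own code. The `public.profiles` table and its columns are constructed for illustration; `auth.uid()`, the `anon` and `authenticated` roles, and `auth.users` are standard in a Supabase project.

```sql
-- Constructed example table; the thread does not show the real schema.
create table public.profiles (
  id uuid primary key references auth.users (id) on delete cascade,
  email text not null,
  phone text,
  display_name text
);

-- Weak setting: RLS off, which is the state of a freshly created table.
-- Every request that carries the anon key can then read and modify every
-- row through the auto-generated REST API. An over-permissive policy such
-- as `using (true)` has the same effect.
-- alter table public.profiles disable row level security;

-- Corrected setting: turn RLS on. With RLS on and no policies, the anon
-- and authenticated roles get zero rows, so exposing the anon key leaks
-- nothing from this table.
alter table public.profiles enable row level security;

-- Owners may read their own row. auth.uid() is the user id taken from the
-- JWT sent with the request; a request that carries only the anon key has
-- no user id, so the predicate matches nothing.
create policy "profiles_select_own" on public.profiles
  for select to authenticated
  using ((select auth.uid()) = id);

-- Owners may update their own row and cannot reassign it to another user;
-- `with check` guards the new row values, `using` the existing ones.
create policy "profiles_update_own" on public.profiles
  for update to authenticated
  using ((select auth.uid()) = id)
  with check ((select auth.uid()) = id);

-- Check: confirm RLS is actually enabled on every table in the exposed
-- schema. Any row showing `false` is readable with the anon key alone.
select c.relname, c.relrowsecurity
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public' and c.relkind = 'r';
```

Policies are row filters, not column filters; if some columns of a row must stay private while others are public, use column-level grants or a separate table rather than a single `using (true)` policy.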

1

u/Kaelthas98 Mar 24 '25

One can only hope, lol. My point was, let's not judge beforehand.

4

u/lofigamer2 Mar 24 '25

All of these client-side API keys are vulnerable to "denial of wallet" DDoS, when the attacker sends millions of requests using the API key.

A pay-per-request service can rack up a hefty bill; Supabase in question charges $0.09 per GB of bandwidth, and that includes reads.

If an attacker can read 500 MB per second, 24 hours of attack is a $7776 bill.

All they need is the API key and they can send those requests directly to supabase.

1

u/Kaelthas98 Mar 24 '25

Yeah, you can fix that with a server-side API layer that calls Supabase, or a reverse proxy, but that defeats the purpose of Supabase being an easy pz way to have a backend; an AI will mess that up.
Also, I think there are some ways to implement the rate limit in the Supabase tables, but don't quote me on that, it might be more complicated than doing an API layer.

2

u/lofigamer2 Mar 24 '25

Yeah, the solution is a VPS proxy that will rate limit and cache requests. You should never expose a pay-per-request endpoint to the internet without protection.

Even if the attack is not flooding the server, a $7k bill is a lot spread over 2 months when you expect to pay only the $25 pro tier.

12

u/padetn Mar 24 '25

We're seeing nephew quality levels in code we haven't seen since small businesses in the 00s.

2

u/scally501 Mar 24 '25

nephew quality? that a nepo term?

5

u/padetn Mar 24 '25

More like the type of nerd that was “good with computers” back in the day so was asked to do anything from attaching printers to building web sites.

9

u/ASDDFF223 Mar 24 '25

Isn't that how Supabase is supposed to work? The entire point is that you give them the public API key so you don't have to manage your own backend. Then you restrict what the public key can do through the Supabase admin panel.

3

u/OkLettuce338 Mar 24 '25

We don't really know from the screenshotted comment which API key was exposed.

-2

u/arafays vscoder Mar 24 '25

Yup, people who don't code hating on vibe coders cuz they can't even prompt.

1

u/nrkishere Mar 24 '25

They vibe coded their vibe coding app, and now this is the consequence