Open
Labels: bug (Something isn't working)
Description
Problem
The manager of the auth schema, supabase_auth_admin, can create new roles on the database.

```sql
-- See https://github.com/supabase/postgres/blob/develop/nix/tests/expected/auth.out#L31
-- attributes of the supabase_auth_admin
select
  rolcreaterole,
  rolcanlogin,
  rolsuper,
  rolinherit,
  rolcreatedb,
  rolreplication,
  rolconnlimit,
  rolbypassrls,
  rolvaliduntil
from pg_roles r
where r.rolname = 'supabase_auth_admin';
 rolcreaterole | rolcanlogin | rolsuper | rolinherit | rolcreatedb | rolreplication | rolconnlimit | rolbypassrls | rolvaliduntil
---------------+-------------+----------+------------+-------------+----------------+--------------+--------------+---------------
 t             | t           | f        | f          | f           | f              |           -1 | f            |
(1 row)
```
This is likely unneeded, and following the principle of least privilege, supabase_auth_admin shouldn't be able to.
Solution
Remove this privilege for supabase_auth_admin.
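One way to audit and apply the proposed change, as an added example that is not part of the issue or of the supabase/postgres repository. It assumes the session runs as a role allowed to alter supabase_auth_admin (for example a superuser) and that nothing in the auth migrations depends on creating roles.

```sql
-- Added example; not code from the issue or the repository.
-- Assumption: executed by a role permitted to alter supabase_auth_admin.

-- 1. Audit: every non-superuser role that currently holds CREATEROLE.
select rolname, rolcanlogin, rolcreaterole
from pg_roles
where rolcreaterole
  and not rolsuper
order by rolname;

-- 2. Audit: role memberships that supabase_auth_admin holds or has granted,
--    to see whether it has actually used the attribute.
select roleid::regrole  as granted_role,
       member::regrole  as member_role,
       grantor::regrole as grantor_role,
       admin_option
from pg_auth_members
where member  = 'supabase_auth_admin'::regrole
   or grantor = 'supabase_auth_admin'::regrole;

-- 3. Remove the attribute and verify it inside one transaction, so a failed
--    check rolls the change back instead of leaving a half-applied state.
begin;

alter role supabase_auth_admin nocreaterole;

do $$
begin
  if exists (
    select 1
    from pg_roles
    where rolname = 'supabase_auth_admin'
      and rolcreaterole
  ) then
    raise exception 'supabase_auth_admin still has CREATEROLE';
  end if;
end
$$;

commit;
```

After the change, the attribute query quoted in the issue should report `f` in the rolcreaterole column, and the expected test output it links to would need the same update.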