Supabase + Next.js Security Specialist — Audit & FIX a live SaaS (hands-on, not a report)
Worldwide
Summary

We run a live, production SaaS — web + mobile (music software) — built on Supabase, Next.js, and Vercel, with Stripe for payments. It was built fast to ship, and we now want a thorough, professional security pass before we scale further. We're looking for someone who knows Supabase AND the Next.js app layer deeply, to audit and directly FIX the vulnerabilities — not hand us a PDF. You'll work end-to-end: database, storage, auth, and the application/API layer.

What we need audited & fixed

1. Row Level Security (RLS)
- Review RLS on every table in the public schema.
- Find any table where a user can read, write, or delete data they shouldn't.
- Write/correct policies so each user can only access their own data (or the correct sharing logic).

2. SECURITY DEFINER functions & views
- Review all SECURITY DEFINER functions and views.
- Lock down anything executable by anon/authenticated that shouldn't be.
- Fix mutable search_path and any function returning other users' data.

3. Storage buckets
- Audit all bucket policies (we store audio, images, avatars).
- Prevent unauthorized listing, download, overwrite, or deletion of objects.
- Strictly restrict who/what can write or delete objects in production.

4. Application / API-layer security (Next.js) — important
- Review every API route that uses the service-role / admin client: each must enforce authentication and ownership checks (no IDOR).
- Find and remove or secure any debug/internal endpoints exposed in production.
- Confirm no hardcoded credentials, tokens, or admin passwords in the codebase.
- Check that privileged actions can't be triggered by unauthorized callers.

5. Service-role key & secrets
- Confirm the service-role key (and any secret) is not present in client/frontend code or the browser bundle.
- Check git history for leaked secrets.
- If exposed: rotate and move everything server-side only.

6. Auth & platform hardening
- Review Supabase Auth config for misconfigurations.
- Tighten the redirect-URL allowlist (no wildcards), enable leaked-password protection, sensible OTP/JWT expiry, and rate limiting.
- Ensure no role or shared key allows mass-deletion of production data.

7. Webhooks & scheduled jobs
- Verify Stripe webhook signature validation.
- Ensure cron/webhook endpoints fail closed (reject unauthenticated calls), not open.

8. Dependencies
- Run a dependency/supply-chain check (npm audit / Snyk) and flag/patch high-risk packages.

9. Monitoring & alerting
- Set up (or recommend + help configure) basic monitoring/alerting so suspicious activity (mass writes/deletes, abnormal access) is detected in minutes, not days.

Deliverables
- Vulnerabilities fixed directly in our project (we'll provide scoped access; we prefer you work on a DB branch/staging, then apply to prod with our review).
- Verification/proof: re-run the Supabase advisor scan and demonstrate (e.g., one account cannot access another's data) that the fixes hold.
- A short written summary of what was wrong and what you changed.
- A list of the recurring anti-patterns our team should avoid, so we stop reintroducing the same issues.

Our stack
- Database / Auth / Storage: Supabase (Postgres)
- Frontend / API: Next.js, deployed on Vercel
- Payments: Stripe

How we work / access

Scoped access provided under NDA. Read-only for the audit → branch/staging for fixes → production with our review. We will not share the service-role key in plaintext.

To apply
- Tell us about a Supabase project where you fixed RLS or storage security (real example).
- Briefly: how you'd approach a fast-built app like ours (Supabase + Next.js API layer).
- Your fixed-price quote and timeline — feel free to phase it (e.g., a critical-fix sprint first, then the full pass).
- Your availability to start.

Please do NOT apply if your plan is to run an automated scanner and send a PDF. We want hands-on fixes by someone who knows Supabase and Next.js security deeply.
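As an added illustration (not part of the posting) of what items 1 and 2 come down to in Postgres: per-user RLS policies on a hypothetical public.tracks table with an owner_id column, plus a SECURITY DEFINER function with a pinned search_path that is scoped to the caller and not executable by anon.

```sql
-- Added example, not from the job post. Assumes a hypothetical table
-- public.tracks(id, owner_id uuid, title, ...) where owner_id is the auth.users id.

-- 1. RLS: enable it (deny by default), then allow each owner only their own rows.
alter table public.tracks enable row level security;
alter table public.tracks force row level security;  -- also binds the table owner

-- One policy per command; wrapping auth.uid() in (select ...) lets the planner
-- evaluate it once per statement instead of once per row.
create policy "tracks: owners read"   on public.tracks for select to authenticated
  using ((select auth.uid()) = owner_id);
create policy "tracks: owners insert" on public.tracks for insert to authenticated
  with check ((select auth.uid()) = owner_id);
create policy "tracks: owners update" on public.tracks for update to authenticated
  using ((select auth.uid()) = owner_id)
  with check ((select auth.uid()) = owner_id);
create policy "tracks: owners delete" on public.tracks for delete to authenticated
  using ((select auth.uid()) = owner_id);
-- No policy is created for anon: with RLS on and no matching policy, anon sees nothing.

-- 2. SECURITY DEFINER runs as the function owner and bypasses the caller's RLS, so it
--    must (a) pin search_path, (b) scope its result to the caller, (c) not be open to anon.
create or replace function public.my_track_count()
returns bigint
language sql
security definer
set search_path = ''   -- clears the "mutable search_path" advisor finding; all names below are qualified
stable
as $$
  select count(*) from public.tracks where owner_id = (select auth.uid());
$$;

-- Supabase grants execute to anon/authenticated by default, so revoke explicitly.
revoke execute on function public.my_track_count() from public, anon;
grant  execute on function public.my_track_count() to authenticated;
```

After applying, re-run the Supabase advisor scan (the function should no longer be flagged) and confirm with two test accounts that neither can read or count the other's rows in public.tracks.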
$1,000.00
- Fixed-price
- Intermediate (Experience Level)
- Remote Job
- Ongoing project (Project Type)
Activity on this job
- Proposals: 20 to 50
- Last viewed by client: yesterday
- Interviewing: 12
- Invites sent: 0
- Unanswered invites: 0
About the client
- BEL, Brugge, 12:17 PM
- $3K total spent, 2 hires, 0 active