supabase · Adityakk9031 · Dec 1, 2025
@@ -38,6 +38,9 @@ func (a *API) requireAuthentication(w http.ResponseWriter, r *http.Request) (con
 func (a *API) requireNotAnonymous(w http.ResponseWriter, r *http.Request) (context.Context, error) {
 	ctx := r.Context()
 	claims := getClaims(ctx)
+	if claims == nil {
+		return nil, apierrors.NewForbiddenError(apierrors.ErrorCodeBadJWT, "Invalid token: missing claims")
+	}
 	if claims.IsAnonymous {
 		return nil, apierrors.NewForbiddenError(apierrors.ErrorCodeNoAuthorization, "Anonymous user not allowed to perform these actions")
 	}

@@ -109,13 +109,19 @@ func NewCleanup(config *conf.GlobalConfiguration) *Cleanup {
 // not clean up the whole database, but does a small piecemeal clean up each
 // time when called.
 func (c *Cleanup) Clean(db *storage.Connection) (int, error) {
+	// Defensive: if there are no cleanup statements configured, don't attempt modulo/indexing.
+	if len(c.cleanupStatements) == 0 {
+		return 0, nil
+	}
+
 	ctx, span := observability.Tracer("gotrue").Start(db.Context(), "database-cleanup")
 	defer span.End()
 
 	affectedRows := 0
 	defer span.SetAttributes(attribute.Int64("gotrue.cleanup.affected_rows", int64(affectedRows)))
 
 	if err := db.WithContext(ctx).Transaction(func(tx *storage.Connection) error {
+		// safe now because we checked len > 0 above
 		nextIndex := atomic.AddUint32(&c.cleanupNext, 1) % uint32(len(c.cleanupStatements)) // #nosec G115
 		statement := c.cleanupStatements[nextIndex]
 

@@ -12,6 +12,9 @@ type Pagination struct {
 }
 
 func (p *Pagination) Offset() uint64 {
+	if p == nil || p.Page == 0 {
+		return 0
+	}
 	return (p.Page - 1) * p.PerPage
 }
 
@@ -53,7 +56,8 @@ func TruncateAll(conn *storage.Connection) error {
 		}
 
 		for _, tableName := range tables {
-			if err := tx.RawQuery("DELETE FROM " + tableName + " CASCADE").Exec(); err != nil {
+			// Use TRUNCATE TABLE ... CASCADE for test teardown to remove dependent rows as well.
+			if err := tx.RawQuery("TRUNCATE TABLE " + tableName + " CASCADE").Exec(); err != nil {
 				return err
 			}
 		}

@@ -156,7 +156,9 @@ func (s *Session) UpdateOnlyRefreshInfo(tx *storage.Connection) error {
 	// TODO(kangmingtay): The underlying database type uses timestamp without timezone,
 	// so we need to convert the value to UTC before updating it.
 	// In the future, we should add a migration to update the type to contain the timezone.
-	*s.RefreshedAt = s.RefreshedAt.UTC()
+	if s.RefreshedAt != nil {
+		*s.RefreshedAt = s.RefreshedAt.UTC()
+	}
 	return tx.UpdateOnly(s, "refreshed_at", "user_agent", "ip")
 }
 

@@ -21,7 +21,10 @@ type SessionsTestSuite struct {
 }
 
 func (ts *SessionsTestSuite) SetupTest() {
-	TruncateAll(ts.db)
+	// Defensive checks to avoid nil-derefs and to ensure test DB is clean
+	require.NotNil(ts.T(), ts.db, "db connection should be initialized for tests")
+	require.NoError(ts.T(), TruncateAll(ts.db))
+
 	email := "test@example.com"
 	user, err := NewUser("", email, "secret", ts.Config.JWT.Aud, nil)
 	require.NoError(ts.T(), err)