marklok is closing the back door between browser and database
User profile reads and writes no longer come from the browser talking straight to the database - they go through the backend now.
Previously, marklok's fork let the browser query and update user profile records directly in Supabase, the hosted database service the project runs on. That pattern leans entirely on database-level rules to stop a clever user from writing fields they shouldn't. The new approach routes profile changes through a backend endpoint with an explicit list of what can be changed - a meaningful tightening for any product that handles sensitive client data.
Two caveats the team will want to revisit: the allowlist accepts users' personal AI API keys, which means those secrets could quietly land in server logs unless scrubbed; and it lets the client edit its own credit-usage counter, which a determined user could exploit to dodge billing limits. Worth watching whether marklok keeps narrowing what the browser is allowed to touch directly.
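The allowlist pattern described above, with both caveats handled, as an added example that is not marklok's code: field names such as `display_name`, `ai_api_key` and `credits_used` are constructed, since the writeup does not show the fork's schema or endpoint.

```javascript
// Allowlist as the writeup describes it: the client may write its AI key and
// its own credit-usage counter, so it can reset its billing counter at will.
const BROAD_ALLOWLIST = new Set(['display_name', 'ai_api_key', 'credits_used']);

// Narrowed allowlist: the counter is server-owned and no longer client-writable.
const NARROW_ALLOWLIST = new Set(['display_name', 'ai_api_key']);

// Fields whose values must never reach a log line.
const SECRET_FIELDS = new Set(['ai_api_key']);

// Applies only allowlisted fields from `patch` to `current`. `log` stands in for
// the endpoint's logger and only ever receives redacted values.
function applyProfileUpdate(current, patch, allowlist, log = () => {}) {
  const accepted = {};
  const rejected = [];
  for (const [field, value] of Object.entries(patch)) {
    if (allowlist.has(field)) accepted[field] = value;
    else rejected.push(field);
  }
  const redacted = Object.fromEntries(
    Object.entries(accepted).map(([k, v]) => [k, SECRET_FIELDS.has(k) ? '[redacted]' : v]),
  );
  log(JSON.stringify({ accepted: redacted, rejected }));
  return { profile: { ...current, ...accepted }, rejected };
}

// Constructed scenario: a client renames itself, stores a key, and tries to
// zero its counter. Returns the outcome plus everything that was logged.
function runScenario(allowlist) {
  const currentProfile = { display_name: 'old', ai_api_key: null, credits_used: 900 };
  const clientPatch = { display_name: 'new', ai_api_key: 'sk-constructed-secret', credits_used: 0 };
  const logLines = [];
  const result = applyProfileUpdate(currentProfile, clientPatch, allowlist, (l) => logLines.push(l));
  return { ...result, logLines };
}

console.log(runScenario(BROAD_ALLOWLIST).profile.credits_used);  // counter overwritten
console.log(runScenario(NARROW_ALLOWLIST).rejected);             // counter write dropped
```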