Capgo - Information Disclosure via Unauthenticated /replication Endpoint

An attacker sends a GET request to `https://api.capgo.app/replication` without any authentication credentials [ref_id=1]. The server responds with a JSON payload containing internal PostgreSQL replication slot names (which reveal backend components, providers, and regions), WAL/LSN positions (`confirmed_flush_lsn`, `restart_lsn`), per-slot lag metrics, and overall status [ref_id=1]. If an exception occurs, the error handler additionally returns raw database error fields such as `error_detail` and `error_hint`, further increasing information disclosure risk [ref_id=1].

The unauthenticated `/replication` endpoint is defined in `supabase/functions/_backend/public/replication.ts` with only CORS middleware (`app.use('*', useCors)`) and no authentication middleware [ref_id=1]. The route returns raw PostgreSQL replication slot telemetry including `slot_name`, `confirmed_flush_lsn`, `restart_lsn`, per-slot lag metrics, and overall status, and the error handler exposes database error fields (`error_message`, `error_code`, `error_detail`, `error_hint`) to the client [ref_id=1].

The advisory recommends restricting the `/replication` endpoint to authenticated admin-only access or an IP allowlist for internal monitoring [ref_id=1]. If a public health endpoint is required, it should return only minimal status (e.g., `{status, checked_at}`) and remove slot names, LSNs, and detailed telemetry, and must not return raw database error fields (`error_detail`, `error_hint`) to clients [ref_id=1]. The patch does not show the exact code changes, but the remediation guidance is to add authentication middleware or an IP allowlist and sanitize the response payload.