Capgo - Policy Enforcement Bypass in Webhook Management Endpoints via Non-Expiring API Keys

An attacker who possesses a legacy non-expiring API key can bypass the `require_apikey_expiration` organization policy on webhook management endpoints. The attacker sends standard HTTP requests to list, create, or delete webhooks for an organization that has enabled the expiration policy. Because `checkWebhookPermission` does not call `apikeyHasOrgRightWithPolicy`, the request succeeds instead of returning a 401 `org_requires_expiring_key` error. This allows continued privileged automation using keys the organization intended to disallow.

The vulnerability resides in `supabase/functions/_backend/public/webhooks/index.ts` where `checkWebhookPermission` calls `hasOrgRightApikey` and `apikeyHasOrgRight` but omits `apikeyHasOrgRightWithPolicy`. This weaker check is then used by `supabase/functions/_backend/public/webhooks/post.ts` for webhook creation, and the same pattern applies to listing and deletion endpoints. By contrast, stricter organization routes (e.g., `organization/get.ts`, `organization/put.ts`) correctly invoke the policy helper that enforces expiration requirements.

The advisory identifies that `checkWebhookPermission` must be updated to call `apikeyHasOrgRightWithPolicy` instead of (or in addition to) the current checks. The correct helper, shown in `supabase/functions/_backend/utils/supabase.ts` lines 267–285, invokes `checkApikeyMeetsOrgPolicy` which returns `org_requires_expiring_key` when the org requires expiration and the key lacks `expires_at`. Applying this policy check to the webhook permission path would make it consistent with the stricter organization endpoints that already enforce the expiration requirement.