Capgo - Missing Authentication Middleware on GET /private/role_bindings Endpoint

An attacker sends an HTTP GET request to `/functions/v1/private/role_bindings/:org_id` without any `Authorization` header. Because the global authentication middleware is not applied to this route, the request reaches the handler, which returns `{"error":"Unauthorized"}`. While no data is currently exposed, the inconsistent enforcement across HTTP methods [ref_id=1] creates a latent authorization bypass risk if the handler logic is ever modified.

The GET route in `supabase/functions/_backend/private/role_bindings.ts` is not wrapped with `middlewareAuth`, unlike the POST and DELETE routes for the same resource. This means unauthenticated requests reach the handler instead of being rejected at the middleware layer.

The advisory recommends applying `middlewareAuth` to the GET route, either via `app.use('/', middlewareAuth)` or by wrapping the GET handler explicitly. This would align the GET route with the POST and DELETE routes, ensuring unauthenticated requests are rejected at the middleware layer before reaching the handler, eliminating the inconsistency and reducing the risk of future authorization bypass.