Supabase Auto-Grants EXECUTE Back to anon After REVOKE — The Hidden Trap and Fix
Description
Supabase re-grants EXECUTE to anon on every migration run, silently undoing your `REVOKE ALL ON FUNCTION FROM PUBLIC`. Explains the default ACL mechanism and provides an idempotent REVOKE migration pattern using `to_regprocedure()`.
Preview
You create a SECURITY DEFINER function in Supabase, add REVOKE ALL ON FUNCTION FROM PUBLIC to your migration for security — and then discover that calling the function with the anon key does not return permission denied. It just works. Every time.
The cause is Supabase's default ACL auto-grant. After each migration run, Supabase internally re-grants EXECUTE on public-schema functions to both anon and authenticated. Your REVOKE gets overwritten by the very next migration.
Functions like confirm_transaction or consume_wallet_challenge that bypass RLS are likely callable by anon right now. This guide explains why it happens and provides an idempotent REVOKE migration pattern using to_regprocedure() that survives future migrations.
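The shape of the idempotent REVOKE migration the preview refers to, written here as an added example rather than code from the guide. The argument lists of the two functions are assumed (they are not given above), and the example keeps service_role as the only caller; the trailing query is a check you can run after any migration to list SECURITY DEFINER functions in public that anon can still execute.

```sql
-- Idempotent REVOKE migration (added example; function signatures are assumed).
-- to_regprocedure() returns NULL instead of raising when a function does not
-- exist yet, so the same migration can be re-run before or after the function
-- is created without failing.
DO $$
DECLARE
  sig text;
  fn  regprocedure;
BEGIN
  FOREACH sig IN ARRAY ARRAY[
    'public.confirm_transaction(uuid)',             -- assumed signature
    'public.consume_wallet_challenge(uuid, text)'   -- assumed signature
  ] LOOP
    fn := to_regprocedure(sig);
    IF fn IS NULL THEN
      RAISE NOTICE 'skipping %: function not present in this database', sig;
      CONTINUE;
    END IF;
    -- Remove the broad grants, including the ones re-applied after a migration run.
    EXECUTE format('REVOKE ALL ON FUNCTION %s FROM PUBLIC, anon, authenticated', fn);
    -- Keep the function callable only by the backend role.
    EXECUTE format('GRANT EXECUTE ON FUNCTION %s TO service_role', fn);
  END LOOP;
END
$$;

-- Check: SECURITY DEFINER functions in public that anon can still EXECUTE.
-- An empty result is the expected state after the migration above.
SELECT p.oid::regprocedure AS callable_by_anon
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname = 'public'
  AND p.prosecdef
  AND has_function_privilege('anon', p.oid, 'EXECUTE')
ORDER BY 1;
```

Re-run the check after every migration, not just once, since the preview's point is that a later migration can restore the grant.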
Reviews
No reviews yet