The built-in get_logs function uses a query with a wildcard () which is rejected due to Column Level Security restrictions #23
Description
Bug report
Describe the bug
The Supabase MCP's get_logs tool fails when requesting edge function logs due to a Column Level Security restriction. The tool uses a wildcard query (SELECT * FROM function_logs) which triggers a "restricted wildcard (*) in a result column" error.
To Reproduce
- Initialize a Supabase MCP client
- Attempt to fetch edge function logs using:
mcp_Supa_Global_[username]_get_logs({ project_id: "your-project-id", service: "edge-function" })
- Observe the query fails with "restricted wildcard (*) in a result column" error
Expected behavior
The get_logs tool should successfully retrieve edge function logs by using explicit column names instead of the wildcard selector.
System information
- OS: macOS
- Version of supabase-js: Latest
- Version of Node.js: Latest
Additional context
The issue is in the getLogQuery function (from logs.js) which generates SQL for different service types. For edge functions, it uses:
case 'edge-function':
return stripIndent`
select * from function_logs
order by timestamp desc
limit ${limit}
`;This violates Column Level Security restrictions as documented at https://supabase.com/docs/guides/database/postgres/column-level-security:
"Restricted roles cannot use the wildcard operator (*) on the affected table. Instead of using SELECT * FROM <restricted_table>; or its API equivalent, you must specify the column names explicitly."
The query should be modified to explicitly list columns:
case 'edge-function':
return stripIndent`
select id, function_logs.timestamp, event_message, metadata.event_type, metadata.function_id, metadata.level
from function_logs
cross join unnest(metadata) as metadata
order by timestamp desc
limit ${limit}
`;This would allow users to access edge function logs through the MCP server without encountering Column Level Security restrictions.