supabase_auth_admin can CREATE roles

[steve-chavez]

Problem

The manager of the auth schema, supabase_auth_admin can create new roles on the database.

-- See https://github.com/supabase/postgres/blob/develop/nix/tests/expected/auth.out#L31
-- attributes of the supabase_auth_admin
select
  rolcreaterole  ,
  rolcanlogin    ,
  rolsuper       ,
  rolinherit     ,
  rolcreatedb    ,
  rolreplication ,
  rolconnlimit   ,
  rolbypassrls   ,
  rolvaliduntil
from pg_roles r
where r.rolname = 'supabase_auth_admin';
 rolcreaterole | rolcanlogin | rolsuper | rolinherit | rolcreatedb | rolreplication | rolconnlimit | rolbypassrls | rolvaliduntil 
---------------+-------------+----------+------------+-------------+----------------+--------------+--------------+---------------
 t             | t           | f        | f          | f           | f              |           -1 | f            | 
(1 row)

This is likely unneeded, and following the principle of least privilege, supabase_auth_admin shouldn't be able to.

Solution

Remove this privilege for suapbase_auth_admin.