// Analyze Supabase authentication configuration for security weaknesses and misconfigurations.
Orchestrate a complete Supabase security audit with guided step-by-step execution and ownership confirmation.
Test Row Level Security (RLS) policies for common bypass vulnerabilities and misconfigurations.
List and test exposed PostgreSQL RPC functions for security issues and potential RLS bypass.
List all tables exposed via the Supabase PostgREST API to identify the attack surface.
Attempt to read data from exposed tables to verify actual data exposure and RLS effectiveness.
Test if user signup is open and identify potential abuse vectors in the registration process.
| name | supabase-audit-auth-config |
| description | Analyze Supabase authentication configuration for security weaknesses and misconfigurations. |
🔴 CRITICAL: PROGRESSIVE FILE UPDATES REQUIRED
You MUST write to context files AS YOU GO, not just at the end.
- Write to
.sb-pentest-context.jsonIMMEDIATELY after each setting analyzed- Log to
.sb-pentest-audit.logBEFORE and AFTER each test- DO NOT wait until the skill completes to update files
- If the skill crashes or is interrupted, all prior findings must already be saved
This is not optional. Failure to write progressively is a critical error.
This skill analyzes the authentication configuration of a Supabase project.
Supabase Auth (GoTrue) exposes:
https://[project].supabase.co/auth/v1/
| Endpoint | Purpose |
|---|---|
/auth/v1/settings | Public settings (limited) |
/auth/v1/signup | User registration |
/auth/v1/token | Authentication |
/auth/v1/user | Current user info |
/auth/v1/recover | Password recovery |
From the public API, we can detect:
| Setting | Detection Method |
|---|---|
| Email auth enabled | Attempt signup |
| Phone auth enabled | Check settings |
| OAuth providers | Check settings |
| Signup disabled | Attempt signup |
| Email confirmation | Signup response |
| Password requirements | Error messages |
Audit authentication configuration
Check if signup is open and what providers are enabled
═══════════════════════════════════════════════════════════
AUTHENTICATION CONFIGURATION AUDIT
═══════════════════════════════════════════════════════════
Project: abc123def.supabase.co
Auth Endpoint: https://abc123def.supabase.co/auth/v1/
─────────────────────────────────────────────────────────
Authentication Methods
─────────────────────────────────────────────────────────
Email/Password: ✅ Enabled
├── Signup: ✅ Open (anyone can register)
├── Email Confirmation: ❌ NOT REQUIRED ← P1 Issue
├── Password Min Length: 6 characters ← P2 Consider longer
└── Secure Password Check: Unknown
Phone/SMS: ✅ Enabled
└── Provider: Twilio
Magic Link: ✅ Enabled
└── OTP Expiry: 300 seconds (5 min)
OAuth Providers Detected: 3
├── Google: ✅ Enabled
├── GitHub: ✅ Enabled
└── Discord: ✅ Enabled
Anonymous Auth: ✅ Enabled ← Review if intended
─────────────────────────────────────────────────────────
Security Settings
─────────────────────────────────────────────────────────
Rate Limiting:
├── Signup: 3/hour per IP (good)
├── Token: 30/hour per IP (good)
└── Recovery: 3/hour per IP (good)
Session Configuration:
├── JWT Expiry: 3600 seconds (1 hour)
├── Refresh Token Rotation: Unknown
└── Inactivity Timeout: Unknown
Security Headers:
├── CORS: Configured
├── Allowed Origins: * (wildcard) ← P2 Consider restricting
└── Credentials: Allowed
─────────────────────────────────────────────────────────
Findings
─────────────────────────────────────────────────────────
🟠 P1: Email Confirmation Disabled
Issue: Users can signup and immediately access the app
without verifying their email address.
Risks:
├── Fake accounts with invalid emails
├── Typosquatting (user@gmial.com)
├── No verified communication channel
└── Potential for abuse
Recommendation:
Supabase Dashboard → Authentication → Email Templates
→ Enable "Confirm email"
─────────────────────────────────────────────────────────
🟡 P2: Short Minimum Password Length
Issue: Minimum password length is 6 characters.
Recommendation: Increase to 8-12 characters minimum.
Supabase Dashboard → Authentication → Settings
→ Minimum password length
─────────────────────────────────────────────────────────
🟡 P2: Wildcard CORS Origin
Issue: CORS allows requests from any origin (*).
Recommendation: Restrict to your domains only.
Supabase Dashboard → Authentication → URL Configuration
→ Site URL and Redirect URLs
─────────────────────────────────────────────────────────
ℹ️ INFO: Anonymous Auth Enabled
Note: Anonymous authentication is enabled.
This is fine if intentional (guest access).
Review if you expect all users to be authenticated.
─────────────────────────────────────────────────────────
Summary
─────────────────────────────────────────────────────────
Auth Methods: 5 enabled
OAuth Providers: 3
Findings:
├── P1 (High): 1 - Email confirmation disabled
├── P2 (Medium): 2 - Password length, CORS
└── Info: 1 - Anonymous auth enabled
Recommended Actions:
1. Enable email confirmation
2. Increase minimum password length
3. Restrict CORS to specific domains
4. Review if anonymous auth is needed
═══════════════════════════════════════════════════════════
| Setting | Recommended | Risk if Wrong |
|---|---|---|
| Email Confirmation | ✅ Required | Fake accounts |
| Password Length | ≥8 chars | Weak passwords |
| Password Complexity | Enable | Easy to guess |
| Rate Limiting | Enable | Brute force |
| Setting | Recommended | Risk if Wrong |
|---|---|---|
| Verified providers only | Yes | Account takeover |
| Proper redirect URLs | Specific URLs | OAuth redirect attacks |
| State parameter | Enabled | CSRF attacks |
| Setting | Recommended | Risk if Wrong |
|---|---|---|
| Short JWT expiry | 1 hour or less | Token theft |
| Refresh token rotation | Enabled | Token reuse |
| Secure cookie flags | HttpOnly, Secure, SameSite | XSS, CSRF |
{
"auth_config": {
"timestamp": "2025-01-31T12:30:00Z",
"methods": {
"email": {
"enabled": true,
"signup_open": true,
"email_confirmation": false,
"min_password_length": 6
},
"phone": {
"enabled": true,
"provider": "twilio"
},
"magic_link": {
"enabled": true,
"otp_expiry": 300
},
"oauth": {
"enabled": true,
"providers": ["google", "github", "discord"]
},
"anonymous": {
"enabled": true
}
},
"findings": [
{
"severity": "P1",
"issue": "Email confirmation disabled",
"recommendation": "Enable email confirmation in dashboard"
}
]
}
}
// User can signup with any email
const { data, error } = await supabase.auth.signUp({
email: 'fake@example.com', // No verification needed
password: 'password123'
})
// User is immediately authenticated
// Weak password accepted
await supabase.auth.signUp({
email: 'user@example.com',
password: '123456' // Accepted with min length 6
})
If your app should only have admin-created users:
-- Disable public signup via dashboard
-- Or use invite-only flow
⚠️ This skill MUST update tracking files PROGRESSIVELY during execution, NOT just at the end.
DO NOT batch all writes at the end. Instead:
.sb-pentest-audit.log.sb-pentest-context.jsonThis ensures that if the skill is interrupted, crashes, or times out, all findings up to that point are preserved.
Update .sb-pentest-context.json with results:
{
"auth_config": {
"timestamp": "...",
"methods": { ... },
"findings": [ ... ]
}
}
Log to .sb-pentest-audit.log:
[TIMESTAMP] [supabase-audit-auth-config] [START] Auditing auth configuration
[TIMESTAMP] [supabase-audit-auth-config] [FINDING] P1: Email confirmation disabled
[TIMESTAMP] [supabase-audit-auth-config] [CONTEXT_UPDATED] .sb-pentest-context.json updated
If files don't exist, create them before writing.
FAILURE TO UPDATE CONTEXT FILES IS NOT ACCEPTABLE.
📁 Evidence Directory: .sb-pentest-evidence/05-auth-audit/
| File | Content |
|---|---|
auth-settings.json | Complete auth configuration |
{
"evidence_id": "AUTH-CFG-001",
"timestamp": "2025-01-31T10:50:00Z",
"category": "auth-audit",
"type": "auth_configuration",
"endpoint": "https://abc123def.supabase.co/auth/v1/",
"configuration": {
"email_auth": {
"enabled": true,
"signup_open": true,
"email_confirmation_required": false,
"min_password_length": 6
},
"phone_auth": {
"enabled": true,
"provider": "twilio"
},
"oauth_providers": ["google", "github", "discord"],
"anonymous_auth": true
},
"security_settings": {
"rate_limiting": {
"signup": "3/hour",
"token": "30/hour",
"recovery": "3/hour"
},
"jwt_expiry": 3600,
"cors_origins": "*"
},
"findings": [
{
"severity": "P1",
"issue": "Email confirmation disabled",
"impact": "Users can signup without verifying email",
"recommendation": "Enable email confirmation"
},
{
"severity": "P2",
"issue": "Weak password policy",
"impact": "Minimum 6 characters allows weak passwords",
"recommendation": "Increase to 8+ characters"
}
]
}
# === AUTH CONFIGURATION TESTS ===
# Test signup availability
curl -X POST "$SUPABASE_URL/auth/v1/signup" \
-H "apikey: $ANON_KEY" \
-H "Content-Type: application/json" \
-d '{"email": "test@example.com", "password": "test123456"}'
# Test password policy (weak password)
curl -X POST "$SUPABASE_URL/auth/v1/signup" \
-H "apikey: $ANON_KEY" \
-H "Content-Type: application/json" \
-d '{"email": "weak@example.com", "password": "123456"}'
supabase-audit-auth-signup — Test signup flowsupabase-audit-auth-users — Test user enumerationsupabase-audit-rls — Auth users need RLS protection