supabase-audit-auth-config
// Analyze Supabase authentication configuration for security weaknesses and misconfigurations.
| name | supabase-audit-auth-config |
| description | Analyze Supabase authentication configuration for security weaknesses and misconfigurations. |
🔴 CRITICAL: PROGRESSIVE FILE UPDATES REQUIRED

You MUST write to context files AS YOU GO, not just at the end.

- Write to `.sb-pentest-context.json` IMMEDIATELY after each setting analyzed
- Log to `.sb-pentest-audit.log` BEFORE and AFTER each test
- DO NOT wait until the skill completes to update files
- If the skill crashes or is interrupted, all prior findings must already be saved

This is not optional. Failure to write progressively is a critical error.
This skill analyzes the authentication configuration of a Supabase project.
Supabase Auth (GoTrue) exposes:
https://[project].supabase.co/auth/v1/
| Endpoint | Purpose |
|---|---|
| /auth/v1/settings | Public settings (limited) |
| /auth/v1/signup | User registration |
| /auth/v1/token | Authentication |
| /auth/v1/user | Current user info |
| /auth/v1/recover | Password recovery |
From the public API, we can detect:
| Setting | Detection Method |
|---|---|
| Email auth enabled | Attempt signup |
| Phone auth enabled | Check settings |
| OAuth providers | Check settings |
| Signup disabled | Attempt signup |
| Email confirmation | Signup response |
| Password requirements | Error messages |
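The detection logic the table above describes, written out as an added example that is not part of the original skill: it reads a constructed copy of the public settings response and a constructed weak-password signup error, and derives the same P1/P2 findings this skill reports. The GoTrue field names (`external`, `disable_signup`, `mailer_autoconfirm`, `sms_provider`) and the error wording are assumptions about the GoTrue API, not values taken from this page.

```python
import json
import re

# Constructed sample of what GET /auth/v1/settings returns for a project. The field
# names (external, disable_signup, mailer_autoconfirm, sms_provider) are assumptions
# about the GoTrue response shape, not taken from the skill page.
SAMPLE_SETTINGS = json.loads("""{
  "external": {"email": true, "phone": true, "google": true, "github": true,
               "discord": true, "apple": false, "azure": false},
  "disable_signup": false,
  "mailer_autoconfirm": true,
  "phone_autoconfirm": false,
  "sms_provider": "twilio"
}""")

# Constructed error body from a signup attempt with a too-short password.
SAMPLE_PASSWORD_ERROR = {"code": 422, "msg": "Password should be at least 6 characters"}

def min_password_length(error_body):
    """Extract the minimum length announced in the weak-password error message."""
    m = re.search(r"at least (\d+) characters", error_body.get("msg", ""))
    return int(m.group(1)) if m else None

def audit_settings(settings, password_error=None):
    """Map the public settings onto the findings this skill reports (P1/P2)."""
    ext = settings.get("external", {})
    providers = sorted(p for p, on in ext.items() if on and p not in ("email", "phone"))
    findings = []
    if ext.get("email") and not settings.get("disable_signup"):
        # mailer_autoconfirm == true means accounts are usable without clicking a link
        if settings.get("mailer_autoconfirm"):
            findings.append(("P1", "Email confirmation disabled"))
    if password_error is not None:
        n = min_password_length(password_error)
        if n is not None and n < 8:
            findings.append(("P2", f"Short minimum password length ({n})"))
    return {
        "signup_open": not settings.get("disable_signup", False),
        "email_confirmation": not settings.get("mailer_autoconfirm", False),
        "phone_provider": settings.get("sms_provider") if ext.get("phone") else None,
        "oauth_providers": providers,
        "findings": findings,
    }

if __name__ == "__main__":
    print(json.dumps(audit_settings(SAMPLE_SETTINGS, SAMPLE_PASSWORD_ERROR), indent=2))
```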
Audit authentication configuration
Check if signup is open and what providers are enabled
```text
═══════════════════════════════════════════════════════════
AUTHENTICATION CONFIGURATION AUDIT
═══════════════════════════════════════════════════════════

Project: abc123def.supabase.co
Auth Endpoint: https://abc123def.supabase.co/auth/v1/

─────────────────────────────────────────────────────────
Authentication Methods
─────────────────────────────────────────────────────────

Email/Password: ✅ Enabled
├── Signup: ✅ Open (anyone can register)
├── Email Confirmation: ❌ NOT REQUIRED ⚠️ P1 Issue
├── Password Min Length: 6 characters ⚠️ P2 Consider longer
└── Secure Password Check: Unknown

Phone/SMS: ✅ Enabled
└── Provider: Twilio

Magic Link: ✅ Enabled
└── OTP Expiry: 300 seconds (5 min)

OAuth Providers Detected: 3
├── Google: ✅ Enabled
├── GitHub: ✅ Enabled
└── Discord: ✅ Enabled

Anonymous Auth: ✅ Enabled ⚠️ Review if intended

─────────────────────────────────────────────────────────
Security Settings
─────────────────────────────────────────────────────────

Rate Limiting:
├── Signup: 3/hour per IP (good)
├── Token: 30/hour per IP (good)
└── Recovery: 3/hour per IP (good)

Session Configuration:
├── JWT Expiry: 3600 seconds (1 hour)
├── Refresh Token Rotation: Unknown
└── Inactivity Timeout: Unknown

Security Headers:
├── CORS: Configured
├── Allowed Origins: * (wildcard) ⚠️ P2 Consider restricting
└── Credentials: Allowed

─────────────────────────────────────────────────────────
Findings
─────────────────────────────────────────────────────────

🔴 P1: Email Confirmation Disabled
Issue: Users can signup and immediately access the app
without verifying their email address.

Risks:
├── Fake accounts with invalid emails
├── Typosquatting (user@gmial.com)
├── No verified communication channel
└── Potential for abuse

Recommendation:
Supabase Dashboard → Authentication → Email Templates
→ Enable "Confirm email"

─────────────────────────────────────────────────────────
🟡 P2: Short Minimum Password Length
Issue: Minimum password length is 6 characters.
Recommendation: Increase to 8-12 characters minimum.
Supabase Dashboard → Authentication → Settings
→ Minimum password length

─────────────────────────────────────────────────────────
🟡 P2: Wildcard CORS Origin
Issue: CORS allows requests from any origin (*).
Recommendation: Restrict to your domains only.
Supabase Dashboard → Authentication → URL Configuration
→ Site URL and Redirect URLs

─────────────────────────────────────────────────────────
ℹ️ INFO: Anonymous Auth Enabled
Note: Anonymous authentication is enabled.
This is fine if intentional (guest access).
Review if you expect all users to be authenticated.

─────────────────────────────────────────────────────────
Summary
─────────────────────────────────────────────────────────

Auth Methods: 5 enabled
OAuth Providers: 3

Findings:
├── P1 (High): 1 - Email confirmation disabled
├── P2 (Medium): 2 - Password length, CORS
└── Info: 1 - Anonymous auth enabled

Recommended Actions:
1. Enable email confirmation
2. Increase minimum password length
3. Restrict CORS to specific domains
4. Review if anonymous auth is needed
═══════════════════════════════════════════════════════════
```
| Setting | Recommended | Risk if Wrong |
|---|---|---|
| Email Confirmation | ā Required | Fake accounts |
| Password Length | ā„8 chars | Weak passwords |
| Password Complexity | Enable | Easy to guess |
| Rate Limiting | Enable | Brute force |
| Setting | Recommended | Risk if Wrong |
|---|---|---|
| Verified providers only | Yes | Account takeover |
| Proper redirect URLs | Specific URLs | OAuth redirect attacks |
| State parameter | Enabled | CSRF attacks |
| Setting | Recommended | Risk if Wrong |
|---|---|---|
| Short JWT expiry | 1 hour or less | Token theft |
| Refresh token rotation | Enabled | Token reuse |
| Secure cookie flags | HttpOnly, Secure, SameSite | XSS, CSRF |
```json
{
  "auth_config": {
    "timestamp": "2025-01-31T12:30:00Z",
    "methods": {
      "email": {
        "enabled": true,
        "signup_open": true,
        "email_confirmation": false,
        "min_password_length": 6
      },
      "phone": {
        "enabled": true,
        "provider": "twilio"
      },
      "magic_link": {
        "enabled": true,
        "otp_expiry": 300
      },
      "oauth": {
        "enabled": true,
        "providers": ["google", "github", "discord"]
      },
      "anonymous": {
        "enabled": true
      }
    },
    "findings": [
      {
        "severity": "P1",
        "issue": "Email confirmation disabled",
        "recommendation": "Enable email confirmation in dashboard"
      }
    ]
  }
}
```
```javascript
import { createClient } from '@supabase/supabase-js'

// Project URL and anon key shown as placeholders (the anon key is public by design)
const supabase = createClient('https://[project].supabase.co', '<anon-key>')

// User can signup with any email
const { data, error } = await supabase.auth.signUp({
  email: 'fake@example.com', // No verification needed
  password: 'password123'
})
// User is immediately authenticated: data.session is returned without email confirmation

// Weak password accepted
await supabase.auth.signUp({
  email: 'user@example.com',
  password: '123456' // Accepted with min length 6
})
```
If your app should only have admin-created users:

- Disable public signup via dashboard
- Or use invite-only flow
⚠️ This skill MUST update tracking files PROGRESSIVELY during execution, NOT just at the end.

DO NOT batch all writes at the end. Instead:

- Append to `.sb-pentest-audit.log` before and after each test
- Update `.sb-pentest-context.json` after each setting analyzed

This ensures that if the skill is interrupted, crashes, or times out, all findings up to that point are preserved.
Update `.sb-pentest-context.json` with results:

```json
{
  "auth_config": {
    "timestamp": "...",
    "methods": { ... },
    "findings": [ ... ]
  }
}
```
Log to `.sb-pentest-audit.log`:

```text
[TIMESTAMP] [supabase-audit-auth-config] [START] Auditing auth configuration
[TIMESTAMP] [supabase-audit-auth-config] [FINDING] P1: Email confirmation disabled
[TIMESTAMP] [supabase-audit-auth-config] [CONTEXT_UPDATED] .sb-pentest-context.json updated
```
If files don't exist, create them before writing.
FAILURE TO UPDATE CONTEXT FILES IS NOT ACCEPTABLE.
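One way to implement the progressive-write rule above, as an added example that is not part of the original skill: each analyzed setting is merged into `.sb-pentest-context.json` and the file is replaced atomically, while log lines in the `[TIMESTAMP] [skill] [TAG] message` format are written before and after. The function names and the `TEST` tag are assumptions; the `FINDING` and `CONTEXT_UPDATED` tags and the file names come from the page.

```python
import json
import os
from datetime import datetime, timezone

CONTEXT_FILE = ".sb-pentest-context.json"
AUDIT_LOG = ".sb-pentest-audit.log"
SKILL = "supabase-audit-auth-config"

def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def log_event(tag, message, log_path=AUDIT_LOG):
    """Append one line in the skill's log format; append mode creates a missing file."""
    line = f"[{_now()}] [{SKILL}] [{tag}] {message}"
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(line + "\n")
    return line

def _load_context(path):
    if not os.path.exists(path):
        return {}
    with open(path, encoding="utf-8") as f:
        return json.load(f)

def _save_context(ctx, path):
    # Write a sibling temp file, then rename over the original: a crash mid-write
    # leaves either the old or the new context on disk, never a truncated one.
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as f:
        json.dump(ctx, f, indent=2)
    os.replace(tmp, path)

def record_setting(method, setting, value, context_path=CONTEXT_FILE, log_path=AUDIT_LOG):
    """Persist one analyzed setting immediately, bracketed by BEFORE/AFTER log lines."""
    log_event("TEST", f"Analyzing {method}.{setting}", log_path)  # 'TEST' tag is assumed
    ctx = _load_context(context_path)
    auth = ctx.setdefault("auth_config", {})
    auth["timestamp"] = _now()
    auth.setdefault("methods", {}).setdefault(method, {})[setting] = value
    _save_context(ctx, context_path)
    log_event("CONTEXT_UPDATED", f"{context_path} updated ({method}.{setting})", log_path)
    return ctx

def record_finding(severity, issue, recommendation, context_path=CONTEXT_FILE, log_path=AUDIT_LOG):
    """Append a finding and persist it before the next test starts."""
    ctx = _load_context(context_path)
    findings = ctx.setdefault("auth_config", {}).setdefault("findings", [])
    findings.append({"severity": severity, "issue": issue, "recommendation": recommendation})
    _save_context(ctx, context_path)
    log_event("FINDING", f"{severity}: {issue}", log_path)
    log_event("CONTEXT_UPDATED", f"{context_path} updated", log_path)
    return ctx
```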
📁 Evidence Directory: `.sb-pentest-evidence/05-auth-audit/`

| File | Content |
|---|---|
| auth-settings.json | Complete auth configuration |
```json
{
  "evidence_id": "AUTH-CFG-001",
  "timestamp": "2025-01-31T10:50:00Z",
  "category": "auth-audit",
  "type": "auth_configuration",
  "endpoint": "https://abc123def.supabase.co/auth/v1/",
  "configuration": {
    "email_auth": {
      "enabled": true,
      "signup_open": true,
      "email_confirmation_required": false,
      "min_password_length": 6
    },
    "phone_auth": {
      "enabled": true,
      "provider": "twilio"
    },
    "oauth_providers": ["google", "github", "discord"],
    "anonymous_auth": true
  },
  "security_settings": {
    "rate_limiting": {
      "signup": "3/hour",
      "token": "30/hour",
      "recovery": "3/hour"
    },
    "jwt_expiry": 3600,
    "cors_origins": "*"
  },
  "findings": [
    {
      "severity": "P1",
      "issue": "Email confirmation disabled",
      "impact": "Users can signup without verifying email",
      "recommendation": "Enable email confirmation"
    },
    {
      "severity": "P2",
      "issue": "Weak password policy",
      "impact": "Minimum 6 characters allows weak passwords",
      "recommendation": "Increase to 8+ characters"
    }
  ]
}
```
```bash
# === AUTH CONFIGURATION TESTS ===

# Test signup availability
curl -X POST "$SUPABASE_URL/auth/v1/signup" \
  -H "apikey: $ANON_KEY" \
  -H "Content-Type: application/json" \
  -d '{"email": "test@example.com", "password": "test123456"}'

# Test password policy (weak password)
curl -X POST "$SUPABASE_URL/auth/v1/signup" \
  -H "apikey: $ANON_KEY" \
  -H "Content-Type: application/json" \
  -d '{"email": "weak@example.com", "password": "123456"}'
```
- supabase-audit-auth-signup → Test signup flow
- supabase-audit-auth-users → Test user enumeration
- supabase-audit-rls → Auth users need RLS protection