Authentication Configuration Audit
π΄ CRITICAL: PROGRESSIVE FILE UPDATES REQUIRED
You MUST write to context files AS YOU GO, not just at the end.
- Write to
.sb-pentest-context.jsonIMMEDIATELY after each setting analyzed- Log to
.sb-pentest-audit.logBEFORE and AFTER each test- DO NOT wait until the skill completes to update files
- If the skill crashes or is interrupted, all prior findings must already be saved
This is not optional. Failure to write progressively is a critical error.
This skill analyzes the authentication configuration of a Supabase project.
When to Use This Skill
- To review authentication security settings
- Before production deployment
- When auditing auth-related vulnerabilities
- As part of comprehensive security review
Prerequisites
- Supabase URL and anon key available
- Detection completed
Auth Endpoints
Supabase Auth (GoTrue) exposes:
https://[project].supabase.co/auth/v1/
| Endpoint | Purpose |
|----------|---------|
| /auth/v1/settings | Public settings (limited) |
| /auth/v1/signup | User registration |
| /auth/v1/token | Authentication |
| /auth/v1/user | Current user info |
| /auth/v1/recover | Password recovery |
What Can Be Detected
From the public API, we can detect:
| Setting | Detection Method | |---------|------------------| | Email auth enabled | Attempt signup | | Phone auth enabled | Check settings | | OAuth providers | Check settings | | Signup disabled | Attempt signup | | Email confirmation | Signup response | | Password requirements | Error messages |
Usage
Basic Auth Audit
Audit authentication configuration
Check Specific Features
Check if signup is open and what providers are enabled
Output Format
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
AUTHENTICATION CONFIGURATION AUDIT
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Project: abc123def.supabase.co
Auth Endpoint: https://abc123def.supabase.co/auth/v1/
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Authentication Methods
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Email/Password: β
Enabled
βββ Signup: β
Open (anyone can register)
βββ Email Confirmation: β NOT REQUIRED β P1 Issue
βββ Password Min Length: 6 characters β P2 Consider longer
βββ Secure Password Check: Unknown
Phone/SMS: β
Enabled
βββ Provider: Twilio
Magic Link: β
Enabled
βββ OTP Expiry: 300 seconds (5 min)
OAuth Providers Detected: 3
βββ Google: β
Enabled
βββ GitHub: β
Enabled
βββ Discord: β
Enabled
Anonymous Auth: β
Enabled β Review if intended
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Security Settings
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Rate Limiting:
βββ Signup: 3/hour per IP (good)
βββ Token: 30/hour per IP (good)
βββ Recovery: 3/hour per IP (good)
Session Configuration:
βββ JWT Expiry: 3600 seconds (1 hour)
βββ Refresh Token Rotation: Unknown
βββ Inactivity Timeout: Unknown
Security Headers:
βββ CORS: Configured
βββ Allowed Origins: * (wildcard) β P2 Consider restricting
βββ Credentials: Allowed
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Findings
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
π P1: Email Confirmation Disabled
Issue: Users can signup and immediately access the app
without verifying their email address.
Risks:
βββ Fake accounts with invalid emails
βββ Typosquatting (user@gmial.com)
βββ No verified communication channel
βββ Potential for abuse
Recommendation:
Supabase Dashboard β Authentication β Email Templates
β Enable "Confirm email"
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
π‘ P2: Short Minimum Password Length
Issue: Minimum password length is 6 characters.
Recommendation: Increase to 8-12 characters minimum.
Supabase Dashboard β Authentication β Settings
β Minimum password length
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
π‘ P2: Wildcard CORS Origin
Issue: CORS allows requests from any origin (*).
Recommendation: Restrict to your domains only.
Supabase Dashboard β Authentication β URL Configuration
β Site URL and Redirect URLs
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
βΉοΈ INFO: Anonymous Auth Enabled
Note: Anonymous authentication is enabled.
This is fine if intentional (guest access).
Review if you expect all users to be authenticated.
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Summary
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Auth Methods: 5 enabled
OAuth Providers: 3
Findings:
βββ P1 (High): 1 - Email confirmation disabled
βββ P2 (Medium): 2 - Password length, CORS
βββ Info: 1 - Anonymous auth enabled
Recommended Actions:
1. Enable email confirmation
2. Increase minimum password length
3. Restrict CORS to specific domains
4. Review if anonymous auth is needed
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Security Checklist
Email Authentication
| Setting | Recommended | Risk if Wrong | |---------|-------------|---------------| | Email Confirmation | β Required | Fake accounts | | Password Length | β₯8 chars | Weak passwords | | Password Complexity | Enable | Easy to guess | | Rate Limiting | Enable | Brute force |
OAuth Configuration
| Setting | Recommended | Risk if Wrong | |---------|-------------|---------------| | Verified providers only | Yes | Account takeover | | Proper redirect URLs | Specific URLs | OAuth redirect attacks | | State parameter | Enabled | CSRF attacks |
Session Security
| Setting | Recommended | Risk if Wrong | |---------|-------------|---------------| | Short JWT expiry | 1 hour or less | Token theft | | Refresh token rotation | Enabled | Token reuse | | Secure cookie flags | HttpOnly, Secure, SameSite | XSS, CSRF |
Context Output
{
"auth_config": {
"timestamp": "2025-01-31T12:30:00Z",
"methods": {
"email": {
"enabled": true,
"signup_open": true,
"email_confirmation": false,
"min_password_length": 6
},
"phone": {
"enabled": true,
"provider": "twilio"
},
"magic_link": {
"enabled": true,
"otp_expiry": 300
},
"oauth": {
"enabled": true,
"providers": ["google", "github", "discord"]
},
"anonymous": {
"enabled": true
}
},
"findings": [
{
"severity": "P1",
"issue": "Email confirmation disabled",
"recommendation": "Enable email confirmation in dashboard"
}
]
}
}
Common Auth Vulnerabilities
1. No Email Confirmation
// User can signup with any email
const { data, error } = await supabase.auth.signUp({
email: 'fake@example.com', // No verification needed
password: 'password123'
})
// User is immediately authenticated
2. Weak Password Policy
// Weak password accepted
await supabase.auth.signUp({
email: 'user@example.com',
password: '123456' // Accepted with min length 6
})
3. Open Signup When Not Needed
If your app should only have admin-created users:
-- Disable public signup via dashboard
-- Or use invite-only flow
Remediation Examples
Enable Email Confirmation
- Supabase Dashboard β Authentication β Email Templates
- Enable "Confirm email"
- Customize confirmation email template
- Handle unconfirmed users in your app
Strengthen Password Requirements
- Dashboard β Authentication β Settings
- Set minimum length to 8+
- Consider enabling password strength checks
Restrict CORS
- Dashboard β Authentication β URL Configuration
- Set specific Site URL
- Add only your domains to Redirect URLs
- Remove wildcard entries
MANDATORY: Progressive Context File Updates
β οΈ This skill MUST update tracking files PROGRESSIVELY during execution, NOT just at the end.
Critical Rule: Write As You Go
DO NOT batch all writes at the end. Instead:
- Before checking each auth method β Log the action to
.sb-pentest-audit.log - After each configuration analyzed β Immediately update
.sb-pentest-context.json - After each finding discovered β Log the severity immediately
This ensures that if the skill is interrupted, crashes, or times out, all findings up to that point are preserved.
Required Actions (Progressive)
-
Update
.sb-pentest-context.jsonwith results:{ "auth_config": { "timestamp": "...", "methods": { ... }, "findings": [ ... ] } } -
Log to
.sb-pentest-audit.log:[TIMESTAMP] [supabase-audit-auth-config] [START] Auditing auth configuration [TIMESTAMP] [supabase-audit-auth-config] [FINDING] P1: Email confirmation disabled [TIMESTAMP] [supabase-audit-auth-config] [CONTEXT_UPDATED] .sb-pentest-context.json updated -
If files don't exist, create them before writing.
FAILURE TO UPDATE CONTEXT FILES IS NOT ACCEPTABLE.
MANDATORY: Evidence Collection
π Evidence Directory: .sb-pentest-evidence/05-auth-audit/
Evidence Files to Create
| File | Content |
|------|---------|
| auth-settings.json | Complete auth configuration |
Evidence Format
{
"evidence_id": "AUTH-CFG-001",
"timestamp": "2025-01-31T10:50:00Z",
"category": "auth-audit",
"type": "auth_configuration",
"endpoint": "https://abc123def.supabase.co/auth/v1/",
"configuration": {
"email_auth": {
"enabled": true,
"signup_open": true,
"email_confirmation_required": false,
"min_password_length": 6
},
"phone_auth": {
"enabled": true,
"provider": "twilio"
},
"oauth_providers": ["google", "github", "discord"],
"anonymous_auth": true
},
"security_settings": {
"rate_limiting": {
"signup": "3/hour",
"token": "30/hour",
"recovery": "3/hour"
},
"jwt_expiry": 3600,
"cors_origins": "*"
},
"findings": [
{
"severity": "P1",
"issue": "Email confirmation disabled",
"impact": "Users can signup without verifying email",
"recommendation": "Enable email confirmation"
},
{
"severity": "P2",
"issue": "Weak password policy",
"impact": "Minimum 6 characters allows weak passwords",
"recommendation": "Increase to 8+ characters"
}
]
}
Add to curl-commands.sh
# === AUTH CONFIGURATION TESTS ===
# Test signup availability
curl -X POST "$SUPABASE_URL/auth/v1/signup" \
-H "apikey: $ANON_KEY" \
-H "Content-Type: application/json" \
-d '{"email": "test@example.com", "password": "test123456"}'
# Test password policy (weak password)
curl -X POST "$SUPABASE_URL/auth/v1/signup" \
-H "apikey: $ANON_KEY" \
-H "Content-Type: application/json" \
-d '{"email": "weak@example.com", "password": "123456"}'
Related Skills
supabase-audit-auth-signupβ Test signup flowsupabase-audit-auth-usersβ Test user enumerationsupabase-audit-rlsβ Auth users need RLS protection