This skill analyzes Supabase authentication configuration for security weaknesses, generates progressive context updates, and surfaces actionable remediation.
```
npx playbooks add skill yoanbernabeu/supabase-pentest-skills --skill supabase-audit-auth-config
```
---
name: supabase-audit-auth-config
description: Analyze Supabase authentication configuration for security weaknesses and misconfigurations.
---
# Authentication Configuration Audit
> 🔴 **CRITICAL: PROGRESSIVE FILE UPDATES REQUIRED**
>
> You MUST write to context files **AS YOU GO**, not just at the end.
> - Write to `.sb-pentest-context.json` **IMMEDIATELY after each setting analyzed**
> - Log to `.sb-pentest-audit.log` **BEFORE and AFTER each test**
> - **DO NOT** wait until the skill completes to update files
> - If the skill crashes or is interrupted, all prior findings must already be saved
>
> **This is not optional. Failure to write progressively is a critical error.**

This skill analyzes the authentication configuration of a Supabase project.
## When to Use This Skill
- To review authentication security settings
- Before production deployment
- When auditing auth-related vulnerabilities
- As part of comprehensive security review
## Prerequisites
- Supabase URL and anon key available
- Detection completed
## Auth Endpoints
Supabase Auth (GoTrue) exposes:
```
https://[project].supabase.co/auth/v1/
```
| Endpoint | Purpose |
|----------|---------|
| `/auth/v1/settings` | Public settings (limited) |
| `/auth/v1/signup` | User registration |
| `/auth/v1/token` | Authentication |
| `/auth/v1/user` | Current user info |
| `/auth/v1/recover` | Password recovery |
## What Can Be Detected
From the public API, we can detect:
| Setting | Detection Method |
|---------|------------------|
| Email auth enabled | Attempt signup |
| Phone auth enabled | Check settings |
| OAuth providers | Check settings |
| Signup disabled | Attempt signup |
| Email confirmation | Signup response |
| Password requirements | Error messages |
## Usage
### Basic Auth Audit
```
Audit authentication configuration
```
### Check Specific Features
```
Check if signup is open and what providers are enabled
```
## Output Format
```
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
AUTHENTICATION CONFIGURATION AUDIT
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Project: abc123def.supabase.co
Auth Endpoint: https://abc123def.supabase.co/auth/v1/
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Authentication Methods
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Email/Password: ✅ Enabled
├── Signup: ✅ Open (anyone can register)
├── Email Confirmation: ❌ NOT REQUIRED ⚠️ P1 Issue
├── Password Min Length: 6 characters ⚠️ P2 Consider longer
└── Secure Password Check: Unknown
Phone/SMS: ✅ Enabled
└── Provider: Twilio
Magic Link: ✅ Enabled
└── OTP Expiry: 300 seconds (5 min)
OAuth Providers Detected: 3
├── Google: ✅ Enabled
├── GitHub: ✅ Enabled
└── Discord: ✅ Enabled
Anonymous Auth: ✅ Enabled ⚠️ Review if intended
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Security Settings
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Rate Limiting:
├── Signup: 3/hour per IP (good)
├── Token: 30/hour per IP (good)
└── Recovery: 3/hour per IP (good)
Session Configuration:
├── JWT Expiry: 3600 seconds (1 hour)
├── Refresh Token Rotation: Unknown
└── Inactivity Timeout: Unknown
Security Headers:
├── CORS: Configured
├── Allowed Origins: * (wildcard) ⚠️ P2 Consider restricting
└── Credentials: Allowed
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Findings
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🔴 P1: Email Confirmation Disabled
Issue: Users can sign up and immediately access the app
without verifying their email address.
Risks:
├── Fake accounts with invalid emails
├── Typosquatting ([email protected])
├── No verified communication channel
└── Potential for abuse
Recommendation:
Supabase Dashboard → Authentication → Email Templates
→ Enable "Confirm email"
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🟡 P2: Short Minimum Password Length
Issue: Minimum password length is 6 characters.
Recommendation: Increase to 8-12 characters minimum.
Supabase Dashboard → Authentication → Settings
→ Minimum password length
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🟡 P2: Wildcard CORS Origin
Issue: CORS allows requests from any origin (*).
Recommendation: Restrict to your domains only.
Supabase Dashboard → Authentication → URL Configuration
→ Site URL and Redirect URLs
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
ℹ️ INFO: Anonymous Auth Enabled
Note: Anonymous authentication is enabled.
This is fine if intentional (guest access).
Review if you expect all users to be authenticated.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Summary
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Auth Methods: 5 enabled
OAuth Providers: 3
Findings:
├── P1 (High): 1 - Email confirmation disabled
├── P2 (Medium): 2 - Password length, CORS
└── Info: 1 - Anonymous auth enabled
Recommended Actions:
1. Enable email confirmation
2. Increase minimum password length
3. Restrict CORS to specific domains
4. Review if anonymous auth is needed
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
```
## Security Checklist
### Email Authentication
| Setting | Recommended | Risk if Wrong |
|---------|-------------|---------------|
| Email Confirmation | ✅ Required | Fake accounts |
| Password Length | ≥8 chars | Weak passwords |
| Password Complexity | Enable | Easy to guess |
| Rate Limiting | Enable | Brute force |
### OAuth Configuration
| Setting | Recommended | Risk if Wrong |
|---------|-------------|---------------|
| Verified providers only | Yes | Account takeover |
| Proper redirect URLs | Specific URLs | OAuth redirect attacks |
| State parameter | Enabled | CSRF attacks |
### Session Security
| Setting | Recommended | Risk if Wrong |
|---------|-------------|---------------|
| Short JWT expiry | 1 hour or less | Token theft |
| Refresh token rotation | Enabled | Token reuse |
| Secure cookie flags | HttpOnly, Secure, SameSite | XSS, CSRF |
## Context Output
```json
{
"auth_config": {
"timestamp": "2025-01-31T12:30:00Z",
"methods": {
"email": {
"enabled": true,
"signup_open": true,
"email_confirmation": false,
"min_password_length": 6
},
"phone": {
"enabled": true,
"provider": "twilio"
},
"magic_link": {
"enabled": true,
"otp_expiry": 300
},
"oauth": {
"enabled": true,
"providers": ["google", "github", "discord"]
},
"anonymous": {
"enabled": true
}
},
"findings": [
{
"severity": "P1",
"issue": "Email confirmation disabled",
"recommendation": "Enable email confirmation in dashboard"
}
]
}
}
```
## Common Auth Vulnerabilities
### 1. No Email Confirmation
```javascript
// User can signup with any email
const { data, error } = await supabase.auth.signUp({
email: '[email protected]', // No verification needed
password: 'password123'
})
// User is immediately authenticated
```
### 2. Weak Password Policy
```javascript
// Weak password accepted
await supabase.auth.signUp({
email: '[email protected]',
password: '123456' // Accepted with min length 6
})
```
### 3. Open Signup When Not Needed
If your app should only have admin-created users:
```sql
-- Disable public signup via dashboard
-- Or use invite-only flow
```
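The three cases above, and the detection table earlier in this document ("Check settings", "Attempt signup", "Signup response", "Error messages"), come together in the following added example. It is not code from the skill or from supabase-js: it takes GoTrue's public `/auth/v1/settings` response plus two `signUp()` probe results (one valid password, one weak password) and produces the `methods` and `findings` objects this skill writes to `.sb-pentest-context.json`. The settings field names (`external`, `disable_signup`, `mailer_autoconfirm`, `sms_provider`, `external.anonymous_users`) and the error substrings matched (`signups not allowed`, `at least N characters`) are assumed to follow GoTrue's current responses and may change between versions; the sample inputs are constructed, not captured from a real project.

```javascript
// Added example (not part of this skill or of supabase-js): turn GoTrue's public
// /auth/v1/settings response plus two signUp() probe results into the "methods"
// and "findings" objects this skill writes to .sb-pentest-context.json.
// Assumptions: settings field names (external, disable_signup, mailer_autoconfirm,
// sms_provider, external.anonymous_users) follow GoTrue's settings response, and the
// error substrings matched below follow GoTrue's messages; both may change by version.

// Constructed sample of a /auth/v1/settings response (not from a real project).
const SAMPLE_SETTINGS = {
  external: {
    email: true, phone: true, anonymous_users: true,
    google: true, github: true, discord: true, apple: false, azure: false,
  },
  disable_signup: false,
  mailer_autoconfirm: true,   // true = no confirmation e-mail required
  phone_autoconfirm: false,
  sms_provider: 'twilio',
};

// Constructed signUp() results: one probe with a valid password, one with a weak one.
const SAMPLE_PROBES = {
  signupProbe: {
    data: {
      user: { id: 'constructed-user-id', email: 'probe@example.com' },
      session: { access_token: 'constructed-jwt' }, // a session here = logged in without confirming
    },
    error: null,
  },
  weakPasswordProbe: {
    data: { user: null, session: null },
    error: { message: 'Password should be at least 6 characters.' },
  },
};

// "external" entries that are first-party methods rather than OAuth providers.
const BUILTIN_METHODS = new Set(['email', 'phone', 'anonymous_users']);

// Classify one signUp() result ({ data, error } as supabase-js returns it).
function interpretSignupResponse({ data, error }) {
  const r = { accepted: false, sessionIssued: false, signupDisabled: false, minPasswordLength: null };
  if (error) {
    const msg = String(error.message || '');
    r.signupDisabled = /signups not allowed/i.test(msg);
    const m = msg.match(/at least (\d+) characters/i);
    if (m) r.minPasswordLength = Number(m[1]);
    return r;
  }
  r.accepted = Boolean(data && data.user);
  r.sessionIssued = Boolean(data && data.session);
  return r;
}

// Build the context "methods" block and the findings list from settings + probes.
function auditAuthConfig(settings, probes) {
  const ext = settings.external || {};
  const signup = interpretSignupResponse(probes.signupProbe);
  const weak = interpretSignupResponse(probes.weakPasswordProbe);
  const oauthProviders = Object.keys(ext)
    .filter((k) => ext[k] === true && !BUILTIN_METHODS.has(k))
    .sort();

  const methods = {
    email: {
      enabled: ext.email === true,
      signup_open: settings.disable_signup !== true && !signup.signupDisabled,
      // Confirmation counts as enforced only when the settings say so AND the
      // probe signup did not come back with a session.
      email_confirmation: settings.mailer_autoconfirm !== true && !signup.sessionIssued,
      min_password_length: weak.minPasswordLength,      // null when no length hint was returned
      weak_password_accepted: weak.accepted,            // the 6-character probe went through
    },
    phone: { enabled: ext.phone === true, provider: settings.sms_provider || null },
    oauth: { enabled: oauthProviders.length > 0, providers: oauthProviders },
    anonymous: { enabled: ext.anonymous_users === true },
  };

  const findings = [];
  if (methods.email.enabled && methods.email.signup_open && !methods.email.email_confirmation) {
    findings.push({ severity: 'P1', issue: 'Email confirmation disabled',
      recommendation: 'Enable "Confirm email" (Dashboard → Authentication → Email Templates)' });
  }
  const len = methods.email.min_password_length;
  if (methods.email.weak_password_accepted || (len !== null && len < 8)) {
    findings.push({ severity: 'P2', issue: 'Short minimum password length',
      recommendation: 'Raise the minimum password length to 8+ characters' });
  }
  if (methods.anonymous.enabled) {
    findings.push({ severity: 'INFO', issue: 'Anonymous auth enabled',
      recommendation: 'Confirm that guest access is intended' });
  }
  return { methods, findings };
}
```

Two design points: `email_confirmation` is only reported as enforced when both sources agree (settings say confirmation is on and the probe signup did not return a session), so a contradictory pair surfaces as a P1 rather than being hidden; and `min_password_length` stays `null` when the weak-password probe returned no length hint, so the report shows "Unknown" instead of guessing.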
## Remediation Examples
### Enable Email Confirmation
1. Supabase Dashboard → Authentication → Email Templates
2. Enable "Confirm email"
3. Customize confirmation email template
4. Handle unconfirmed users in your app
### Strengthen Password Requirements
1. Dashboard → Authentication → Settings
2. Set minimum length to 8+
3. Consider enabling password strength checks
### Restrict CORS
1. Dashboard → Authentication → URL Configuration
2. Set specific Site URL
3. Add only your domains to Redirect URLs
4. Remove wildcard entries
## MANDATORY: Progressive Context File Updates
⚠️ **This skill MUST update tracking files PROGRESSIVELY during execution, NOT just at the end.**
### Critical Rule: Write As You Go
**DO NOT** batch all writes at the end. Instead:
1. **Before checking each auth method** → Log the action to `.sb-pentest-audit.log`
2. **After each configuration analyzed** → Immediately update `.sb-pentest-context.json`
3. **After each finding discovered** → Log the severity immediately
This ensures that if the skill is interrupted, crashes, or times out, all findings up to that point are preserved.
### Required Actions (Progressive)
1. **Update `.sb-pentest-context.json`** with results:
```json
{
"auth_config": {
"timestamp": "...",
"methods": { ... },
"findings": [ ... ]
}
}
```
2. **Log to `.sb-pentest-audit.log`**:
```
[TIMESTAMP] [supabase-audit-auth-config] [START] Auditing auth configuration
[TIMESTAMP] [supabase-audit-auth-config] [FINDING] P1: Email confirmation disabled
[TIMESTAMP] [supabase-audit-auth-config] [CONTEXT_UPDATED] .sb-pentest-context.json updated
```
3. **If files don't exist**, create them before writing.
**FAILURE TO UPDATE CONTEXT FILES IS NOT ACCEPTABLE.**
## MANDATORY: Evidence Collection
📁 **Evidence Directory:** `.sb-pentest-evidence/05-auth-audit/`
### Evidence Files to Create
| File | Content |
|------|---------|
| `auth-settings.json` | Complete auth configuration |
### Evidence Format
```json
{
"evidence_id": "AUTH-CFG-001",
"timestamp": "2025-01-31T10:50:00Z",
"category": "auth-audit",
"type": "auth_configuration",
"endpoint": "https://abc123def.supabase.co/auth/v1/",
"configuration": {
"email_auth": {
"enabled": true,
"signup_open": true,
"email_confirmation_required": false,
"min_password_length": 6
},
"phone_auth": {
"enabled": true,
"provider": "twilio"
},
"oauth_providers": ["google", "github", "discord"],
"anonymous_auth": true
},
"security_settings": {
"rate_limiting": {
"signup": "3/hour",
"token": "30/hour",
"recovery": "3/hour"
},
"jwt_expiry": 3600,
"cors_origins": "*"
},
"findings": [
{
"severity": "P1",
"issue": "Email confirmation disabled",
"impact": "Users can signup without verifying email",
"recommendation": "Enable email confirmation"
},
{
"severity": "P2",
"issue": "Weak password policy",
"impact": "Minimum 6 characters allows weak passwords",
"recommendation": "Increase to 8+ characters"
}
]
}
```
### Add to curl-commands.sh
```bash
# === AUTH CONFIGURATION TESTS ===
# Test signup availability
curl -X POST "$SUPABASE_URL/auth/v1/signup" \
-H "apikey: $ANON_KEY" \
-H "Content-Type: application/json" \
-d '{"email": "[email protected]", "password": "test123456"}'
# Test password policy (weak password)
curl -X POST "$SUPABASE_URL/auth/v1/signup" \
-H "apikey: $ANON_KEY" \
-H "Content-Type: application/json" \
-d '{"email": "[email protected]", "password": "123456"}'
```
## Related Skills
- `supabase-audit-auth-signup` → Test signup flow
- `supabase-audit-auth-users` → Test user enumeration
- `supabase-audit-rls` → Auth users need RLS protection
This skill analyzes a Supabase project's authentication configuration to detect misconfigurations and security weaknesses. It produces actionable findings, severity levels, and remediation steps to harden email, phone, magic link, OAuth, anonymous auth, session, and CORS settings. The audit is designed to run against the public Auth (GoTrue) endpoints and outputs structured evidence and recommendations.
The skill probes the Supabase auth/v1 endpoints to enumerate enabled auth methods and settings by attempting safe API calls and parsing public settings and responses. It detects signup availability, email confirmation behavior, password policy indicators, OAuth providers, magic link and phone settings, session parameters, and basic rate limiting and CORS behavior. Results are compiled into findings with severity, recommended fixes, and machine-readable evidence for reporting.
**What inputs does the skill require?**
The audit needs the Supabase project URL and an anon key to exercise public auth endpoints and collect settings.
**Can it change configuration or only read and test?**
The skill only reads and tests authentication behavior via public endpoints and recommends dashboard changes; it does not modify project settings.
**What evidence formats are produced?**
It emits a JSON evidence file describing auth configuration, a timestamped findings list, and the curl commands used for testing, for reproducibility.