supabase-extract-anon-key

Supabase Anon Key Extraction 🔴 CRITICAL: PROGRESSIVE FILE UPDATES REQUIRED You MUST write to context files AS YOU GO , not just at the end. Write to .sb-pentest-context.json IMMEDIATELY after each discovery Log to .sb-pentest-audit.log BEFORE and AFTER each action DO NOT wait until the skill completes to update files If the skill crashes or is interrupted, all prior findings must already be saved This is not optional. Failure to write progressively is a critical error. This skill extracts the Supabase anonymous (public) API key from client-side code. When to Use This Skill After extracting the Supabase URL, to get the API key for testing To verify that only the anon key (not service key) is exposed Before running API audit skills that require authentication Prerequisites Supabase URL extracted (or will auto-invoke supabase-extract-url ) Target application accessible Understanding Anon Keys The anon key (also called public key) is: ✅ Expected to be in client-side code ✅ Safe when RLS (Row Level Security) is properly configured ⚠️ Risky if RLS is missing or misconfigured ❌ Not the same as the service_role key (which should NEVER be in client code) Key Format Supabase anon keys are JWTs: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImFiYzEyMyIsInJvbGUiOiJhbm9uIiwiaWF0IjoxNjQwMDAwMDAwLCJleHAiOjE5NTUzNjAwMDB9.xxxx Key characteristics: Starts with eyJ (base64 encoded {"alg": ) Contains "role":"anon" in payload Project reference in "ref" claim Extraction Patterns The skill searches for: 1. Direct Key Assignment const SUPABASE_KEY = 'eyJhbGci...' const SUPABASE_ANON_KEY = 'eyJhbGci...' 2. Client Initialization createClient ( url , 'eyJhbGci...' ) createClient ( url , process . env . NEXT_PUBLIC_SUPABASE_ANON_KEY ) 3. Environment Variable Patterns NEXT_PUBLIC_SUPABASE_ANON_KEY VITE_SUPABASE_ANON_KEY REACT_APP_SUPABASE_KEY SUPABASE_KEY Usage Basic Extraction Extract Supabase anon key from https://myapp.example.com If URL Already Known Extract anon key for project abc123def Output Format ═══════════════════════════════════════════════════════════ ANON KEY EXTRACTED ═══════════════════════════════════════════════════════════ Key Type: anon (public) Severity: ℹ️ Expected (verify RLS configuration) Key: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJz dXBhYmFzZSIsInJlZiI6ImFiYzEyM2RlZiIsInJvbGUiOiJhbm 9uIiwiaWF0IjoxNjQwMDAwMDAwLCJleHAiOjE5NTUzNjAwMDB9 .xxxxxxxxxxxxx Decoded Payload: ├── iss: supabase ├── ref: abc123def ├── role: anon ├── iat: 2021-12-20T00:00:00Z └── exp: 2031-12-20T00:00:00Z Found in: └── /static/js/main.js (line 1253) createClient('https://abc123def.supabase.co', 'eyJhbGci...') Next Steps: ├── Run supabase-audit-rls to test if RLS protects your data ├── Run supabase-audit-tables-read to see what's accessible └── Run supabase-extract-service-key to check for critical leaks Context updated: .sb-pentest-context.json ═══════════════════════════════════════════════════════════ Key Validation The skill validates the extracted key: Validation: ├── Format: ✅ Valid JWT structure ├── Decode: ✅ Payload readable ├── Role: ✅ Confirmed "anon" role ├── Project: ✅ Matches extracted URL (abc123def) └── Expiry: ✅ Not expired (expires 2031-12-20) Multiple Keys If multiple keys are found: ═══════════════════════════════════════════════════════════ MULTIPLE KEYS FOUND ═══════════════════════════════════════════════════════════ ⚠️ 2 potential Supabase keys detected 1. Anon Key (confirmed) └── Role: anon, Project: abc123def 2. Unknown Key └── Role: service_role ⚠️ SEE supabase-extract-service-key This may be a CRITICAL security issue! ═══════════════════════════════════════════════════════════ Context Output Saved to .sb-pentest-context.json : { "supabase" : { "anon_key" : "eyJhbGci..." , "anon_key_decoded" : { "iss" : "supabase" , "ref" : "abc123def" , "role" : "anon" , "iat" : 1640000000 , "exp" : 1955360000 } , "anon_key_sources" : [ { "file" : "/static/js/main.js" , "line" : 1253 } ] } } Security Assessment Finding Severity Description Anon key in client ℹ️ Info Expected, but test RLS Anon key expired ⚠️ P2 Key should be rotated Multiple anon keys ⚠️ P2 May indicate key rotation issues Role is not "anon" 🔴 P0 Wrong key type exposed! Common Issues ❌ Problem: Key found but won't decode ✅ Solution: May be obfuscated or split. Try: Extract anon key with deobfuscation from https://myapp.example.com ❌ Problem: Key doesn't match URL project ✅ Solution: App may use multiple Supabase projects. Both keys are recorded. ❌ Problem: No key found but Supabase detected ✅ Solution: Key may be fetched at runtime. Check network requests: Monitor network for anon key on https://myapp.example.com Best Practices Reminder For developers reading this report: Anon key in client is normal — It's designed for this RLS is critical — The anon key relies on RLS for security Never use service_role in client — Use Edge Functions instead Rotate keys periodically — Available in Supabase Dashboard MANDATORY: Progressive Context File Updates ⚠️ This skill MUST update tracking files PROGRESSIVELY during execution, NOT just at the end. Critical Rule: Write As You Go DO NOT batch all writes at the end. Instead: Before starting any action → Log the action to .sb-pentest-audit.log After each discovery → Immediately update .sb-pentest-context.json After each significant step → Log completion to .sb-pentest-audit.log This ensures that if the skill is interrupted, crashes, or times out, all findings up to that point are preserved. Required Actions (Progressive) Update .sb-pentest-context.json with extracted data: { "supabase" : { "anon_key" : "eyJhbGci..." , "anon_key_decoded" : { ... } , "anon_key_sources" : [ ... ] } } Log to .sb-pentest-audit.log : [TIMESTAMP] [supabase-extract-anon-key] [START] Beginning anon key extraction [TIMESTAMP] [supabase-extract-anon-key] [SUCCESS] Anon key extracted [TIMESTAMP] [supabase-extract-anon-key] [CONTEXT_UPDATED] .sb-pentest-context.json updated If files don't exist , create them before writing. FAILURE TO UPDATE CONTEXT FILES IS NOT ACCEPTABLE. MANDATORY: Evidence Collection 📁 Evidence Directory: .sb-pentest-evidence/02-extraction/ Evidence Files to Create File Content extracted-anon-key.json Anon key with decoded JWT payload Evidence Format { "evidence_id" : "EXT-ANON-001" , "timestamp" : "2025-01-31T10:07:00Z" , "category" : "extraction" , "type" : "anon_key" , "severity" : "info" , "key_data" : { "key_prefix" : "eyJhbGciOiJIUzI1NiI..." , "key_suffix" : "...xxxx" , "full_key_length" : 256 } , "decoded_payload" : { "iss" : "supabase" , "ref" : "abc123def" , "role" : "anon" , "iat" : "2021-12-20T00:00:00Z" , "exp" : "2031-12-20T00:00:00Z" } , "source" : { "file" : "/static/js/main.js" , "line" : 1253 , "context" : "createClient('https://abc123def.supabase.co', 'eyJhbGci...')" } , "validation" : { "format_valid" : true , "role_confirmed" : "anon" , "project_matches" : true , "expired" : false } }