# Authentication Configuration Audit

> 🔴 **CRITICAL: PROGRESSIVE FILE UPDATES REQUIRED**
>
> You **MUST** write to context files **AS YOU GO**, not just at the end.
>
> - Write to `.sb-pentest-context.json` **IMMEDIATELY** after each setting analyzed
> - Log to `.sb-pentest-audit.log` **BEFORE and AFTER** each test
> - **DO NOT** wait until the skill completes to update files
> - If the skill crashes or is interrupted, all prior findings must already be saved
>
> This is not optional. Failure to write progressively is a critical error.

This skill analyzes the authentication configuration of a Supabase project.

## When to Use This Skill

- To review authentication security settings
- Before production deployment
- When auditing auth-related vulnerabilities
- As part of a comprehensive security review

## Prerequisites

- Supabase URL and anon key available
- Detection completed

## Auth Endpoints

Supabase Auth (GoTrue) exposes `https://[project].supabase.co/auth/v1/`:

| Endpoint | Purpose |
|---|---|
| `/auth/v1/settings` | Public settings (limited) |
| `/auth/v1/signup` | User registration |
| `/auth/v1/token` | Authentication |
| `/auth/v1/user` | Current user info |
| `/auth/v1/recover` | Password recovery |

## What Can Be Detected

From the public API, we can detect:

| Setting | Detection Method |
|---|---|
| Email auth enabled | Attempt signup |
| Phone auth enabled | Check settings |
| OAuth providers | Check settings |
| Signup disabled | Attempt signup |
| Email confirmation | Signup response |
| Password requirements | Error messages |

## Usage

### Basic Auth Audit

```
Audit authentication configuration
```

### Check Specific Features

```
Check if signup is open and what providers are enabled
```

## Output Format

```
═══════════════════════════════════════════════════════════
AUTHENTICATION CONFIGURATION AUDIT
═══════════════════════════════════════════════════════════

Project: abc123def.supabase.co
Auth Endpoint: https://abc123def.supabase.co/auth/v1/

─────────────────────────────────────────────────────────
Authentication Methods
─────────────────────────────────────────────────────────

Email/Password: ✅ Enabled
├── Signup: ✅ Open (anyone can register)
├── Email Confirmation: ❌ NOT REQUIRED ⚠️ P1 Issue
├── Password Min Length: 6 characters ⚠️ P2 Consider longer
└── Secure Password Check: Unknown

Phone/SMS: ✅ Enabled
└── Provider: Twilio

Magic Link: ✅ Enabled
└── OTP Expiry: 300 seconds (5 min)

OAuth Providers Detected: 3
├── Google: ✅ Enabled
├── GitHub: ✅ Enabled
└── Discord: ✅ Enabled

Anonymous Auth: ✅ Enabled ⚠️ Review if intended

─────────────────────────────────────────────────────────
Security Settings
─────────────────────────────────────────────────────────

Rate Limiting:
├── Signup: 3/hour per IP (good)
├── Token: 30/hour per IP (good)
└── Recovery: 3/hour per IP (good)

Session Configuration:
├── JWT Expiry: 3600 seconds (1 hour)
├── Refresh Token Rotation: Unknown
└── Inactivity Timeout: Unknown

Security Headers:
├── CORS: Configured
├── Allowed Origins: * (wildcard) ⚠️ P2 Consider restricting
└── Credentials: Allowed

─────────────────────────────────────────────────────────
Findings
─────────────────────────────────────────────────────────

🟠 P1: Email Confirmation Disabled
Issue: Users can sign up and immediately access the app without
verifying their email address.
Risks:
├── Fake accounts with invalid emails
├── Typosquatting (user@gmial.com)
├── No verified communication channel
└── Potential for abuse
Recommendation:
Supabase Dashboard → Authentication → Email Templates → Enable "Confirm email"

─────────────────────────────────────────────────────────

🟡 P2: Short Minimum Password Length
Issue: Minimum password length is 6 characters.
Recommendation: Increase to 8-12 characters minimum.
Supabase Dashboard → Authentication → Settings → Minimum password length

─────────────────────────────────────────────────────────

🟡 P2: Wildcard CORS Origin
Issue: CORS allows requests from any origin (*).
Recommendation: Restrict to your domains only.
Supabase Dashboard → Authentication → URL Configuration → Site URL and Redirect URLs

─────────────────────────────────────────────────────────

ℹ️ INFO: Anonymous Auth Enabled
Note: Anonymous authentication is enabled. This is fine if intentional
(guest access). Review if you expect all users to be authenticated.

─────────────────────────────────────────────────────────
Summary
─────────────────────────────────────────────────────────

Auth Methods: 5 enabled
OAuth Providers: 3

Findings:
├── P1 (High): 1 - Email confirmation disabled
├── P2 (Medium): 2 - Password length, CORS
└── Info: 1 - Anonymous auth enabled

Recommended Actions:
1. Enable email confirmation
2. Increase minimum password length
3. Restrict CORS to specific domains
4. Review if anonymous auth is needed
═══════════════════════════════════════════════════════════
```

## Security Checklist

### Email Authentication

| Setting | Recommended | Risk if Wrong |
|---|---|---|
| Email Confirmation | ✅ Required | Fake accounts |
| Password Length | ≥8 chars | Weak passwords |
| Password Complexity | Enable | Easy to guess |
| Rate Limiting | Enable | Brute force |

### OAuth Configuration

| Setting | Recommended | Risk if Wrong |
|---|---|---|
| Verified providers only | Yes | Account takeover |
| Proper redirect URLs | Specific URLs | OAuth redirect attacks |
| State parameter | Enabled | CSRF attacks |

### Session Security

| Setting | Recommended | Risk if Wrong |
|---|---|---|
| Short JWT expiry | 1 hour or less | Token theft |
| Refresh token rotation | Enabled | Token reuse |
| Secure cookie flags | HttpOnly, Secure, SameSite | XSS, CSRF |

## Context Output

```json
{
  "auth_config": {
    "timestamp": "2025-01-31T12:30:00Z",
    "methods": {
      "email": {
        "enabled": true,
        "signup_open": true,
        "email_confirmation": false,
        "min_password_length": 6
      },
      "phone": { "enabled": true, "provider": "twilio" },
      "magic_link": { "enabled": true, "otp_expiry": 300 },
      "oauth": { "enabled": true, "providers": ["google", "github", "discord"] },
      "anonymous": { "enabled": true }
    },
    "findings": [
      {
        "severity": "P1",
        "issue": "Email confirmation disabled",
        "recommendation": "Enable email confirmation in dashboard"
      }
    ]
  }
}
```

## Common Auth Vulnerabilities

### 1. No Email Confirmation

```javascript
// User can sign up with any email
const { data, error } = await supabase.auth.signUp({
  email: 'fake@example.com', // No verification needed
  password: 'password123'
})
// User is immediately authenticated
```

### 2. Weak Password Policy

```javascript
// Weak password accepted
await supabase.auth.signUp({
  email: 'user@example.com',
  password: '123456' // Accepted with min length 6
})
```

### 3. Open Signup When Not Needed

If your app should only have admin-created users:

```sql
-- Disable public signup via dashboard
-- Or use invite-only flow
```

## Remediation Examples

### Enable Email Confirmation

1. Supabase Dashboard → Authentication → Email Templates
2. Enable "Confirm email"
3. Customize confirmation email template
4. Handle unconfirmed users in your app

### Strengthen Password Requirements

1. Dashboard → Authentication → Settings
2. Set minimum length to 8+
3. Consider enabling password strength checks

### Restrict CORS

1. Dashboard → Authentication → URL Configuration
2. Set specific Site URL
3. Add only your domains to Redirect URLs
4. Remove wildcard entries

## MANDATORY: Progressive Context File Updates

⚠️ **This skill MUST update tracking files PROGRESSIVELY during execution, NOT just at the end.**

### Critical Rule: Write As You Go

**DO NOT** batch all writes at the end. Instead:

- **Before checking each auth method** → Log the action to `.sb-pentest-audit.log`
- **After each configuration analyzed** → Immediately update `.sb-pentest-context.json`
- **After each finding discovered** → Log the severity immediately

This ensures that if the skill is interrupted, crashes, or times out, all findings up to that point are preserved.

### Required Actions (Progressive)

Update `.sb-pentest-context.json` with results:

```json
{
  "auth_config": {
    "timestamp": "...",
    "methods": { ... },
    "findings": [ ... ]
  }
}
```

Log to `.sb-pentest-audit.log`:

```
[TIMESTAMP] [supabase-audit-auth-config] [START] Auditing auth configuration
[TIMESTAMP] [supabase-audit-auth-config] [FINDING] P1: Email confirmation disabled
[TIMESTAMP] [supabase-audit-auth-config] [CONTEXT_UPDATED] .sb-pentest-context.json updated
```

If files don't exist, create them before writing.

**FAILURE TO UPDATE CONTEXT FILES IS NOT ACCEPTABLE.**

## MANDATORY: Evidence Collection

📁 **Evidence Directory:** `.sb-pentest-evidence/05-auth-audit/`

### Evidence Files to Create

| File | Content |
|---|---|
| `auth-settings.json` | Complete auth configuration |

### Evidence Format

```json
{
  "evidence_id": "AUTH-CFG-001",
  "timestamp": "2025-01-31T10:50:00Z",
  "category": "auth-audit",
  "type": "auth_configuration",
  "endpoint": "https://abc123def.supabase.co/auth/v1/",
  "configuration": {
    "email_auth": {
      "enabled": true,
      "signup_open": true,
      "email_confirmation_required": false,
      "min_password_length": 6
    },
    "phone_auth": { "enabled": true, "provider": "twilio" },
    "oauth_providers": ["google", "github", "discord"],
    "anonymous_auth": true
  },
  "security_settings": {
    "rate_limiting": { "signup": "3/hour", "token": "30/hour", "recovery": "3/hour" },
    "jwt_expiry": 3600,
    "cors_origins": "*"
  },
  "findings": [
    {
      "severity": "P1",
      "issue": "Email confirmation disabled",
      "impact": "Users can sign up without verifying email",
      "recommendation": "Enable email confirmation"
    },
    {
      "severity": "P2",
      "issue": "Weak password policy",
      "impact": "Minimum 6 characters allows weak passwords",
      "recommendation": "Increase to 8+ characters"
    }
  ]
}
```

### Add to curl-commands.sh
```bash
# === AUTH CONFIGURATION TESTS ===

# Test signup availability
curl -X POST "$SUPABASE_URL/auth/v1/signup" \
  -H "apikey: $ANON_KEY" \
  -H "Content-Type: application/json" \
  -d '{"email": "test@example.com", "password": "test123456"}'

# Test password policy (weak password)
curl -X POST "$SUPABASE_URL/auth/v1/signup" \
  -H "apikey: $ANON_KEY" \
  -H "Content-Type: application/json" \
  -d '{"email": "weak@example.com", "password": "123456"}'
```
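The following Python is an added example, not part of this skill file and not Supabase's or GoTrue's code. It ties the pieces above together: it takes the two probes the skill relies on (a `GET /auth/v1/settings` body and the error body from a weak-password signup attempt), derives the `methods` object from the Context Output section, applies the P1/P2/INFO rules from the Findings section, and persists every finding progressively to `.sb-pentest-context.json` and `.sb-pentest-audit.log` in the log format shown under Required Actions. Both response bodies are constructed samples; the settings field names (`external`, `disable_signup`, `mailer_autoconfirm`, `sms_provider`) and the "Password should be at least N characters" wording are assumptions about GoTrue's responses and should be checked against a live project. It goes slightly beyond the page in that the minimum password length is read from the error text rather than assumed to be 6.

```python
import json
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# CONSTRUCTED sample of a GET /auth/v1/settings body. Field names follow GoTrue's
# public settings response as assumed here (external, disable_signup,
# mailer_autoconfirm, sms_provider); confirm them against a live project.
SAMPLE_SETTINGS = {
    "external": {"email": True, "phone": True, "anonymous_users": True,
                 "google": True, "github": True, "discord": True, "apple": False},
    "disable_signup": False,
    "mailer_autoconfirm": True,  # autoconfirm on == no email confirmation step
    "sms_provider": "twilio",
}
# CONSTRUCTED sample of the error body returned for a too-short signup password.
SAMPLE_SIGNUP_ERROR = {"code": 422, "msg": "Password should be at least 6 characters"}

NON_PROVIDER_KEYS = {"email", "phone", "anonymous_users"}
MIN_LEN_RE = re.compile(r"at least (\d+) characters", re.IGNORECASE)


def min_password_length(signup_error):
    """Recover the configured minimum from the error text; None if it is not stated."""
    text = signup_error.get("msg") or signup_error.get("message") or ""
    match = MIN_LEN_RE.search(text)
    return int(match.group(1)) if match else None


def summarize_methods(settings, signup_error):
    """Build the 'methods' object the skill writes into .sb-pentest-context.json."""
    ext = settings.get("external", {})
    return {
        "email": {
            "enabled": bool(ext.get("email")),
            "signup_open": not settings.get("disable_signup", False),
            "email_confirmation": not settings.get("mailer_autoconfirm", False),
            "min_password_length": min_password_length(signup_error),
        },
        "phone": {"enabled": bool(ext.get("phone")), "provider": settings.get("sms_provider")},
        "oauth": {"providers": sorted(k for k, v in ext.items() if v and k not in NON_PROVIDER_KEYS)},
        "anonymous": {"enabled": bool(ext.get("anonymous_users"))},
    }


def evaluate(methods, cors_origins):
    """Apply the skill's severity rules; findings come back in the order raised."""
    findings = []
    email = methods["email"]
    if email["enabled"] and email["signup_open"] and not email["email_confirmation"]:
        findings.append({"severity": "P1", "issue": "Email confirmation disabled",
                         "recommendation": "Enable email confirmation in dashboard"})
    if email["min_password_length"] is not None and email["min_password_length"] < 8:
        findings.append({"severity": "P2", "issue": "Weak password policy",
                         "recommendation": "Increase to 8+ characters"})
    if cors_origins == "*":
        findings.append({"severity": "P2", "issue": "Wildcard CORS origin",
                         "recommendation": "Restrict to your domains only"})
    if methods["anonymous"]["enabled"]:
        findings.append({"severity": "INFO", "issue": "Anonymous auth enabled",
                         "recommendation": "Review if intended"})
    return findings


class ProgressiveWriter:
    """Appends to the audit log and rewrites the context file after every finding."""
    SKILL = "supabase-audit-auth-config"

    def __init__(self, workdir):
        self.context_path = Path(workdir) / ".sb-pentest-context.json"
        self.log_path = Path(workdir) / ".sb-pentest-audit.log"  # created on first write

    def log(self, tag, message):
        stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        with self.log_path.open("a") as fh:
            fh.write(f"[{stamp}] [{self.SKILL}] [{tag}] {message}\n")

    def update_context(self, methods, findings):
        ctx = json.loads(self.context_path.read_text()) if self.context_path.exists() else {}
        ctx["auth_config"] = {"timestamp": datetime.now(timezone.utc).isoformat(),
                              "methods": methods, "findings": findings}
        self.context_path.write_text(json.dumps(ctx, indent=2))
        self.log("CONTEXT_UPDATED", f"{self.context_path.name} updated")


def run_audit(workdir, settings=SAMPLE_SETTINGS, signup_error=SAMPLE_SIGNUP_ERROR,
              cors_origins="*"):
    """Log START, analyze, then flush after EACH finding rather than once at the end."""
    writer = ProgressiveWriter(workdir)
    writer.log("START", "Auditing auth configuration")
    methods = summarize_methods(settings, signup_error)
    saved = []
    for finding in evaluate(methods, cors_origins):
        saved.append(finding)
        writer.log("FINDING", f"{finding['severity']}: {finding['issue']}")
        writer.update_context(methods, saved)
    writer.log("END", f"{len(saved)} findings recorded")
    return methods, saved


def run_demo():
    """Audit the constructed samples in a scratch directory and return what was persisted."""
    workdir = tempfile.mkdtemp()
    methods, findings = run_audit(workdir)
    writer = ProgressiveWriter(workdir)
    return {"methods": methods, "findings": findings,
            "context": json.loads(writer.context_path.read_text()),
            "log": writer.log_path.read_text()}
```

`run_demo()` runs the whole pass in a temporary directory; against a real project you would call `run_audit(".", settings, signup_error, cors_origins)` with the bodies captured by the curl commands above. The point of `run_audit` is the loop body: the context file is rewritten and a `[CONTEXT_UPDATED]` line is logged after each finding, so an interruption after the P1 still leaves that P1 on disk.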