--- name: supabase-audit-auth-config description: Analyze Supabase authentication configuration for security weaknesses and misconfigurations. --- # Authentication Configuration Audit > 🔴 **CRITICAL: PROGRESSIVE FILE UPDATES REQUIRED** > > You MUST write to context files **AS YOU GO**, not just at the end. > - Write to `.sb-pentest-context.json` **IMMEDIATELY after each setting analyzed** > - Log to `.sb-pentest-audit.log` **BEFORE and AFTER each test** > - **DO NOT** wait until the skill completes to update files > - If the skill crashes or is interrupted, all prior findings must already be saved > > **This is not optional. Failure to write progressively is a critical error.** This skill analyzes the authentication configuration of a Supabase project. ## When to Use This Skill - To review authentication security settings - Before production deployment - When auditing auth-related vulnerabilities - As part of comprehensive security review ## Prerequisites - Supabase URL and anon key available - Detection completed ## Auth Endpoints Supabase Auth (GoTrue) exposes: ``` https://[project].supabase.co/auth/v1/ ``` | Endpoint | Purpose | |----------|---------| | `/auth/v1/settings` | Public settings (limited) | | `/auth/v1/signup` | User registration | | `/auth/v1/token` | Authentication | | `/auth/v1/user` | Current user info | | `/auth/v1/recover` | Password recovery | ## What Can Be Detected From the public API, we can detect: | Setting | Detection Method | |---------|------------------| | Email auth enabled | Attempt signup | | Phone auth enabled | Check settings | | OAuth providers | Check settings | | Signup disabled | Attempt signup | | Email confirmation | Signup response | | Password requirements | Error messages | ## Usage ### Basic Auth Audit ``` Audit authentication configuration ``` ### Check Specific Features ``` Check if signup is open and what providers are enabled ``` ## Output Format ``` ═══════════════════════════════════════════════════════════ AUTHENTICATION CONFIGURATION AUDIT ═══════════════════════════════════════════════════════════ Project: abc123def.supabase.co Auth Endpoint: https://abc123def.supabase.co/auth/v1/ ───────────────────────────────────────────────────────── Authentication Methods ───────────────────────────────────────────────────────── Email/Password: ✅ Enabled ├── Signup: ✅ Open (anyone can register) ├── Email Confirmation: ❌ NOT REQUIRED ← P1 Issue ├── Password Min Length: 6 characters ← P2 Consider longer └── Secure Password Check: Unknown Phone/SMS: ✅ Enabled └── Provider: Twilio Magic Link: ✅ Enabled └── OTP Expiry: 300 seconds (5 min) OAuth Providers Detected: 3 ├── Google: ✅ Enabled ├── GitHub: ✅ Enabled └── Discord: ✅ Enabled Anonymous Auth: ✅ Enabled ← Review if intended ───────────────────────────────────────────────────────── Security Settings ───────────────────────────────────────────────────────── Rate Limiting: ├── Signup: 3/hour per IP (good) ├── Token: 30/hour per IP (good) └── Recovery: 3/hour per IP (good) Session Configuration: ├── JWT Expiry: 3600 seconds (1 hour) ├── Refresh Token Rotation: Unknown └── Inactivity Timeout: Unknown Security Headers: ├── CORS: Configured ├── Allowed Origins: * (wildcard) ← P2 Consider restricting └── Credentials: Allowed ───────────────────────────────────────────────────────── Findings ───────────────────────────────────────────────────────── 🟠 P1: Email Confirmation Disabled Issue: Users can signup and immediately access the app without verifying their email address. Risks: ├── Fake accounts with invalid emails ├── Typosquatting (user@gmial.com) ├── No verified communication channel └── Potential for abuse Recommendation: Supabase Dashboard → Authentication → Email Templates → Enable "Confirm email" ───────────────────────────────────────────────────────── 🟡 P2: Short Minimum Password Length Issue: Minimum password length is 6 characters. Recommendation: Increase to 8-12 characters minimum. Supabase Dashboard → Authentication → Settings → Minimum password length ───────────────────────────────────────────────────────── 🟡 P2: Wildcard CORS Origin Issue: CORS allows requests from any origin (*). Recommendation: Restrict to your domains only. Supabase Dashboard → Authentication → URL Configuration → Site URL and Redirect URLs ───────────────────────────────────────────────────────── ℹī¸ INFO: Anonymous Auth Enabled Note: Anonymous authentication is enabled. This is fine if intentional (guest access). Review if you expect all users to be authenticated. ───────────────────────────────────────────────────────── Summary ───────────────────────────────────────────────────────── Auth Methods: 5 enabled OAuth Providers: 3 Findings: ├── P1 (High): 1 - Email confirmation disabled ├── P2 (Medium): 2 - Password length, CORS └── Info: 1 - Anonymous auth enabled Recommended Actions: 1. Enable email confirmation 2. Increase minimum password length 3. Restrict CORS to specific domains 4. Review if anonymous auth is needed ═══════════════════════════════════════════════════════════ ``` ## Security Checklist ### Email Authentication | Setting | Recommended | Risk if Wrong | |---------|-------------|---------------| | Email Confirmation | ✅ Required | Fake accounts | | Password Length | â‰Ĩ8 chars | Weak passwords | | Password Complexity | Enable | Easy to guess | | Rate Limiting | Enable | Brute force | ### OAuth Configuration | Setting | Recommended | Risk if Wrong | |---------|-------------|---------------| | Verified providers only | Yes | Account takeover | | Proper redirect URLs | Specific URLs | OAuth redirect attacks | | State parameter | Enabled | CSRF attacks | ### Session Security | Setting | Recommended | Risk if Wrong | |---------|-------------|---------------| | Short JWT expiry | 1 hour or less | Token theft | | Refresh token rotation | Enabled | Token reuse | | Secure cookie flags | HttpOnly, Secure, SameSite | XSS, CSRF | ## Context Output ```json { "auth_config": { "timestamp": "2025-01-31T12:30:00Z", "methods": { "email": { "enabled": true, "signup_open": true, "email_confirmation": false, "min_password_length": 6 }, "phone": { "enabled": true, "provider": "twilio" }, "magic_link": { "enabled": true, "otp_expiry": 300 }, "oauth": { "enabled": true, "providers": ["google", "github", "discord"] }, "anonymous": { "enabled": true } }, "findings": [ { "severity": "P1", "issue": "Email confirmation disabled", "recommendation": "Enable email confirmation in dashboard" } ] } } ``` ## Common Auth Vulnerabilities ### 1. No Email Confirmation ```javascript // User can signup with any email const { data, error } = await supabase.auth.signUp({ email: 'fake@example.com', // No verification needed password: 'password123' }) // User is immediately authenticated ``` ### 2. Weak Password Policy ```javascript // Weak password accepted await supabase.auth.signUp({ email: 'user@example.com', password: '123456' // Accepted with min length 6 }) ``` ### 3. Open Signup When Not Needed If your app should only have admin-created users: ```sql -- Disable public signup via dashboard -- Or use invite-only flow ``` ## Remediation Examples ### Enable Email Confirmation 1. Supabase Dashboard → Authentication → Email Templates 2. Enable "Confirm email" 3. Customize confirmation email template 4. Handle unconfirmed users in your app ### Strengthen Password Requirements 1. Dashboard → Authentication → Settings 2. Set minimum length to 8+ 3. Consider enabling password strength checks ### Restrict CORS 1. Dashboard → Authentication → URL Configuration 2. Set specific Site URL 3. Add only your domains to Redirect URLs 4. Remove wildcard entries ## MANDATORY: Progressive Context File Updates ⚠ī¸ **This skill MUST update tracking files PROGRESSIVELY during execution, NOT just at the end.** ### Critical Rule: Write As You Go **DO NOT** batch all writes at the end. Instead: 1. **Before checking each auth method** → Log the action to `.sb-pentest-audit.log` 2. **After each configuration analyzed** → Immediately update `.sb-pentest-context.json` 3. **After each finding discovered** → Log the severity immediately This ensures that if the skill is interrupted, crashes, or times out, all findings up to that point are preserved. ### Required Actions (Progressive) 1. **Update `.sb-pentest-context.json`** with results: ```json { "auth_config": { "timestamp": "...", "methods": { ... }, "findings": [ ... ] } } ``` 2. **Log to `.sb-pentest-audit.log`**: ``` [TIMESTAMP] [supabase-audit-auth-config] [START] Auditing auth configuration [TIMESTAMP] [supabase-audit-auth-config] [FINDING] P1: Email confirmation disabled [TIMESTAMP] [supabase-audit-auth-config] [CONTEXT_UPDATED] .sb-pentest-context.json updated ``` 3. **If files don't exist**, create them before writing. **FAILURE TO UPDATE CONTEXT FILES IS NOT ACCEPTABLE.** ## MANDATORY: Evidence Collection 📁 **Evidence Directory:** `.sb-pentest-evidence/05-auth-audit/` ### Evidence Files to Create | File | Content | |------|---------| | `auth-settings.json` | Complete auth configuration | ### Evidence Format ```json { "evidence_id": "AUTH-CFG-001", "timestamp": "2025-01-31T10:50:00Z", "category": "auth-audit", "type": "auth_configuration", "endpoint": "https://abc123def.supabase.co/auth/v1/", "configuration": { "email_auth": { "enabled": true, "signup_open": true, "email_confirmation_required": false, "min_password_length": 6 }, "phone_auth": { "enabled": true, "provider": "twilio" }, "oauth_providers": ["google", "github", "discord"], "anonymous_auth": true }, "security_settings": { "rate_limiting": { "signup": "3/hour", "token": "30/hour", "recovery": "3/hour" }, "jwt_expiry": 3600, "cors_origins": "*" }, "findings": [ { "severity": "P1", "issue": "Email confirmation disabled", "impact": "Users can signup without verifying email", "recommendation": "Enable email confirmation" }, { "severity": "P2", "issue": "Weak password policy", "impact": "Minimum 6 characters allows weak passwords", "recommendation": "Increase to 8+ characters" } ] } ``` ### Add to curl-commands.sh ```bash # === AUTH CONFIGURATION TESTS === # Test signup availability curl -X POST "$SUPABASE_URL/auth/v1/signup" \ -H "apikey: $ANON_KEY" \ -H "Content-Type: application/json" \ -d '{"email": "test@example.com", "password": "test123456"}' # Test password policy (weak password) curl -X POST "$SUPABASE_URL/auth/v1/signup" \ -H "apikey: $ANON_KEY" \ -H "Content-Type: application/json" \ -d '{"email": "weak@example.com", "password": "123456"}' ``` ## Related Skills - `supabase-audit-auth-signup` — Test signup flow - `supabase-audit-auth-users` — Test user enumeration - `supabase-audit-rls` — Auth users need RLS protection