supabase-audit-auth-config
Authentication Configuration Audit
🔴 CRITICAL: PROGRESSIVE FILE UPDATES REQUIRED
You MUST write to context files AS YOU GO, not just at the end.
- Write to `.sb-pentest-context.json` IMMEDIATELY after each setting analyzed.
- Log to `.sb-pentest-audit.log` BEFORE and AFTER each test.
- DO NOT wait until the skill completes to update files.
- If the skill crashes or is interrupted, all prior findings must already be saved.
This is not optional. Failure to write progressively is a critical error.
This skill analyzes the authentication configuration of a Supabase project.
When to Use This Skill
- To review authentication security settings
- Before production deployment
- When auditing auth-related vulnerabilities
- As part of comprehensive security review
Prerequisites
- Supabase URL and anon key available
- Detection completed
Auth Endpoints
Supabase Auth (GoTrue) exposes the following endpoints under `https://[project].supabase.co/auth/v1/`:
| Endpoint | Purpose |
|---|---|
| | Public settings (limited) |
| | User registration |
| | Authentication |
| | Current user info |
| | Password recovery |
What Can Be Detected
From the public API, we can detect:
| Setting | Detection Method |
|---|---|
| Email auth enabled | Attempt signup |
| Phone auth enabled | Check settings |
| OAuth providers | Check settings |
| Signup disabled | Attempt signup |
| Email confirmation | Signup response |
| Password requirements | Error messages |
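As an added example (not part of this skill or of Supabase's own code), the following Python maps a GoTrue public settings document and a password-rejection message onto the `methods` and `findings` structure this skill stores. The settings field names (`external`, `disable_signup`, `mailer_autoconfirm`, `phone_autoconfirm`, `sms_provider`) are assumed from GoTrue's `/auth/v1/settings` endpoint, the "at least N characters" error wording is assumed, and the sample response is constructed, so verify both against a live response before trusting the output. `fetch_settings` only shows the request shape and is not exercised offline.

```python
import json
import re
import urllib.request

SKILL = "supabase-audit-auth-config"

# Constructed sample of a GET /auth/v1/settings response (not captured from a real
# project). Field names are an assumption based on GoTrue's public settings endpoint:
# mailer_autoconfirm=True corresponds to the dashboard's "Confirm email" toggle being off.
SAMPLE_SETTINGS = {
    "external": {"email": True, "phone": True, "anonymous_users": True,
                 "google": True, "github": True, "discord": True, "apple": False},
    "disable_signup": False,
    "mailer_autoconfirm": True,
    "phone_autoconfirm": False,
    "sms_provider": "twilio",
}

# Constructed signup rejection; the "at least N characters" wording is an assumption
# about GoTrue's password-length error and is only used to recover the configured minimum.
SAMPLE_WEAK_PASSWORD_MSG = "Password should be at least 6 characters."

# Keys under "external" that are built-in methods rather than OAuth identity providers.
BUILTIN_METHODS = {"email", "phone", "anonymous_users"}


def fetch_settings(base_url: str, anon_key: str) -> dict:
    """GET the public settings document with the anon key (network call, not used offline)."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}/auth/v1/settings",
                                 headers={"apikey": anon_key})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def min_password_length_from_error(msg: str):
    """Recover the minimum length stated in a rejection message, or None if absent."""
    match = re.search(r"at least (\d+) characters", msg or "")
    return int(match.group(1)) if match else None


def summarize_methods(settings: dict, weak_password_msg: str = "") -> dict:
    """Translate raw settings into the 'methods' block this skill stores in the context file."""
    ext = settings.get("external", {})
    providers = sorted(name for name, on in ext.items() if on and name not in BUILTIN_METHODS)
    return {
        "email": {
            "enabled": bool(ext.get("email")),
            "signup_open": not settings.get("disable_signup", False),
            "email_confirmation": not settings.get("mailer_autoconfirm", False),
            "min_password_length": min_password_length_from_error(weak_password_msg),
        },
        "phone": {"enabled": bool(ext.get("phone")), "provider": settings.get("sms_provider")},
        "oauth": {"enabled": bool(providers), "providers": providers},
        "anonymous": {"enabled": bool(ext.get("anonymous_users"))},
    }


def findings_for(methods: dict) -> list:
    """Apply this skill's checklist thresholds (P1 / P2 / INFO) to a methods block."""
    out = []
    email = methods["email"]
    if email["enabled"] and email["signup_open"] and not email["email_confirmation"]:
        out.append({"severity": "P1", "issue": "Email confirmation disabled",
                    "recommendation": "Enable email confirmation in dashboard"})
    length = email["min_password_length"]
    if length is not None and length < 8:
        out.append({"severity": "P2", "issue": f"Short minimum password length ({length})",
                    "recommendation": "Increase minimum password length to 8+ characters"})
    if methods["anonymous"]["enabled"]:
        out.append({"severity": "INFO", "issue": "Anonymous auth enabled",
                    "recommendation": "Review whether guest access is intended"})
    return out


def audit(settings: dict, weak_password_msg: str = "") -> dict:
    """Produce the methods + findings pair for one project's settings document."""
    methods = summarize_methods(settings, weak_password_msg)
    return {"methods": methods, "findings": findings_for(methods)}


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_SETTINGS, SAMPLE_WEAK_PASSWORD_MSG), indent=2))
```

The settings document says nothing about the minimum password length, which is why the skill's table lists "Error messages" as the detection method; `min_password_length_from_error` returns `None` rather than guessing when the message does not state a number.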
Usage
Basic Auth Audit
```
Audit authentication configuration
```
Check Specific Features
```
Check if signup is open and what providers are enabled
```
Output Format
═══════════════════════════════════════════════════════════
AUTHENTICATION CONFIGURATION AUDIT
═══════════════════════════════════════════════════════════
Project: abc123def.supabase.co
Auth Endpoint: https://abc123def.supabase.co/auth/v1/
─────────────────────────────────────────────────────────
Authentication Methods
─────────────────────────────────────────────────────────
Email/Password: ✅ Enabled
├── Signup: ✅ Open (anyone can register)
├── Email Confirmation: ❌ NOT REQUIRED ← P1 Issue
├── Password Min Length: 6 characters ← P2 Consider longer
└── Secure Password Check: Unknown
Phone/SMS: ✅ Enabled
└── Provider: Twilio
Magic Link: ✅ Enabled
└── OTP Expiry: 300 seconds (5 min)
OAuth Providers Detected: 3
├── Google: ✅ Enabled
├── GitHub: ✅ Enabled
└── Discord: ✅ Enabled
Anonymous Auth: ✅ Enabled ← Review if intended
─────────────────────────────────────────────────────────
Security Settings
─────────────────────────────────────────────────────────
Rate Limiting:
├── Signup: 3/hour per IP (good)
├── Token: 30/hour per IP (good)
└── Recovery: 3/hour per IP (good)
Session Configuration:
├── JWT Expiry: 3600 seconds (1 hour)
├── Refresh Token Rotation: Unknown
└── Inactivity Timeout: Unknown
Security Headers:
├── CORS: Configured
├── Allowed Origins: * (wildcard) ← P2 Consider restricting
└── Credentials: Allowed
─────────────────────────────────────────────────────────
Findings
─────────────────────────────────────────────────────────
🟠 P1: Email Confirmation Disabled
Issue: Users can signup and immediately access the app
without verifying their email address.
Risks:
├── Fake accounts with invalid emails
├── Typosquatting (user@gmial.com)
├── No verified communication channel
└── Potential for abuse
Recommendation:
Supabase Dashboard → Authentication → Email Templates
→ Enable "Confirm email"
─────────────────────────────────────────────────────────
🟡 P2: Short Minimum Password Length
Issue: Minimum password length is 6 characters.
Recommendation: Increase to 8-12 characters minimum.
Supabase Dashboard → Authentication → Settings
→ Minimum password length
─────────────────────────────────────────────────────────
🟡 P2: Wildcard CORS Origin
Issue: CORS allows requests from any origin (*).
Recommendation: Restrict to your domains only.
Supabase Dashboard → Authentication → URL Configuration
→ Site URL and Redirect URLs
─────────────────────────────────────────────────────────
ℹ️ INFO: Anonymous Auth Enabled
Note: Anonymous authentication is enabled.
This is fine if intentional (guest access).
Review if you expect all users to be authenticated.
─────────────────────────────────────────────────────────
Summary
─────────────────────────────────────────────────────────
Auth Methods: 5 enabled
OAuth Providers: 3
Findings:
├── P1 (High): 1 - Email confirmation disabled
├── P2 (Medium): 2 - Password length, CORS
└── Info: 1 - Anonymous auth enabled
Recommended Actions:
1. Enable email confirmation
2. Increase minimum password length
3. Restrict CORS to specific domains
4. Review if anonymous auth is needed
═══════════════════════════════════════════════════════════
Security Checklist
Email Authentication
| Setting | Recommended | Risk if Wrong |
|---|---|---|
| Email Confirmation | ✅ Required | Fake accounts |
| Password Length | ≥8 chars | Weak passwords |
| Password Complexity | Enable | Easy to guess |
| Rate Limiting | Enable | Brute force |
OAuth Configuration
| Setting | Recommended | Risk if Wrong |
|---|---|---|
| Verified providers only | Yes | Account takeover |
| Proper redirect URLs | Specific URLs | OAuth redirect attacks |
| State parameter | Enabled | CSRF attacks |
Session Security
| Setting | Recommended | Risk if Wrong |
|---|---|---|
| Short JWT expiry | 1 hour or less | Token theft |
| Refresh token rotation | Enabled | Token reuse |
| Secure cookie flags | HttpOnly, Secure, SameSite | XSS, CSRF |
Context Output
```json
{
  "auth_config": {
    "timestamp": "2025-01-31T12:30:00Z",
    "methods": {
      "email": {
        "enabled": true,
        "signup_open": true,
        "email_confirmation": false,
        "min_password_length": 6
      },
      "phone": {
        "enabled": true,
        "provider": "twilio"
      },
      "magic_link": {
        "enabled": true,
        "otp_expiry": 300
      },
      "oauth": {
        "enabled": true,
        "providers": ["google", "github", "discord"]
      },
      "anonymous": {
        "enabled": true
      }
    },
    "findings": [
      {
        "severity": "P1",
        "issue": "Email confirmation disabled",
        "recommendation": "Enable email confirmation in dashboard"
      }
    ]
  }
}
```
Common Auth Vulnerabilities
1. No Email Confirmation
```javascript
// `supabase` is a client created with createClient(SUPABASE_URL, ANON_KEY)
// User can signup with any email
const { data, error } = await supabase.auth.signUp({
  email: 'fake@example.com', // No verification needed
  password: 'password123'
})
// User is immediately authenticated
```
2. Weak Password Policy
```javascript
// Weak password accepted
await supabase.auth.signUp({
  email: 'user@example.com',
  password: '123456' // Accepted with min length 6
})
```
3. Open Signup When Not Needed
If your app should only have admin-created users:
```sql
-- Disable public signup via dashboard
-- Or use invite-only flow
```
Remediation Examples
Enable Email Confirmation
- Supabase Dashboard → Authentication → Email Templates
- Enable "Confirm email"
- Customize confirmation email template
- Handle unconfirmed users in your app
Strengthen Password Requirements
- Dashboard → Authentication → Settings
- Set minimum length to 8+
- Consider enabling password strength checks
Restrict CORS
- Dashboard → Authentication → URL Configuration
- Set specific Site URL
- Add only your domains to Redirect URLs
- Remove wildcard entries
MANDATORY: Progressive Context File Updates
⚠️ This skill MUST update tracking files PROGRESSIVELY during execution, NOT just at the end.
Critical Rule: Write As You Go
DO NOT batch all writes at the end. Instead:
- Before checking each auth method → Log the action to `.sb-pentest-audit.log`
- After each configuration analyzed → Immediately update `.sb-pentest-context.json`
- After each finding discovered → Log the severity immediately
This ensures that if the skill is interrupted, crashes, or times out, all findings up to that point are preserved.
Required Actions (Progressive)
- Update `.sb-pentest-context.json` with results:
```json
{ "auth_config": { "timestamp": "...", "methods": { ... }, "findings": [ ... ] } }
```
- Log to `.sb-pentest-audit.log`:
```
[TIMESTAMP] [supabase-audit-auth-config] [START] Auditing auth configuration
[TIMESTAMP] [supabase-audit-auth-config] [FINDING] P1: Email confirmation disabled
[TIMESTAMP] [supabase-audit-auth-config] [CONTEXT_UPDATED] .sb-pentest-context.json updated
```
- If files don't exist, create them before writing.
FAILURE TO UPDATE CONTEXT FILES IS NOT ACCEPTABLE.
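The progressive-write rule above, implemented as an added Python example that is not the skill's own code. The file names, the `auth_config` layout and the `[TIMESTAMP] [supabase-audit-auth-config] [STAGE] message` log format come from this page; the `CHECK` stage name, the atomic temp-file-plus-`os.replace()` write, and the constructed method results in `demo()` are this example's assumptions.

```python
import json
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

SKILL = "supabase-audit-auth-config"
CONTEXT_FILE = ".sb-pentest-context.json"
AUDIT_LOG = ".sb-pentest-audit.log"


def utc_now() -> str:
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def format_log_line(stage: str, message: str, timestamp: str = None) -> str:
    """One audit-log record: [TIMESTAMP] [skill] [STAGE] message."""
    return f"[{timestamp or utc_now()}] [{SKILL}] [{stage}] {message}"


def append_audit_log(workdir, stage: str, message: str) -> str:
    """Append one line right away; the file is created on first use and fsync'd so a crash loses nothing."""
    line = format_log_line(stage, message)
    with (Path(workdir) / AUDIT_LOG).open("a", encoding="utf-8") as fh:
        fh.write(line + "\n")
        fh.flush()
        os.fsync(fh.fileno())
    return line


def load_context(workdir) -> dict:
    path = Path(workdir) / CONTEXT_FILE
    return json.loads(path.read_text(encoding="utf-8")) if path.exists() else {}


def update_context(workdir, methods: dict = None, findings: list = None) -> dict:
    """Merge into auth_config and replace the file atomically.

    Writing to a temp file in the same directory and then os.replace()-ing it means an
    interrupted run leaves either the previous complete document or the new one on disk,
    never a half-written JSON file.
    """
    path = Path(workdir) / CONTEXT_FILE
    ctx = load_context(workdir)
    auth = ctx.setdefault("auth_config", {})
    auth["timestamp"] = utc_now()
    auth.setdefault("methods", {}).update(methods or {})
    auth.setdefault("findings", []).extend(findings or [])
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=CONTEXT_FILE + ".", suffix=".tmp")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(ctx, fh, indent=2)
        fh.flush()
        os.fsync(fh.fileno())
    os.replace(tmp, path)
    append_audit_log(workdir, "CONTEXT_UPDATED", f"{CONTEXT_FILE} updated")
    return ctx


def record_method(workdir, name: str, config: dict) -> dict:
    """Log before the check (CHECK is an assumed stage name), then persist the result immediately."""
    append_audit_log(workdir, "CHECK", f"Checking {name} auth configuration")
    return update_context(workdir, methods={name: config})


def record_finding(workdir, finding: dict) -> dict:
    """Log the severity the moment a finding is known, then persist it."""
    append_audit_log(workdir, "FINDING", f"{finding['severity']}: {finding['issue']}")
    return update_context(workdir, findings=[finding])


def demo(workdir=None):
    """Walk through one audit with constructed results; returns (context, log lines)."""
    workdir = workdir or tempfile.mkdtemp(prefix="sb-pentest-")
    append_audit_log(workdir, "START", "Auditing auth configuration")
    record_method(workdir, "email", {"enabled": True, "signup_open": True,
                                     "email_confirmation": False, "min_password_length": 6})
    record_method(workdir, "anonymous", {"enabled": True})
    ctx = record_finding(workdir, {"severity": "P1", "issue": "Email confirmation disabled",
                                   "recommendation": "Enable email confirmation in dashboard"})
    log_lines = (Path(workdir) / AUDIT_LOG).read_text(encoding="utf-8").splitlines()
    return ctx, log_lines


if __name__ == "__main__":
    context, lines = demo()
    print("\n".join(lines))
    print(json.dumps(context, indent=2))
```

Every `record_*` call leaves both files complete on disk before it returns, so killing the process between any two steps loses at most the step in flight; reloading the context on each update also lets other skills' keys in `.sb-pentest-context.json` survive untouched.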
MANDATORY: Evidence Collection
📁 Evidence Directory: `.sb-pentest-evidence/05-auth-audit/`
Evidence Files to Create
| File | Content |
|---|---|
| | Complete auth configuration |
Evidence Format
```json
{
  "evidence_id": "AUTH-CFG-001",
  "timestamp": "2025-01-31T10:50:00Z",
  "category": "auth-audit",
  "type": "auth_configuration",
  "endpoint": "https://abc123def.supabase.co/auth/v1/",
  "configuration": {
    "email_auth": {
      "enabled": true,
      "signup_open": true,
      "email_confirmation_required": false,
      "min_password_length": 6
    },
    "phone_auth": {
      "enabled": true,
      "provider": "twilio"
    },
    "oauth_providers": ["google", "github", "discord"],
    "anonymous_auth": true
  },
  "security_settings": {
    "rate_limiting": {
      "signup": "3/hour",
      "token": "30/hour",
      "recovery": "3/hour"
    },
    "jwt_expiry": 3600,
    "cors_origins": "*"
  },
  "findings": [
    {
      "severity": "P1",
      "issue": "Email confirmation disabled",
      "impact": "Users can signup without verifying email",
      "recommendation": "Enable email confirmation"
    },
    {
      "severity": "P2",
      "issue": "Weak password policy",
      "impact": "Minimum 6 characters allows weak passwords",
      "recommendation": "Increase to 8+ characters"
    }
  ]
}
```
Add to curl-commands.sh
```bash
# === AUTH CONFIGURATION TESTS ===

# Test signup availability
curl -X POST "$SUPABASE_URL/auth/v1/signup" \
  -H "apikey: $ANON_KEY" \
  -H "Content-Type: application/json" \
  -d '{"email": "test@example.com", "password": "test123456"}'

# Test password policy (weak password)
curl -X POST "$SUPABASE_URL/auth/v1/signup" \
  -H "apikey: $ANON_KEY" \
  -H "Content-Type: application/json" \
  -d '{"email": "weak@example.com", "password": "123456"}'
```
Related Skills
- `supabase-audit-auth-signup` — Test signup flow
- `supabase-audit-auth-users` — Test user enumeration
- `supabase-audit-rls` — Auth users need RLS protection