Authentication Configuration Audit

🔴 CRITICAL: PROGRESSIVE FILE UPDATES REQUIRED

You MUST write to context files AS YOU GO, not just at the end.
Write to
.sb-pentest-context.json
IMMEDIATELY after each setting analyzed
Log to
.sb-pentest-audit.log
BEFORE and AFTER each test
DO NOT wait until the skill completes to update files

If the skill crashes or is interrupted, all prior findings must already be saved
This is not optional. Failure to write progressively is a critical error.

This skill analyzes the authentication configuration of a Supabase project.

When to Use This Skill

To review authentication security settings
Before production deployment
When auditing auth-related vulnerabilities
As part of comprehensive security review

Prerequisites

Supabase URL and anon key available
Detection completed

Auth Endpoints

Supabase Auth (GoTrue) exposes:

https://[project].supabase.co/auth/v1/

Endpoint	Purpose
`/auth/v1/settings`	Public settings (limited)
`/auth/v1/signup`	User registration
`/auth/v1/token`	Authentication
`/auth/v1/user`	Current user info
`/auth/v1/recover`	Password recovery

What Can Be Detected

From the public API, we can detect:

Setting	Detection Method
Email auth enabled	Attempt signup
Phone auth enabled	Check settings
OAuth providers	Check settings
Signup disabled	Attempt signup
Email confirmation	Signup response
Password requirements	Error messages

Usage

Basic Auth Audit

Audit authentication configuration

Check Specific Features

Check if signup is open and what providers are enabled

Output Format

═══════════════════════════════════════════════════════════
 AUTHENTICATION CONFIGURATION AUDIT
═══════════════════════════════════════════════════════════

 Project: abc123def.supabase.co
 Auth Endpoint: https://abc123def.supabase.co/auth/v1/

 ─────────────────────────────────────────────────────────
 Authentication Methods
 ─────────────────────────────────────────────────────────

 Email/Password: ✅ Enabled
 ├── Signup: ✅ Open (anyone can register)
 ├── Email Confirmation: ❌ NOT REQUIRED ← P1 Issue
 ├── Password Min Length: 6 characters ← P2 Consider longer
 └── Secure Password Check: Unknown

 Phone/SMS: ✅ Enabled
 └── Provider: Twilio

 Magic Link: ✅ Enabled
 └── OTP Expiry: 300 seconds (5 min)

 OAuth Providers Detected: 3
 ├── Google: ✅ Enabled
 ├── GitHub: ✅ Enabled
 └── Discord: ✅ Enabled

 Anonymous Auth: ✅ Enabled ← Review if intended

 ─────────────────────────────────────────────────────────
 Security Settings
 ─────────────────────────────────────────────────────────

 Rate Limiting:
 ├── Signup: 3/hour per IP (good)
 ├── Token: 30/hour per IP (good)
 └── Recovery: 3/hour per IP (good)

 Session Configuration:
 ├── JWT Expiry: 3600 seconds (1 hour)
 ├── Refresh Token Rotation: Unknown
 └── Inactivity Timeout: Unknown

 Security Headers:
 ├── CORS: Configured
 ├── Allowed Origins: * (wildcard) ← P2 Consider restricting
 └── Credentials: Allowed

 ─────────────────────────────────────────────────────────
 Findings
 ─────────────────────────────────────────────────────────

 🟠 P1: Email Confirmation Disabled

 Issue: Users can signup and immediately access the app
        without verifying their email address.

 Risks:
 ├── Fake accounts with invalid emails
 ├── Typosquatting (user@gmial.com)
 ├── No verified communication channel
 └── Potential for abuse

 Recommendation:
 Supabase Dashboard → Authentication → Email Templates
 → Enable "Confirm email"

 ─────────────────────────────────────────────────────────

 🟡 P2: Short Minimum Password Length

 Issue: Minimum password length is 6 characters.

 Recommendation: Increase to 8-12 characters minimum.
 Supabase Dashboard → Authentication → Settings
 → Minimum password length

 ─────────────────────────────────────────────────────────

 🟡 P2: Wildcard CORS Origin

 Issue: CORS allows requests from any origin (*).

 Recommendation: Restrict to your domains only.
 Supabase Dashboard → Authentication → URL Configuration
 → Site URL and Redirect URLs

 ─────────────────────────────────────────────────────────

 ℹ️ INFO: Anonymous Auth Enabled

 Note: Anonymous authentication is enabled.

 This is fine if intentional (guest access).
 Review if you expect all users to be authenticated.

 ─────────────────────────────────────────────────────────
 Summary
 ─────────────────────────────────────────────────────────

 Auth Methods: 5 enabled
 OAuth Providers: 3

 Findings:
 ├── P1 (High): 1 - Email confirmation disabled
 ├── P2 (Medium): 2 - Password length, CORS
 └── Info: 1 - Anonymous auth enabled

 Recommended Actions:
 1. Enable email confirmation
 2. Increase minimum password length
 3. Restrict CORS to specific domains
 4. Review if anonymous auth is needed

═══════════════════════════════════════════════════════════

Security Checklist

Email Authentication

Setting	Recommended	Risk if Wrong
Email Confirmation	✅ Required	Fake accounts
Password Length	≥8 chars	Weak passwords
Password Complexity	Enable	Easy to guess
Rate Limiting	Enable	Brute force

OAuth Configuration

Setting	Recommended	Risk if Wrong
Verified providers only	Yes	Account takeover
Proper redirect URLs	Specific URLs	OAuth redirect attacks
State parameter	Enabled	CSRF attacks

Session Security

Setting	Recommended	Risk if Wrong
Short JWT expiry	1 hour or less	Token theft
Refresh token rotation	Enabled	Token reuse
Secure cookie flags	HttpOnly, Secure, SameSite	XSS, CSRF

Context Output

json

{
  "auth_config": {
    "timestamp": "2025-01-31T12:30:00Z",
    "methods": {
      "email": {
        "enabled": true,
        "signup_open": true,
        "email_confirmation": false,
        "min_password_length": 6
      },
      "phone": {
        "enabled": true,
        "provider": "twilio"
      },
      "magic_link": {
        "enabled": true,
        "otp_expiry": 300
      },
      "oauth": {
        "enabled": true,
        "providers": ["google", "github", "discord"]
      },
      "anonymous": {
        "enabled": true
      }
    },
    "findings": [
      {
        "severity": "P1",
        "issue": "Email confirmation disabled",
        "recommendation": "Enable email confirmation in dashboard"
      }
    ]
  }
}

Common Auth Vulnerabilities

1. No Email Confirmation

javascript

// User can signup with any email
const { data, error } = await supabase.auth.signUp({
  email: 'fake@example.com',  // No verification needed
  password: 'password123'
})
// User is immediately authenticated

2. Weak Password Policy

javascript

// Weak password accepted
await supabase.auth.signUp({
  email: 'user@example.com',
  password: '123456'  // Accepted with min length 6
})

3. Open Signup When Not Needed

If your app should only have admin-created users:

sql

-- Disable public signup via dashboard
-- Or use invite-only flow

Remediation Examples

Enable Email Confirmation

Supabase Dashboard → Authentication → Email Templates
Enable "Confirm email"
Customize confirmation email template
Handle unconfirmed users in your app

Strengthen Password Requirements

Dashboard → Authentication → Settings
Set minimum length to 8+
Consider enabling password strength checks

Restrict CORS

Dashboard → Authentication → URL Configuration
Set specific Site URL
Add only your domains to Redirect URLs
Remove wildcard entries

MANDATORY: Progressive Context File Updates

⚠️ This skill MUST update tracking files PROGRESSIVELY during execution, NOT just at the end.

Critical Rule: Write As You Go

DO NOT batch all writes at the end. Instead:

Before checking each auth method → Log the action to
```
.sb-pentest-audit.log
```
After each configuration analyzed → Immediately update
```
.sb-pentest-context.json
```
After each finding discovered → Log the severity immediately

This ensures that if the skill is interrupted, crashes, or times out, all findings up to that point are preserved.

Required Actions (Progressive)

Update
.sb-pentest-context.json
with results:

json

{
  "auth_config": {
    "timestamp": "...",
    "methods": { ... },
    "findings": [ ... ]
  }
}

Log to
.sb-pentest-audit.log
:

[TIMESTAMP] [supabase-audit-auth-config] [START] Auditing auth configuration
[TIMESTAMP] [supabase-audit-auth-config] [FINDING] P1: Email confirmation disabled
[TIMESTAMP] [supabase-audit-auth-config] [CONTEXT_UPDATED] .sb-pentest-context.json updated

If files don't exist, create them before writing.

FAILURE TO UPDATE CONTEXT FILES IS NOT ACCEPTABLE.

MANDATORY: Evidence Collection

📁 Evidence Directory:

.sb-pentest-evidence/05-auth-audit/

Evidence Files to Create

File	Content
`auth-settings.json`	Complete auth configuration

Evidence Format

json

{
  "evidence_id": "AUTH-CFG-001",
  "timestamp": "2025-01-31T10:50:00Z",
  "category": "auth-audit",
  "type": "auth_configuration",

  "endpoint": "https://abc123def.supabase.co/auth/v1/",

  "configuration": {
    "email_auth": {
      "enabled": true,
      "signup_open": true,
      "email_confirmation_required": false,
      "min_password_length": 6
    },
    "phone_auth": {
      "enabled": true,
      "provider": "twilio"
    },
    "oauth_providers": ["google", "github", "discord"],
    "anonymous_auth": true
  },

  "security_settings": {
    "rate_limiting": {
      "signup": "3/hour",
      "token": "30/hour",
      "recovery": "3/hour"
    },
    "jwt_expiry": 3600,
    "cors_origins": "*"
  },

  "findings": [
    {
      "severity": "P1",
      "issue": "Email confirmation disabled",
      "impact": "Users can signup without verifying email",
      "recommendation": "Enable email confirmation"
    },
    {
      "severity": "P2",
      "issue": "Weak password policy",
      "impact": "Minimum 6 characters allows weak passwords",
      "recommendation": "Increase to 8+ characters"
    }
  ]
}

Add to curl-commands.sh

bash

# === AUTH CONFIGURATION TESTS ===
# Test signup availability
curl -X POST "$SUPABASE_URL/auth/v1/signup" \
  -H "apikey: $ANON_KEY" \
  -H "Content-Type: application/json" \
  -d '{"email": "test@example.com", "password": "test123456"}'

# Test password policy (weak password)
curl -X POST "$SUPABASE_URL/auth/v1/signup" \
  -H "apikey: $ANON_KEY" \
  -H "Content-Type: application/json" \
  -d '{"email": "weak@example.com", "password": "123456"}'

Related Skills

```
supabase-audit-auth-signup
```
— Test signup flow
```
supabase-audit-auth-users
```
— Test user enumeration
```
supabase-audit-rls
```
— Auth users need RLS protection

supabase-audit-auth-config

NPX Install

Tags

SKILL.md Content

Authentication Configuration Audit

When to Use This Skill

Prerequisites

Auth Endpoints

What Can Be Detected

Usage

Basic Auth Audit

Check Specific Features

Output Format

Security Checklist

Email Authentication

OAuth Configuration

Session Security

Context Output

Common Auth Vulnerabilities

1. No Email Confirmation

2. Weak Password Policy

3. Open Signup When Not Needed

Remediation Examples

Enable Email Confirmation

Strengthen Password Requirements

Restrict CORS

MANDATORY: Progressive Context File Updates

Critical Rule: Write As You Go

Required Actions (Progressive)

MANDATORY: Evidence Collection

Evidence Files to Create

Evidence Format

Add to curl-commands.sh

Related Skills