Supabase Audit Auth Config

🌐Community
by yoanbernabeu · vlatest · Repository

Helps with Supabase authentication auditing as part of database and data-persistence workflows.

Install on your platform


1. Run in terminal (recommended):

claude mcp add supabase-audit-auth-config npx -- -y @trustedskills/supabase-audit-auth-config

2. Or manually add to ~/.claude/settings.json:

{
  "mcpServers": {
    "supabase-audit-auth-config": {
      "command": "npx",
      "args": [
        "-y",
        "@trustedskills/supabase-audit-auth-config"
      ]
    }
  }
}

Requires Claude Code (claude CLI). Run claude --version to verify your install.

About This Skill

What it does

This skill analyzes the authentication configuration of a Supabase project to identify potential security vulnerabilities. It examines settings related to user registration, login, password recovery and enabled authentication providers (email, phone, OAuth), using only the project URL and the public anon key, so every check is an unauthenticated probe of the auth API. Crucially, the skill requires progressive file updates during execution: findings must be written to the context file (.sb-pentest-context.json) and the audit log (.sb-pentest-audit.log) immediately after each setting is analyzed, not at the end of the run.

When to use it

  • To review authentication security settings before deploying a Supabase project to production.
  • As part of an auditing workflow for auth-related vulnerabilities.
  • During comprehensive security reviews of a Supabase application.
  • To verify specific configuration details, such as whether signup is open and which providers are enabled.

Key capabilities

  • Analyzes Supabase authentication settings via the /auth/v1/* endpoints.
  • Detects if email authentication is enabled by attempting user registration.
  • Checks for phone authentication enablement through settings inspection.
  • Identifies configured OAuth providers by examining settings.
  • Determines if signup is disabled by attempting a signup process.
  • Evaluates email confirmation requirements based on signup responses.
  • Assesses password complexity rules via error message analysis.
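The checks in the capability list above, worked as an added example (not the skill's own code). It runs offline against constructed samples of the two responses the skill inspects: GET /auth/v1/settings, whose field names (external, disable_signup, mailer_autoconfirm, phone_autoconfirm) follow GoTrue's settings endpoint, and POST /auth/v1/signup, whose sample bodies are constructed in the shapes GoTrue returns and whose exact message wording is an assumption to re-verify against a live response. The function names and severity ratings are my own.

```python
"""Offline analysis of the two GoTrue responses the skill inspects.

Added example, not the skill's own code. The GET /auth/v1/settings field
names (external, disable_signup, mailer_autoconfirm, phone_autoconfirm) follow
GoTrue's public settings response. The signup bodies below are CONSTRUCTED
samples in the shapes GoTrue returns; treat their exact wording as an
assumption and re-check against a live response before relying on a match.
"""
import json

# Constructed sample of GET /auth/v1/settings (sent with the anon key in the
# `apikey` header; no user session is needed, which is why the skill only
# requires the project URL and anon key).
SETTINGS_SAMPLE = json.loads("""
{
  "external": {"apple": false, "email": true, "github": true, "google": true, "phone": false},
  "disable_signup": false,
  "mailer_autoconfirm": true,
  "phone_autoconfirm": false,
  "sms_provider": "",
  "saml_enabled": false,
  "mfa_enabled": false
}
""")

# Constructed samples of POST /auth/v1/signup outcomes as (status, body).
SIGNUP_SAMPLES = {
    "disabled": (422, {"code": 422, "msg": "Signups not allowed for this instance"}),
    "weak": (422, {"code": 422, "error_code": "weak_password",
                   "msg": "Password should be at least 6 characters.",
                   "weak_password": {"reasons": ["length"]}}),
    "autoconfirm": (200, {"access_token": "eyJ...", "token_type": "bearer",
                          "expires_in": 3600, "refresh_token": "r...",
                          "user": {"id": "00000000-0000-0000-0000-000000000001"}}),
    "needs_confirmation": (200, {"id": "00000000-0000-0000-0000-000000000002",
                                 "email": "probe@example.com",
                                 "confirmation_sent_at": "2024-01-01T00:00:00Z"}),
}


def audit_settings(settings):
    """Return {setting: (value, severity)} from a /auth/v1/settings document."""
    ext = settings.get("external", {})
    signup_open = not settings.get("disable_signup", False)
    autoconfirm = bool(settings.get("mailer_autoconfirm", False))
    oauth = sorted(name for name, on in ext.items() if on and name not in ("email", "phone"))
    return {
        "email_auth": (bool(ext.get("email", False)), "info"),
        "phone_auth": (bool(ext.get("phone", False)), "info"),
        "oauth_providers": (oauth, "info"),
        # Open self-signup means anyone holding the (public) anon key can
        # create an 'authenticated' user and exercise every RLS policy
        # written for that role.
        "signup_open": (signup_open, "high" if signup_open else "info"),
        # Open signup plus auto-confirm lets throwaway accounts log in
        # without owning the address they registered with.
        "email_confirmation_required": (not autoconfirm,
                                        "medium" if (signup_open and autoconfirm) else "info"),
    }


def classify_signup(status, body):
    """Map a /auth/v1/signup (status, body) pair to what it reveals."""
    msg = str(body.get("msg") or body.get("message") or "")
    code = body.get("error_code")
    if status == 422 and (code == "signup_disabled" or "Signups not allowed" in msg):
        return "signup_disabled"
    if status in (400, 422) and (code == "weak_password" or "Password should" in msg):
        return "weak_password"        # the password policy is disclosed by the error text
    if status == 200 and "access_token" in body:
        return "open_autoconfirm"     # a session came back: no confirmation step
    if status == 200 and ("confirmation_sent_at" in body or "id" in body):
        return "open_confirmation_required"
    return "unknown"


def run_audit(settings=SETTINGS_SAMPLE, signup_samples=SIGNUP_SAMPLES):
    """Combine both views: the settings endpoint is authoritative for providers
    and signup state; the signup probe confirms it and is the only way to
    observe the password rules."""
    report = {k: v for k, (v, _sev) in audit_settings(settings).items()}
    report["signup_probe"] = {name: classify_signup(s, b)
                              for name, (s, b) in signup_samples.items()}
    return report


if __name__ == "__main__":
    print(json.dumps(run_audit(), indent=2))
```

To use it against a real project, replace the samples with the JSON from `GET {url}/auth/v1/settings` and `POST {url}/auth/v1/signup` (both sent with the anon key in the `apikey` header). Keep in mind that the signup call is not read-only: when signup is open it creates a user in the target project.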

Example prompts

  • "Audit authentication configuration"
  • "Check if signup is open and what providers are enabled"

Tips & gotchas

  • Critical: The skill requires progressive file updates to .sb-pentest-context.json and .sb-pentest-audit.log. Do not wait until the end of the process; update these files immediately after analyzing each setting. Otherwise, findings are lost if the skill is interrupted.
  • You need a Supabase URL and anon key available for this skill to function correctly.
  • A prior detection step must be completed before running the audit.
  • The signup probe is not read-only: if signup is open, it creates a real user in the target project (and, when confirmation is required, triggers a confirmation email to the probe address). Only run it against projects you are authorized to test, and delete the probe accounts afterwards.
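The progressive-update requirement and the detection-step prerequisite above, as an added example of how a practitioner would satisfy them (not the skill's own implementation). The file names come from this page; the record layout (timestamp, setting, value, severity, note) and the context keys the detection step is assumed to have written (`supabase_url`, `anon_key`) are assumptions. Each finding is appended to the audit log and merged into the context file before the next probe runs, with an atomic rename so a crash mid-write never leaves a truncated context file.

```python
"""Crash-safe progressive recording of audit findings.

Added example, not the skill's own code. File names are from the page; the
record layout and the context keys `supabase_url` / `anon_key` (assumed to be
written by the prior detection step) are assumptions.
"""
import json
import os
import tempfile
import time

CONTEXT_FILE = ".sb-pentest-context.json"
AUDIT_LOG = ".sb-pentest-audit.log"


def load_context(path=CONTEXT_FILE):
    """Read the context file written by earlier steps, or start empty."""
    try:
        with open(path, encoding="utf-8") as fh:
            return json.load(fh)
    except FileNotFoundError:
        return {}


def require_detection(ctx):
    """Refuse to audit until the detection step has supplied the URL and anon key
    (the key names are an assumption about that step's output)."""
    missing = [k for k in ("supabase_url", "anon_key") if not ctx.get(k)]
    if missing:
        raise RuntimeError("run the detection step first; missing: " + ", ".join(missing))
    return ctx["supabase_url"], ctx["anon_key"]


def _atomic_write_json(path, data):
    """Write to a temp file in the same directory, fsync, then rename over the
    target, so an interruption never leaves a half-written context file."""
    dirname = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=dirname, prefix=".ctx-", suffix=".tmp")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(data, fh, indent=2, sort_keys=True)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def record_finding(setting, value, severity, note="",
                   context_path=CONTEXT_FILE, log_path=AUDIT_LOG):
    """Persist one finding immediately: append-and-fsync a log line, then
    merge it into the context file. Called after EACH setting, never batched."""
    entry = {"ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
             "setting": setting, "value": value, "severity": severity, "note": note}
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry, sort_keys=True) + "\n")
        fh.flush()
        os.fsync(fh.fileno())
    ctx = load_context(context_path)
    ctx.setdefault("auth", {})[setting] = {"value": value, "severity": severity, "note": note}
    _atomic_write_json(context_path, ctx)
    return ctx["auth"][setting]


def demo(workdir=None):
    """Simulate a run interrupted after two of three findings; returns what
    survives on disk (context dict, audit log lines)."""
    workdir = workdir or tempfile.mkdtemp(prefix="sb-audit-")
    ctx_path = os.path.join(workdir, CONTEXT_FILE)
    log_path = os.path.join(workdir, AUDIT_LOG)
    # Constructed output of the detection step (placeholder values).
    _atomic_write_json(ctx_path, {"supabase_url": "https://example.supabase.co",
                                  "anon_key": "anon-key-placeholder"})
    require_detection(load_context(ctx_path))
    findings = [("signup_open", True, "high", "anyone can register"),
                ("email_confirmation_required", False, "medium", "autoconfirm on"),
                ("phone_auth", False, "info", "")]
    for i, finding in enumerate(findings):
        if i == 2:
            break  # interruption before the last probe is recorded
        record_finding(*finding, context_path=ctx_path, log_path=log_path)
    with open(log_path, encoding="utf-8") as fh:
        lines = fh.read().splitlines()
    return load_context(ctx_path), lines


if __name__ == "__main__":
    ctx, lines = demo()
    print(json.dumps(ctx, indent=2))
    print("\n".join(lines))
```

The log is append-only and keeps every observation in order, while the context file holds the latest value per setting for later steps; writing the log first means a crash between the two leaves the log as the authoritative record to replay from.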


TrustedSkills Verification

Unlike other registries that point to live repositories, TrustedSkills pins every skill to a verified commit hash. This protects you from malicious updates: what you install today is exactly what was reviewed and verified. Note that the install command above resolves the npm package with no version specifier, so npx fetches whatever the package's latest tag points to at install time; add an explicit version to the args array if you want the installed package to stay at the revision you reviewed.

Security Audits

Gen Agent Trust Hub: Pass
Socket: Pass
Snyk: Pass

Details

Version: vlatest
License: (none listed)
Author: yoanbernabeu
Installs: 88

Passed automated security scans.