Supabase 认证用户安全审计：检测 IDOR 与 RLS 漏洞

supabase-audit-authenticated by yoanbernabeu/supabase-pentest-skills

100 周安装量

34 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/yoanbernabeu/supabase-pentest-skills --skill supabase-audit-authenticated

云服务测试安全

🇨🇳中文介绍

认证用户审计

🔴 关键：需要渐进式文件更新

你必须在执行过程中就写入上下文文件，而不仅仅是在最后。

每次测试后立即写入 .sb-pentest-context.json

每次操作前后记录到 .sb-pentest-audit.log

不要等到技能完成后再更新文件

如果技能崩溃或被中断，所有之前的发现必须已经保存

这不是可选的。未能渐进式写入是一个严重错误。

此技能创建一个测试用户（需明确许可）来比较认证访问与匿名访问，并检测 IDOR 漏洞。

⚠️ 重要：需要用户同意

╔═══════════════════════════════════════════════════════════════════╗
║  🔐 需要用户创建许可                                ║
╠═══════════════════════════════════════════════════════════════════╣
║                                                                   ║
║  此技能将在你的 Supabase 项目中创建一个测试用户。     ║
║                                                                   ║
║  用户将使用以下信息创建：                                   ║
║  • 邮箱：pentest-[random]@security-audit.local                   ║
║  • 密码：强随机密码（32+ 字符）                   ║
║  • 目的：测试认证访问与匿名访问             ║
║                                                                   ║
║  审计结束时，系统会询问你是否要        ║
║  删除测试用户（推荐）。                              ║
║                                                                   ║
║  你是否授权创建测试用户？                    ║
║  输入 "yes, create test user" 以继续。                         ║
║                                                                   ║
╚═══════════════════════════════════════════════════════════════════╝

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

何时使用此技能

完成匿名访问测试后
检测 IDOR（不安全的直接对象引用）漏洞
测试跨用户数据访问
验证 RLS 策略对认证用户有效
查找权限提升问题

注册必须开放（或使用邀请流程）
匿名密钥可用
已完成匿名审计（推荐）

认证测试的重要性

许多漏洞仅在认证状态下出现：

漏洞	匿名	认证
RLS 绕过（无 RLS）	✓ 可检测	✓ 可检测
IDOR	✗ 不可见	✓ 仅可见
跨用户访问	✗ 不可见	✓ 仅可见
权限提升	✗ 不可见	✓ 仅可见
过于宽松的 RLS	部分	✓ 完全检测

pentest-[8-char-random]@security-audit.local

示例：pentest-a7b3c9d2@security-audit.local

32+ 字符
大写字母、小写字母、数字、符号
加密随机

示例：Xk9$mP2#vL5@nQ8&jR4*wY7!hT3%bU6^

密码仅显示一次并保存为证据。

1. 用户创建与登录

# Create user
curl -X POST "$SUPABASE_URL/auth/v1/signup" \
  -H "apikey: $ANON_KEY" \
  -H "Content-Type: application/json" \
  -d '{"email": "pentest-xxx@security-audit.local", "password": "[STRONG_PASSWORD]"}'

# Login and get JWT
curl -X POST "$SUPABASE_URL/auth/v1/token?grant_type=password" \
  -H "apikey: $ANON_KEY" \
  -H "Content-Type: application/json" \
  -d '{"email": "pentest-xxx@security-audit.local", "password": "[STRONG_PASSWORD]"}'

2. 认证与匿名比较

测试	匿名	认证	发现
SELECT	0 行	1,247 行	🔴 仅认证暴露
自有数据	不适用	仅自有行	✅ RLS 正常工作
其他用户数据	不适用	所有行	🔴 跨用户访问

# As test user, try to access other user's data
curl "$SUPABASE_URL/rest/v1/orders?user_id=eq.[OTHER_USER_ID]" \
  -H "apikey: $ANON_KEY" \
  -H "Authorization: Bearer [TEST_USER_JWT]"

# If returns data: IDOR vulnerability!

# Get test user's ID from JWT
TEST_USER_ID=$(echo $JWT | jq -r '.sub')

# Try to access data belonging to a different user
curl "$SUPABASE_URL/rest/v1/profiles?id=neq.$TEST_USER_ID" \
  -H "Authorization: Bearer [TEST_USER_JWT]"

# If returns other users' profiles: Cross-user access!

5. 带认证的存储

# Test authenticated storage access
curl "$SUPABASE_URL/storage/v1/object/list/documents" \
  -H "apikey: $ANON_KEY" \
  -H "Authorization: Bearer [TEST_USER_JWT]"

# Compare with anonymous results

6. 带认证的实时功能

// Subscribe to table changes as authenticated user
const channel = supabase.channel('test')
  .on('postgres_changes', {
    event: '*',
    schema: 'public',
    table: 'orders'
  }, payload => console.log(payload))
  .subscribe()

// Does it receive OTHER users' order changes?

═══════════════════════════════════════════════════════════
 认证用户审计
═══════════════════════════════════════════════════════════

 ─────────────────────────────────────────────────────────
 测试用户创建
 ─────────────────────────────────────────────────────────

 状态：✅ 用户创建成功

 测试用户详情：
 ├── 邮箱：pentest-a7b3c9d2@security-audit.local
 ├── 用户 ID：550e8400-e29b-41d4-a716-446655440099
 ├── 密码：[已保存为证据 - 仅显示一次]
 └── 已获取 JWT：✅

 ─────────────────────────────────────────────────────────
 匿名与认证比较
 ─────────────────────────────────────────────────────────

 表：users
 ├── 匿名访问：0 行
 ├── 认证访问：1,247 行 ← 所有用户！
 └── 状态：🔴 P0 - 对匿名用户隐藏但对任何认证用户暴露的数据

 表：orders
 ├── 匿名访问：0 行（被阻止）
 ├── 认证访问：1 行（仅自有订单）
 └── 状态：✅ RLS 正常工作

 表：profiles
 ├── 匿名访问：0 行
 ├── 认证访问：1,247 行 ← 所有个人资料！
 ├── 预期仅自有个人资料：❌ 否
 └── 状态：🔴 P0 - 跨用户个人资料访问

 ─────────────────────────────────────────────────────────
 IDOR 测试
 ─────────────────────────────────────────────────────────

 测试：通过 ID 访问其他用户的订单
 ├── 请求：GET /orders?user_id=eq.[other-user-id]
 ├── 认证：测试用户 JWT
 ├── 响应：200 OK - 返回 15 个订单
 └── 状态：🔴 P0 - IDOR 漏洞

 证明：
 curl "$URL/rest/v1/orders?user_id=eq.other-user-uuid" \
   -H "Authorization: Bearer [test-user-jwt]"
 # 返回属于 other-user-uuid 的订单！

 测试：访问管理员端点
 ├── 请求：GET /functions/v1/admin-panel
 ├── 认证：测试用户 JWT（普通用户）
 ├── 响应：200 OK - 返回管理员数据！
 └── 状态：🔴 P0 - 权限提升

 ─────────────────────────────────────────────────────────
 带认证的存储
 ─────────────────────────────────────────────────────────

 存储桶：documents
 ├── 匿名：❌ 0 个文件（被阻止）
 ├── 认证：✅ 可见 523 个文件 ← 所有用户的文件！
 └── 状态：🔴 P1 - 认证用户看到所有文档

 存储桶：user-uploads
 ├── 匿名：❌ 0 个文件
 ├── 认证：3 个文件（仅自有文件）
 └── 状态：✅ RLS 正常工作

 ─────────────────────────────────────────────────────────
 摘要
 ─────────────────────────────────────────────────────────

 新发现（仅认证）：
 ├── 🔴 P0：users 表 - 任何认证用户可见所有用户
 ├── 🔴 P0：profiles 表 - 跨用户访问
 ├── 🔴 P0：orders 中的 IDOR - 可访问任何用户的订单
 ├── 🔴 P0：admin-panel 中的权限提升
 └── 🟠 P1：documents 存储桶 - 认证用户可见所有文件

 比较：
 ├── 发现的问题（匿名）：3
 ├── 发现的问题（认证）：8 ← 5 个新问题！
 └── 仅认证漏洞：5

 建议：
 这些问题在匿名测试中不可见！
 务必使用认证用户进行测试。

 ─────────────────────────────────────────────────────────
 清理
 ─────────────────────────────────────────────────────────

 ⚠️  测试用户仍存在于数据库中。

 是否要删除测试用户？
 邮箱：pentest-a7b3c9d2@security-audit.local

 [这需要 service_role 密钥或手动删除]

═══════════════════════════════════════════════════════════

{
  "authenticated_audit": {
    "timestamp": "2025-01-31T12:00:00Z",
    "test_user": {
      "email": "pentest-a7b3c9d2@security-audit.local",
      "user_id": "550e8400-e29b-41d4-a716-446655440099",
      "created_at": "2025-01-31T12:00:00Z",
      "deleted": false
    },
    "comparison": {
      "tables": {
        "users": {
          "anon_access": 0,
          "auth_access": 1247,
          "expected_auth_access": "own_row_only",
          "severity": "P0",
          "finding": "All users visible to any authenticated user"
        },
        "orders": {
          "anon_access": 0,
          "auth_access": 1,
          "expected_auth_access": "own_rows_only",
          "severity": null,
          "finding": "RLS working correctly"
        }
      },
      "idor_tests": [
        {
          "test": "access_other_user_orders",
          "vulnerable": true,
          "severity": "P0",
          "proof": "curl command..."
        }
      ],
      "privilege_escalation": [
        {
          "endpoint": "/functions/v1/admin-panel",
          "vulnerable": true,
          "severity": "P0"
        }
      ]
    },
    "summary": {
      "anon_issues": 3,
      "auth_issues": 8,
      "auth_only_issues": 5
    }
  }
}

正确：用户仅看到自己的数据

-- This RLS policy is correct
CREATE POLICY "Users see own data"
  ON users FOR SELECT
  USING (auth.uid() = id);

-- Result:
-- Anonymous: 0 rows
-- Authenticated: 1 row (own data)

错误：所有认证用户看到所有内容

-- This RLS policy is WRONG
CREATE POLICY "Authenticated users see all"
  ON users FOR SELECT
  USING (auth.role() = 'authenticated');  -- ❌ Too permissive!

-- Result:
-- Anonymous: 0 rows
-- Authenticated: ALL rows ← VULNERABILITY!

-- Fix: Add user ownership check
CREATE POLICY "Users see own data"
  ON users FOR SELECT
  USING (auth.uid() = id);  -- ✅ Only own row

选项 1：手动删除（仪表板）

Supabase Dashboard → Authentication → Users → Find test user → Delete

选项 2：通过 service_role 密钥（如果可用）

curl -X DELETE "$SUPABASE_URL/auth/v1/admin/users/[USER_ID]" \
  -H "apikey: $SERVICE_ROLE_KEY" \
  -H "Authorization: Bearer $SERVICE_ROLE_KEY"

选项 3：稍后处理

测试用户使用非功能性邮箱域名（security-audit.local）且无法被恶意使用。

强制要求：证据收集

📁 证据目录： .sb-pentest-evidence/05-auth-audit/authenticated-tests/

要创建的证据文件

文件	内容
`test-user-created.json`	测试用户详情（密码安全保存）
`anon-vs-auth-comparison.json`	并排比较
`idor-tests/[table].json`	IDOR 测试结果
`privilege-escalation.json`	权限提升测试

{
  "evidence_id": "AUTH-TEST-001",
  "timestamp": "2025-01-31T12:00:00Z",
  "category": "auth-audit",
  "type": "authenticated_testing",

  "test_user": {
    "email": "pentest-a7b3c9d2@security-audit.local",
    "user_id": "550e8400-...",
    "password": "[STORED SECURELY - DO NOT COMMIT]"
  },

  "comparison_test": {
    "table": "users",
    "anonymous": {
      "curl_command": "curl '$URL/rest/v1/users' -H 'apikey: $ANON_KEY'",
      "response_status": 200,
      "rows_returned": 0
    },
    "authenticated": {
      "curl_command": "curl '$URL/rest/v1/users' -H 'apikey: $ANON_KEY' -H 'Authorization: Bearer $JWT'",
      "response_status": 200,
      "rows_returned": 1247
    },
    "finding": {
      "severity": "P0",
      "issue": "All users visible to any authenticated user",
      "expected": "Only own row should be visible",
      "impact": "Full user enumeration for any authenticated user"
    }
  }
}

添加到 curl-commands.sh

# === AUTHENTICATED TESTING ===
# NOTE: Replace [JWT] with test user's JWT

# Compare anonymous vs authenticated access
curl -s "$SUPABASE_URL/rest/v1/users?select=*&limit=5" -H "apikey: $ANON_KEY"
curl -s "$SUPABASE_URL/rest/v1/users?select=*&limit=5" -H "apikey: $ANON_KEY" -H "Authorization: Bearer [JWT]"

# IDOR test - access other user's data
curl -s "$SUPABASE_URL/rest/v1/orders?user_id=eq.[OTHER_USER_ID]" \
  -H "apikey: $ANON_KEY" \
  -H "Authorization: Bearer [JWT]"

# Cross-user profile access
curl -s "$SUPABASE_URL/rest/v1/profiles?id=neq.[TEST_USER_ID]" \
  -H "apikey: $ANON_KEY" \
  -H "Authorization: Bearer [JWT]"

强制要求：渐进式上下文文件更新

⚠️ 此技能必须在执行过程中渐进式更新跟踪文件，而不仅仅是在最后。

关键规则：边执行边写入

不要在最后批量写入所有内容。而是：

用户创建前 → 将同意和操作记录到 .sb-pentest-audit.log
用户创建后 → 立即将用户详情保存到上下文和证据
每次比较测试后 → 用结果更新 .sb-pentest-context.json
每次 IDOR 测试后 → 立即保存证据

这确保了如果技能被中断、崩溃或超时，所有到该点为止的发现都会被保留。

必需的操作（渐进式）

记录用户创建：

[TIMESTAMP] [supabase-audit-authenticated] [CONSENT] User authorized test user creation [TIMESTAMP] [supabase-audit-authenticated] [CREATED] Test user pentest-xxx@security-audit.local
立即将测试用户保存到上下文：

{ "authenticated_audit": { "test_user": { "email": "...", "user_id": "...", "created_at": "..." } } }
发现每个发现时记录：

[TIMESTAMP] [supabase-audit-authenticated] [FINDING] P0: IDOR in orders table

未能渐进式更新上下文文件是不可接受的。

supabase-audit-auth-signup — 首先测试注册是否开放
supabase-audit-tables-read — 与匿名结果比较
supabase-audit-rls — 深入分析 RLS 策略
supabase-audit-functions — 测试带认证的函数访问
supabase-report — 在报告中包含仅认证发现

🇺🇸English

Authenticated User Audit

🔴 CRITICAL: PROGRESSIVE FILE UPDATES REQUIRED

You MUST write to context files AS YOU GO , not just at the end.

Write to .sb-pentest-context.json IMMEDIATELY after each test

Log to .sb-pentest-audit.log BEFORE and AFTER each action

DO NOT wait until the skill completes to update files

If the skill crashes or is interrupted, all prior findings must already be saved

This is not optional. Failure to write progressively is a critical error.

This skill creates a test user (with explicit permission) to compare authenticated vs anonymous access and detect IDOR vulnerabilities.

⚠️ IMPORTANT: User Consent Required

╔═══════════════════════════════════════════════════════════════════╗
║  🔐 USER CREATION CONSENT REQUIRED                                ║
╠═══════════════════════════════════════════════════════════════════╣
║                                                                   ║
║  This skill will CREATE A TEST USER in your Supabase project.     ║
║                                                                   ║
║  The user will be created with:                                   ║
║  • Email: pentest-[random]@security-audit.local                   ║
║  • Password: Strong random password (32+ chars)                   ║
║  • Purpose: Testing authenticated access vs anonymous             ║
║                                                                   ║
║  At the end of the audit, you will be asked if you want to        ║
║  DELETE the test user (recommended).                              ║
║                                                                   ║
║  Do you authorize the creation of a test user?                    ║
║  Type "yes, create test user" to proceed.                         ║
║                                                                   ║
╚═══════════════════════════════════════════════════════════════════╝

DO NOT proceed without explicit user consent.

When to Use This Skill

After completing anonymous access tests
To detect IDOR (Insecure Direct Object Reference) vulnerabilities
To test cross-user data access
To verify RLS policies work for authenticated users
To find privilege escalation issues

Prerequisites

Signup must be open (or use invite flow)
Anon key available
Anonymous audit completed (recommended)

Why Authenticated Testing Matters

Many vulnerabilities only appear with authentication:

Vulnerability	Anonymous	Authenticated
RLS bypass (no RLS)	✓ Detectable	✓ Detectable
IDOR	✗ Not visible	✓ Only visible
Cross-user access	✗ Not visible	✓ Only visible
Privilege escalation	✗ Not visible	✓ Only visible
Overly permissive RLS	Partial	✓ Full detection

Test User Creation

Email Format

pentest-[8-char-random]@security-audit.local

Example: pentest-a7b3c9d2@security-audit.local

Password Generation

Strong password with:

32+ characters
Uppercase, lowercase, numbers, symbols
Cryptographically random

Example: Xk9$mP2#vL5@nQ8&jR4*wY7!hT3%bU6^

The password is displayed ONCE and saved to evidence.

Tests Performed

1. User Creation & Login

# Create user
curl -X POST "$SUPABASE_URL/auth/v1/signup" \
  -H "apikey: $ANON_KEY" \
  -H "Content-Type: application/json" \
  -d '{"email": "pentest-xxx@security-audit.local", "password": "[STRONG_PASSWORD]"}'

# Login and get JWT
curl -X POST "$SUPABASE_URL/auth/v1/token?grant_type=password" \
  -H "apikey: $ANON_KEY" \
  -H "Content-Type: application/json" \
  -d '{"email": "pentest-xxx@security-audit.local", "password": "[STRONG_PASSWORD]"}'

2. Authenticated vs Anonymous Comparison

For each table:

Test	Anonymous	Authenticated	Finding
SELECT	0 rows	1,247 rows	🔴 Auth-only exposure
Own data	N/A	Only own row	✅ RLS working
Other users' data	N/A	All rows	🔴 Cross-user access

3. IDOR Testing

# As test user, try to access other user's data
curl "$SUPABASE_URL/rest/v1/orders?user_id=eq.[OTHER_USER_ID]" \
  -H "apikey: $ANON_KEY" \
  -H "Authorization: Bearer [TEST_USER_JWT]"

# If returns data: IDOR vulnerability!

4. Cross-User Access

# Get test user's ID from JWT
TEST_USER_ID=$(echo $JWT | jq -r '.sub')

# Try to access data belonging to a different user
curl "$SUPABASE_URL/rest/v1/profiles?id=neq.$TEST_USER_ID" \
  -H "Authorization: Bearer [TEST_USER_JWT]"

# If returns other users' profiles: Cross-user access!

5. Storage with Authentication

# Test authenticated storage access
curl "$SUPABASE_URL/storage/v1/object/list/documents" \
  -H "apikey: $ANON_KEY" \
  -H "Authorization: Bearer [TEST_USER_JWT]"

# Compare with anonymous results

6. Realtime with Authentication

// Subscribe to table changes as authenticated user
const channel = supabase.channel('test')
  .on('postgres_changes', {
    event: '*',
    schema: 'public',
    table: 'orders'
  }, payload => console.log(payload))
  .subscribe()

// Does it receive OTHER users' order changes?

Output Format

═══════════════════════════════════════════════════════════
 AUTHENTICATED USER AUDIT
═══════════════════════════════════════════════════════════

 ─────────────────────────────────────────────────────────
 Test User Creation
 ─────────────────────────────────────────────────────────

 Status: ✅ User created successfully

 Test User Details:
 ├── Email: pentest-a7b3c9d2@security-audit.local
 ├── User ID: 550e8400-e29b-41d4-a716-446655440099
 ├── Password: [Saved to evidence - shown once]
 └── JWT obtained: ✅

 ─────────────────────────────────────────────────────────
 Anonymous vs Authenticated Comparison
 ─────────────────────────────────────────────────────────

 Table: users
 ├── Anonymous access: 0 rows
 ├── Authenticated access: 1,247 rows ← ALL USERS!
 └── Status: 🔴 P0 - Data hidden from anon but exposed to any auth user

 Table: orders
 ├── Anonymous access: 0 rows (blocked)
 ├── Authenticated access: 1 row (own orders only)
 └── Status: ✅ RLS working correctly

 Table: profiles
 ├── Anonymous access: 0 rows
 ├── Authenticated access: 1,247 rows ← ALL PROFILES!
 ├── Own profile only expected: ❌ NO
 └── Status: 🔴 P0 - Cross-user profile access

 ─────────────────────────────────────────────────────────
 IDOR Testing
 ─────────────────────────────────────────────────────────

 Test: Access other user's orders by ID
 ├── Request: GET /orders?user_id=eq.[other-user-id]
 ├── Auth: Test user JWT
 ├── Response: 200 OK - 15 orders returned
 └── Status: 🔴 P0 - IDOR VULNERABILITY

 Proof:
 curl "$URL/rest/v1/orders?user_id=eq.other-user-uuid" \
   -H "Authorization: Bearer [test-user-jwt]"
 # Returns orders belonging to other-user-uuid!

 Test: Access admin endpoints
 ├── Request: GET /functions/v1/admin-panel
 ├── Auth: Test user JWT (regular user)
 ├── Response: 200 OK - Admin data returned!
 └── Status: 🔴 P0 - PRIVILEGE ESCALATION

 ─────────────────────────────────────────────────────────
 Storage with Authentication
 ─────────────────────────────────────────────────────────

 Bucket: documents
 ├── Anonymous: ❌ 0 files (blocked)
 ├── Authenticated: ✅ 523 files visible ← ALL USERS' FILES!
 └── Status: 🔴 P1 - Auth users see all documents

 Bucket: user-uploads
 ├── Anonymous: ❌ 0 files
 ├── Authenticated: 3 files (own files only)
 └── Status: ✅ RLS working correctly

 ─────────────────────────────────────────────────────────
 Summary
 ─────────────────────────────────────────────────────────

 New Findings (Auth-only):
 ├── 🔴 P0: users table - all users visible to any auth user
 ├── 🔴 P0: profiles table - cross-user access
 ├── 🔴 P0: IDOR in orders - can access any user's orders
 ├── 🔴 P0: Privilege escalation in admin-panel
 └── 🟠 P1: documents bucket - all files visible to auth users

 Comparison:
 ├── Issues found (Anonymous): 3
 ├── Issues found (Authenticated): 8 ← 5 NEW ISSUES!
 └── Auth-only vulnerabilities: 5

 Recommendation:
 These issues were NOT visible in anonymous testing!
 Always test with authenticated users.

 ─────────────────────────────────────────────────────────
 Cleanup
 ─────────────────────────────────────────────────────────

 ⚠️  Test user still exists in database.

 Do you want to delete the test user?
 Email: pentest-a7b3c9d2@security-audit.local

 [This requires service_role key or manual deletion]

═══════════════════════════════════════════════════════════

Context Output

{
  "authenticated_audit": {
    "timestamp": "2025-01-31T12:00:00Z",
    "test_user": {
      "email": "pentest-a7b3c9d2@security-audit.local",
      "user_id": "550e8400-e29b-41d4-a716-446655440099",
      "created_at": "2025-01-31T12:00:00Z",
      "deleted": false
    },
    "comparison": {
      "tables": {
        "users": {
          "anon_access": 0,
          "auth_access": 1247,
          "expected_auth_access": "own_row_only",
          "severity": "P0",
          "finding": "All users visible to any authenticated user"
        },
        "orders": {
          "anon_access": 0,
          "auth_access": 1,
          "expected_auth_access": "own_rows_only",
          "severity": null,
          "finding": "RLS working correctly"
        }
      },
      "idor_tests": [
        {
          "test": "access_other_user_orders",
          "vulnerable": true,
          "severity": "P0",
          "proof": "curl command..."
        }
      ],
      "privilege_escalation": [
        {
          "endpoint": "/functions/v1/admin-panel",
          "vulnerable": true,
          "severity": "P0"
        }
      ]
    },
    "summary": {
      "anon_issues": 3,
      "auth_issues": 8,
      "auth_only_issues": 5
    }
  }
}

RLS Policy Examples

Correct: Users see only their own data

-- This RLS policy is correct
CREATE POLICY "Users see own data"
  ON users FOR SELECT
  USING (auth.uid() = id);

-- Result:
-- Anonymous: 0 rows
-- Authenticated: 1 row (own data)

Incorrect: All authenticated users see everything

-- This RLS policy is WRONG
CREATE POLICY "Authenticated users see all"
  ON users FOR SELECT
  USING (auth.role() = 'authenticated');  -- ❌ Too permissive!

-- Result:
-- Anonymous: 0 rows
-- Authenticated: ALL rows ← VULNERABILITY!

Correct fix:

-- Fix: Add user ownership check
CREATE POLICY "Users see own data"
  ON users FOR SELECT
  USING (auth.uid() = id);  -- ✅ Only own row

Cleanup Options

Option 1: Manual deletion (Dashboard)

Supabase Dashboard → Authentication → Users → Find test user → Delete

Option 2: Via service_role key (if available)

curl -X DELETE "$SUPABASE_URL/auth/v1/admin/users/[USER_ID]" \
  -H "apikey: $SERVICE_ROLE_KEY" \
  -H "Authorization: Bearer $SERVICE_ROLE_KEY"

Option 3: Leave for later

The test user uses a non-functional email domain (security-audit.local) and cannot be used maliciously.

MANDATORY: Evidence Collection

📁 Evidence Directory: .sb-pentest-evidence/05-auth-audit/authenticated-tests/

Evidence Files to Create

File	Content
`test-user-created.json`	Test user details (password saved securely)
`anon-vs-auth-comparison.json`	Side-by-side comparison
`idor-tests/[table].json`	IDOR test results
`privilege-escalation.json`	Privilege escalation tests

Evidence Format

{
  "evidence_id": "AUTH-TEST-001",
  "timestamp": "2025-01-31T12:00:00Z",
  "category": "auth-audit",
  "type": "authenticated_testing",

  "test_user": {
    "email": "pentest-a7b3c9d2@security-audit.local",
    "user_id": "550e8400-...",
    "password": "[STORED SECURELY - DO NOT COMMIT]"
  },

  "comparison_test": {
    "table": "users",
    "anonymous": {
      "curl_command": "curl '$URL/rest/v1/users' -H 'apikey: $ANON_KEY'",
      "response_status": 200,
      "rows_returned": 0
    },
    "authenticated": {
      "curl_command": "curl '$URL/rest/v1/users' -H 'apikey: $ANON_KEY' -H 'Authorization: Bearer $JWT'",
      "response_status": 200,
      "rows_returned": 1247
    },
    "finding": {
      "severity": "P0",
      "issue": "All users visible to any authenticated user",
      "expected": "Only own row should be visible",
      "impact": "Full user enumeration for any authenticated user"
    }
  }
}

Add to curl-commands.sh

# === AUTHENTICATED TESTING ===
# NOTE: Replace [JWT] with test user's JWT

# Compare anonymous vs authenticated access
curl -s "$SUPABASE_URL/rest/v1/users?select=*&limit=5" -H "apikey: $ANON_KEY"
curl -s "$SUPABASE_URL/rest/v1/users?select=*&limit=5" -H "apikey: $ANON_KEY" -H "Authorization: Bearer [JWT]"

# IDOR test - access other user's data
curl -s "$SUPABASE_URL/rest/v1/orders?user_id=eq.[OTHER_USER_ID]" \
  -H "apikey: $ANON_KEY" \
  -H "Authorization: Bearer [JWT]"

# Cross-user profile access
curl -s "$SUPABASE_URL/rest/v1/profiles?id=neq.[TEST_USER_ID]" \
  -H "apikey: $ANON_KEY" \
  -H "Authorization: Bearer [JWT]"

MANDATORY: Progressive Context File Updates

⚠️ This skill MUST update tracking files PROGRESSIVELY during execution, NOT just at the end.

Critical Rule: Write As You Go

DO NOT batch all writes at the end. Instead:

Before user creation → Log consent and action to .sb-pentest-audit.log
After user created → Immediately save user details to context and evidence
After each comparison test → Update .sb-pentest-context.json with results
After each IDOR test → Save evidence immediately

This ensures that if the skill is interrupted, crashes, or times out, all findings up to that point are preserved.

Required Actions (Progressive)

Log user creation:

[TIMESTAMP] [supabase-audit-authenticated] [CONSENT] User authorized test user creation [TIMESTAMP] [supabase-audit-authenticated] [CREATED] Test user pentest-xxx@security-audit.local
Save test user to context immediately:

{ "authenticated_audit": { "test_user": { "email": "...", "user_id": "...", "created_at": "..." } } }
Log each finding as discovered:

[TIMESTAMP] [supabase-audit-authenticated] [FINDING] P0: IDOR in orders table

FAILURE TO UPDATE CONTEXT FILES PROGRESSIVELY IS NOT ACCEPTABLE.

Related Skills

supabase-audit-auth-signup — Test if signup is open first
supabase-audit-tables-read — Compare with anonymous results
supabase-audit-rls — Deep dive into RLS policies
supabase-audit-functions — Test function access with auth
supabase-report — Include auth-only findings in report

Weekly Installs

Repository

yoanbernabeu/su…t-skills

GitHub Stars

First Seen

Jan 31, 2026

Security Audits

Gen Agent Trust HubPass SocketPass SnykFail

Installed on

claude-code74

codex68

opencode67

gemini-cli63

github-copilot59

cursor59

Supabase Postgres 最佳实践指南 - 8大类别性能优化规则与SQL示例

78,800 周安装