registry  /  @jskit-ai/auth-provider-supabase-core  /  0.1.100

@jskit-ai/auth-provider-supabase-core@0.1.100

AI Security Review

scanned 10d ago · by lpm-firewall-ai

No confirmed malicious attack surface. Runtime behavior is a Supabase auth provider that uses configured Supabase endpoints, cookies, JWT verification, OAuth, OTP, and password flows.

Static reason
One or more suspicious static signals were detected.
Trigger
Application explicitly registers/imports the Supabase auth provider or invokes its auth service methods.
Impact
Expected auth network calls and cookie/session management; no exfiltration or install-time mutation identified.
Mechanism
Package-aligned Supabase authentication integration
Rationale
Static source inspection found package-aligned Supabase auth functionality and descriptor-declared app config mutations, but no npm lifecycle execution, stealth persistence, broad agent control mutation, credential exfiltration, or remote payload execution. Scanner hits are explained by normal env-based auth configuration, Supabase network calls, and password/error handling.
Evidence
package.jsonpackage.descriptor.mjssrc/server/providers/AuthSupabaseServiceProvider.jssrc/server/lib/service.jssrc/server/lib/authErrorMappers.jssrc/server/lib/devAuthBootstrap.jssrc/server/lib/supabaseClientOptions.js.envconfig/server.js
Network endpoints1
${AUTH_SUPABASE_URL}/auth/v1/.well-known/jwks.json

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall hooks; only test script and explicit exports.
    • src/server/providers/AuthSupabaseServiceProvider.js reads env to configure Supabase auth and rejects non-supabase AUTH_PROVIDER.
    • src/server/lib/service.js creates @supabase/supabase-js clients with configured URL/key and uses jose JWKS verification for Supabase auth.
    • src/server/lib/authErrorMappers.js only maps/sanitizes auth errors; scanner secret-pattern appears to be password/error text handling.
    • src/server/lib/devAuthBootstrap.js dev bypass requires explicit env enablement, non-production, localhost request, and secret.
    • No child_process, eval/Function, filesystem writes, credential harvesting, or AI-agent control-surface mutation found in runtime source.
    Behavioral surface
    Source
    CryptoEnvironmentVarsWebSocket
    Supply chain
    HighEntropyStringsUrlStrings
    Manifest
    NoLicense
    scanned 25 file(s), 129 KB of source, external domains: your-project.supabase.co

    Source & flagged code

    4 flagged · loading source
    src/server/lib/authErrorMappers.jsView file
    147patternName = generic_password severity = medium line = 147 matchedText = password...rd."
    Medium
    Secret Pattern

    Package contains a possible secret pattern.

    src/server/lib/authErrorMappers.jsView on unpkg · L147
    152patternName = generic_password severity = medium line = 152 matchedText = password...ue."
    Medium
    Secret Pattern

    Hardcoded password in src/server/lib/authErrorMappers.js

    src/server/lib/authErrorMappers.jsView on unpkg · L152
    test/auth.provider.supabase.test.jsView file
    234patternName = generic_password severity = medium line = 234 matchedText = assert.d... });
    Medium
    Secret Pattern

    Hardcoded password in test/auth.provider.supabase.test.js

    test/auth.provider.supabase.test.jsView on unpkg · L234
    311patternName = generic_password severity = medium line = 311 matchedText = password...lue"
    Medium
    Secret Pattern

    Hardcoded password in test/auth.provider.supabase.test.js

    test/auth.provider.supabase.test.jsView on unpkg · L311

    Findings

    5 Medium4 Low
    MediumSecret Patternsrc/server/lib/authErrorMappers.js
    MediumEnvironment Vars
    MediumSecret Patterntest/auth.provider.supabase.test.js
    MediumSecret Patterntest/auth.provider.supabase.test.js
    MediumSecret Patternsrc/server/lib/authErrorMappers.js
    LowScripts Present
    LowHigh Entropy Strings
    LowUrl Strings
    LowNo License