How do I check my Supabase RLS policies for security holes?

AuditYourApp performs an automated deep-scan of your Postgres schema. It simulates attacker behavior to identify tables with missing Row Level Security (RLS) policies, permissive "true" policies, and unauthenticated public access risks.

Is AuditYourApp safe to run on a production database?

Yes. The scanner operates in a read-only context for 95% of checks. For write-access verification, it uses transaction rollbacks to ensure no dummy data is left behind.

Does it provide code to fix the security issues?

Yes. Unlike standard scanners that only report errors, AuditYourApp generates the exact SQL snippets and Policy definitions needed to patch vulnerabilities and secure your Supabase project.

What is the difference between the Single Snapshot and Continuous Guard?

The Single Snapshot ($49) is a one-time audit perfect for pre-launch verification. Continuous Guard ($29/mo) runs weekly scans to detect security regressions, ensuring new code pushes do not accidentally expose private data.

Does it offer manual expert review??

Yes, AuditYourApp offers an Expert Architecture Review ($499) which includes manual logic analysis by a human security engineer.

Authentication vs Authorization: A 2026 Developer's Guide

You're probably in the middle of building something that already has “auth” checked off the list.

Users can sign in. Sessions persist. Tokens are issued. The dashboard loads. From the product side, it feels finished.

From the security side, that's usually where the significant work starts. Teams routinely ship a solid login flow and still leave customer records readable, admin actions callable, or backend functions exposed because they treated authentication and authorization as the same control. In Supabase and Firebase, that mistake doesn't stay theoretical for long. It turns into permissive RLS, weak Firestore rules, token trust without policy checks, and client code that assumes hidden UI equals denied access.

Who Are You vs What Can You Do

A common app flow looks fine on the surface. A user signs in, gets redirected to their workspace, and the frontend starts fetching data. Developers often call that entire process “auth”, but two separate decisions are happening.

Authentication answers who are you? It verifies identity. That might happen with an email and password, a magic link, biometrics, or a third-party identity provider.

Authorization answers what can you do? It decides whether that authenticated identity can read a row, call a function, open an admin screen, update a record, or export data.

If you blur those together, you get dangerous assumptions:

Signed in does not mean trusted.
A valid token does not mean broad access.
A hidden button does not mean a blocked action.

That distinction matters technically, and it matters legally. In the UK, the Data Protection Act 2018 and the UK GDPR made access governance a clear legal and technical obligation when they came into force on 25 May 2018, requiring organisations to secure personal data and limit access based on necessity, as noted in this UK-focused explanation of authentication vs authorization.

Where teams usually go wrong

The most common development error isn't failing to add login. It's stopping at login.

A team wires up Supabase Auth or Firebase Authentication, sees a user object in the client, and then lets that identity flow straight into data access with weak policy checks. That's how you end up with “any authenticated user can read all invoices” or “any signed-in user can call an admin RPC”.

Practical rule: authentication should establish identity, then a separate layer should enforce least-privilege access for every resource and action.

If your app uses roles, permissions, or ownership checks, you're already in authorization territory. If you need a refresher on organising those controls, this guide to role-based access control is a useful baseline.

The short version is simple. Authentication gets the user into the system. Authorization keeps them in the right lane.

A Detailed Comparison of Core Concepts

The cleanest way to understand authentication vs authorization is to compare them across the places where developers implement them: login flows, middleware, tokens, database rules, and API handlers.

| Criterion | Authentication (AuthN) | Authorization (AuthZ) | |---|---|---| | Goal | Verify identity | Enforce permissions | | Core question | Are you really this user? | Are you allowed to do this action? | | Process | Validate credentials or proof of identity | Evaluate roles, ownership, attributes, and policy rules | | Primary actor | User, service, or device claiming an identity | Policy engine, middleware, database rules, or API checks | | Typical input | Password, OTP, session, token, biometric, magic link | Role, claim, team membership, record ownership, request context | | Typical output | Authenticated session or token | Allow, deny, or limited scope of access | | Failure mode | Account takeover, session abuse, spoofed identity | Privilege escalation, IDOR, overbroad data exposure | | Where it often lives | Identity provider, auth service, sign-in endpoints | Backend code, database policies, Firestore rules, edge functions |

A comparison chart showing the differences between authentication and authorization in cybersecurity, detailing purposes, questions, and processes.

Goal and process

Authentication is a proof step. The system checks something the user presents and decides whether the identity claim is valid. In modern stacks, that usually ends with a session cookie or JWT.

Authorization is a policy step. The system takes that identity and checks whether the request should be allowed. That check might happen in several layers at once: route middleware, database policy, storage rule, or function guard.

What works well is keeping those concerns separate in code. A route handler should not “trust the token” and skip policy logic. A frontend component should not assume that because the user is signed in, the backend will automatically scope results correctly.

Actors and data flow

Authentication focuses on the subject making the claim. Authorization focuses on the relationship between that subject and a resource.

That resource might be:

A database row owned by one user
A document shared with a team
An admin endpoint limited to operators
A billing action restricted to account owners

In practice, that means your login code and your access-control code should rarely be identical or even adjacent.

A useful way to think about it is operationally. Teams often track auth reliability as a distinct IAM concern. CloudEagle notes that authentication success rate is a core operational metric alongside provisioning time and compliance rate in its IAM metrics framework, which is why it makes sense to treat sign-in reliability separately from access enforcement in daily engineering work, as described in these IAM key metrics.

Where developers misread the boundary

The boundary gets blurry in frontend-heavy apps because the user experience compresses both steps into one moment. The user clicks “Log in”, then sees or doesn't see features. But the server, database, and rules engine still need separate logic.

That's especially true when teams build fast and rely on generated code, AI output, or copied snippets. Even the vocabulary around bug reports and product QA can get muddy, so a glossary of web app feedback terms helps when teams need shared language between engineering, design, and review.

For Firebase teams, the easiest place to see this distinction fail is in client auth that's implemented correctly while Firestore rules remain overly broad. This breakdown of Firebase authentication security covers that failure pattern in more depth.

Authentication proves identity once. Authorization should keep proving permission, request by request.

Real World Examples in Modern Stacks

Theory becomes useful when you map it to the exact tools you already run.

A professional developer writing authentication code for a Supabase application at a clean, modern workspace desk.

Supabase example

In Supabase, authentication usually starts with a sign-in call like this:

const { data, error } = await supabase.auth.signInWithPassword({
  email,
  password,
})

That code answers one question only. Is this user who they claim to be?

It does not answer whether that user can read every row in projects, update another user's profile, or execute a sensitive Postgres function. That part belongs to authorization, usually through Row Level Security.

A basic ownership policy looks like this:

create policy "Users can read their own profile"
on profiles
for select
using (auth.uid() = user_id);

That's the line many teams skip. They assume a valid Supabase session means the database will somehow infer ownership. It won't. Without explicit policy, the app can expose far more than intended.

Firebase example

Firebase has the same split, just in different places.

Authentication might look like this:

await signInWithEmailAndPassword(auth, email, password)

Again, that proves identity. It doesn't define access.

Authorization lives in Firestore Security Rules or Realtime Database rules. A common ownership rule in Firestore looks like this:

match /users/{userId} {
  allow read, write: if request.auth != null && request.auth.uid == userId;
}

If a team stops at Firebase Authentication and leaves document rules broad, any authenticated user may be able to read or overwrite records they should never touch. The client app may still look fine because the UI only fetches expected paths, but an attacker doesn't use your UI as designed.

Mobile app and API flow

Mobile teams often run into a third version of the same mistake.

The app signs in through an identity provider, receives a JWT, and sends that token in an API request:

Authorization: Bearer <token>

At that point, authentication has happened. The backend has enough information to know who sent the request.

Authorization starts when the API asks questions like:

Does this user own this resource?
Are they in the right tenant or workspace?
Do they hold the required role for this action?
Is this endpoint limited to internal operators?

If the backend only validates the token signature and expiry, then returns data based on user-supplied IDs, the system is authenticated but not properly authorized.

A JWT is not permission by itself. It is identity material that your backend must interpret through policy.

What good implementations have in common

Across Supabase, Firebase, and custom APIs, secure implementations share a few habits:

Ownership is enforced server-side. The client can suggest resource IDs. It must not decide access.
Policies are close to the data. RLS and Firestore rules reduce the chance that one missed API check exposes everything.
Sensitive functions have explicit guards. RPCs, callable functions, and admin routes should check role and context every time.
Frontend visibility is treated as UX, not security. Hiding an admin button helps usability. It does not protect the endpoint.

If you're reviewing an existing app, an access control review is often the fastest way to find whether those checks exist where they need to.

Common Bugs and How Attackers Exploit Them

Most damaging auth bugs aren't exotic. They come from ordinary shortcuts, defaults, and assumptions that survived release pressure.

An infographic listing five common cybersecurity vulnerabilities including broken authentication, broken authorization, and sensitive data exposure.

The reason this matters isn't abstract. The UK Cyber Security Breaches Survey 2024 found that 50% of businesses reported a cyber breach or attack in the previous 12 months, and phishing affected 84% of businesses that identified a breach, which is why limiting what a compromised account can do matters as much as protecting the login itself, as noted in this summary of authentication vs authorization and breach risk.

Broken authorization in database policies

This is the Supabase failure pattern I see most often. RLS is enabled, but the policy says “authenticated users can select” without checking ownership, tenancy, or role.

That sounds safer than public access, but it often means any signed-in user can read all rows in a table.

Risk: one valid low-privilege account can become a data-exfiltration tool if row ownership or tenant scoping is missing.

The same class of bug appears in Firebase when rules allow reads or writes for any authenticated user instead of the right authenticated user.

Public or weakly protected functions

RPCs, edge functions, and serverless handlers are another weak spot. Teams protect the app screens, then leave the underlying function callable with a session or, worse, no meaningful check at all.

Typical examples include:

Admin maintenance functions exposed to any signed-in user
Bulk export endpoints that trust a client-supplied account ID
Callable functions that verify login but never verify role

The attacker path is simple. Open DevTools, inspect requests, and call the function directly.

Client-side only access control

A hidden menu item isn't authorization. Neither is disabling a button for non-admin users.

When the backend doesn't re-check access, the client becomes the only gate. That's easy to bypass with a crafted request, modified mobile traffic, or a replayed API call.

If a user can change a request parameter and reach another customer's record, the problem isn't the UI. It's missing object-level authorization.

Leaked keys and hardcoded secrets

Not every auth bug starts with a login form. Frontend bundles and shipped mobile apps often expose API keys, service endpoints, and secret-like values that were never meant to leave the server.

Sometimes the key is harmless because it's designed for public use with strict downstream rules. Sometimes it makes a broader surface accessible because the team assumed obscurity was enough.

Insecure defaults and copied snippets

Generated code speeds teams up, but it also spreads weak assumptions. A copied rule, a tutorial policy, or an AI-generated middleware check can leave a production system with broad access and no auditability.

The bug is usually one of these:

Overbroad default role
Missing ownership check
Trust in client-supplied IDs
No logging around sensitive decisions

Attackers don't need a novel exploit for any of this. They need one account, one leaked credential, or one route you forgot to defend.

Testing and Mitigation Best Practices

The fix isn't “add more auth”. The fix is to build distinct controls for identity and permission, then test both like they can fail independently.

Start with least privilege

For authorization, broad allow rules are where trouble starts. Build policies from the narrowest legitimate use case outward.

In Supabase, that usually means writing RLS around ownership, team membership, or a small set of trusted roles. In Firebase, it means rules that bind access to request.auth.uid, document relationships, or verified claims instead of generic authenticated access.

A practical pattern is:

Use roles for broad access categories. Admin, editor, viewer.
Use attributes for exceptions and finer constraints. Tenant, project, region, resource owner.
Deny by default. Add explicit allow paths only where needed.

That matches the guidance from Harness, which recommends treating authentication and authorization as separate layers, using roles first and attributes where needed, then centralising decision logic with strong logging and audit trails in its guide to authentication vs authorization.

Secure the function layer

Database rules help, but they won't save a function that bypasses them or runs with high privileges without guardrails.

Review every RPC, serverless endpoint, and admin handler for:

Identity check. Is the caller authenticated?
Role check. Is the caller permitted to use this function?
Scope check. Does the function constrain records to the caller's legitimate data?
Audit trail. Will you know who called it and what happened?

If your function accepts a userId, orgId, or similar identifier from the client, that value should be treated as untrusted until the server verifies the caller is allowed to act on it.

Test like an attacker would

Manual review still matters. Try requests as an unauthenticated user, a basic user, and a user from the wrong tenant. Change identifiers. Call hidden routes directly. Fetch records your UI never links to.

Good auth testing includes negative cases:

Signed in but wrong role
Signed in but wrong tenant
Signed in but wrong object owner
No session at all
Expired or malformed token

Engineering habit: every permission rule should have a test that proves access is denied, not just a test that proves the happy path works.

This is especially important for fast-moving teams and solo builders shipping AI-assisted code. If that's your setup, this piece on auditing AI code for solo founders is a useful companion because it focuses on the security gaps generated code tends to leave behind.

Centralise decisions where possible

Scattered checks rot quickly. One route uses middleware, another trusts the client, a third relies on a helper nobody remembers to call.

Centralised policy logic, consistent logging, and reviewable rules make mistakes easier to catch. That's true whether your enforcement point is Postgres RLS, Firestore rules, API middleware, or a dedicated policy layer.

How AuditYourApp Automates Security Assurance

Manual review catches a lot, but modern stacks create too many places for auth mistakes to hide. Supabase projects can leak through permissive RLS or exposed RPCs. Firebase apps can ship with broad rules that look fine in the UI. Mobile apps can expose hardcoded keys and backend assumptions through the packaged client.

Screenshot from https://audityour.app

AuditYour.App is built around those exact failure modes. Instead of stopping at static checks, it scans for exposed Row Level Security rules, public or weakly protected RPCs, leaked API keys, and hardcoded secrets in frontend bundles and mobile apps. That matters because many auth failures only become obvious when a tool follows the same path an attacker would.

One capability that stands out is RLS logic fuzzing. That goes beyond flagging a suspicious policy and tries to prove whether read or write leakage is verifiably possible. For teams working with Supabase, that's much closer to the core question: not “does this policy look odd?” but “can another user see or change data they shouldn't?”

The output is practical. Findings include concrete explanations and remediation guidance, which is what teams need when they're cleaning up a production project rather than writing a textbook-perfect auth model from scratch.

The result is faster assurance for the places where authentication vs authorization mistakes usually slip through. Database policy, function exposure, and client-side secret handling.

Adopting a Continuous Security Mindset

Authentication and authorization aren't features you finish once. They change every time you add a new route, a new role, a new function, a new collection, or a new mobile release.

That's why strong teams treat access control like test coverage. It has to survive refactors, copied code, generated code, and product changes. If you're evaluating identity building blocks, looking at an open-source authentication option can help you separate identity infrastructure from the permission model you still need to enforce yourself.

The durable habit is continuous review. Check policies when schemas change. Re-test functions when roles evolve. Scan shipped clients for leaked secrets. Verify that hidden UI still maps to blocked server actions.

Secure apps don't come from a perfect login screen. They come from repeated proof that the right user gets the right access, and nobody gets more.

If you want a fast way to check whether your Supabase, Firebase, or mobile app has exactly these auth and access-control mistakes, AuditYour.App can scan for exposed RLS, public RPCs, leaked keys, and hardcoded secrets without setup, so you can catch the bug before a user or attacker does.