I built the same security auditor 5 times this week — once each for Supabase, PocketBase, Appwrite, Hasura/Nhost, and Firebase. Here is what I learned.

DEV Community·Perufitlife·24 days ago

Five days ago I shipped a Supabase security auditor. Today I shipped the fifth in the family — Firebase. Same pattern, five different backends. Here's the timeline, the patterns I keep seeing, and what's actually different about each one.

The rough timeline

May 5 — Supabase auditor (the original). Detects RLS-disabled tables, public buckets, exposed SECURITY DEFINER functions.

May 9 morning — PocketBase. Detects empty API rules, the @request.auth.id != "" trap, true literals.

May 9 mid-morning — Appwrite. Detects any and users role grants, document security misconfig.

May 9 late morning — Hasura/Nhost. Detects anonymous role with open SELECT, user role missing row filter, public introspection.

May 9 afternoon — Firebase. Detects the infamous match /{document=**} { if true; }, expired test-mode rules, auth-without-ownership.

Each one is its own repo + npm package + MCP server + Apify actor. Pure Node.js, zero deps, MIT.…
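Added example, not the author's auditor code: a minimal pure-Node.js check for the three Firebase patterns listed above (catch-all `if true`, test-mode date rules, auth without ownership). It assumes the rules arrive as a firestore.rules source string; the sample ruleset is constructed here.

```javascript
'use strict';

// Catch-all match block whose allow statement is unconditionally true.
const CATCH_ALL_TRUE =
  /match\s+\/\{\w+=\*\*\}\s*\{[^}]*allow[^;]*:\s*if\s+true\s*;/;
// Firebase test-mode template: open to everyone until a hard-coded date,
// after which request.time < date is false and every request is denied.
const TEST_MODE =
  /allow[^;]*:\s*if\s+request\.time\s*<\s*timestamp\.date\((\d+),\s*(\d+),\s*(\d+)\)/g;
// "Any signed-in user" with no ownership check against request.auth.uid.
const AUTH_ONLY = /allow[^;]*:\s*if\s+request\.auth\s*!=\s*null\s*;/g;

// Returns findings for a firestore.rules source string; `now` is injectable
// so test-mode expiry can be evaluated deterministically.
function auditFirestoreRules(rulesText, now = new Date()) {
  const findings = [];
  if (CATCH_ALL_TRUE.test(rulesText)) {
    findings.push({ id: 'catch-all-if-true', severity: 'critical',
      detail: 'match /{document=**} allows read/write for everyone' });
  }
  for (const m of rulesText.matchAll(TEST_MODE)) {
    const [y, mo, d] = m.slice(1).map(Number);
    const expires = new Date(Date.UTC(y, mo - 1, d)); // rules month is 1-based
    const expired = now >= expires;
    findings.push({
      id: expired ? 'test-mode-expired' : 'test-mode-open',
      severity: expired ? 'high' : 'critical',
      detail: (expired ? 'test-mode rule expired on ' : 'open to everyone until ') +
        expires.toISOString().slice(0, 10),
    });
  }
  for (const hit of rulesText.match(AUTH_ONLY) || []) {
    findings.push({ id: 'auth-without-ownership', severity: 'high',
      detail: `any signed-in user matches "${hit.trim()}"; no request.auth.uid check` });
  }
  return findings;
}

// Constructed sample ruleset exhibiting all three patterns.
const SAMPLE_RULES = `rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} { allow read, write: if true; }
    match /drafts/{id} { allow read, write: if request.time < timestamp.date(2024, 6, 1); }
    match /profiles/{uid} { allow read, write: if request.auth != null; }
  }
}`;

console.log(auditFirestoreRules(SAMPLE_RULES, new Date('2025-01-01T00:00:00Z')));
```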
