TreRB/baas-audit
valtik-baas-audit

Detect managed Backend-as-a-Service (BaaS) platforms on a live website and flag common platform-specific misconfigurations — read-only, from the client-side bundle alone. No authenticated access required, no exploit traffic sent.

Supported platforms:

  • Supabase — service_role JWT leak, Postgres DSN leak, storage RLS hints
  • Convex — deploy key leak, env var hygiene
  • Clerk — sk_live_ secret key leak, unsafe_metadata RBAC misuse
  • Firebase — legacy RTDB exposure, anonymous auth + Firestore rule hints, apiKey lockdown
  • Auth0 — AUTH0_CLIENT_SECRET leak, postMessage handler on custom login, tenant metadata
  • Appwrite — server API key leak, open collection permissions
  • Hasura — x-hasura-admin-secret leak, client-set role header bypass
  • PocketBase — admin UI exposure, open collection API rules

Install / run

Requires Node 20+.

# One-off
npx valtik-baas-audit https://target.com

# Install globally
npm install -g valtik-baas-audit
baas-audit https://target.com

Usage

Usage: valtik-baas-audit <url> [options]

Arguments:
  url                 Target website URL (e.g., https://example.com)

Options:
  --json              Machine-readable output
  --platforms <list>  Comma-separated subset to check
                      (supabase, convex, clerk, firebase, auth0,
                       appwrite, hasura, pocketbase)
  --depth <n>         How many JS bundles to fetch (default: 3)
  --timeout <s>       HTTP timeout in seconds (default: 10)
  --fail-on <level>   Exit non-zero on >= (low|medium|high|critical)
  --user-agent <ua>   Custom UA (default: valtik-baas-audit/<version>)
  --output <file>     Write full JSON report to this path
  --no-save           Do not write a default ./baas-audit-*.json file
  --verbose           Print every platform checked, even if absent
  --help              Show help

Example

$ npx valtik-baas-audit https://target.example

BaaS AUDIT  target: https://target.example

  Detected Platforms (2):
    ● Supabase   https://abcdef123456.supabase.co
    ● Clerk      pk_live_ZXhhbXBsZWtl... (publishable key)

  Findings (3):

    [ CRITICAL ]  Supabase service_role JWT exposed in client bundle
      Found in: https://target.example/_next/static/chunks/page-abc.js
      Evidence: role=service_role; ref=abcdef123456 — eyJhbGciOiJIUzI1NiIs...
      Fix:      Rotate this key in Supabase dashboard immediately. Move
                the service_role key to server-only env vars. Never ship
                it to the browser — it bypasses all Row Level Security.
      Ref:      https://valtikstudios.com/blog/supabase-rls-bypass

    [HIGH]  Clerk unsafe_metadata appears to gate authorization
      Found in: https://target.example/_next/static/chunks/auth-xyz.js
      Evidence: user.unsafeMetadata.role === "admin"
      Fix:      unsafe_metadata is writable by the signed-in user from
                the browser. Never read role/plan/isAdmin from it.
      Ref:      https://valtikstudios.com/blog/clerk-unsafe-metadata

  Summary:  1 CRITICAL  1 HIGH
  Exit: 0

In JSON mode (--json), the structured payload is printed to stdout:

{
  "tool": "valtik-baas-audit",
  "version": "0.1.0",
  "target": "https://target.example",
  "timestamp": "2026-04-18T22:15:00.000Z",
  "platforms": [
    {
      "id": "supabase",
      "name": "Supabase",
      "detected": true,
      "signals": ["supabase.co URL (1 project ref(s))", "@supabase/* library import"],
      "instances": [{ "id": "abcdef123456", "label": "https://abcdef123456.supabase.co" }],
      "findings": [ /* ... */ ]
    }
  ],
  "summary": {
    "detectedPlatforms": ["supabase", "clerk"],
    "totalFindings": 3,
    "bySeverity": { "critical": 1, "high": 1, "medium": 0, "low": 0, "info": 1 }
  },
  "errors": []
}

What it does (and does not) do

Does

  • GET the target URL once, extract inline scripts and <script src>
  • Fetch up to --depth same-origin JS bundles with a 1 req/sec courtesy delay
  • Pattern-match the combined corpus against 8 platform signatures
  • Decode any JWTs it finds to check the role claim (Supabase)
  • Flag misconfigurations that are visible client-side only

Does not

  • Submit any authentication attempts
  • Hit administrative endpoints or attempt any exploit payload
  • Scrape beyond the landing page's own script assets
  • Touch cross-origin 3rd-party JS (e.g. CDN scripts hosted off your domain)

This is a detection tool. A clean run does not mean your BaaS deployment is secure — only that nothing obvious is leaking at the HTML/JS layer. Row Level Security policies, admin endpoints, webhook signing, and actual authorization logic require deeper testing.

Want a real audit?

valtik-baas-audit is the free 10% — pattern matching against public assets. Valtik Studios performs full authenticated audits of managed BaaS deployments (Supabase RLS review, Clerk org/role audit, Convex function chain review, Firebase rules + IAM, Hasura permission review, webhook signing verification, token lifecycle abuse).

Hire us: valtikstudios.com

Development

git clone https://github.com/TreRB/baas-audit
cd baas-audit
npm install
npm test
node src/cli.js --help

Tests use Node's built-in node:test runner against synthetic bundles in test/fixtures/. No network calls during tests.

Adding a new platform

  1. Drop a new file in src/detect/, exporting a detect(collected) function that returns { id, name, detected, signals, findings, instances }.
  2. Add it to src/detect/index.js DETECTORS.
  3. Add a fixture bundle and tests.
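A detector written to the contract above, which also shows the JWT role-claim check listed under "Does". This is an added example, not the project's own src/detect/ code; it assumes collected.scripts is an array of { url, body } objects (page HTML plus each fetched bundle), and the token in the sample is a constructed, unsigned fake.

```javascript
// Added example (not the project's own code): a Supabase detector in the
// detect(collected) shape the README describes. Assumed input: collected.scripts
// is an array of { url, body } for the page HTML and each fetched JS bundle.
const PROJECT_REF = /https:\/\/([a-z0-9]+)\.supabase\.co/g;
const JWT = /eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;

// Read the payload (2nd segment) without verifying the signature: we only
// inspect claims for reporting, never trust them. Returns null if malformed.
function decodeJwtPayload(token) {
  try {
    return JSON.parse(Buffer.from(token.split('.')[1], 'base64url').toString('utf8'));
  } catch { return null; }
}

function detect(collected) {
  const signals = new Set();
  const instances = new Map();
  const findings = [];
  for (const { url, body } of collected.scripts) {
    for (const m of body.matchAll(PROJECT_REF)) instances.set(m[1], { id: m[1], label: m[0] });
    if (/@supabase\//.test(body)) signals.add('@supabase/* library import');
    for (const [token] of body.matchAll(JWT)) {
      const claims = decodeJwtPayload(token);
      if (!claims || !claims.ref) continue; // not a Supabase-issued key
      if (claims.role === 'service_role') {
        findings.push({
          severity: 'critical',
          title: 'Supabase service_role JWT exposed in client bundle',
          foundIn: url,
          evidence: `role=${claims.role}; ref=${claims.ref} ${token.slice(0, 24)}...`,
          fix: 'Rotate the key and move it to server-only env vars; it bypasses Row Level Security.',
        });
      } else if (claims.role === 'anon') {
        signals.add('anon key present'); // expected in a browser bundle, not a finding
      }
    }
  }
  if (instances.size) signals.add(`supabase.co URL (${instances.size} project ref(s))`);
  return { id: 'supabase', name: 'Supabase', detected: instances.size > 0 || signals.size > 0,
           signals: [...signals], findings, instances: [...instances.values()] };
}

// Constructed sample: an unsigned fake token (not a real key) so this runs offline.
function fakeJwt(claims) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg: 'HS256', typ: 'JWT' })}.${b64(claims)}.c2lnbmF0dXJl`;
}
const SAMPLE = { scripts: [{ url: 'https://target.example/_next/static/chunks/page-abc.js',
  body: `createClient("https://abcdef123456.supabase.co", "${fakeJwt({ role: 'service_role', ref: 'abcdef123456' })}")` }] };
```

The severity strings match the --fail-on levels, so a fixture under test/fixtures/ can assert on them the same way the CLI does.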

Disclaimer

Run this only against targets you are authorized to test. All traffic is read-only and limited to public pages, but you are still responsible for respecting the target's terms of service and applicable laws.

License

MIT — see LICENSE. Copyright (c) 2026 Valtik Studios LLC.
