Session & Token Safety
Auth Safety · AUTH-16, AUTH-25, AUTH-26 · Priority: P1
Why This Cluster Matters
Sessions that never expire, refresh tokens that can be reused after compromise, and sign-out flows that don't revoke server sessions — these are the gaps that let attackers maintain access long after a password change or account compromise.
AI code generators set up login flows but never configure session lifecycle. The default Supabase access token (a JWT) lasts 1 hour and the client refreshes it automatically, so a stolen session (the refresh token, or the cookie that carries it) grants access indefinitely unless the refresh chain is broken. AI tools don't implement session revocation because "sign out" in their code just clears the local cookie.
Checks in This Cluster
| ID | Check | Priority |
|---|---|---|
| AUTH-16 | Token/session expiration | P1 |
| AUTH-25 | Refresh token reuse detection | P2 |
| AUTH-26 | Sign-out revokes server session | P2 |
AUTH-16: Token/Session Expiration
Supabase access tokens expire after 3600 seconds (1 hour) by default (jwt_expiry in config.toml), but the refresh token keeps minting new access tokens for as long as the session exists. AI tools never set jwt_expiry, a session timebox, or an inactivity timeout ([auth.sessions] timebox and inactivity_timeout in config.toml, or the equivalent dashboard settings). A stolen session therefore persists until the user explicitly signs out, which they won't do if they don't know they're compromised.
What to verify: Session expiration is configured appropriately for the app's risk level: an absolute session lifetime (timebox) and an inactivity timeout are set, not just the access token lifetime. Admin sessions should have shorter timeouts than regular user sessions. Inactive sessions expire automatically instead of being refreshed forever.
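Where the Supabase-side limits cannot be set, or as a second line of defence, the same rules can be enforced in application code. The following is an added example, not code from the page or from Supabase: it applies an absolute lifetime, an inactivity timeout and a tighter admin budget to the claims of an already-verified access token, keyed by the token's session_id claim. The policy values, the in-memory store, the use of app_metadata.role to identify admins, and the unsigned test tokens built by makeToken are all assumptions for the demo.

```javascript
// Added example (not from the page or from Supabase): application-level session lifecycle
// enforcement layered on top of Supabase access tokens. Run it only after the token's
// signature has been verified (e.g. by supabase.auth.getUser()); this code applies policy
// to verified claims and never checks signatures itself.
const POLICY = {
  maxAccessTokenLifetime: 3600,                         // expected jwt_expiry; longer means misconfiguration
  user:  { absolute: 24 * 3600, inactivity: 8 * 3600 }, // assumed budgets for ordinary users
  admin: { absolute: 4 * 3600,  inactivity: 30 * 60 },  // assumed, shorter budgets for admins
};

// Decode a JWT payload. No signature check here: that must already have happened.
function decodeJwtPayload(jwt) {
  return JSON.parse(Buffer.from(jwt.split('.')[1], 'base64url').toString('utf8'));
}

// Evaluate one request. `store` maps the session_id claim to when the session was first and
// last seen; production code keeps this in Redis/Postgres shared across instances, not a Map.
function evaluateSession(jwt, now, store) {
  const claims = decodeJwtPayload(jwt);
  if (typeof claims.exp !== 'number' || claims.exp <= now) {
    return { allow: false, reason: 'expired' };
  }
  if (claims.exp - claims.iat > POLICY.maxAccessTokenLifetime) {
    // jwt_expiry was raised beyond policy: treat as a configuration defect, not a user error
    return { allow: false, reason: 'lifetime' };
  }
  const isAdmin = Boolean(claims.app_metadata && claims.app_metadata.role === 'admin'); // assumed claim
  const budget = isAdmin ? POLICY.admin : POLICY.user;
  const record = store.get(claims.session_id) || { startedAt: now, lastSeen: now };
  if (now - record.startedAt > budget.absolute) {
    store.delete(claims.session_id);
    return { allow: false, reason: 'absolute', revoke: claims.session_id }; // caller revokes the session
  }
  if (now - record.lastSeen > budget.inactivity) {
    store.delete(claims.session_id);
    return { allow: false, reason: 'inactivity', revoke: claims.session_id };
  }
  record.lastSeen = now;
  store.set(claims.session_id, record);
  return { allow: true, reason: 'ok', role: isAdmin ? 'admin' : 'user' };
}

// Constructed, unsigned test tokens (header.payload.placeholder). Never accept these for real.
function makeToken(claims) {
  const header = Buffer.from(JSON.stringify({ alg: 'HS256', typ: 'JWT' })).toString('base64url');
  const payload = Buffer.from(JSON.stringify(claims)).toString('base64url');
  return `${header}.${payload}.unsigned`;
}

// The scenario from the text: hourly refreshes keep the JWT valid, the inactivity rule does not.
function demo() {
  const store = new Map();
  const base = { aud: 'authenticated', role: 'authenticated', sub: 'u1', session_id: 's1' };
  const first = makeToken({ ...base, iat: 1000, exp: 4600 });           // 1 h lifetime
  const refreshed = makeToken({ ...base, iat: 29000, exp: 32600 });     // same session, refreshed later
  const tooLong = makeToken({ ...base, iat: 0, exp: 7 * 24 * 3600 });   // jwt_expiry raised to a week
  return [
    evaluateSession(first, 1000, store).reason,        // 'ok'
    evaluateSession(refreshed, 29801, store).reason,   // 'inactivity': 8 h + 1 s since last seen
    evaluateSession(tooLong, 100, new Map()).reason,   // 'lifetime'
  ];
}

module.exports = { POLICY, decodeJwtPayload, evaluateSession, makeToken, demo };
```

When evaluateSession returns a revoke field, the route handler should end the session on the server (for Supabase, supabase.auth.admin.signOut(jwt)) so the client is forced back through login rather than merely seeing one failed request.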
AUTH-25: Refresh Token Reuse Detection
If an attacker steals a refresh token and uses it first, Supabase issues the attacker a new token pair. Without rotation, the stolen refresh token stays valid, so the legitimate user's next refresh also succeeds and two live sessions now hang off one stolen token. Neither side notices, and both keep refreshing.
Supabase supports refresh token rotation with reuse detection (enable_refresh_token_rotation). When enabled, each refresh token is single-use: presenting an already-used token outside a short grace window (refresh_token_reuse_interval, intended for concurrent refreshes from one client's tabs) invalidates the entire token family, forcing both the attacker and the legitimate user to re-authenticate.
What to verify: Refresh token rotation is enabled. Reuse detection is active, and refresh_token_reuse_interval is kept to a few seconds rather than widened until it defeats detection. Token families are invalidated on reuse outside that window.
AUTH-26: Sign-Out Revokes Server Session
AI tools implement sign-out as supabase.auth.signOut() on the client. In supabase-js v2 the default scope is 'global', which calls the Auth server and revokes the session's refresh tokens; with scope: 'local' only the browser's copy of the session is cleared and the server-side session stays alive. Either way, an access token that was already captured (via XSS, a stolen cookie, or network interception) is a stateless JWT and remains valid until it expires naturally.
What to verify: Sign-out reaches the Auth server rather than only clearing local state: signOut({ scope: 'global' }) revokes all of the user's sessions across devices ('local' alone fails this check). For sensitive apps, also revoke sessions server-side via the admin API (supabase.auth.admin.signOut(jwt)) and keep jwt_expiry short so a revoked session's last access token dies quickly.
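Revoking refresh tokens does not kill an access token that was already issued, so a captured JWT keeps working until exp. The following added example (not from the page or Supabase) closes that window on the application side: the sign-out route records the token's session_id claim in a denylist until that token's exp, and every subsequent request is checked against it after signature verification. The in-memory Map, the unsigned test tokens, and the demo timeline are assumptions; in production the denylist lives in shared storage such as Redis.

```javascript
// Added example (not from the page or Supabase): deny still-unexpired access tokens
// after sign-out, keyed by the JWT's session_id claim. Entries only need to live until exp.

// Decode a JWT payload. Signature verification (e.g. supabase.auth.getUser()) happens before this.
function decodeJwtPayload(jwt) {
  return JSON.parse(Buffer.from(jwt.split('.')[1], 'base64url').toString('utf8'));
}

class SessionDenylist {
  constructor() {
    this.revoked = new Map(); // session_id -> latest exp seen for that session
  }

  // Called from the sign-out route, next to supabase.auth.admin.signOut(jwt) or after the
  // client's signOut({ scope: 'global' }). Keeps the largest exp so a refreshed token is covered too.
  revoke(jwt) {
    const { session_id, exp } = decodeJwtPayload(jwt);
    const current = this.revoked.get(session_id) || 0;
    this.revoked.set(session_id, Math.max(current, exp));
  }

  isRevoked(sessionId, now) {
    const exp = this.revoked.get(sessionId);
    if (exp === undefined) return false;
    if (exp <= now) {            // the token died naturally; the entry has no further purpose
      this.revoked.delete(sessionId);
      return false;
    }
    return true;
  }

  // Periodic cleanup so the denylist stays bounded by jwt_expiry, not by user count over time.
  prune(now) {
    for (const [sessionId, exp] of this.revoked) {
      if (exp <= now) this.revoked.delete(sessionId);
    }
    return this.revoked.size;
  }
}

// Request gate: run after the signature has been verified.
function authorize(jwt, now, denylist) {
  const claims = decodeJwtPayload(jwt);
  if (typeof claims.exp !== 'number' || claims.exp <= now) return { allow: false, reason: 'expired' };
  if (denylist.isRevoked(claims.session_id, now)) return { allow: false, reason: 'revoked' };
  return { allow: true, reason: 'ok' };
}

// Constructed, unsigned test tokens (header.payload.placeholder). Never accept these for real.
function makeToken(claims) {
  const header = Buffer.from(JSON.stringify({ alg: 'HS256', typ: 'JWT' })).toString('base64url');
  const payload = Buffer.from(JSON.stringify(claims)).toString('base64url');
  return `${header}.${payload}.unsigned`;
}

// Timeline: request, sign-out, replay of the captured token, natural expiry.
function demo() {
  const denylist = new SessionDenylist();
  const jwt = makeToken({ sub: 'u1', session_id: 's1', iat: 1000, exp: 4600 });
  const before = authorize(jwt, 1100, denylist).reason;    // 'ok'
  denylist.revoke(jwt);                                    // user signs out at t=1200
  const captured = authorize(jwt, 1300, denylist).reason;  // 'revoked': a captured copy no longer works
  const later = authorize(jwt, 5000, denylist).reason;     // 'expired': exp has passed
  const remaining = denylist.prune(5000);                  // 0: nothing left to track
  return [before, captured, later, remaining];
}

module.exports = { SessionDenylist, authorize, makeToken, demo };
```

Because every entry is dropped at the token's own exp, the denylist never grows past the number of sign-outs within one jwt_expiry window, which is another reason to keep that value short.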
References
Related Checks
- httpOnly Session Cookies — AUTH-07
- getUser() vs getSession() — AUTH-13
- Server-Side Auth for Protected Routes — AUTH-04