Broken Authentication in Bolt.new Apps
Bolt.new generates authentication UIs that look professional but enforce access control only through component rendering. The underlying APIs remain unprotected, letting attackers bypass login screens entirely.
How It Happens
Bolt generates auth flows using Supabase Auth or Firebase Auth. The login and signup forms work correctly, but the AI implements authorization by conditionally rendering components rather than enforcing access at the database or API layer. A typical pattern is a route guard that checks if a user is logged in and redirects to the login page if not. This check happens in JavaScript and is trivially bypassed by calling the API endpoints directly without going through the UI. Bolt also tends to store sensitive configuration like admin user IDs in frontend code. An attacker reads these IDs from the JavaScript bundle and understands the authorization model, then crafts requests that impersonate privileged roles.
Impact
Client-side-only authentication means any user who can call the API can access protected resources. In a Bolt app with admin features, regular users can access admin endpoints, modify other users' data, or escalate their own privileges. Because Bolt generates predictable API patterns, attackers familiar with one Bolt app can quickly identify similar vulnerabilities in others. Common endpoint patterns and table structures make exploitation straightforward. For multi-tenant Bolt apps, broken auth can lead to cross-tenant data access, where users of one organization can read or modify data belonging to another organization.
How to Detect
Log in as a regular user and capture all API requests the app makes. Then try accessing the same endpoints that admin pages use. If the API returns data without checking your role, authorization is broken. Review the Bolt-generated code for patterns like if (user.role === "admin") in React components. These are UI-only checks that provide no real security. Vibe App Scanner tests API endpoints with different authentication levels and flags any that return data or accept mutations without proper server-side authorization.
How to Fix
Implement authorization in RLS policies, not in React components. Every table that contains sensitive data should have policies that verify the user's identity and role before allowing access. Use Supabase RPC functions with SECURITY DEFINER for complex authorization logic. These functions run server-side and can perform multi-step permission checks that the client cannot bypass. Remove admin user IDs and role mappings from frontend code. Store role information in the database behind RLS policies that only allow users to read their own role. Add rate limiting to authentication endpoints to prevent brute force attacks. Use Supabase Edge Functions or middleware to throttle login attempts by IP address.
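The database-side fix described above, written out for Supabase (Postgres) as an added example; this is not Bolt's or Supabase's own code. It assumes a constructed profiles table keyed by auth.users.id that holds each user's role, and a constructed invoices table as the sensitive data; auth.uid() is the Supabase helper that returns the caller's user ID from the JWT.

```sql
-- Added example, not code from Bolt or Supabase. Table and column names
-- (profiles, invoices, owner_id, amount_cents) are constructed for illustration.

create table if not exists public.profiles (
  id uuid primary key references auth.users(id) on delete cascade,
  role text not null default 'user' check (role in ('user', 'admin'))
);

create table if not exists public.invoices (
  id bigint generated always as identity primary key,
  owner_id uuid not null references auth.users(id),
  amount_cents integer not null
);

-- Enable RLS; until this is on, the policies below are never consulted.
alter table public.profiles enable row level security;
alter table public.invoices enable row level security;

-- Each user can read only their own role row. No insert/update policy is
-- defined, so clients cannot promote themselves to admin from the browser.
create policy "profiles: read own row"
  on public.profiles for select
  using (auth.uid() = id);

-- Server-side role check. SECURITY DEFINER lets the function consult profiles
-- regardless of the caller's own RLS view; the fixed search_path stops a caller
-- from shadowing "profiles" with an object in another schema. A user with no
-- profile row gets false (fails closed).
create or replace function public.is_admin()
returns boolean
language sql
security definer
set search_path = public
stable
as $$
  select exists (
    select 1 from public.profiles
    where id = auth.uid() and role = 'admin'
  );
$$;

-- Owners read their own invoices; admins read all. Because Postgres enforces
-- this, a direct request to the REST endpoint gets the same answer as the UI.
create policy "invoices: owner or admin read"
  on public.invoices for select
  using (owner_id = auth.uid() or public.is_admin());

create policy "invoices: owner insert"
  on public.invoices for insert
  with check (owner_id = auth.uid());

create policy "invoices: admin update"
  on public.invoices for update
  using (public.is_admin())
  with check (public.is_admin());
```

Once RLS is enabled, any operation without a matching policy (here, deletes on invoices) is denied by default, so a frontend check such as `if (user.role === "admin")` becomes a convenience for rendering rather than the security boundary.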
Frequently Asked Questions
Does Bolt.new support proper authentication?
Bolt generates working authentication flows (login/signup), but it typically doesn't generate proper authorization (access control). You need to add server-side checks manually through RLS policies or API middleware.
Is Firebase Auth more secure than Supabase Auth in Bolt apps?
Both are equally secure for authentication. The issue is authorization, which needs to be implemented through Firestore Security Rules (Firebase) or RLS policies (Supabase). Bolt often skips both.
How can I test if my Bolt app has broken authentication?
Create two accounts with different permission levels. Use the lower-privilege account to call API endpoints that should be restricted to the higher-privilege account. If the calls succeed, your authorization is broken.
Is Your App Vulnerable?
VAS automatically scans for broken authentication and other security issues in Bolt apps. Get actionable results with step-by-step fixes.
Scans from $5, results in minutes.