Authentication Not Working in AI-Generated Apps

Every user can see everyone else's data. Sessions expire randomly. OAuth doesn't redirect. Why AI tools fail at security.

Zero permissions — the default state of AI-generated apps

AI-generated apps share one thing in common: zero privacy rules. Every logged-in user can see every other user's data. AI tools simply don't configure this — because nobody asks for it.

Most founders don't discover this until someone points it out — or until something embarrassing happens. A customer logs in and sees orders, contact details, and notes belonging to other customers. This isn't an edge case. It's the default behavior.

Supabase Auth, NextAuth, Firebase Auth — AI tools wire these up quickly. Login works. But sessions expire randomly, OAuth doesn't redirect properly after login, tokens don't refresh. The user is "logged in" for 10 minutes, then has to log in again. Or the opposite — they stay logged in forever, even after logging out.

Why security can't be an afterthought

True story: a developer was asked to implement RBAC (Role-Based Access Control) on an app with literally zero permissions. He estimated 2 weeks. Management said: "The AI guy says he can do it in 1-2 days." They gave him the day before production release.

He refused. Said it would be unethical to pretend you can secure an application in one day when it requires real work. And he was right — security isn't a feature you bolt on at the end. It's a foundation that must exist from the start.

AI tools can wire up login. But login is not security. Security is Row-Level Security in the database, proper session management, access policies on endpoints. AI doesn't configure these because it requires understanding who should see which data — and that's a business question, not a technical one.

How to fix authentication and permissions

  1. Enable Row-Level Security (RLS). In Supabase, it's a few clicks. Define policies: a user sees only their own data. An admin sees everything. Without RLS, the database is wide open — every logged-in user has access to everything.
  2. Fix the auth configuration. Check session expiry times, OAuth callback URLs, token refresh. These settings must be consistent between frontend and backend. AI often sets them in one place but forgets the other.
  3. Secure your endpoints. Every API endpoint must verify that the user is logged in and has permission to access the requested data. It's not enough to check "is there a token" — you need to verify that token grants access to this specific data.
  4. Define roles from the start. Who is a user? Who is an admin? Who is a moderator? These roles must exist in the database and be respected at every level — frontend, API, and database.
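The database side of steps 1, 3 and 4 for a Supabase (Postgres) project, written out as an added example that is not from the original article: the `orders` and `profiles` tables, the `customer_id` and `role` columns and the `is_admin()` helper are constructed for illustration, while `auth.uid()` and the `authenticated` role are Supabase's own.

```sql
-- Constructed schema: orders keyed by the Supabase auth user id, and a
-- profiles table holding each user's application role ('user' or 'admin').
create table if not exists public.profiles (
  id   uuid primary key references auth.users (id) on delete cascade,
  role text not null default 'user' check (role in ('user', 'admin'))
);

create table if not exists public.orders (
  id          bigint generated always as identity primary key,
  customer_id uuid not null references auth.users (id) on delete cascade,
  notes       text
);

-- Step 1: turn RLS on. Until this runs, any logged-in client can read every row.
alter table public.profiles enable row level security;
alter table public.orders   enable row level security;

-- Step 4: role lookup that runs as the function owner (security definer), so it
-- can read profiles without the profiles policies recursing into themselves.
create or replace function public.is_admin()
returns boolean
language sql stable security definer set search_path = public
as $$
  select exists (
    select 1 from public.profiles
    where id = auth.uid() and role = 'admin'
  );
$$;

-- Step 3 at the database level: a valid token alone grants nothing; each row is
-- compared against the caller's own user id. Admins additionally see all orders.
create policy "customers read own orders"
  on public.orders for select to authenticated
  using (customer_id = auth.uid());

create policy "customers insert own orders"
  on public.orders for insert to authenticated
  with check (customer_id = auth.uid());

create policy "admins read all orders"
  on public.orders for select to authenticated
  using (public.is_admin());

-- Users may read their own profile but cannot promote themselves: no update
-- privilege for authenticated clients, so role changes stay server-side.
create policy "users read own profile"
  on public.profiles for select to authenticated
  using (id = auth.uid());
revoke update on public.profiles from authenticated;
```

The Supabase service-role key bypasses RLS entirely, so these policies only protect data if that key never reaches the browser; the API layer (step 3) still needs its own check for anything that does not go through the database as the user.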

Warning

If your app is already in production without RLS — every logged-in user can probably see everyone else's data. This isn't a theoretical risk. It's the current state of your application.
