# PocketBase Security Audit - Find Open API Rules Free (`renzomacar/pocketbase-security-auditor`) Actor Audit any PocketBase instance for collections with empty (public) list/view/create/update/delete rules and over-permissive endpoints. Active anon fetch confirms live leaks. HTML report with paste-ready collection rule snippets. Free. - **URL**: https://apify.com/renzomacar/pocketbase-security-auditor.md - **Developed by:** [Renzo Madueno](https://apify.com/renzomacar) (community) - **Categories:** Developer tools - **Stats:** 1 total users, 0 monthly users, 0.0% runs succeeded, NaN bookmarks - **User rating**: No ratings yet ## Pricing Pay per usage This Actor is paid per platform usage. The Actor is free to use, and you only pay for the Apify platform usage, which gets cheaper the higher subscription plan you have. Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-usage ## What's an Apify Actor? Actors are a software tools running on the Apify platform, for all kinds of web data extraction and automation use cases. In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours, and optionally produces a well-defined JSON output, datasets with results, or files in key-value store. In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server. Actors are written with capital "A". ## How to integrate an Actor? If asked about integration, you help developers integrate Actors into their projects. You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready. The best way to integrate Actors is as follows. In JavaScript/TypeScript projects, use official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md): ```bash npm install apify-client ``` In Python projects, use official [Python client library](https://docs.apify.com/api/client/python.md): ```bash pip install apify-client ``` In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md): ````bash # MacOS / Linux curl -fsSL https://apify.com/install-cli.sh | bash # Windows irm https://apify.com/install-cli.ps1 | iex ```bash In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md). If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md). For usage examples, see the [API](#api) section below. For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt). # README ## PocketBase Security Auditor **If any of your PocketBase collection rules are empty (the default!) or use the `@request.auth.id != ""` pattern, anyone with a free account can read or modify every record in those collections right now.** This actor finds those leaks in 30 seconds. > Scan any PocketBase instance for over-permissive API rules. Get a shareable HTML report. **Active probe fetches data anonymously to PROVE leaks live, not just infer them.** ### Why this exists PocketBase API rules are easy to write and easy to leave too open. The patterns I see over and over in production: - **Empty rule** — leaving `listRule` blank means the collection is fully public. - **`@request.auth.id != ""`** — looks restrictive but lets ANY logged-in user read or write the entire collection. - **`true` literal** — leftover from local dev, evaluates to "always allow." This actor surfaces all three across every collection in one click. ### What it checks | ## | Check | Severity | |---|---|---| | 1 | API rule is empty (collection fully public) | **CRITICAL** | | 2 | API rule is `@request.auth.id != ""` (any logged-in user passes) | HIGH | | 3 | API rule contains `true` literal | HIGH | | 4 | Auth collection has open signup + lax create rule | HIGH | | 5 | OAuth2 misconfig | MEDIUM | | 6 | Email auth without verification | MEDIUM | ### Output - **HTML report** (key `REPORT`) — self-contained Tailwind + Chart.js. Top banner shows X of N suspected leaks confirmed live. Every finding has a fix snippet. - **Dataset** — every finding as a row. - **SUMMARY** — counts + active-probe stats for monitoring pipelines. ### How to get an admin password You created one when you initialized PocketBase. Reset via the PB CLI on the host: `./pocketbase admin update `. The password is used only for this run. Never persisted. ### Apply fixes This actor never modifies your PocketBase instance. Each finding ships with a fix snippet you paste back into the PocketBase admin UI. For an agent loop (audit + preview + apply + re-audit) inside Claude Code / Cursor / Cline, see the sibling MCP server: https://github.com/Perufitlife/pocketbase-security-mcp ### Want a written report + Q&A support? Free actor → you find leaks. **$29 lite tier** (top 3 critical fixes + written summary) or **$99 full audit** (every collection rule + 30-day Q&A + paste-ready bundle, 24h delivery). The CTA links inside the HTML report take you to Stripe. ### License + source MIT. Open source: https://github.com/Perufitlife/pocketbase-security-skill ### Sister auditors (same family) - **Supabase** — https://apify.com/renzomacar/supabase-security-auditor - **Firebase** — https://apify.com/renzomacar/firebase-security-auditor - **Appwrite** — https://apify.com/renzomacar/appwrite-security-auditor - **Hasura/Nhost** — https://apify.com/renzomacar/nhost-security-auditor # Actor input Schema ## `pocketbaseUrl` (type: `string`): Base URL of your PocketBase instance, e.g. https://my.pocketbase.io ## `adminEmail` (type: `string`): Email of a PocketBase admin (superuser). Required for /api/collections. ## `adminPassword` (type: `string`): Admin password. Used only for this run, never persisted. ## `activeProbe` (type: `boolean`): When ON (default), the auditor sends an anonymous GET to suspect collections to PROVE the leak live (not just infer from rule metadata). ## `outputFormat` (type: `string`): html-report saves a self-contained HTML to KV store key REPORT. json pushes only structured rows to the dataset. both does both. ## Actor input object example ```json { "pocketbaseUrl": "https://my.pocketbase.io", "activeProbe": true, "outputFormat": "html-report" } ```` # API You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup. ## JavaScript example ```javascript import { ApifyClient } from 'apify-client'; // Initialize the ApifyClient with your Apify API token // Replace the '' with your token const client = new ApifyClient({ token: '', }); // Prepare Actor input const input = { "pocketbaseUrl": "https://my.pocketbase.io" }; // Run the Actor and wait for it to finish const run = await client.actor("renzomacar/pocketbase-security-auditor").call(input); // Fetch and print Actor results from the run's dataset (if any) console.log('Results from dataset'); console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`); const { items } = await client.dataset(run.defaultDatasetId).listItems(); items.forEach((item) => { console.dir(item); }); // 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs ``` ## Python example ```python from apify_client import ApifyClient # Initialize the ApifyClient with your Apify API token # Replace '' with your token. client = ApifyClient("") # Prepare the Actor input run_input = { "pocketbaseUrl": "https://my.pocketbase.io" } # Run the Actor and wait for it to finish run = client.actor("renzomacar/pocketbase-security-auditor").call(run_input=run_input) # Fetch and print Actor results from the run's dataset (if there are any) print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"]) for item in client.dataset(run["defaultDatasetId"]).iterate_items(): print(item) # 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start ``` ## CLI example ```bash echo '{ "pocketbaseUrl": "https://my.pocketbase.io" }' | apify call renzomacar/pocketbase-security-auditor --silent --output-dataset ``` ## MCP server setup ```json { "mcpServers": { "apify": { "command": "npx", "args": [ "mcp-remote", "https://mcp.apify.com/?tools=renzomacar/pocketbase-security-auditor", "--header", "Authorization: Bearer " ] } } } ``` ## OpenAPI specification ```json { "openapi": "3.0.1", "info": { "title": "PocketBase Security Audit - Find Open API Rules Free", "description": "Audit any PocketBase instance for collections with empty (public) list/view/create/update/delete rules and over-permissive endpoints. Active anon fetch confirms live leaks. HTML report with paste-ready collection rule snippets. Free.", "version": "0.1", "x-build-id": "O1qar4Jm67t8PKJYb" }, "servers": [ { "url": "https://api.apify.com/v2" } ], "paths": { "/acts/renzomacar~pocketbase-security-auditor/run-sync-get-dataset-items": { "post": { "operationId": "run-sync-get-dataset-items-renzomacar-pocketbase-security-auditor", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } }, "/acts/renzomacar~pocketbase-security-auditor/runs": { "post": { "operationId": "runs-sync-renzomacar-pocketbase-security-auditor", "x-openai-isConsequential": false, "summary": "Executes an Actor and returns information about the initiated run in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/runsResponseSchema" } } } } } } }, "/acts/renzomacar~pocketbase-security-auditor/run-sync": { "post": { "operationId": "run-sync-renzomacar-pocketbase-security-auditor", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } } }, "components": { "schemas": { "inputSchema": { "type": "object", "required": [ "pocketbaseUrl", "adminEmail", "adminPassword" ], "properties": { "pocketbaseUrl": { "title": "PocketBase URL", "type": "string", "description": "Base URL of your PocketBase instance, e.g. https://my.pocketbase.io" }, "adminEmail": { "title": "Admin email", "type": "string", "description": "Email of a PocketBase admin (superuser). Required for /api/collections." }, "adminPassword": { "title": "Admin password", "type": "string", "description": "Admin password. Used only for this run, never persisted." }, "activeProbe": { "title": "Active probe (anonymous fetch)", "type": "boolean", "description": "When ON (default), the auditor sends an anonymous GET to suspect collections to PROVE the leak live (not just infer from rule metadata).", "default": true }, "outputFormat": { "title": "Output format", "enum": [ "html-report", "json", "both" ], "type": "string", "description": "html-report saves a self-contained HTML to KV store key REPORT. json pushes only structured rows to the dataset. both does both.", "default": "html-report" } } }, "runsResponseSchema": { "type": "object", "properties": { "data": { "type": "object", "properties": { "id": { "type": "string" }, "actId": { "type": "string" }, "userId": { "type": "string" }, "startedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "finishedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "status": { "type": "string", "example": "READY" }, "meta": { "type": "object", "properties": { "origin": { "type": "string", "example": "API" }, "userAgent": { "type": "string" } } }, "stats": { "type": "object", "properties": { "inputBodyLen": { "type": "integer", "example": 2000 }, "rebootCount": { "type": "integer", "example": 0 }, "restartCount": { "type": "integer", "example": 0 }, "resurrectCount": { "type": "integer", "example": 0 }, "computeUnits": { "type": "integer", "example": 0 } } }, "options": { "type": "object", "properties": { "build": { "type": "string", "example": "latest" }, "timeoutSecs": { "type": "integer", "example": 300 }, "memoryMbytes": { "type": "integer", "example": 1024 }, "diskMbytes": { "type": "integer", "example": 2048 } } }, "buildId": { "type": "string" }, "defaultKeyValueStoreId": { "type": "string" }, "defaultDatasetId": { "type": "string" }, "defaultRequestQueueId": { "type": "string" }, "buildNumber": { "type": "string", "example": "1.0.0" }, "containerUrl": { "type": "string" }, "usage": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "integer", "example": 1 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } }, "usageTotalUsd": { "type": "number", "example": 0.00005 }, "usageUsd": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "number", "example": 0.00005 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } } } } } } } } } ```