Classic Claude

Reddit · RepairOPS · May 24, 2026
Claude built an admin security check that assumed passkeys would appear in the same API response as MFA WebAuthn factors, when Supabase actually returns them separately. Claude then wrote mocked data in that assumed shape rather than the SDK's real one, so the admin page checked the wrong source and falsely reported no hardware keys present even when passkeys existed.

Detailed Analysis

A Reddit user posting to r/ClaudeAI describes a specific and consequential coding error introduced by Claude while building an admin security verification feature, illustrating a recurring class of AI coding assistant failure: confidently incorrect assumptions about third-party API behavior. The user, who had been primarily using OpenAI's Codex for two weeks and returned to Claude only after exhausting their Codex credits, found that Claude had constructed an admin security check built on a flawed mental model of how Supabase handles authentication factors.

The technical error centered on Claude's assumption that passkeys and MFA WebAuthn factors would appear together in the same API response from Supabase. In practice, Supabase treats these as distinct authentication mechanisms returned through separate data paths. Claude not only made the incorrect assumption but reinforced it by generating mocked data that matched its own flawed expectation rather than the SDK's actual documented behavior. The result was a security check that silently reported no hardware keys even when a valid passkey was registered — a subtle but potentially serious security blind spot in an admin-facing feature.

This type of failure reflects a well-documented limitation in large language model coding assistants: they often synthesize plausible-sounding but factually incorrect API details, particularly when working with frameworks or SDKs that have evolved rapidly or have nuanced distinctions in their data models. Supabase's separation of passkeys from MFA factors is a specific architectural choice that may not be prominently represented in Claude's training data, leading the model to collapse them into a single, simpler mental model. The danger is compounded when the model generates test mocks that validate its own incorrect assumptions, effectively insulating the bug from detection during development.
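The failure mode in the two paragraphs above, reconstructed as an added example that is not code from the Reddit post and not the Supabase SDK. The page names no specific SDK calls, so the types, field names and the two separate result objects below are assumptions standing in for the real responses; what carries over is the structure: the buggy check reads one source, the corrected check reads both and refuses to answer when a lookup fails.

```typescript
// Added example: not code from the Reddit post, and not the Supabase SDK.
// The response types are assumptions that stand in for whatever the real SDK
// returns; the point is the structure of the check, not the field names.

// Assumed shape of one MFA factor in the per-user factor list.
type MfaFactor = {
  id: string;
  factor_type: "totp" | "phone" | "webauthn";
  status: "verified" | "unverified";
};

// Assumed shape of a passkey record, returned by a separate call.
type Passkey = { id: string; credential_id: string };

// SDK-style result: either data or an error, never both.
type Result<T> =
  | { data: T; error: null }
  | { data: null; error: { message: string } };

// The check as the post describes it: only the MFA factor list is consulted,
// on the assumption that passkeys show up there as webauthn factors.
// A query error and an empty list both collapse to "no hardware key".
function hasHardwareKeyBuggy(mfa: Result<MfaFactor[]>): boolean {
  const factors = mfa.data ?? [];
  return factors.some(
    (f) => f.factor_type === "webauthn" && f.status === "verified",
  );
}

type HardwareKeyReport = {
  verifiedWebauthnFactors: number;
  passkeys: number;
  hasHardwareKey: boolean;
};

// Corrected check: union both sources, and fail closed (throw) when either
// query failed, so "could not look" is never reported as "none registered".
function hardwareKeyReport(
  mfa: Result<MfaFactor[]>,
  passkeys: Result<Passkey[]>,
): HardwareKeyReport {
  if (mfa.error !== null || mfa.data === null) {
    throw new Error(`MFA factor query failed: ${mfa.error?.message ?? "no data"}`);
  }
  if (passkeys.error !== null || passkeys.data === null) {
    throw new Error(`passkey query failed: ${passkeys.error?.message ?? "no data"}`);
  }
  const verifiedWebauthnFactors = mfa.data.filter(
    (f) => f.factor_type === "webauthn" && f.status === "verified",
  ).length;
  const passkeyCount = passkeys.data.length;
  return {
    verifiedWebauthnFactors,
    passkeys: passkeyCount,
    hasHardwareKey: verifiedWebauthnFactors + passkeyCount > 0,
  };
}

// Constructed fixtures, not captured SDK output.

// A mock written to the assumption in the post: the passkey is "represented"
// as a webauthn MFA factor, so the buggy check passes against it.
const mockShapedToAssumption: Result<MfaFactor[]> = {
  data: [{ id: "f1", factor_type: "webauthn", status: "verified" }],
  error: null,
};

// A constructed stand-in for the situation the post describes: no webauthn
// factor in the MFA list, while the registered passkey lives in the
// separate passkey list.
const realMfaList: Result<MfaFactor[]> = {
  data: [{ id: "f2", factor_type: "totp", status: "verified" }],
  error: null,
};
const realPasskeyList: Result<Passkey[]> = {
  data: [{ id: "p1", credential_id: "AQIDBA" }],
  error: null,
};

// A failed passkey query, e.g. the admin token lacks the needed scope.
const failedPasskeyQuery: Result<Passkey[]> = {
  data: null,
  error: { message: "forbidden" },
};

// Runs the scenarios and returns the observations as data so they can be
// checked rather than only printed.
function runScenarios(): {
  mockPasses: boolean;
  realMisses: boolean;
  fixedFinds: boolean;
  fixedFailsClosed: boolean;
} {
  const mockPasses = hasHardwareKeyBuggy(mockShapedToAssumption); // true: the mock validates the bug
  const realMisses = hasHardwareKeyBuggy(realMfaList) === false; // true: the false negative
  const fixedFinds = hardwareKeyReport(realMfaList, realPasskeyList).hasHardwareKey; // true
  let fixedFailsClosed = false;
  try {
    hardwareKeyReport(realMfaList, failedPasskeyQuery);
  } catch {
    fixedFailsClosed = true; // true: a failed lookup is an error, not "no keys"
  }
  return { mockPasses, realMisses, fixedFinds, fixedFailsClosed };
}

console.log(runScenarios());
```

The first fixture is the part worth dwelling on: a mock written from the model's assumption satisfies the buggy check, which is why unit tests alone did not catch it. The fixture that matters is one captured from a real SDK response, or an integration test against an account whose only hardware credential is a passkey. The fail-closed branch is also a deliberate change: an admin page that reports "no hardware keys" because the lookup errored out is the same blind spot by another route.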

The broader significance of this incident lies in what it reveals about the current state of AI-assisted development workflows. Security-sensitive code is precisely where hallucinated API behavior is most dangerous: an authentication check built on a wrong assumption still runs cleanly, returns a confident answer, and is wrong in exactly the case it exists to catch, here a user whose only hardware credential is a passkey. The user's framing, "Classic Claude", suggests this is perceived as a pattern rather than an isolated incident, reflecting community-level awareness that Claude can produce authoritative-seeming code that embeds subtle domain-specific errors. As developers increasingly use multiple AI coding tools in rotation, incidents like this highlight the importance of treating AI-generated security logic with heightened scrutiny: check it against the SDK's actual documentation, test it with fixtures captured from real SDK responses rather than mocks written to match the code, and run an integration test against an account in the state the check is supposed to detect.