Bug: Auth endpoints leak internal error messages #18

@FuturMix

Description

Summary

Three auth endpoints return raw Supabase error.message to the client:

  • apps/web/src/app/api/auth/signup/route.ts (line 16)
  • apps/web/src/app/api/auth/reset-password/route.ts (line 13)
  • apps/web/src/app/api/auth/update-password/route.ts (line 14)

Impact

  • Signup: Messages like "User already registered" enable account enumeration
  • Reset/update password: Internal Supabase errors may reveal schema details, rate limit configs, or other system internals

Fix

Replace error.message with generic error strings; log the original message server-side.
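As an added example (not the project's own route code), the leaky pattern beside a hardened handler: the Supabase result is modelled by a minimal `{ error }` type, and an in-memory array stands in for the server-side logger (both assumptions). It goes one step past the fix described above by making reset-password answer identically on success and failure, so the status code cannot be used to enumerate accounts either.

```typescript
// Minimal model of the result shape the Supabase auth client returns
// ({ error: { message } | null }); the real client is not imported here.
type AuthError = { message: string };
type AuthResult = { error: AuthError | null };
type ApiResponse = { status: number; body: { error?: string; message?: string } };

// Fixed client-facing strings. None echoes backend text, and the
// reset-password string reads the same whether or not the account exists.
const GENERIC_MESSAGES = {
  "signup": "Unable to complete signup. Please check your details and try again.",
  "reset-password": "If an account exists for that email, a reset link has been sent.",
  "update-password": "Unable to update your password. Please try again.",
} as const;
type AuthEndpoint = keyof typeof GENERIC_MESSAGES;

// Stand-in for a server-side logger (constructed for this example).
const serverLog: string[] = [];

// BEFORE: the pattern the issue describes, forwarding error.message as-is.
function leakyHandler(endpoint: AuthEndpoint, result: AuthResult): ApiResponse {
  if (result.error) {
    return { status: 400, body: { error: result.error.message } };
  }
  return { status: 200, body: { message: `${endpoint} ok` } };
}

// AFTER: keep the original message server-side, return only a generic string.
function hardenedHandler(endpoint: AuthEndpoint, result: AuthResult): ApiResponse {
  if (result.error) {
    // Only the log sees the backend detail ("User already registered", rate-limit text, ...).
    serverLog.push(`[auth/${endpoint}] ${result.error.message}`);
    // reset-password answers identically on success and failure so that neither
    // the body nor the status code reveals whether the email is registered.
    if (endpoint === "reset-password") {
      return { status: 200, body: { message: GENERIC_MESSAGES[endpoint] } };
    }
    return { status: 400, body: { error: GENERIC_MESSAGES[endpoint] } };
  }
  if (endpoint === "reset-password") {
    return { status: 200, body: { message: GENERIC_MESSAGES[endpoint] } };
  }
  return { status: 200, body: { message: `${endpoint} ok` } };
}
```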
