From f2379326287c009c89b05a290a18c6b84c36f142 Mon Sep 17 00:00:00 2001
From: FuturMix
Date: Sun, 14 Jun 2026 12:19:30 +0800
Subject: [PATCH] fix: replace raw error messages with generic errors in auth routes

The signup, reset-password, and update-password endpoints return raw Supabase error messages to the client. These can reveal internal details like "User already registered" (enabling account enumeration), database schema information, or rate limiting implementation details. Replace error.message with generic errors and log the original message server-side for debugging.

Co-Authored-By: Claude Opus 4.6
---
 apps/web/src/app/api/auth/reset-password/route.ts | 5 ++++-
 apps/web/src/app/api/auth/signup/route.ts | 5 ++++-
 apps/web/src/app/api/auth/update-password/route.ts | 5 ++++-
 3 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/apps/web/src/app/api/auth/reset-password/route.ts b/apps/web/src/app/api/auth/reset-password/route.ts
index 953a7a2..87bf599 100644
--- a/apps/web/src/app/api/auth/reset-password/route.ts
+++ b/apps/web/src/app/api/auth/reset-password/route.ts
@@ -10,7 +10,10 @@ export async function POST(req: NextRequest) {
     redirectTo: `${siteOrigin(req)}/auth/callback?next=/reset-password`,
   });
 
-  if (error) return Response.json({ error: error.message }, { status: 400 });
+  if (error) {
+    console.error('[reset-password] error:', error.message);
+    return Response.json({ error: 'Password reset request failed' }, { status: 400 });
+  }
 
   return withAuthCookies(response, { ok: true });
 }
diff --git a/apps/web/src/app/api/auth/signup/route.ts b/apps/web/src/app/api/auth/signup/route.ts
index 101c16b..8773145 100644
--- a/apps/web/src/app/api/auth/signup/route.ts
+++ b/apps/web/src/app/api/auth/signup/route.ts
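Review bot: The new `console.error` inside the `if (error)` block keeps only `error.message`, which is the least stable field for server-side triage, and the signup and update-password hunks do the same. If the Supabase error object exposes `status` and `code` (recent supabase-js releases do — confirm against the version the project pins), logging them alongside the message, e.g. `console.error('[reset-password] error:', error.code, error.status, error.message);`, lets rate-limit and configuration failures be told apart in logs without returning anything more to the client. Note also that the 200-versus-400 split is itself an observable signal; if the upstream call can fail for an unregistered address (it normally does not, but worth verifying), answering with a constant `{ ok: true }` for everything except rate limiting would be the stricter choice. POST's body begins before this hunk.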
@@ -13,7 +13,10 @@ export async function POST(req: NextRequest) {
     options: { emailRedirectTo: `${siteOrigin(req)}/auth/callback?next=/dashboard` },
   });
 
-  if (error) return Response.json({ error: error.message }, { status: 400 });
+  if (error) {
+    console.error('[signup] error:', error.message);
+    return Response.json({ error: 'Signup failed' }, { status: 400 });
+  }
 
   // With email confirmation enabled, Supabase deliberately returns an IDENTICAL
   // response for a brand-new email and an already-registered one — no error, no
diff --git a/apps/web/src/app/api/auth/update-password/route.ts b/apps/web/src/app/api/auth/update-password/route.ts
index 79de7e3..ce4b5f4 100644
--- a/apps/web/src/app/api/auth/update-password/route.ts
+++ b/apps/web/src/app/api/auth/update-password/route.ts
@@ -11,7 +11,10 @@ export async function POST(req: NextRequest) {
   if (userError || !user) return Response.json({ error: 'reset session expired; request another password reset email' }, { status: 401 });
 
   const { error } = await supabase.auth.updateUser({ password: body.password });
-  if (error) return Response.json({ error: error.message }, { status: 400 });
+  if (error) {
+    console.error('[update-password] error:', error.message);
+    return Response.json({ error: 'Password update failed' }, { status: 400 });
+  }
 
   return withAuthCookies(response, { ok: true });
 }
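Review bot: The generic `'Signup failed'` now hides user-correctable validation failures (malformed email, password shorter than the configured minimum) together with the sensitive ones, so a legitimate user gets no hint how to fix their input; the update-password hunk has the same problem. A small allow-list of known-safe error codes mapped to fixed client messages, with everything else falling through to the generic text, keeps the enumeration fix while restoring usable feedback; key that allow-list on the error's `code` field rather than on message text, which is upstream-controlled and may change. The context comment just below covers only the no-error path, so the 400 branch still needs the generic text for "already registered" style errors. POST's body continues outside the hunk.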
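Review bot: Point of style: the two client-facing messages in this function now follow different conventions — the 401 on the context line reads `'reset session expired; request another password reset email'` while the new 400 reads `'Password update failed'`. Picking one casing and punctuation style for this route's error strings (ideally shared by the three auth routes touched here) makes them easier to match in the UI. POST's body begins before this hunk.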