profullstack · FuturMix · Jun 14, 2026
diff --git a/apps/web/src/app/api/auth/reset-password/route.ts b/apps/web/src/app/api/auth/reset-password/route.ts
@@ -10,7 +10,10 @@ export async function POST(req: NextRequest) {
     redirectTo: `${siteOrigin(req)}/auth/callback?next=/reset-password`,
   });
 
-  if (error) return Response.json({ error: error.message }, { status: 400 });
+  if (error) {
+    console.error('[reset-password] error:', error.message);
+    return Response.json({ error: 'Password reset request failed' }, { status: 400 });
+  }
 
   return withAuthCookies(response, { ok: true });
 }
diff --git a/apps/web/src/app/api/auth/signup/route.ts b/apps/web/src/app/api/auth/signup/route.ts
@@ -13,7 +13,10 @@ export async function POST(req: NextRequest) {
     options: { emailRedirectTo: `${siteOrigin(req)}/auth/callback?next=/dashboard` },
   });
 
-  if (error) return Response.json({ error: error.message }, { status: 400 });
+  if (error) {
+    console.error('[signup] error:', error.message);
+    return Response.json({ error: 'Signup failed' }, { status: 400 });
+  }
 
   // With email confirmation enabled, Supabase deliberately returns an IDENTICAL
   // response for a brand-new email and an already-registered one — no error, no

diff --git a/apps/web/src/app/api/auth/update-password/route.ts b/apps/web/src/app/api/auth/update-password/route.ts
@@ -11,7 +11,10 @@ export async function POST(req: NextRequest) {
   if (userError || !user) return Response.json({ error: 'reset session expired; request another password reset email' }, { status: 401 });
 
   const { error } = await supabase.auth.updateUser({ password: body.password });
-  if (error) return Response.json({ error: error.message }, { status: 400 });
+  if (error) {
+    console.error('[update-password] error:', error.message);
+    return Response.json({ error: 'Password update failed' }, { status: 400 });
+  }
 
   return withAuthCookies(response, { ok: true });
 }