Fix: replace raw error messages with generic errors in auth routes by FuturMix · Pull Request #19 · profullstack/b1dz.com

FuturMix · 2026-06-14T04:20:06Z

Summary

Fixes #18

Auth endpoints leak internal Supabase error messages that can enable account enumeration and information disclosure.

Changes

apps/web/src/app/api/auth/signup/route.ts: Replace error.message with generic "Signup failed"
apps/web/src/app/api/auth/reset-password/route.ts: Replace with "Password reset request failed"
apps/web/src/app/api/auth/update-password/route.ts: Replace with "Password update failed"
All three: Add console.error() for server-side debugging

Test plan

Failed signup: returns generic "Signup failed" (not Supabase internals)
Failed password reset: returns generic error
Successful flows: unaffected (no error path triggered)

🤖 Generated with Claude Code

The signup, reset-password, and update-password endpoints return raw Supabase error messages to the client. These can reveal internal details like "User already registered" (enabling account enumeration), database schema information, or rate limiting implementation details. Replace error.message with generic errors and log the original message server-side for debugging. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

ralyodio merged commit 35a232b into profullstack:master Jun 15, 2026
6 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix: replace raw error messages with generic errors in auth routes#19

Fix: replace raw error messages with generic errors in auth routes#19
ralyodio merged 1 commit into
profullstack:masterfrom
FuturMix:fix/auth-error-disclosure

FuturMix commented Jun 14, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

FuturMix commented Jun 14, 2026

Summary

Changes

Test plan

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants