Several auth recovery/confirmation endpoints call request.json() directly. A malformed JSON body throws before validation and falls into the generic catch block, returning a 500 instead of a client error.
Affected endpoints observed in code:
- POST /api/auth/forgot-password
- POST /api/auth/reset-password
- POST /api/auth/resend-confirmation
- POST /api/auth/confirmed after the webhook secret check
Expected behavior: malformed, empty, or non-object JSON bodies should return a 400 response and avoid Supabase/email side effects.
I am submitting a focused PR that reuses the existing safeParseBody helper and adds regression tests for malformed JSON.
Several auth recovery/confirmation endpoints call request.json() directly. A malformed JSON body throws before validation and falls into the generic catch block, returning a 500 instead of a client error.
Affected endpoints observed in code:
Expected behavior: malformed, empty, or non-object JSON bodies should return a 400 response and avoid Supabase/email side effects.
I am submitting a focused PR that reuses the existing safeParseBody helper and adds regression tests for malformed JSON.