Resolving 500 Status Authentication Errors

[TheOtherBrian1]

Resolving 500 Status Authentication Errors

A 500 error in Auth typically indicates an issue with an external dependency, such as your database or SMTP provider, rather than with Auth itself. This guide will help you explore the Auth logs to identify the underlying cause.

Prerequisites

Open the Log Explorer

Ensure you have access to the Dashboard's Log Explorer and set the time range appropriately:

Improving log readability

Logs are displayed in a table format, which can be challenging to read. Double-clicking on a row will expand it for easier viewing:

Section 1: Checking for Database-Level Errors

Query for Recent Database Errors

Use the following SQL query to check for any recent errors the Auth server encountered while interacting with your database:

select
    cast(postgres_logs.timestamp as datetime) as timestamp,
    event_message,
    parsed.error_severity,
    parsed.user_name,
    parsed.query,
    parsed.detail,
    parsed.hint,
    parsed.sql_state_code,
    parsed.backend_type
from
    postgres_logs
    cross join unnest(metadata) as metadata
    cross join unnest(metadata.parsed) as parsed
where
    regexp_contains(parsed.error_severity, 'ERROR|FATAL|PANIC')
      and
    regexp_contains(parsed.user_name, 'supabase_auth_admin')
order by
    timestamp desc
limit 100;

If no results are returned, proceed to Section 2.

Common Database-Level Errors

There are few known categories of auth/database level errors:

Constraint Related (sql_state_code = 23503 or 23*)

If you’ve manually created a foreign key relationship between your tables and those in the auth schema, a constraint may prevent the Auth server from updating the auth.users table.

Solution

The log will show the name of the constraint. You need DROP it:

ALTER TABLE <your table> DROP CONSTRAINT <constraint name>;

Alternatively, you can DROP and then recreate the constraint with a less restrictive modifier, such as SET NULL, SET DEFAULT, or CASCADE:

BEGIN;
ALTER TABLE <your table> DROP CONSTRAINT <constraint name>;

ALTER TABLE <your table> ADD CONSTRAINT <constraint name> FOREIGN KEY (<column name>) 
          REFERENCES auth.users (<auth.users column>)
          ON DELETE SET NULL;
COMMIT;

Ownership related (sql_state_code = 42501)

If you see an error like "must be owner of...", the supabase_auth_admin role may have lost privileges over tables in the auth schema. This often results from faulty migrations by external ORMs (e.g., Prisma) or manual schema modifications.

Solution

Check ownership with this GitHub Gist. If any objects are owned by the supabase_admin role, contact Support. If they're owned by roles other than supabase_auth_admin you can change ownership back manually one-by-one:

ALTER <object type (table, function, etc.)> <auth.object_name> OWNER TO supabase_auth_admin;

Alternatively, you can run the SQL script in this Github Gist to change all

Trigger related:

If errors reference a database function, this indicates a trigger error on one of the auth tables (likely auth.users). If you do not want to keep the trigger/function, you can just quickly drop it, otherwise, continue reading to know how to fix the issue:

-- delete the trigger with the following SQL:
DROP FUNCTION <function name>() CASCADE;

-- If you'd prefer, you can drop the trigger alone with the following query: 
-- DROP TRIGGER <trigger_name> on auth.<table_name>; 

Solutions:

Get the function's definition with this query:

select pg_get_functiondef(oid)
from pg_proc
where proname = '<FUNCTION NAME>';

You can then recreate the function with the appropriate modifications.

Trigger has insufficient privileges ( sql_state_code = 42501)

If the error is related to insufficient privileges, your trigger function is missing a security definer tag, which allows it to access schemas outside of auth. You must REPLACE the function with the appropriate security definer settings (example)

Trigger references a table or column that does not exist (sql_state_code = 42P01)

The trigger may be referencing a table or column that no longer exists. In that case, you can:

• make sure the trigger is referencing the table using the right schema, e.g. public, auth, etc.
• modify the trigger function to reference the appropriate database objects.
• remove the trigger
• recreate the database object that the trigger referenced

Corrupted Schema

If you customize the auth schema, such as adding RLS, modifying table columns, or adding/dropping tables, it can break the Auth Server's migrations. With the exception of non-unique indexes and correctly implemented triggers, it's necessary to remove these changes and restore the auth schema to its original form.

Section 2: Checking Auth level errors

Query for Auth Errors

Run this SQL query in the Log Explorer to find 500+ Auth-related errors:

select
  cast(metadata.timestamp as datetime) as timestamp,
  msg,
  event_message,
  status,
  path,
  level
from auth_logs
cross join unnest(metadata) as metadata
where
   -- find all errors
   status::INT = 500
    OR
  regexp_contains(level, 'error|fatal')
order by timestamp

As an aside, you can find all errors with this query:

select
  method,
  path,
  remote_addr AS IP,
  msg
from auth_logs
cross join unnest(metadata) as metadata
WHERE error IS NOT NULL;

Database Migration Errors

"running db migrations: Migrator: problem creating schema migrations"

This is a continuation of the "Corrupted Schema" error from the Postgres Section. If you modify structures in the auth schema, such as columns or tables, or add restrictions, such as RLS, Auth will not be able to complete its migrations. It's necessary to remove those modifications.

If you are running older versions of auth, you may experience a migration bug. If so, check out this guide for a resolution. If you are still facing errors, please contact Support.

SMTP errors

The logs may contain messages about gomail. It means that auth is struggling to communicate with the SMTP provider. This often implies that:

1. Misconfigured custom domain name with your email provider.
2. Invalid email port usage.
3. Rate limiting by the SMTP provider.
4. SMTP provider downtime.

The log will be able to provide some context for what is occurring, but it is important to check with your external SMTP provider to make sure everything is properly configured.

504 timeout errors

The email or phone client was misconfigured. The request is timing out because the endpoint is inaccessible.

Step 3: Checking Email Templates

Incomplete or incorrect email templates can also cause 500 errors. If your templates have unclosed variable tags or HTML elements or use forbidden characters, this might be the issue.

Test a simplified email template in the Auth Dashboard. If the new template works, revise your original template to avoid forbidden characters and ensure all elements/variables are properly closed.