auth icon indicating copy to clipboard operation
auth copied to clipboard
verified publisher icon supabase

Password recovery fails with 500 unexpected_failure for email addresses containing apostrophes

Open roomman opened this issue 5 days ago • 1 comments

Describe the bug

The /recover endpoint returns a 500 Internal Server Error with error_code: "unexpected_failure" when requesting a password reset for a user whose email address contains an apostrophe (single quote) character.

This appears to be the same class of bug that was fixed in PR #32603 for dashboard user search, but the auth /recover endpoint was not included in that fix.

To Reproduce

  1. Create a user with an email address containing an apostrophe, e.g., joe.o'riely@example
  2. Attempt to request a password reset for that email using supabase.auth.resetPasswordForEmail("dominic.o'[email protected]")
  3. The request fails with a 500 error

Expected behaviour

Password reset email should be sent successfully. Apostrophes are valid characters in the local part of email addresses per RFC 5321.

Actual behaviour

The API returns HTTP 500 with error_code: "unexpected_failure".

Logs / Error output

  {
    "auth_event": {
      "action": "user_recovery_requested",
      "actor_id": "cf9a0a64-3fcf-4727-8024-52c3122a99cc",
      "actor_username": "joe.o'riely@example",
      "actor_via_sso": false,
      "log_type": "user"
    },
    "component": "api",
    "duration": 259929104,
    "error_code": "unexpected_failure",
    "level": "info",
    "method": "POST",
    "msg": "request completed",
    "path": "/recover",
    "status": 500,
    "time": "2026-01-14T09:24:35Z"
  }

Environment

  • Supabase hosted (cloud)
  • Client: @supabase/supabase-js v2.x
  • Affected endpoint: POST /auth/v1/recover

Additional context

  • Irish names commonly contain apostrophes (O'Sullivan, O'Brien, O'Connor, etc.)
  • UK government email addresses frequently have this pattern (e.g., firstname.o'[email protected])
  • The user exists and was created successfully - only the password recovery fails
  • PR #32603 fixed a similar apostrophe escaping issue in the dashboard search functionality, suggesting this is a pattern that may affect other endpoints

Related

  • #32603 - Fix impersonation and searching users escape single quote (merged Jan 7, 2025)

roomman avatar Jan 14 '26 09:01 roomman