Resolving 500 Status Authentication Errors

Last edited: 1/17/2025

Resolving 500 status authentication errors

A 500 error in Auth typically indicates an issue with an external dependency, such as your database or SMTP provider, rather than with Auth itself. This guide will help you explore the Auth logs to identify the underlying cause.

Prerequisites

Open the log explorer

Ensure you have access to the Dashboard's Log Explorer and set the time range appropriately:

image

Improving log readability

Logs are displayed in a table format, which can be challenging to read. Double-clicking on a row will expand it for easier viewing:

Screenshot 2024-08-14 at 1 15 26 PM

Section 1: Checking for database-level errors

Query for recent database errors

Use the following SQL query to check for any recent errors the Auth server encountered while interacting with your database:


_19
select
_19
cast(postgres_logs.timestamp as datetime) as timestamp,
_19
event_message,
_19
parsed.error_severity,
_19
parsed.user_name,
_19
parsed.query,
_19
parsed.detail,
_19
parsed.hint,
_19
parsed.sql_state_code,
_19
parsed.backend_type
_19
from
_19
postgres_logs
_19
cross join unnest(metadata) as metadata
_19
cross join unnest(metadata.parsed) as parsed
_19
where
_19
regexp_contains(parsed.error_severity, 'ERROR|FATAL|PANIC')
_19
and regexp_contains(parsed.user_name, 'supabase_auth_admin')
_19
order by timestamp desc
_19
limit 100;

If no results are returned, proceed to Section 2.

Common database-level errors

There are few known categories of auth/database level errors:

Constraint related (sql_state_code = 23503 or 23*)

If you’ve manually created a foreign key relationship between your tables and those in the auth schema, a constraint may prevent the Auth server from updating the auth.users table.

Solution

The log will show the name of the constraint. You need DROP it:


_10
ALTER TABLE <your table> DROP CONSTRAINT <constraint name>;

Alternatively, you can DROP and then recreate the constraint with a less restrictive modifier, such as SET NULL, SET DEFAULT, or CASCADE:


_10
BEGIN;
_10
ALTER TABLE <your table> DROP CONSTRAINT <constraint name>;
_10
_10
ALTER TABLE <your table> ADD CONSTRAINT <constraint name> FOREIGN KEY (<column name>)
_10
REFERENCES auth.users (<auth.users column>)
_10
ON DELETE SET NULL;
_10
COMMIT;

Ownership related (sql_state_code = 42501)

If you see an error like must be owner of..., the supabase_auth_admin role may have lost privileges over tables in the auth schema. This often results from faulty migrations by external ORMs (e.g., Prisma) or manual schema modifications.

Solution

Check ownership with this GitHub Gist. If any objects are owned by the supabase_admin role, contact Support. If they're owned by roles other than supabase_auth_admin you can change ownership back manually one-by-one:


_10
ALTER <object type (table, function, etc.)> <auth.object_name> OWNER TO supabase_auth_admin;

Alternatively, you can run the SQL script in this Github Gist to change all

If errors reference a database function, this indicates a trigger error on one of the auth tables (likely auth.users). If you do not want to keep the trigger/function, you can just quickly drop it, otherwise, continue reading to know how to fix the issue:


_10
-- delete the trigger with the following SQL:
_10
DROP FUNCTION <function name>() CASCADE;
_10
_10
-- If you'd prefer, you can drop the trigger alone with the following query:
_10
-- DROP TRIGGER <trigger_name> on auth.<table_name>;

Solutions:

Get the function's definition with this query:


_10
select pg_get_functiondef(oid)
_10
from pg_proc
_10
where proname = '<FUNCTION NAME>';

Trigger has insufficient privileges ( sql_state_code = 42501)

If the error is related to insufficient privileges, your trigger function is missing a security definer tag, which allows it to access schemas outside of auth. You must REPLACE the function with the appropriate security definer settings (example)

Trigger references a table or column that does not exist (sql_state_code = 42P01)

The trigger may be referencing a table or column that no longer exists. In that case do one of the three:

  • make sure the trigger is referencing the table using the right schema, e.g. public, auth, etc.
  • modify the trigger function to reference the appropriate database objects.
  • remove the trigger
  • recreate the database object that the trigger referenced

Corrupted schema

If you made any customizations to the auth schema, such as adding RLS, modifying table columns, or adding/dropping tables, it can break migrations done by the Auth Server. It's necessary to remove these changes and restore the auth schema to its original form.

Section 2: Checking Auth level errors

Query for Auth errors

Run this SQL query in the Log Explorer to find Auth-related errors:


_15
select
_15
cast(metadata.timestamp as datetime) as timestamp,
_15
msg,
_15
event_message,
_15
status,
_15
path,
_15
level
_15
from auth_logs
_15
cross join unnest(metadata) as metadata
_15
where
_15
-- find all errors
_15
status::INT = 500
_15
OR
_15
regexp_contains(level, 'error|fatal')
_15
order by timestamp

Database migration errors

"running db migrations: Migrator: problem creating schema migrations"

This is a continuation of the "Corrupted Schema" error from the Postgres Section. If you modified structures in the auth schema, such as columns or tables, or added restrictions, such as RLS, Auth will not be able to complete it's migrations. It's necessary to remove those modifications.

If you are running older versions of auth, you may experience a migration bug. If so, checkout this guide for a resolution. If it doesn't work, please contact Support.

SMTP errors

The logs may contain messages about gomail. It means that auth is struggling to communicate with the SMTP provider. This often implies that:

  1. Misconfigured custom domain name with your email provider.
  2. Invalid email port usage.
  3. Rate limiting by the SMTP provider.
  4. SMTP provider downtime.

The log will be able to provide some context for what is occurring, but it is important to check with your external SMTP provider to make sure everything is properly configured.

Step 3: Checking email templates

Incomplete or incorrect email templates can also cause 500 errors. If your templates have unclosed variable tags or HTML elements, or use forbidden characters, this might be the issue.

Test a simplified email template in the Auth Dashboard. If the new template works, revise your original template to avoid forbidden characters and ensure all elements/variables are properly closed.