Session isn't updated after changing email of a user with an unverified email
I am currently trying to implement the change email feature from better auth and stumbled upon a bug (I think). I followed the steps from this guide https://www.better-auth.com/docs/concepts/users-accounts#change-email and it works perfectly fine when changing the email of a user whose email is already verified. The user receives an approval email, if they really want to change their email. The email then changes both in the User table as well as in the Session and the follow up verification email on the newly changed email also works perfectly fine.
Now the issue is with users whose emails were not verified yet. The email on the User table changes instantly (as expected) without an approval email (also expected), but the email in the session is still the old one. This then backfires when the new verification email is sent to the new email. When clicking on that url I get redirected to my callback url with the params ?error=user_not_found. And when I check the sessions in my redis database I can see the session with the old email. I feel like better auth is forgetting to refresh the session in this case, or am I supposed to do it manually?
Perhaps it is worth mentioning that I'm updating the email on the server side with auth.api.changeEmail()

Perhaps to further clarify this. This is a screenshot of the entry in my redis DB and the red box is not being updated immediately.

I also tested it without redis as a secondary DB and it still doesn't work properly. I still get the ?error=user_not_found params when clicking on the verify link on the email sent to the new email address from the user who didn't have a verified email beforehand.
I think it's similar to this issue and I am on v1.2.2
https://github.com/better-auth/better-auth/issues/1368
Perhaps it's a regression?
I think this is related to cookie cache?
Not directly related to your issue, and a patch instead of a fix, but I managed to do cache invalidation on a custom api route of my plugin through this specific code

    await setSessionCookie(ctx, {
      session,
      user: newUser,
    });

Shown in this example
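
    // Module-level imports the fragment relies on.
    import { and, eq, gt } from "drizzle-orm";
    import { APIError } from "better-auth/api";
    import { setSessionCookie } from "better-auth/cookies";

    // Fragment from inside the plugin's custom endpoint handler: ctx, body,
    // user and session come from that handler; remoteDb, schema and
    // DATABASE_URL are the poster's own modules.
    const db = remoteDb(DATABASE_URL);

    // Find an unexpired verification row for this phone number and user.
    const verification = await db
      .select()
      .from(schema.verifications)
      .where(
        and(
          eq(schema.verifications.value, body.code),
          eq(
            schema.verifications.identifier,
            `${body.phoneNumber}:${user.id}`
          ),
          gt(schema.verifications.expiresAt, new Date())
        )
      )
      .then((res) => res[0]);
    if (!verification)
      throw new APIError("BAD_REQUEST", {
        message: "Invalid verification code",
      });

    // Persist the change and get the updated row back.
    const newUser = await db
      .update(schema.users)
      .set({ phoneNumberVerified: true, phoneNumber: body.phoneNumber })
      .where(eq(schema.users.id, user.id))
      .returning()
      .then((res) => res[0]);

    // Re-issue the session cookie so the cached user matches the new row.
    await setSessionCookie(ctx, {
      session,
      user: newUser,
    });
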
You might be able to do it by using hooks intercepting the new data and manually assigning them a new session
That function comes from
import { setSessionCookie } from "better-auth/cookies";
which version of better auth are you using?
1.2.2
update to 1.1.4-beta.7 and let me know if you're facing the same issue or not
npm error notarget No matching version found for better-auth@1.1.4-beta.7.
Only beta.1 and beta.2 are available on npm
https://www.npmjs.com/package/better-auth?activeTab=versions
should I try 1.1.4?
oh sorry
1.2.4-beta.7
oh! It works there. It updates the user in my redis DB, but for some reason after clicking the url in the verification email I still get the ?error=user_not_found params
Thus the emailVerified field remains 0
It is sending the email to the correct address tho, which is the newly set email address 🤔
could it be that better-auth is reading the email property from the jwt token instead of the updateTo when fetching the user by email?
That's how the payload of the jwt token looks like that was sent to the verification email

@bekacru sorry for the ping, but just being curious. any updates/explanations regarding the bug in the final step, where the user is trying to verify their new email?
It does read email but isn't this change verification payload? meaning this is to verify the change so it should read email
No, it's the verify email payload
Change verification wasn't sent, because the old email was not verified in the first place.
But now after changing the email, the new verification email won't work.
Perhaps that's where the confusion comes in? The payload for change approval email is being used for the email verification email, because the approval step got skipped, since the user wasn't verified before, thus the change approval email was never sent (which is expected in this scenario).
Well, should be a simple fix, either don't allow changing emails if the user doesn't have a verified email, or check if they don't have a verified email and then change immediately
Well the immediate change is given by better-auth. It even says that in their documentation. I think it's a bug on better-auth's side because their flow isn't checking out.
So why should I do something that the library already offers out of the box
yea there is no check implemented in better-auth
ah no wait there is a check https://github.com/better-auth/better-auth/blob/384d842ec17113d1acbd3c84e7bc51b06115b161/packages/better-auth/src/api/routes/update-user.ts#L590
Yea and it says here that it does too
https://www.better-auth.com/docs/concepts/users-accounts#change-email
Which is why I think it's a potential bug
Solution
Ah nice, a PR has been merged which should fix this issue!
https://github.com/better-auth/better-auth/pull/1801
And for others who encountered the issue, which this post was originally about (session update in secondary storage after changing email), the solution was to update better-auth to 1.2.4-beta.7. I hope this PR will also be added to v1.2.4 once it's released!
thanks bekacru! 🫶
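
An added illustration, not part of the thread and not better-auth's code: a small model of the stale-session problem the original post describes, with two in-memory Maps standing in for the User table and the Redis secondary storage. The cached record shape and every function name here are assumptions made for the example; the audit function is the kind of consistency check that can be run against a real store after upgrading.

```javascript
// Constructed model, not better-auth code. Two Maps stand in for the stores.
const primaryDb = new Map(); // userId -> user row (the User table)
const secondary = new Map(); // session token -> JSON string (the Redis entry)

// Assumed record shape: the cached entry embeds a snapshot of the user.
function createSession(token, userId) {
  const user = primaryDb.get(userId);
  secondary.set(token, JSON.stringify({ session: { token, userId }, user }));
}

// Stale path: only the primary store is written, cached snapshots keep the old email.
function changeEmailStale(userId, newEmail) {
  const user = primaryDb.get(userId);
  primaryDb.set(userId, { ...user, email: newEmail, emailVerified: false });
}

// Refreshing path: write the primary store, then rewrite this user's cached sessions.
function changeEmailAndRefresh(userId, newEmail) {
  changeEmailStale(userId, newEmail);
  const fresh = primaryDb.get(userId);
  let refreshed = 0;
  for (const [token, raw] of secondary) {
    const entry = JSON.parse(raw);
    if (entry.session.userId !== userId) continue;
    secondary.set(token, JSON.stringify({ ...entry, user: fresh }));
    refreshed += 1;
  }
  return refreshed;
}

// Audit: tokens whose cached email no longer matches the primary store.
function findStaleSessions() {
  const stale = [];
  for (const [token, raw] of secondary) {
    const { session, user } = JSON.parse(raw);
    const current = primaryDb.get(session.userId);
    if (!current || current.email !== user.email) stale.push(token);
  }
  return stale;
}

const cachedEmail = (token) => JSON.parse(secondary.get(token)).user.email;

// Constructed sample data: one unverified user with one cached session.
primaryDb.set("u1", { id: "u1", email: "old@example.test", emailVerified: false });
createSession("tok-a", "u1");
changeEmailStale("u1", "new@example.test");
console.log(findStaleSessions(), changeEmailAndRefresh("u1", "new@example.test"), findStaleSessions());
```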