How to implement invite-only registration flow with better-auth?

Hello, I'm looking for some help on how to implement this use-case. Here is the general user creation/registration flow I want to implement:
1. Existing admin user adds a new user by entering their email (and possibly name and role).
2. The new user receives email with a welcome message and a link (time limited) to complete account setup.
3. After clicking the link, the user is redirected to a page where they can enter a password and/or link their social account.
4. User is redirected to the app's main page.
5. Future logins for the user will be done using their password or social account.
I've tried using magic links, but I got stuck on how to then add a credentials account to the user. Magic link also doesn't handle the user's role, but I can manage with setting it up later. Here is another alternative I've considered, and I'd appreciate some feedback on whether it should work and if it's a good way to do that. Use the admin API to add users and then send them a "forgot password" link with a custom message. This will then redirect them to reset the password. Any thoughts?
Solution
bekacru 4w ago
We'll have sendInvite functionality in the admin plugin soon, but magic link or forgot password for the time being should work fine.
Stormlight (OP) 4w ago
Oh nice! Thanks for taking the time to reply. I've managed to implement it with the forgot password for now, but having it built in will be amazing!
Ali Nasir 3w ago
Can you explain how you actually implemented this? Because the docs say that it will trigger the function only if the user exists. Or do we have to create the user without a password when inviting? That way, I guess, it will find the user with that email.
Stormlight (OP) 3w ago
Correct. On the client side (UI) I have an admin page for creating a user. I enter email, name and role and submit. In handle submit I first create the user using authClient.admin.createUser and I use generateRandomString from better-auth/crypto to generate a password (which I don't show or save anywhere). Then I use the forgotPassword with redirectTo: "/complete-registration". On the server I've set sendResetPassword option with a check on the callbackURL, so I send a different message if it's first login or if the user actually clicked forgot password by themselves. And of course create the relevant pages on the frontend. It's working fine for now, but I'll gladly switch to a dedicated solution when it's available.
Ali Nasir 3w ago
Thanks @Stormlight! I built the same thing using auth hooks—will check out your approach too.
Stormlight (OP) 3w ago
In my setup I've disabled the sign-up endpoint, which is enabled by default, i.e., anyone can send a POST request to the endpoint unless you change it somehow. I've also disabled the sign-up option for social login. This setup ensures that only an admin user can add users, both from the UI and the API.
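
The callbackURL check and throwaway password described in the thread, as an added example that is not code from any participant or from better-auth. It assumes the reset link passed to sendResetPassword carries the caller's redirectTo in a `callbackURL` query parameter; `APP_ORIGIN`, the function names and the sample links are constructed, and Node's `randomBytes` stands in for `generateRandomString`.

```typescript
import { randomBytes } from "node:crypto";

// Assumed values for this sketch (only the path comes from the thread).
const APP_ORIGIN = "https://app.example.test"; // constructed placeholder origin
const INVITE_PATH = "/complete-registration";  // redirectTo used in the thread

type MailKind = "invite" | "reset";

// Throwaway password for the admin-created account: never shown or stored,
// the invitee replaces it through the reset link. 32 random bytes, base64url.
function throwawayPassword(): string {
  return randomBytes(32).toString("base64url");
}

// Pick the e-mail template for a reset link. Assumption: the link carries
// the requested redirect target in a "callbackURL" query parameter.
function classifyResetLink(resetUrl: string): MailKind {
  try {
    const raw = new URL(resetUrl).searchParams.get("callbackURL");
    if (!raw) return "reset";
    // Resolve relative values against our own origin before comparing.
    const cb = new URL(raw, APP_ORIGIN);
    // Exact origin and exact path. A substring test would also accept the
    // path on another origin, or the path hidden inside a query string.
    return cb.origin === APP_ORIGIN && cb.pathname === INVITE_PATH
      ? "invite"
      : "reset";
  } catch {
    return "reset"; // unparsable input falls back to the plain reset mail
  }
}

// Constructed sample links, not captured from a real deployment.
const base = `${APP_ORIGIN}/api/auth/reset-password`;
const samples = [
  `${base}/tok1?callbackURL=%2Fcomplete-registration`,
  `${base}/tok2?callbackURL=%2Freset-password`,
  `${base}/tok3?callbackURL=https%3A%2F%2Fother.example.test%2Fcomplete-registration`,
  `${base}/tok4`,
];
for (const s of samples) console.log(classifyResetLink(s), s);
```

The classification only selects the wording of the e-mail. The callbackURL originates from the request, so it is not evidence that an admin issued the invite.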
