Forget Password Security/Rate limits
Is there an option to rate-limit the verification entries generated by `forgetPassword`?
For example, can we prevent generating a new reset password entry for a given `value` id if there are already X non-expired entries for it?
Additionally, what's the purpose of creating a new entry for the same `value` instead of updating the existing one or deleting the old one?
Doc: https://www.better-auth.com/docs/authentication/email-password#forget-password
https://discord.com/channels/1288403910284935179/1356493370901659741 for your second query

> GitHub: Forget Password Flow doesn't work. · Issue #2082 · better-auth/be...
> Is this suited for github? Yes, this is suited for github To Reproduce Try to implement forget password flow as described in the docs Current vs. Expected behavior The problem is that forget passwo...

`npm i https://pkg.pr.new/better-auth/better-auth@2083`
for your first query I think you'd have to throw an error in the function that is supposed to send the email if it exceeds the rate limit that you define for it manually

Thanks for the info. In your GitHub issue you said
> and ends up creating a new one instead which is totally not what we want
did you talk about creating a new `Account` or `Verification`?

account
Got it. So I believe keeping duplicated `verification` entries helps track previous attempts. And to check if an entry is valid, you compare `expiresAt` with the current datetime.
That said, I still think it would be a good practice to invalidate (flag) the previous entry when generating a new forgot password request. This way, the previous `identifier` would be invalidated, even if it hasn't expired yet.

Ofc you can get the info by computing again if it's the last verification of the value
It's my first time working with `better-auth`, coming from `next-auth`. I'm still trying to figure out which parts should be handled by the auth framework—especially since it provides helpers like `updateUser`, `updatePassword`, etc.—and which parts should be managed directly with the ORM.
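One way to implement the manual rate limit suggested in the thread (throw inside the email-sending callback when too many non-expired entries already exist for the same `value`), together with the invalidate-previous-entry policy raised later, as an added example that is neither better-auth's code nor code anyone posted here. The row shape (`identifier` = reset token, `value` = user id, `expiresAt`), the cap of 3, and the in-memory rows standing in for the real ORM query are all assumptions.

```typescript
// Added example, not better-auth's own code. Assumed row shape for the
// verification table, following how the thread uses the fields:
// identifier = reset token, value = user id, expiresAt = validity limit.
type VerificationRow = { id: string; identifier: string; value: string; expiresAt: Date };

const MAX_ACTIVE_RESETS = 3; // the "X" from the question; an assumed policy value

// Count reset entries for this user id that have not yet expired.
function countActive(rows: VerificationRow[], value: string, now: Date): number {
  return rows.filter((r) => r.value === value && r.expiresAt > now).length;
}

// Call this at the top of the app's sendResetPassword callback: throwing
// aborts the flow before any email is sent, which is the manual rate limit
// the reply in the thread describes.
function assertResetAllowed(
  rows: VerificationRow[],
  value: string,
  now: Date,
  max: number = MAX_ACTIVE_RESETS,
): void {
  if (countActive(rows, value, now) >= max) {
    throw new Error(`too many active password reset requests for user ${value}`);
  }
}

// Stricter policy raised later in the thread: as soon as a new request is
// issued, expire every older live entry so only the newest token is honoured.
// Returns updated rows instead of mutating, so the ORM update stays explicit.
function invalidatePrevious(rows: VerificationRow[], value: string, now: Date): VerificationRow[] {
  return rows.map((r) =>
    r.value === value && r.expiresAt > now ? { ...r, expiresAt: now } : r,
  );
}

// Constructed sample data: two live entries and one already expired for user_123.
const sampleNow = new Date("2025-04-01T12:00:00Z");
const sampleRows: VerificationRow[] = [
  { id: "v1", identifier: "reset-password:tokenA", value: "user_123", expiresAt: new Date("2025-04-01T13:00:00Z") },
  { id: "v2", identifier: "reset-password:tokenB", value: "user_123", expiresAt: new Date("2025-04-01T12:30:00Z") },
  { id: "v3", identifier: "reset-password:tokenC", value: "user_123", expiresAt: new Date("2025-04-01T11:00:00Z") },
];
```

In a real deployment the `rows` argument would be the result of a query on the verification table filtered by `value`, run inside the `sendResetPassword` callback before the email is dispatched.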