Armand
Better Auth
•Created by Armand on 4/7/2025 in #help
Sign out after revoking current session
This will only work for the current session.
I've just tried disabling session cache and got the same result.
5 replies
Better Auth
•Created by Utkarsh Anand on 4/4/2025 in #help
How to revoke all sessions after reset password from forget password link?
1. Idk if there is a param like revokeOtherSessions: true on changePassword
https://www.better-auth.com/docs/concepts/session-management#revoking-sessions-on-password-change
But again that's only when you are logged in
5 replies
Better Auth
•Created by Utkarsh Anand on 4/4/2025 in #help
How to revoke all sessions after reset password from forget password link?
2. authClient.forgetPassword() should create a record in Verification table with the user id in value col. From there you can get your email.
5 replies
Better Auth
•Created by Armand on 4/4/2025 in #help
First Sign In
This will trigger on sign-up not sign-in?
In my case I can use databaseHooks -> session -> create since the user already exists
8 replies
Better Auth
•Created by Armand on 4/4/2025 in #help
First Sign In
Hi @daveycodez, in my application, there’s no sign-up; users must be invited. To handle this, I create a pending User and an associated Invitation. When the user accesses the invitation, they set up their email and password, which updates both the User and the Invitation status.
Now, I’m adding OAuth with Microsoft as a provider. However, I still don’t want a sign-up process; users should only be able to sign in to an already invited account (matching their email).
What I'm trying to achieve is adding this new provider on the invitation page so the user can choose between Email & Password or Microsoft. If he chooses OAuth I use signIn.social, then I would like a callback / hook to update the User and Invitation status to set the User as valid and Invitation used etc...
Additionally, an invited user can sign in directly via Microsoft OAuth, even without using the invitation link.
8 replies
Better Auth
•Created by Armand on 4/2/2025 in #help
Forget Password Security/Rate limits
It's my first time working with better-auth, coming from next-auth, I'm still trying to figure out which parts should be handled by the auth framework—especially since it provides helpers like updateUser, updatePassword, etc.—and which parts should be managed directly with the ORM.
8 replies
Better Auth
•Created by Armand on 4/2/2025 in #help
Forget Password Security/Rate limits
Got it. So I believe keeping duplicated verification entries helps track previous attempts. And to check if an entry is valid, you compare expiresAt with the current datetime.
That said, I still think it would be a good practice to invalidate (flag) the previous entry when generating a new forgot password request. This way, the previous identifier would be invalidated, even if it hasn’t expired yet. Ofc you can get the info by computing again if it's the last verification of the value
8 replies
Better Auth
•Created by Armand on 4/2/2025 in #help
Forget Password Security/Rate limits
Thanks for the info. In your GitHub issue you said "and ends up creating a new one instead which is totally not what we want", did you talk about creating a new Account or Verification?
8 replies