fix(plugin): prevent user from being created on compromised password

Kinfe123 · web-flow · commit e777bef777c4 · 2025-04-13T15:53:13.000+03:00
diff --git a/packages/better-auth/src/plugins/haveibeenpwned/index.ts b/packages/better-auth/src/plugins/haveibeenpwned/index.ts
@@ -2,6 +2,7 @@ import { APIError } from "../../api";
 import { createHash } from "@better-auth/utils/hash";
 import { betterFetch } from "@better-fetch/fetch";
 import type { BetterAuthPlugin } from "../../types";
+import { createAuthMiddleware } from "../../api";
 
 const ERROR_CODES = {
 	PASSWORD_COMPROMISED:
@@ -63,6 +64,24 @@ export interface HaveIBeenPwnedOptions {
 export const haveIBeenPwned = (options?: HaveIBeenPwnedOptions) =>
 	({
 		id: "haveIBeenPwned",
+		hooks: {
+			before: [
+				{
+					matcher(ctx) {
+						return ctx.path === "/sign-up/email";
+					},
+					handler: createAuthMiddleware(async (ctx) => {
+						if (ctx.body?.password) {
+							await checkPasswordCompromise(
+								ctx.body.password,
+								options?.customPasswordCompromisedMessage,
+							);
+						}
+						return ctx;
+					}),
+				},
+			],
+		},
 		init(ctx) {
 			return {
 				context: {
