EmailOtp's forget password user enumeration #3972
-
|
Hi all! I'm using email otp plugin for forget password and when i use an non existent email i will get a error config: import { betterAuth } from "better-auth";
import { APIError } from "better-auth/api";
import { expo } from "@better-auth/expo";
import { admin, createAuthMiddleware, emailOTP } from "better-auth/plugins";
import { drizzleAdapter } from "better-auth/adapters/drizzle";
import { db } from "@/src/db";
import { registerSchema } from "./schemas/auth";
export const auth = betterAuth({
emailAndPassword: {
enabled: true, // Enable authentication using email and password.
},
hooks: {
before: createAuthMiddleware(async (ctx) => {
if (ctx.path === "/sign-up/email") {
if (ctx.body) {
const result = registerSchema.safeParse(ctx.body);
if (!result.success) {
const errorMessage = result.error.issues[0].message;
throw new APIError("BAD_REQUEST", {
message: errorMessage,
});
}
}
}
}),
},
trustedOrigins: ["bevy://"],
database: drizzleAdapter(db, {
provider: "pg", // or "pg" or "mysql"
}),
plugins: [
emailOTP({
// disableSignUp: true,
overrideDefaultEmailVerification: true,
async sendVerificationOTP({ email, otp, type }) {
console.log("=== EMAIL OTP SEND TRIGGERED ===");
console.log("Email:", email);
console.log("OTP:", otp);
console.log("Type:", type);
console.log("Timestamp:", new Date().toISOString());
if (type === "sign-in") {
console.log("📧 Sending OTP for sign-in");
// Send the OTP for sign-in
console.log("Sign-in OTP email would be sent to:", email);
} else if (type === "email-verification") {
console.log("✅ Sending OTP for email verification");
// Send the OTP for email verification
console.log("Email verification OTP would be sent to:", email);
} else {
console.log("🔐 Sending OTP for password reset");
// Send the OTP for password reset
console.log("Password reset OTP would be sent to:", email);
}
console.log("=== EMAIL OTP SEND COMPLETED ===\n");
},
}),
expo(),
admin(),
],
}); |
Beta Was this translation helpful? Give feedback.
Replies: 3 comments 5 replies
-
|
Hi @chanithecat! I'm Dosu and I’m helping the better-auth team. You're right—returning a To match this behavior in your forgot password flow, you should use the sendVerificationOTP endpoint for password resets, or adapt your flow so that when a non-existent email is submitted, you always return a generic success response (and never reveal whether the email exists). If you need to override the default endpoint, you can use a custom middleware or hook to intercept the error and replace it with a generic success response. This approach aligns with how token mode email verification works, where errors are always generic and never reveal user existence (source). If you want a code example or guidance on how to override the endpoint or add a hook, let me know! To reply, just mention @dosu. Docs are dead. Just use Dosu.
|
Beta Was this translation helpful? Give feedback.
-
@dosubot ive tried both // const { error } = await authClient.forgetPassword.emailOtp({
// email, // required
// });
//
const { error } = await authClient.emailOtp.sendVerificationOtp({
email,
type: "forget-password", // required
});and both return a user not found Started development server: http://localhost:3000
<-- POST /api/auth/forget-password/email-otp
--> POST /api/auth/forget-password/email-otp 400 2s
<-- POST /api/auth/forget-password/email-otp
--> POST /api/auth/forget-password/email-otp 400 307ms |
Beta Was this translation helpful? Give feedback.
-
|
You’re hitting the legacy /forget-password/email-otp endpoint, which always returns a 400 with "User not found" for non-existent emails—this does leak user existence and is expected behavior for that route. The privacy-preserving behavior (always returning If you’re still seeing "User not found" from sendVerificationOtp with type: "forget-password", double-check that your client is actually calling /email-otp/send-verification-otp and not the legacy endpoint. If you must support the legacy endpoint, you can add an after hook to mask the error: import { createAuthMiddleware } from "better-auth/api";
export const auth = betterAuth({
// ...your config
hooks: {
after: createAuthMiddleware(async (ctx) => {
if (
ctx.path === "/forget-password/email-otp" &&
ctx.error?.message === "User not found"
) {
return ctx.json({ success: true });
}
}),
// ...other hooks
},
// ...plugins
});This will intercept the error and always return a generic success response for that endpoint, preventing user enumeration. You can adapt the matcher logic if you want to cover other endpoints or error messages. See docs on hooks for more details. If you want to avoid this entirely, use only /email-otp/send-verification-otp with type: "forget-password" for your forgot password flow, as it’s already privacy-preserving by default (source). To reply, just mention @dosu. Share context across your team and agents. Try Dosu.
|
Beta Was this translation helpful? Give feedback.
-
|
thanks last question @dosubot any idea why my console logs arent printed in send verification function? |
Beta Was this translation helpful? Give feedback.
-
|
Your console logs in sendVerificationOTP only run if the function is actually called—which only happens when the email exists in your database. For non-existent emails, the function is never invoked (to avoid leaking user existence), so your logs won’t print in those cases. Try submitting a valid, existing email and you should see your logs as expected. If you still don’t see logs for valid users, double-check your server environment to make sure logs aren’t being suppressed or redirected, and confirm your function is being hit by adding a log at the very top. This behavior is by design to prevent user enumeration and side-channel leaks—see the plugin implementation for details. To reply, just mention @dosu. Share context across your team and agents. Try Dosu.
|
Beta Was this translation helpful? Give feedback.
-
|
im down to submit a pr is a flag like |
Beta Was this translation helpful? Give feedback.
-
|
@dosubot i tried to patch the otp plugin to do the same thing when using i also added the |
Beta Was this translation helpful? Give feedback.
-
|
The reason you see logger output in your patched requestPasswordReset endpoint but not when hitting /forget-password/email-otp is because the standard emailOTP plugin does not log anything when masking a missing user—it just quietly returns a generic success response or throws an error, depending on config. Your patch explicitly calls logger.error, but the plugin’s default code does not include a logger call in that code path for missing users (source). If you want consistent logging for masked user-not-found events, you’ll need to add explicit logger calls in all relevant code paths—either by patching the plugin or by using an after hook. For example, you can use an after hook like this: import { createAuthMiddleware } from "better-auth/api";
export const auth = betterAuth({
// ...your config
hooks: {
after: createAuthMiddleware(async (ctx) => {
if (
ctx.path === "/forget-password/email-otp" &&
ctx.error?.message === "User not found"
) {
ctx.context.logger.error("reset password: user not found", { email: ctx.body?.email });
return ctx.json({ success: true });
}
}),
},
// ...plugins
});Just be aware that logging masked events could leak information if your logs are accessible to attackers, so make sure your log handling is secure. To reply, just mention @dosu. Share context across your team and agents. Try Dosu.
|
Beta Was this translation helpful? Give feedback.
@dosubot i tried to patch the otp plugin to do the same thing when using
requestPasswordResetendpoint that returns a 200 but uses the logger to print2025-08-13T16:22:02.249Z ERROR [Better Auth]: Reset Password: User not found { email: "john.doe@example.com", }but when i hit the/forget-password/email-otpit returns a 200 but does not log like therequestPasswordReset. any idea why?i also added the
maskusernotfoundonforgetpasswordand set it to false by default.