Forget Password endpoint always returns status code 200

When I call the forget password endpoint on both postman and my next.js app, I always get status code 200, no error, even if the user doesn't exist. In my next.js logs I can see the user not found error being registered, but my code which looks like this:

async function onSubmit(event: React.SyntheticEvent) {
        event.preventDefault()
        setIsLoading(true)
        setError("")

        const { data, error } = await authClient.forgetPassword({
            email: email,
            redirectTo: "/reset-password",
        });

        setIsLoading(false)


        console.log(data,error);
        
        if (error) {
            setError(error.message!)
            return
        }
        
        toast.success("Reset link sent to your email!")
        //router.push("/auth")
    }

async function onSubmit(event: React.SyntheticEvent) {
        event.preventDefault()
        setIsLoading(true)
        setError("")

        const { data, error } = await authClient.forgetPassword({
            email: email,
            redirectTo: "/reset-password",
        });

        setIsLoading(false)


        console.log(data,error);
        
        if (error) {
            setError(error.message!)
            return
        }
        
        toast.success("Reset link sent to your email!")
        //router.push("/auth")
    }

async function onSubmit(event: React.SyntheticEvent) {
        event.preventDefault()
        setIsLoading(true)
        setError("")

        const { data, error } = await authClient.forgetPassword({
            email: email,
            redirectTo: "/reset-password",
        });

        setIsLoading(false)


        console.log(data,error);
        
        if (error) {
            setError(error.message!)
            return
        }
        
        toast.success("Reset link sent to your email!")
        //router.push("/auth")
    }

async function onSubmit(event: React.SyntheticEvent) {
        event.preventDefault()
        setIsLoading(true)
        setError("")

        const { data, error } = await authClient.forgetPassword({
            email: email,
            redirectTo: "/reset-password",
        });

        setIsLoading(false)


        console.log(data,error);
        
        if (error) {
            setError(error.message!)
            return
        }
        
        toast.success("Reset link sent to your email!")
        //router.push("/auth")
    }

Has data with value {status: true} and error is null

Is this normal behaviour?

Solution

I would say for security

Jump to solution

Solution

FFredTheNoob When I call the forget password endpoint on both postman and my next.js app, I a...

lonelyplanet•2/19/25, 12:20 PM

I would say for security

lonelyplanet•2/19/25, 12:21 PM

If it wasn't like that i could go does email x@example.com have an account just by calling forgot password i could find out because if they did i would get a 200 if they didnt i would get a error.

lonelyplanet•2/19/25, 12:23 PM

I was right after checking source code

if (!user) {
  ctx.context.logger.error("Reset Password: User not found", { email });
  //only on the server status is false for the client it's always true
  //to avoid leaking information
  return ctx.json(
    {
      status: false,
    },
    {
      body: {
          status: true,
        },
      },
    );
}

if (!user) {
  ctx.context.logger.error("Reset Password: User not found", { email });
  //only on the server status is false for the client it's always true
  //to avoid leaking information
  return ctx.json(
    {
      status: false,
    },
    {
      body: {
          status: true,
        },
      },
    );
}

lonelyplanet•2/19/25, 12:23 PM

https://github.com/better-auth/better-auth/blob/main/packages/better-auth/src/api/routes/forget-password.ts

GitHub

better-auth/packages/better-auth/src/api/routes/forget-password.ts ...

The most comprehensive authentication framework for TypeScript - better-auth/better-auth

FredTheNoobOP•2/19/25, 12:38 PM

I see, that makes sense. Thank you

if (!user) { ctx.context.logger.error("Reset Password: User not found", { email }); //only on the server status is false for the client it's always true //to avoid leaking information return ctx.json( { status: false, }, { body: { status: true, }, }, ); }

Forget Password endpoint always returns status code 200

Similar Threads

Similar Threads

Similar Threads