Session isn't updated after changing email of a user with an unverified email

I am currently trying to implement the change email feature from better auth and stumbled upon a bug (i think). I followed the steps from this guide https://www.better-auth.com/docs/concepts/users-accounts#change-email and it works perfectly fine when changing the email of a user whose email is already verified. The user receives an approval email, if they really want to change their email. The email then changes both in the User table as well es in the Session and the follow up verification email on the newly change email also works perfectly fine.

Now the issue is with users whose emails were not verified yet. The email on the User table changes instantly (as expected) without an approval email (also expected), but the email in the session is still the old one. This then backfires when the new verification email is sent to the new email. When clicking on that url I get redirected to my callback url with the params

?error=user_not_found

?error=user_not_found

. And when I check the sessions in my redis database I can see the session with the old email. I feel like better auth is forgetting to refresh the session in this case, or am I supposed to do it manually?

Perhaps it is worth mentioning that I'm updating the email on the server side with

auth.api.changeEmail()

auth.api.changeEmail()

Solution

Ah nice, a PR has been merged which should fix this issue!
https://github.com/better-auth/better-auth/pull/1801

And for others who encountered the issue, which this post was originally about (session update in secondary storage after changing email), the solution was to update better-auth to

1.2.4-beta.7

1.2.4-beta.7

. I hope this PR will also be added to v1.2.4 once it's released!

GitHub

fix: on change email request for unverified emails should use the n...

closes #1799

Jump to solution

DukiOP•3/8/25, 6:55 PM

Perhaps to further clarifiy this. This is a screenshot of the entry in my redis DB and the red box is not being updated immediately.

DukiOP•3/8/25, 6:56 PM

I also tested it without redis as a secondary DB and it still doesn't work properly. I still get the

?error=user_not_found

?error=user_not_found

params when clicking on the verifiy link on the email sent to the new email address from the user who didn't have a verified email beforehand.

DukiOP•3/8/25, 7:04 PM

I think it's similary to this issue and I am on v1.2.2
https://github.com/better-auth/better-auth/issues/1368

Perhaps its a regression?

GitHub

Email changes do not trigger cache invalidation or updates in secon...

Is this suited for github? Yes, this is suited for github To Reproduce Create a Next.js app using the app directory with React 19. Implement authentication with MongoDB as the primary store and Red...

daveycodez•3/8/25, 7:43 PM

I think this is related to cookie cache?

NeoPrint3D•3/8/25, 7:48 PM

Not directly related to your issue, and a parch instead of a fix but I managed to do cache invalidation on a custom api route of my plugin through this specific code

await setSessionCookie(ctx, {
session,
user: newUser,
});

Shown in this example

const db = remoteDb(DATABASE_URL);
const verification = await db
.select()
.from(schema.verifications)
.where(
and(
eq(schema.verifications.value, body.code),
eq(
schema.verifications.identifier,

${body.phoneNumber}:${user.id}

${body.phoneNumber}:${user.id}

),
gt(schema.verifications.expiresAt, new Date())
)
)
.then((res) => res[0]);

if (!verification)
throw new APIError("BAD_REQUEST", {
message: "Invalid verification code",
});

const newUser = await db
.update(schema.users)
.set({ phoneNumberVerified: true, phoneNumber: body.phoneNumber })
.where(eq(schema.users.id, user.id))
.returning()
.then((res) => res[0]);

await setSessionCookie(ctx, {
session,
user: newUser,
});

NeoPrint3D•3/8/25, 7:49 PM

You might be able to do it by using hooks intercepting the new data and manually assigning them a new session

NeoPrint3D•3/8/25, 7:50 PM

That function cones from

import { setSessionCookie } from "better-auth/cookies";

DDuki I am currently trying to implement the change email feature from better auth and...

bekacru•3/8/25, 8:11 PM

which version of better auth are you using?

Bbekacru which version of better auth are you using?

DukiOP•3/8/25, 8:12 PM

1.2.2

DDuki 1.2.2

bekacru•3/8/25, 8:13 PM

update to

1.1.4-beta.7

1.1.4-beta.7

and let me know if you're facing the same issue or not

Bbekacru update to `1.1.4-beta.7` and let me know if you're facing the same issue or not

DukiOP•3/8/25, 8:20 PM

npm error notarget No matching version found for better-auth@1.1.4-beta.7.

DukiOP•3/8/25, 8:23 PM

Only beta.1 and beta.2 are available on npm
https://www.npmjs.com/package/better-auth?activeTab=versions

npm

better-auth

The most comprehensive authentication library for TypeScript.. Latest version: 1.2.3, last published: 4 days ago. Start using better-auth in your project by running

npm i better-auth

npm i better-auth

. There are 23 other projects in the npm registry using better-auth.

DukiOP•3/8/25, 8:23 PM

should I try 1.1.4?

DDuki npm error notarget No matching version found for better-auth@1.1.4-beta.7.

bekacru•3/8/25, 8:26 PM

oh sorry

1.2.4-beta.7

1.2.4-beta.7

Bbekacru oh sorry `1.2.4-beta.7`

DukiOP•3/8/25, 8:33 PM

oh! It works there. It updates the user in my redis DB, but for some reason after clicking the url in the verification email I still get the

?error=user_not_found

?error=user_not_found

params

DukiOP•3/8/25, 8:33 PM

Thus the emailVerified field remains

DukiOP•3/8/25, 8:36 PM

It is sending the email to the correct address tho, which is the newly set email address

Bbekacru oh sorry `1.2.4-beta.7`

DukiOP•3/9/25, 12:06 PM

could it be that better-auth is reading the

email

email

property from the jwt token instead of the

updateTo

updateTo

when fetching the user by email?

DukiOP•3/9/25, 12:07 PM

That's how the payload of the jwt token looks like that was sent to the verification email

DukiOP•3/12/25, 3:08 PM

@bekacru sorry for the ping, but just being curious. any updates/explanations regarding the bug in the final step, where ther user is trying to verify their new email?

DDuki @bekacru sorry for the ping, but just being curious. any updates/explanations re...

bekacru•3/12/25, 3:11 PM

It does read email but isn't this change verification payload? meaning this is to verify the change so it should read email

DukiOP•3/12/25, 3:16 PM

No its the verify email payload

DukiOP•3/12/25, 3:17 PM

Change verification wasn't send, because the old email was not verified in the first place.

DukiOP•3/12/25, 3:17 PM

But now after changing the email, the new verification email won't work.

DukiOP•3/12/25, 3:21 PM

Perhaps that's where the confusion comes in? The payload for change approval email is being used for the email verification email, because the approval step got skipped, since the user wasnt verified before, thus the change approval email was never sent (which is expected in this scenario).

eoshorizon_•3/12/25, 3:25 PM

Well, should be a simple fix, either don't allow changing emails if the user doesn't have a verified email, or check if they don't have a verified email and then change immediately

Eeoshorizon_Well, should be a simple fix, either don't allow changing emails if the user doe...

DukiOP•3/12/25, 3:27 PM

Well the immediate change is given by better-auth. It even says that in their documentation. I think it's a bug on better-auth's side because their flow isn't checking out.

DukiOP•3/12/25, 3:28 PM

So why should I do something that the library already offers out of the box

eoshorizon_•3/12/25, 3:28 PM

yea there is no check implemented in better-auth

eoshorizon_•3/12/25, 3:29 PM

ah no wait there is an check https://github.com/better-auth/better-auth/blob/384d842ec17113d1acbd3c84e7bc51b06115b161/packages/better-auth/src/api/routes/update-user.ts#L590

GitHub

better-auth/packages/better-auth/src/api/routes/update-user.ts at 3...

The most comprehensive authentication framework for TypeScript - better-auth/better-auth