9 replies

Multi-Tenant Authentication Issue: User Login Conflicts with Same Email Across Different Tenants

I'm building a multi-tenant application using Better Auth with a single database approach. I'm using tenant_id to separate data between organizations. However, I'm facing a critical authentication issue when users belong to multiple organizations.

-- Users table
CREATE TABLE users (
  id UUID PRIMARY KEY,
  email VARCHAR(255) NOT NULL,
  tenant_id UUID NOT NULL,
  created_at TIMESTAMP DEFAULT NOW(),
  updated_at TIMESTAMP DEFAULT NOW()
);

-- Example data
INSERT INTO users (id, email, password, tenant_id) VALUES
('user-1', 'john@example.com', 'hashed_password_1', 'tenant-org-a'),
('user-2', 'john@example.com', 'hashed_password_2', 'tenant-org-b');

-- Users table
CREATE TABLE users (
  id UUID PRIMARY KEY,
  email VARCHAR(255) NOT NULL,
  tenant_id UUID NOT NULL,
  created_at TIMESTAMP DEFAULT NOW(),
  updated_at TIMESTAMP DEFAULT NOW()
);

-- Example data
INSERT INTO users (id, email, password, tenant_id) VALUES
('user-1', 'john@example.com', 'hashed_password_1', 'tenant-org-a'),
('user-2', 'john@example.com', 'hashed_password_2', 'tenant-org-b');

The Issue
When a user with the same email exists in multiple tenants (organizations), Better Auth's internal user lookup logic appears to randomly select one of the user records during login:

// Current behavior (what Better Auth does internally)
// SELECT * FROM users WHERE email = 'john@example.com'
// Returns: Could be either tenant-org-a or tenant-org-b user randomly

// Current behavior (what Better Auth does internally)
// SELECT * FROM users WHERE email = 'john@example.com'
// Returns: Could be either tenant-org-a or tenant-org-b user randomly

What I need:

// Desired behavior
// SELECT * FROM users WHERE email = 'john@example.com' AND tenant_id = 'tenant-org-a'
// Returns: Specific user for the correct tenant

// Desired behavior
// SELECT * FROM users WHERE email = 'john@example.com' AND tenant_id = 'tenant-org-a'
// Returns: Specific user for the correct tenant

Example Scenario
User John has accounts in:
Organization A (tenant-org-a)
Organization B (tenant-org-b)

Example Scenario
User John has accounts in:
Organization A (tenant-org-a)
Organization B (tenant-org-b)

John tries to login to Organization A's portal
Better Auth finds both user records but randomly picks one
John might get logged in as the Organization B user instead
so how solve this issue ?

Better Auth•7mo ago•

9 replies

rinshad

Multi-Tenant Authentication Issue: User Login Conflicts with Same Email Across Different Tenants

-- Users table
CREATE TABLE users (
  id UUID PRIMARY KEY,
  email VARCHAR(255) NOT NULL,
  tenant_id UUID NOT NULL,
  created_at TIMESTAMP DEFAULT NOW(),
  updated_at TIMESTAMP DEFAULT NOW()
);

-- Example data
INSERT INTO users (id, email, password, tenant_id) VALUES
('user-1', 'john@example.com', 'hashed_password_1', 'tenant-org-a'),
('user-2', 'john@example.com', 'hashed_password_2', 'tenant-org-b');

-- Users table
CREATE TABLE users (
  id UUID PRIMARY KEY,
  email VARCHAR(255) NOT NULL,
  tenant_id UUID NOT NULL,
  created_at TIMESTAMP DEFAULT NOW(),
  updated_at TIMESTAMP DEFAULT NOW()
);

-- Example data
INSERT INTO users (id, email, password, tenant_id) VALUES
('user-1', 'john@example.com', 'hashed_password_1', 'tenant-org-a'),
('user-2', 'john@example.com', 'hashed_password_2', 'tenant-org-b');

The Issue
When a user with the same email exists in multiple tenants (organizations), Better Auth's internal user lookup logic appears to randomly select one of the user records during login:

// Current behavior (what Better Auth does internally)
// SELECT * FROM users WHERE email = 'john@example.com'
// Returns: Could be either tenant-org-a or tenant-org-b user randomly

// Current behavior (what Better Auth does internally)
// SELECT * FROM users WHERE email = 'john@example.com'
// Returns: Could be either tenant-org-a or tenant-org-b user randomly

What I need:

// Desired behavior
// SELECT * FROM users WHERE email = 'john@example.com' AND tenant_id = 'tenant-org-a'
// Returns: Specific user for the correct tenant

// Desired behavior
// SELECT * FROM users WHERE email = 'john@example.com' AND tenant_id = 'tenant-org-a'
// Returns: Specific user for the correct tenant

Example Scenario
User John has accounts in:
Organization A (tenant-org-a)
Organization B (tenant-org-b)

Example Scenario
User John has accounts in:
Organization A (tenant-org-a)
Organization B (tenant-org-b)

John tries to login to Organization A's portal
Better Auth finds both user records but randomly picks one
John might get logged in as the Organization B user instead
so how solve this issue ?

Multi-Tenant Authentication Issue: User Login Conflicts with Same Email Across Different Tenants

Similar Threads

Multi-Tenant Authentication Issue: User Login Conflicts with Same Email Across Different Tenants

Similar Threads

Similar Threads

Similar Threads