auth.api.changeEmail updates email immediately even when user is verified (unlike client flow)
Steps to reproduce:
1. Set up Better Auth with
2. Call this on the server:
3. Make sure the user has a verified current email.
4. You'll notice:
* A verification email is sent to the current email
* But the user's email is updated instantly, without waiting for them to click the link
---
Expected behavior:
Just like
Actual behavior:
Email is updated immediately on the backend, even though the user was verified.
---
Version:
Environment:
Affected area:
Backend
---
Relevant config:
---
Extra context:
Feels like the server API isn’t waiting for verification before saving the new email. Might be a logic gap.
1. Set up Better Auth with
changeEmail.enabled: truesendChangeEmailVerification2. Call this on the server:
3. Make sure the user has a verified current email.
4. You'll notice:
* A verification email is sent to the current email
* But the user's email is updated instantly, without waiting for them to click the link
---
Expected behavior:
Just like
authClient.changeEmailActual behavior:
Email is updated immediately on the backend, even though the user was verified.
---
Version:
better-auth@1.2.9Environment:
Affected area:
Backend---
Relevant config:
---
Extra context:
Feels like the server API isn’t waiting for verification before saving the new email. Might be a logic gap.
