Prevent password login when social account linked

LLennox @Better Auth I'm currently have two login methods: Discord & Username/Password. ...

B

Better Auth•10/2/25, 11:59 AM

You can enforce this behavior by adding a custom check to your sign‐in flow. Better Auth doesn’t currently have a built‑in flag to disable password authentication for users who have a Discord account linked. However, you can implement a hook (such as a beforeSignIn hook) that inspects the user’s linked accounts and, if it finds Discord in the list, rejects the password sign‑in attempt.

For example, during the password sign‑in process you could check the user’s account metadata (as outlined in the Account Linking documentation [3]). If a Discord provider entry is detected in the user’s linked accounts, you’d return an error message indicating that only Discord OAuth is allowed.

This approach is similar to how restrictions are implemented using beforeSignIn hooks for other providers [21]. That way you can tailor the flow so that if a user with a linked Discord account tries to sign in via password, the sign‑in process is simply blocked.

Sources:
[3] User & Accounts | Better Auth
[21] Restrict github users based on profile information

GitHub

better-auth/better-auth

The most comprehensive authentication framework for TypeScript - better-auth/better-auth

User & Accounts | Better Auth

User and account management.

GitHub

Restrict github users based on profile information · Issue #2673 ...

Is this suited for github? Yes, this is suited for github Is your feature request related to a problem? Please describe. I want to only allow github logins from a certain organization (or even cert...

L

LennoxOP•10/2/25, 12:01 PM

@Better Auth So hooks would by my best approach? Can you give me an example? Here's my auth.ts:

import { betterAuth } from "better-auth";
import { prismaAdapter } from "better-auth/adapters/prisma";
import { PrismaClient } from "@prisma/client";
import { username, admin, oidcProvider, jwt } from "better-auth/plugins";
import { nextCookies } from "better-auth/next-js";

const prisma = new PrismaClient();

export const auth = betterAuth({
  appName: "XXX",

  database: prismaAdapter(prisma, { provider: "postgresql" }),

  emailAndPassword: {
    enabled: true,
    minPasswordLength: 4,
    maxPasswordLength: 4,
    disableSignUp: true,
  },

  socialProviders: {
    discord: {
      clientId: process.env.DISCORD_CLIENT_ID!,
      clientSecret: process.env.DISCORD_CLIENT_SECRET!,
      disableSignUp: true,
    },
  },

  plugins: [
    username(),
    admin(),
    oidcProvider({
      loginPage: "/login",
      useJWTPlugin: true,
    }),
    jwt(),
    nextCookies(), // must be last plugin to work correctly
  ],

  onAPIError: {
    throw: true,
    onError: (error, ctx) => {
      console.error("Auth error:", error);
    },
    errorURL: "/error",
  },

  // todo: add callback to disable username/password login for users that have discord linked

  jwt: { secret: process.env.JWT_SECRET! },
  oidc: { enabled: true, issuer: process.env.AUTH_ISSUER! },
});

import { betterAuth } from "better-auth";
import { prismaAdapter } from "better-auth/adapters/prisma";
import { PrismaClient } from "@prisma/client";
import { username, admin, oidcProvider, jwt } from "better-auth/plugins";
import { nextCookies } from "better-auth/next-js";

const prisma = new PrismaClient();

export const auth = betterAuth({
  appName: "XXX",

  database: prismaAdapter(prisma, { provider: "postgresql" }),

  emailAndPassword: {
    enabled: true,
    minPasswordLength: 4,
    maxPasswordLength: 4,
    disableSignUp: true,
  },

  socialProviders: {
    discord: {
      clientId: process.env.DISCORD_CLIENT_ID!,
      clientSecret: process.env.DISCORD_CLIENT_SECRET!,
      disableSignUp: true,
    },
  },

  plugins: [
    username(),
    admin(),
    oidcProvider({
      loginPage: "/login",
      useJWTPlugin: true,
    }),
    jwt(),
    nextCookies(), // must be last plugin to work correctly
  ],

  onAPIError: {
    throw: true,
    onError: (error, ctx) => {
      console.error("Auth error:", error);
    },
    errorURL: "/error",
  },

  // todo: add callback to disable username/password login for users that have discord linked

  jwt: { secret: process.env.JWT_SECRET! },
  oidc: { enabled: true, issuer: process.env.AUTH_ISSUER! },
});

import { betterAuth } from "better-auth";
import { prismaAdapter } from "better-auth/adapters/prisma";
import { PrismaClient } from "@prisma/client";
import { username, admin, oidcProvider, jwt } from "better-auth/plugins";
import { nextCookies } from "better-auth/next-js";

const prisma = new PrismaClient();

export const auth = betterAuth({
  appName: "XXX",

  database: prismaAdapter(prisma, { provider: "postgresql" }),

  emailAndPassword: {
    enabled: true,
    minPasswordLength: 4,
    maxPasswordLength: 4,
    disableSignUp: true,
  },

  socialProviders: {
    discord: {
      clientId: process.env.DISCORD_CLIENT_ID!,
      clientSecret: process.env.DISCORD_CLIENT_SECRET!,
      disableSignUp: true,
    },
  },

  plugins: [
    username(),
    admin(),
    oidcProvider({
      loginPage: "/login",
      useJWTPlugin: true,
    }),
    jwt(),
    nextCookies(), // must be last plugin to work correctly
  ],

  onAPIError: {
    throw: true,
    onError: (error, ctx) => {
      console.error("Auth error:", error);
    },
    errorURL: "/error",
  },

  // todo: add callback to disable username/password login for users that have discord linked

  jwt: { secret: process.env.JWT_SECRET! },
  oidc: { enabled: true, issuer: process.env.AUTH_ISSUER! },
});

import { betterAuth } from "better-auth";
import { prismaAdapter } from "better-auth/adapters/prisma";
import { PrismaClient } from "@prisma/client";
import { username, admin, oidcProvider, jwt } from "better-auth/plugins";
import { nextCookies } from "better-auth/next-js";

const prisma = new PrismaClient();

export const auth = betterAuth({
  appName: "XXX",

  database: prismaAdapter(prisma, { provider: "postgresql" }),

  emailAndPassword: {
    enabled: true,
    minPasswordLength: 4,
    maxPasswordLength: 4,
    disableSignUp: true,
  },

  socialProviders: {
    discord: {
      clientId: process.env.DISCORD_CLIENT_ID!,
      clientSecret: process.env.DISCORD_CLIENT_SECRET!,
      disableSignUp: true,
    },
  },

  plugins: [
    username(),
    admin(),
    oidcProvider({
      loginPage: "/login",
      useJWTPlugin: true,
    }),
    jwt(),
    nextCookies(), // must be last plugin to work correctly
  ],

  onAPIError: {
    throw: true,
    onError: (error, ctx) => {
      console.error("Auth error:", error);
    },
    errorURL: "/error",
  },

  // todo: add callback to disable username/password login for users that have discord linked

  jwt: { secret: process.env.JWT_SECRET! },
  oidc: { enabled: true, issuer: process.env.AUTH_ISSUER! },
});

LLennox @Better Auth So hooks would by my best approach? Can you give me an example? Her...

B

Better Auth•10/2/25, 12:01 PM

Here's an example of how you can add a hook to intercept an API request for further custom logic. Using hooks is a great way to modify incoming requests (or outgoing responses) and enforce additional checks. For instance, if you want to disable username/password logins for users that have a Discord account linked, you could write a before‑hook like this:

```ts
import { betterAuth, createAuthMiddleware } from "better-auth";
import { prismaAdapter } from "better-auth/adapters/prisma";
import { PrismaClient } from "@prisma/client";
import { username, admin, oidcProvider, jwt } from "better-auth/plugins";
import { nextCookies } from "better-auth/next-js";
import { APIError } from "better-call";

const prisma = new PrismaClient();

export const auth = betterAuth({
appName: "XXX",
database: prismaAdapter(prisma, { provider: "postgresql" }),

emailAndPassword: {
enabled: true,
minPasswordLength: 4,
maxPasswordLength: 4,
disableSignUp: true,
},

socialProviders: {
discord: {
clientId: process.env.DISCORD_CLIENT_ID!,
clientSecret: process.env.DISCORD_CLIENT_SECRET!,
disableSignUp: true,
},
},

plugins: [
username(),
admin(),
oidcProvider({
loginPage: "/login",
useJWTPlugin: true,
}),
jwt(),
nextCookies(), // must be last plugin to work correctly
],

// Adding a before hook to modify request context
hooks: {
before: createAuthMiddleware(async (ctx) => {
// For example, prevent email login if the user has a Discord account linked.
// You'd typically check some user field here; this is just a demo check.
if (ctx.path.includes("/sign-in/email")) {
// Imagine you've stored a flag in the request or body indicating a Discord link.
// For example, if ctx.body.discordLinked is true, then throw an error.
if (ctx.body && ctx.body.discordLinked)

B

Better Auth•10/2/25, 12:01 PM

{
throw new APIError("DISABLED_LOGIN", {
message: "Username/Password login is disabled for users with Discord linked.",
});
}
}
// Always return the context, modified or not.
return ctx;
}),
},

onAPIError: {
throw: true,
onError: (error, ctx) => {
console.error("Auth error:", error);
},
errorURL: "/error",
},

jwt: { secret: process.env.JWT_SECRET! },
oidc: { enabled: true, issuer: process.env.AUTH_ISSUER! },
});

``

In this example, we use the

``

In this example, we use the

createAuthMiddleware

 function (as seen in some of our examples [[5]](https://github.com/better-auth/better-auth/issues/1094), [[12]](https://github.com/better-auth/better-auth/issues/3409)) to inject logic before certain API endpoints are processed. The hook checks if the request is coming in for email-based sign-in and examines a hypothetical flag (

 function (as seen in some of our examples [[5]](https://github.com/better-auth/better-auth/issues/1094), [[12]](https://github.com/better-auth/better-auth/issues/3409)) to inject logic before certain API endpoints are processed. The hook checks if the request is coming in for email-based sign-in and examines a hypothetical flag (

 function (as seen in some of our examples [[5]](https://github.com/better-auth/better-auth/issues/1094), [[12]](https://github.com/better-auth/better-auth/issues/3409)) to inject logic before certain API endpoints are processed. The hook checks if the request is coming in for email-based sign-in and examines a hypothetical flag (

 function (as seen in some of our examples [[5]](https://github.com/better-auth/better-auth/issues/1094), [[12]](https://github.com/better-auth/better-auth/issues/3409)) to inject logic before certain API endpoints are processed. The hook checks if the request is coming in for email-based sign-in and examines a hypothetical flag (

discordLinked

) on the request body. If that flag is present, it throws an

) on the request body. If that flag is present, it throws an

APIError`, effectively halting the login process for those users.

This approach lets you customize your authentication flow on a per-request basis, adding the flexibility to enforce additional constraints or business logic, which is one of the strengths of Better Auth hooks. Feel free to adjust the condition and error handling according to your application's requirements.

Sources:
[5] Can't return data from before hook
[12] i cant set different basePath for each of my clients because the server instance require a basePath

GitHub

Can't return data from before hook · Issue #1094 · better-auth/be...

Is this suited for github? Yes, this is suited for github To Reproduce Create a (next.js) backend Try to modify a request using the before hook, like described here: https://www.better-auth.com/doc...

GitHub

better-auth/better-auth

The most comprehensive authentication framework for TypeScript - better-auth/better-auth

L

LennoxOP•10/2/25, 12:07 PM

@Better Auth I have the plan that only administrators can create new users. They shoul'd not have to set a password but rather create the raw users first. In case a user wants to log in they can request a admin to give them a pin number that allows them to log in with their userid and pin. How would I do that? I think email/password (+username plugin) seems like a bad solution for this because it forces me to set a password

LLennox @Better Auth I have the plan that only administrators can create new users. They...

B

Better Auth•10/2/25, 12:08 PM

Hi there! In Better Auth, you can approach this by taking inspiration from two related feature requests:

• The first request is for supporting passwordless user creation via the admin plugin [1]. This would let administrators create “raw” user accounts without needing to set a password upfront.
• The second idea is from our passwordless sign-up flow [5]. While that request is focused on using email OTP for passwordless sign-ins, you could adapt that concept: after an admin creates the user without a password, you can implement a custom endpoint where the admin supplies a PIN that the user later uses for login.

In practice, you’d have your admin create the user with an API call that doesn’t require a password. Then, when a user requests access, your system can verify the supplied PIN (which effectively acts as a minimal “password”) in a tailored login endpoint. This custom workflow would bypass the rigid email/password format and let you implement the PIN mechanism securely.

Do note that this approach would likely involve extending or customizing your Better Auth implementation slightly, as the core system is primarily built around email/password (with optional username support) and magic link flows. It’s a smart use case, and aligning it with the concepts from [1] and [5] should keep you close to the Better Auth philosophy.

Hope that helps!

Sources:
[1] Admin plugin: support creating users without passwords
[5] Sign up users without setting a password

GitHub

better-auth/better-auth

The most comprehensive authentication framework for TypeScript - better-auth/better-auth

GitHub

better-auth/better-auth

The most comprehensive authentication framework for TypeScript - better-auth/better-auth

GitHub

Admin plugin: support creating users without passwords · Issue #42...

Is this suited for github? Yes, this is suited for github Is your feature request related to a problem? Please describe. I'm building an internal app for a small to medium-sized company that do...

GitHub

Sign up users without setting a password · Issue #1433 · better-a...

Is this suited for github? Yes, this is suited for github Is your feature request related to a problem? Please describe. I want to go passwordless using email OTP but let users sign up using a sign...

L

LennoxOP•10/2/25, 12:13 PM

@Better Auth would it be possible to create a custom provider that can read the two fields from my prisma db? here's an example what my Users model currently looks like:

model User {
  id              String    @id
  name            String
  email           String
  emailVerified   Boolean   @default(false)
  image           String?
  createdAt       DateTime  @default(now())
  updatedAt       DateTime  @default(now()) @updatedAt
  username        String? // PassportNumber as String
  displayUsername String? // Firstname_Lastname
  sessions        Session[]
  accounts        Account[]

  gutachten         Gutachten[] @relation("CitizenGutachten")
  authoredGutachten Gutachten[] @relation("AuthorGutachten")
  auditLogs         AuditLog[]  @relation("UserActions")

  role       String?
  banned     Boolean?  @default(false)
  banReason  String?
  banExpires DateTime?

  oauthapplications OauthApplication[]
  oauthaccesstokens OauthAccessToken[]
  oauthconsents     OauthConsent[]

  @@unique([email])
  @@unique([username])
  @@map("user")
}

model User {
  id              String    @id
  name            String
  email           String
  emailVerified   Boolean   @default(false)
  image           String?
  createdAt       DateTime  @default(now())
  updatedAt       DateTime  @default(now()) @updatedAt
  username        String? // PassportNumber as String
  displayUsername String? // Firstname_Lastname
  sessions        Session[]
  accounts        Account[]

  gutachten         Gutachten[] @relation("CitizenGutachten")
  authoredGutachten Gutachten[] @relation("AuthorGutachten")
  auditLogs         AuditLog[]  @relation("UserActions")

  role       String?
  banned     Boolean?  @default(false)
  banReason  String?
  banExpires DateTime?

  oauthapplications OauthApplication[]
  oauthaccesstokens OauthAccessToken[]
  oauthconsents     OauthConsent[]

  @@unique([email])
  @@unique([username])
  @@map("user")
}

model User {
  id              String    @id
  name            String
  email           String
  emailVerified   Boolean   @default(false)
  image           String?
  createdAt       DateTime  @default(now())
  updatedAt       DateTime  @default(now()) @updatedAt
  username        String? // PassportNumber as String
  displayUsername String? // Firstname_Lastname
  sessions        Session[]
  accounts        Account[]

  gutachten         Gutachten[] @relation("CitizenGutachten")
  authoredGutachten Gutachten[] @relation("AuthorGutachten")
  auditLogs         AuditLog[]  @relation("UserActions")

  role       String?
  banned     Boolean?  @default(false)
  banReason  String?
  banExpires DateTime?

  oauthapplications OauthApplication[]
  oauthaccesstokens OauthAccessToken[]
  oauthconsents     OauthConsent[]

  @@unique([email])
  @@unique([username])
  @@map("user")
}

model User {
  id              String    @id
  name            String
  email           String
  emailVerified   Boolean   @default(false)
  image           String?
  createdAt       DateTime  @default(now())
  updatedAt       DateTime  @default(now()) @updatedAt
  username        String? // PassportNumber as String
  displayUsername String? // Firstname_Lastname
  sessions        Session[]
  accounts        Account[]

  gutachten         Gutachten[] @relation("CitizenGutachten")
  authoredGutachten Gutachten[] @relation("AuthorGutachten")
  auditLogs         AuditLog[]  @relation("UserActions")

  role       String?
  banned     Boolean?  @default(false)
  banReason  String?
  banExpires DateTime?

  oauthapplications OauthApplication[]
  oauthaccesstokens OauthAccessToken[]
  oauthconsents     OauthConsent[]

  @@unique([email])
  @@unique([username])
  @@map("user")
}

LLennox @Better Auth would it be possible to create a custom provider that can read the ...

B

Better Auth•10/2/25, 12:13 PM

Yes, you can absolutely create a custom provider that reads custom fields (like your "username" and "displayUsername") from your Prisma database. To do so, you would typically extend your Better Auth configuration by using a custom provider's getUserInfo function or the mapProfileToUser callback. In that function, you can fetch and then return those additional fields as part of the user object. This way, when Better Auth creates or updates the user record, it will include your custom fields if you've also configured them in the user.additionalFields option.

For example, your auth configuration for the user could include:

export const auth = betterAuth({
  database: prismaAdapter(prisma, {
    provider: "postgresql",
  }),
  user: {
    additionalFields: {
      username: { type: "string", required: false, input: true },
      displayUsername: { type: "string", required: false, input: true },
    },
  },
  plugins: [
    customOAuth({
      config: [
        {
          providerId: "your-provider",
          // Other provider options...
          getUserInfo: async (tokens) => {
            // Fetch user info from your external provider/API
            const data = await fetchUserData(tokens);
            return {
              id: data.id,
              name: data.name,
              email: data.email,
              emailVerified: data.emailVerified,
              username: data.username,           // custom field
              displayUsername: data.displayUsername, // custom field
              image: data.image,
              createdAt: new Date(),
              updatedAt: new Date(),
            };
          },
        },
      ],
    }),
  ],
});

export const auth = betterAuth({
  database: prismaAdapter(prisma, {
    provider: "postgresql",
  }),
  user: {
    additionalFields: {
      username: { type: "string", required: false, input: true },
      displayUsername: { type: "string", required: false, input: true },
    },
  },
  plugins: [
    customOAuth({
      config: [
        {
          providerId: "your-provider",
          // Other provider options...
          getUserInfo: async (tokens) => {
            // Fetch user info from your external provider/API
            const data = await fetchUserData(tokens);
            return {
              id: data.id,
              name: data.name,
              email: data.email,
              emailVerified: data.emailVerified,
              username: data.username,           // custom field
              displayUsername: data.displayUsername, // custom field
              image: data.image,
              createdAt: new Date(),
              updatedAt: new Date(),
            };
          },
        },
      ],
    }),
  ],
});

export const auth = betterAuth({
  database: prismaAdapter(prisma, {
    provider: "postgresql",
  }),
  user: {
    additionalFields: {
      username: { type: "string", required: false, input: true },
      displayUsername: { type: "string", required: false, input: true },
    },
  },
  plugins: [
    customOAuth({
      config: [
        {
          providerId: "your-provider",
          // Other provider options...
          getUserInfo: async (tokens) => {
            // Fetch user info from your external provider/API
            const data = await fetchUserData(tokens);
            return {
              id: data.id,
              name: data.name,
              email: data.email,
              emailVerified: data.emailVerified,
              username: data.username,           // custom field
              displayUsername: data.displayUsername, // custom field
              image: data.image,
              createdAt: new Date(),
              updatedAt: new Date(),
            };
          },
        },
      ],
    }),
  ],
});

export const auth = betterAuth({
  database: prismaAdapter(prisma, {
    provider: "postgresql",
  }),
  user: {
    additionalFields: {
      username: { type: "string", required: false, input: true },
      displayUsername: { type: "string", required: false, input: true },
    },
  },
  plugins: [
    customOAuth({
      config: [
        {
          providerId: "your-provider",
          // Other provider options...
          getUserInfo: async (tokens) => {
            // Fetch user info from your external provider/API
            const data = await fetchUserData(tokens);
            return {
              id: data.id,
              name: data.name,
              email: data.email,
              emailVerified: data.emailVerified,
              username: data.username,           // custom field
              displayUsername: data.displayUsername, // custom field
              image: data.image,
              createdAt: new Date(),
              updatedAt: new Date(),
            };
          },
        },
      ],
    }),
  ],
});

This approach ensures that your custom provider returns the extra fields, which the Prisma adapter will then try to persist into your User table. Just make sure that your Prisma schema is aligned with what

B

Better Auth•10/2/25, 12:13 PM

Better Auth expects (or customize the mapping accordingly) using the additionalFields and modelName options if needed [7], [14].

Sources:
[7] User's additionalFields doesn't work for OAuth
[14] Migrating from NextAuth.js to Better Auth | Better Auth

GitHub

better-auth/better-auth

The most comprehensive authentication framework for TypeScript - better-auth/better-auth

GitHub

User's additionalFields doesn't work for OAuth · Issue #371 · bet...

Describe the bug I added a field to the user scheme: cid. I use the generic OAuth plugin with a custom getUserInfo function, but when I return the user with all the fields and my additional one, I ...

Migrating from NextAuth.js to Better Auth | Better Auth

A step-by-step guide to transitioning from NextAuth.js to Better Auth.

L

LennoxOP•10/2/25, 12:17 PM

@Better Auth I don't have a oauth provider. its planned to later use THIS system as a OICD provider. I'd need a credentials input or sth like this where I could send "pin" and "passportNumber". Then I'd get rid of username and displayUsernam (fields from username plugin) and create seperate fields for firstname, lastname and pin (maybe rather pinhash)

LLennox @Better Auth I don't have a oauth provider. its planned to later use THIS system...

B

Better Auth•10/2/25, 12:17 PM

Hey there! You can absolutely tailor your user schema to suit your needs. If you plan to later use Better Auth as an OIDC provider and want to handle credentials like a "pin" and "passportNumber" instead of using the default username fields, here's what you can do:

• Remove the username plugin from your configuration so you don’t include the default username and displayUsername fields [2].
• Extend your user schema with your custom fields—such as firstName, lastName, and a field for your pin (or preferably a hashed version, like pinHash)—using the additionalFields config in Better Auth. This approach is demonstrated in our documentation where you can add extra columns to the user table [1].
• Consider adding a hook (like a before hook) to hash the pin before saving it to the database for better security.

These adjustments set you up for a clean, custom authentication flow that can be integrated into your future OIDC provider setup. Let us know if you need more details on setting this up!

Sources:
[1] Database | Better Auth
[2] Username | Better Auth

Database | Better Auth

Learn how to use a database with Better Auth.

Username | Better Auth

Username plugin

L

LennoxOP•10/2/25, 12:18 PM

@Better Auth what code would i use for the user frontend to log in?

LLennox @Better Auth what code would i use for the user frontend to log in?

B

Better Auth•10/2/25, 12:18 PM

Below is an example using the React client. First, initialize your auth client by importing the framework‑specific package. Then you can call the sign‑in method (here, using email/password) on the client. For example:

import { createAuthClient } from "better-auth/react";

// Initialize your client with the base URL of your auth server
export const authClient = createAuthClient({
  baseURL: "http://localhost:8080", // change this to your auth server URL if needed
});

// Example function to handle login
const handleLogin = async (email: string, password: string) => {
  const { data, error } = await authClient.signIn.email({
    email,
    password,
    callbackURL: "/dashboard", // URL to redirect after login
  });

  if (error) {
    console.error("Failed to log in:", error.message);
  } else {
    console.log("Login successful:", data);
    // Redirect to the dashboard or perform any post-login actions
  }
};

import { createAuthClient } from "better-auth/react";

// Initialize your client with the base URL of your auth server
export const authClient = createAuthClient({
  baseURL: "http://localhost:8080", // change this to your auth server URL if needed
});

// Example function to handle login
const handleLogin = async (email: string, password: string) => {
  const { data, error } = await authClient.signIn.email({
    email,
    password,
    callbackURL: "/dashboard", // URL to redirect after login
  });

  if (error) {
    console.error("Failed to log in:", error.message);
  } else {
    console.log("Login successful:", data);
    // Redirect to the dashboard or perform any post-login actions
  }
};

import { createAuthClient } from "better-auth/react";

// Initialize your client with the base URL of your auth server
export const authClient = createAuthClient({
  baseURL: "http://localhost:8080", // change this to your auth server URL if needed
});

// Example function to handle login
const handleLogin = async (email: string, password: string) => {
  const { data, error } = await authClient.signIn.email({
    email,
    password,
    callbackURL: "/dashboard", // URL to redirect after login
  });

  if (error) {
    console.error("Failed to log in:", error.message);
  } else {
    console.log("Login successful:", data);
    // Redirect to the dashboard or perform any post-login actions
  }
};

import { createAuthClient } from "better-auth/react";

// Initialize your client with the base URL of your auth server
export const authClient = createAuthClient({
  baseURL: "http://localhost:8080", // change this to your auth server URL if needed
});

// Example function to handle login
const handleLogin = async (email: string, password: string) => {
  const { data, error } = await authClient.signIn.email({
    email,
    password,
    callbackURL: "/dashboard", // URL to redirect after login
  });

  if (error) {
    console.error("Failed to log in:", error.message);
  } else {
    console.log("Login successful:", data);
    // Redirect to the dashboard or perform any post-login actions
  }
};

This snippet demonstrates how you create a client instance (so that all methods, including sign‑in, are available) and then use the email sign‑in method to log in the user [1][5]. If you’re using another method—like magic links or social providers—you’d call the respective sign‑in function (for example, signIn.magicLink or signIn.social).

Sources:
[1] Client | Better Auth
[5] Basic Usage | Better Auth

Client | Better Auth

Better Auth client library for authentication.

Basic Usage | Better Auth

Getting started with Better Auth

L

LennoxOP•10/2/25, 12:22 PM

@Better Auth wouldn't that require me to have a email adress for the user? or would I just add my custom checks within the hook? or is there maybe a option to create custom credential providers?

LLennox @Better Auth wouldn't that require me to have a email adress for the user? or wo...

B

Better Auth•10/2/25, 12:22 PM

Better Auth normally relies on an email address as the unique identifier for users, but you have a couple of options if you need more flexibility:

You can add your own custom checks within the hooks. For example, you can implement before hooks to perform additional validation logic or even override parts of the email validation process if you’d like to bypass or change the default behavior [23].
Alternatively, you can create a custom credentials provider. Better Auth’s modular design lets you tap into core functions like password hashing and provider handling without being locked into the global handler. This means you can essentially build a customized provider that suits your particular authentication flow [6], [11].

So in summary, you can either integrate your extra checks into the hooks or take advantage of the modular utilities to create a custom credentials provider—whichever fits your use case best.

Sources:
[6] Is it possible to have custom login logic?
[11] Add support for modular usage of core features
[23] An option to bypass email validation

GitHub

better-auth/better-auth

The most comprehensive authentication framework for TypeScript - better-auth/better-auth

GitHub

better-auth/better-auth

The most comprehensive authentication framework for TypeScript - better-auth/better-auth

GitHub

better-auth/better-auth

The most comprehensive authentication framework for TypeScript - better-auth/better-auth

GitHub

Is it possible to have custom login logic? · Issue #2805 · better...

Is this suited for github? Yes, this is suited for github Is your feature request related to a problem? Please describe. In next-auth it provides me a authorize method to do my custom logic like th...

GitHub

Add support for modular usage of core features · Issue #1494 · be...

Is this suited for github? Yes, this is suited for github Is your feature request related to a problem? Please describe. I want to integrate Better Auth into my backend, but I need more control ove...

L

LennoxOP•10/2/25, 12:28 PM

@Better Auth i think databasehooks are the wrong thing for the job. I'd need something to create a custom credentials provider that takes in passportNumber and PIN (OR you coul'd give me a example snippet on how i could bypass the email checks and rather just send passportNumber as the email field and PIN as the password field)

LLennox @Better Auth i think databasehooks are the wrong thing for the job. I'd need som...

B

Better Auth•10/2/25, 12:28 PM

Hi there! Better Auth doesn’t currently offer a separate “custom credentials provider” out‑of‑the‑box, but you can work around this by mapping your passport number and PIN to the existing email/password provider.

For example, you can simply pass the passport number as the email field and the PIN as the password when calling the sign‑up or sign‑in endpoints. Here’s a snippet that shows how you might do that:

import { betterAuth } from "better-auth";

export const auth = betterAuth({
  emailAndPassword: {
    enabled: true,
    // Optionally disable verification if you're not using real emails
    // without email verification enabled, users can sign in with passportNumber and PIN directly.
    sendVerificationEmail: async () => {},
  },
  user: {
    // Optionally, add a custom field to store the actual passport number separately,
    // while still mapping it to the email field during auth calls.
    additionalFields: {
      passportNumber: {
        type: "string",
        required: true,
        input: true,
      },
    },
  },
});

import { betterAuth } from "better-auth";

export const auth = betterAuth({
  emailAndPassword: {
    enabled: true,
    // Optionally disable verification if you're not using real emails
    // without email verification enabled, users can sign in with passportNumber and PIN directly.
    sendVerificationEmail: async () => {},
  },
  user: {
    // Optionally, add a custom field to store the actual passport number separately,
    // while still mapping it to the email field during auth calls.
    additionalFields: {
      passportNumber: {
        type: "string",
        required: true,
        input: true,
      },
    },
  },
});

import { betterAuth } from "better-auth";

export const auth = betterAuth({
  emailAndPassword: {
    enabled: true,
    // Optionally disable verification if you're not using real emails
    // without email verification enabled, users can sign in with passportNumber and PIN directly.
    sendVerificationEmail: async () => {},
  },
  user: {
    // Optionally, add a custom field to store the actual passport number separately,
    // while still mapping it to the email field during auth calls.
    additionalFields: {
      passportNumber: {
        type: "string",
        required: true,
        input: true,
      },
    },
  },
});

import { betterAuth } from "better-auth";

export const auth = betterAuth({
  emailAndPassword: {
    enabled: true,
    // Optionally disable verification if you're not using real emails
    // without email verification enabled, users can sign in with passportNumber and PIN directly.
    sendVerificationEmail: async () => {},
  },
  user: {
    // Optionally, add a custom field to store the actual passport number separately,
    // while still mapping it to the email field during auth calls.
    additionalFields: {
      passportNumber: {
        type: "string",
        required: true,
        input: true,
      },
    },
  },
});

Then, on the client side, you would do:

const { data, error } = await authClient.signUp.email({
  email: "YOUR_PASSPORT_NUMBER",  // using passport number instead of an email
  password: "YOUR_PIN",           // using PIN instead of a password
  // You can still send the passport number separately if needed:
  passportNumber: "YOUR_PASSPORT_NUMBER"
});

const { data, error } = await authClient.signUp.email({
  email: "YOUR_PASSPORT_NUMBER",  // using passport number instead of an email
  password: "YOUR_PIN",           // using PIN instead of a password
  // You can still send the passport number separately if needed:
  passportNumber: "YOUR_PASSPORT_NUMBER"
});

const { data, error } = await authClient.signUp.email({
  email: "YOUR_PASSPORT_NUMBER",  // using passport number instead of an email
  password: "YOUR_PIN",           // using PIN instead of a password
  // You can still send the passport number separately if needed:
  passportNumber: "YOUR_PASSPORT_NUMBER"
});

const { data, error } = await authClient.signUp.email({
  email: "YOUR_PASSPORT_NUMBER",  // using passport number instead of an email
  password: "YOUR_PIN",           // using PIN instead of a password
  // You can still send the passport number separately if needed:
  passportNumber: "YOUR_PASSPORT_NUMBER"
});

This approach lets you bypass the standard email checks by repurposing the email field [3]. Just be cautious if you have email verification enabled—if you don’t want that workflow for passport/PIN credentials, make sure to disable or adjust it.

If you need more granular pre- or post‑processing of the data, you might consider using database hooks to customize the payload before it’s

B

Better Auth•10/2/25, 12:28 PM

stored. However, keep in mind that hooks are generally intended for data augmentations rather than completely replacing the credentials provider’s behavior [1].

Hope that helps! Let me know if you have any other questions.

Sources:
[1] Database | Better Auth
[3] Email & Password | Better Auth

Database | Better Auth

Learn how to use a database with Better Auth.

Email & Password | Better Auth

Implementing email and password authentication with Better Auth.

BBetter Auth Hi there! Better Auth doesn’t currently offer a separate “custom credentials pro...

L

LennoxOP•10/2/25, 12:31 PM

@Better Auth for this i'd need a hook that catches the email events when loggin in and validate manually, right?

LLennox @Better Auth for this i'd need a hook that catches the email events when loggin ...

B

Better Auth•10/2/25, 12:31 PM

Yes, that's right! If you want to implement custom email verification logic when a user logs in, you can leverage Better Auth’s hook system to intercept that event. By adding a hook—such as in the sign‐in or session creation flow—you can catch the email event and then run your own validation logic manually instead of relying on the default behavior [7],[8]. This approach is useful when you need more tailored control over the verification process.

Sources:
[7] feat: add sendVerificationOnSignIn to prevent automatic resending of verification email on login with requireEmailVerification
[8] Email | Better Auth

GitHub

feat: add sendVerificationOnSignIn to prevent automatic resending o...

This pull request introduces a new configuration option, sendVerificationOnSignIn, to provide more control over email verification during the sign-in process. The changes span documentation updates...

Email | Better Auth

Learn how to use email with Better Auth.

L

LennoxOP•10/2/25, 12:36 PM

@Better Auth code example?

LLennox @Better Auth code example?

B

Better Auth•10/2/25, 12:36 PM

Here's a quick code example that shows how you might configure Better Auth for a basic email and password setup:

import { betterAuth } from "better-auth";

export const auth = betterAuth({
  appName: "My App",
  baseURL: "https://example.com", // The root URL of your app
  basePath: "/api/auth", // The path where Better Auth routes are mounted
  emailAndPassword: {
    enabled: true
  },
  trustedOrigins: [
    "http://localhost:3000",
    "https://example.com"
  ]
});

import { betterAuth } from "better-auth";

export const auth = betterAuth({
  appName: "My App",
  baseURL: "https://example.com", // The root URL of your app
  basePath: "/api/auth", // The path where Better Auth routes are mounted
  emailAndPassword: {
    enabled: true
  },
  trustedOrigins: [
    "http://localhost:3000",
    "https://example.com"
  ]
});

import { betterAuth } from "better-auth";

export const auth = betterAuth({
  appName: "My App",
  baseURL: "https://example.com", // The root URL of your app
  basePath: "/api/auth", // The path where Better Auth routes are mounted
  emailAndPassword: {
    enabled: true
  },
  trustedOrigins: [
    "http://localhost:3000",
    "https://example.com"
  ]
});

import { betterAuth } from "better-auth";

export const auth = betterAuth({
  appName: "My App",
  baseURL: "https://example.com", // The root URL of your app
  basePath: "/api/auth", // The path where Better Auth routes are mounted
  emailAndPassword: {
    enabled: true
  },
  trustedOrigins: [
    "http://localhost:3000",
    "https://example.com"
  ]
});

This example sets up the basic configuration options such as the application name, base URL, and base path, along with enabling email and password authentication and defining trusted origins [2].

Let me know if you need a more involved example or additional options for social logins or device flows!

Sources:
[2] Options | Better Auth

Options | Better Auth

Better Auth configuration options reference.

L

LennoxOP•10/2/25, 12:39 PM

@Better Auth give me an code example of a hook that allows me to input passportNumber as email and PIN as password and checks it in the custom fields of a user.

something like this:

const { data, error } = await authClient.signIn.email({
  email: "6565878670", // oassportNumber
  password: "6956", // PIN
});

const { data, error } = await authClient.signIn.email({
  email: "6565878670", // oassportNumber
  password: "6956", // PIN
});

const { data, error } = await authClient.signIn.email({
  email: "6565878670", // oassportNumber
  password: "6956", // PIN
});

const { data, error } = await authClient.signIn.email({
  email: "6565878670", // oassportNumber
  password: "6956", // PIN
});

And I need custom fields for passportNumber and PIN please.

LLennox @Better Auth give me an code example of a hook that allows me to input passportN...

B

Better Auth•10/2/25, 12:39 PM

Below is one approach where you configure your server to accept custom fields (passportNumber and PIN) and then add a database “hook” on sign‑in to validate that the credentials in the payload match the values stored on the user record. In this example, we “abuse” the email/password sign‑in endpoint by mapping passportNumber to the email field and PIN to the password field, but then checking those against your custom fields in a before‑hook. You can then call it on the client just like:

// Client-side usage:
const { data, error } = await authClient.signIn.email({
  email: "6565878670", // actually the passportNumber
  password: "6956",   // actually the PIN
});

// Client-side usage:
const { data, error } = await authClient.signIn.email({
  email: "6565878670", // actually the passportNumber
  password: "6956",   // actually the PIN
});

// Client-side usage:
const { data, error } = await authClient.signIn.email({
  email: "6565878670", // actually the passportNumber
  password: "6956",   // actually the PIN
});

// Client-side usage:
const { data, error } = await authClient.signIn.email({
  email: "6565878670", // actually the passportNumber
  password: "6956",   // actually the PIN
});

Here’s an example of how your server configuration might look:

```js
import { betterAuth } from "better-auth";

export const auth = betterAuth({
emailAndPassword: {
enabled: true,
},
user: {
// Define our custom fields.
additionalFields: {
passportNumber: {
type: "string",
required: true,
// Setting input: true allows this field to be part of the payload.
input: true,
returned: true,
},
pin: {
type: "string",
required: true,
input: true,
returned: true,
},
},
},
// Add database hooks to check our custom credentials when signing in.
// This hook intercepts the sign in process and ensures that
// the requested "email" and "password" align with the stored passportNumber and pin.
databaseHooks: {
user: {
// Before sign in (if available in your Better Auth configuration), you can validate the fields.
signIn: {
before: async (user, ctx) => {
// ctx.body contains the payload submitted by the client.
const { email: providedPassport, password: providedPIN } = ctx.body;
// Compare with stored custom fields:
if (

B

Better Auth•10/2/25, 12:39 PM

user.passportNumber !== providedPassport ||
user.pin !== providedPIN
) {
// Invalidate the sign in if they don't match.
throw new Error("Invalid passport number or PIN");
}
// Otherwise allow the sign in
return { data: user };
},
},
},
},
});
```

In this setup:

We add passportNumber and pin to the user’s additionalFields so they are part of your schema and can be returned with the session ([2]).
We use a database hook on the sign‑in process to compare the incoming values (mapped via the email and password keys) against the stored passportNumber and pin ([4]).

This approach lets you use Better Auth’s existing sign‑in mechanism while tailoring it to your application’s custom authentication needs. Adjust the hook name or behavior as needed depending on your version and any additional business logic. Happy coding!

Sources:
[2] Email & Password | Better Auth
[4] additionalFields does not save and is not show it, using authClient.signUp.email({

GitHub

better-auth/better-auth

The most comprehensive authentication framework for TypeScript - better-auth/better-auth

Email & Password | Better Auth

Implementing email and password authentication with Better Auth.

GitHub

additionalFields does not save and is not show it, using authClient...

Is this suited for github? Yes, this is suited for github To Reproduce Ex git clone https://github.com/cesarve77/better-auth cd better-auth pnpm i pnpm run dev click on sign in, fill the form and c...

L

LennoxOP•10/2/25, 1:07 PM

@Better Auth is it possible to somehow create "dummy users" that just exist for the data but don't have a account password etc.? Kind of like "guest" accounts

LLennox @Better Auth is it possible to somehow create "dummy users" that just exist for ...

B

Better Auth•10/2/25, 1:07 PM

Yes, it's possible to create user accounts without a password—essentially “dummy” or guest users—using Better Auth's passwordless flows. For example, the OTP/magic link sign-up process lets you create accounts without requiring a password [7]. Additionally, there's an ongoing effort (as seen in the feature request for the admin plugin) to support creating users directly without a password stored in the accounts table [1]. This flexibility is ideal if you want to maintain user data without enforcing a full credential-based login, and you can always provide a mechanism later for users to set or update their passwords if needed.

Sources:
[1] Admin plugin: support creating users without passwords
[7] Sign up users without setting a password

GitHub

better-auth/better-auth

The most comprehensive authentication framework for TypeScript - better-auth/better-auth

GitHub

better-auth/better-auth

The most comprehensive authentication framework for TypeScript - better-auth/better-auth

GitHub

Admin plugin: support creating users without passwords · Issue #42...

Is this suited for github? Yes, this is suited for github Is your feature request related to a problem? Please describe. I'm building an internal app for a small to medium-sized company that do...

GitHub

Sign up users without setting a password · Issue #1433 · better-a...

Is this suited for github? Yes, this is suited for github Is your feature request related to a problem? Please describe. I want to go passwordless using email OTP but let users sign up using a sign...

Prevent password login when social account linked

Similar Threads

Similar Threads

Similar Threads