Enforce Email Domain Restriction on Google

HHozay How can I achieve this? I tried doing the example from the documentation (https:...

�

🌠kkMihai ⚡•10/6/25, 4:28 PM

can you show how you do it atm?

�

🌠kkMihai ⚡•10/6/25, 4:29 PM

and what do you mean by "did not work for my case"? explain what didin't work exactly

H

HozayOP•10/6/25, 6:43 PM

This is my code:

import { betterAuth } from "better-auth";
import { Pool } from "pg";
import { createAuthMiddleware, APIError } from "better-auth/api";
import {nextCookies} from "better-auth/next-js";
import {sendEmail} from "@/app/lib/email/send-email";

export const auth = betterAuth({
    database: new Pool({
        connectionString: `postgres://${process.env.POSTGRES_USER}:${process.env.POSTGRES_PASSWORD}@postgres-db:5432/${process.env.POSTGRES_DB}`,
    }),
    socialProviders: {
        google: {
            enabled: true,
            prompt: "select_account consent",
            accessType: "offline",
            clientId: process.env.GOOGLE_CLIENT_ID as string,
            clientSecret: process.env.GOOGLE_CLIENT_SECRET as string,
        }
    },
    account: {
      accountLinking: {
          enabled: true
      }
    },
    emailVerification: {
        autoSignInAfterVerification: true,
        sendVerificationEmail: async ({url, user}) => {
            await sendEmail(url, user);
        }
    },
    plugins: [
        nextCookies(),
    ],
    hooks: {
        after: createAuthMiddleware(async (ctx) => {
            const user = ctx.context.user;
            if (user?.email && !user.email.endsWith('@ucsc.edu')) {
                throw new APIError("FORBIDDEN", {
                    message: 'Only @ucsc.edu email addresses are allowed'
                });
            }
        }),
    },
});

import { betterAuth } from "better-auth";
import { Pool } from "pg";
import { createAuthMiddleware, APIError } from "better-auth/api";
import {nextCookies} from "better-auth/next-js";
import {sendEmail} from "@/app/lib/email/send-email";

export const auth = betterAuth({
    database: new Pool({
        connectionString: `postgres://${process.env.POSTGRES_USER}:${process.env.POSTGRES_PASSWORD}@postgres-db:5432/${process.env.POSTGRES_DB}`,
    }),
    socialProviders: {
        google: {
            enabled: true,
            prompt: "select_account consent",
            accessType: "offline",
            clientId: process.env.GOOGLE_CLIENT_ID as string,
            clientSecret: process.env.GOOGLE_CLIENT_SECRET as string,
        }
    },
    account: {
      accountLinking: {
          enabled: true
      }
    },
    emailVerification: {
        autoSignInAfterVerification: true,
        sendVerificationEmail: async ({url, user}) => {
            await sendEmail(url, user);
        }
    },
    plugins: [
        nextCookies(),
    ],
    hooks: {
        after: createAuthMiddleware(async (ctx) => {
            const user = ctx.context.user;
            if (user?.email && !user.email.endsWith('@ucsc.edu')) {
                throw new APIError("FORBIDDEN", {
                    message: 'Only @ucsc.edu email addresses are allowed'
                });
            }
        }),
    },
});

import { betterAuth } from "better-auth";
import { Pool } from "pg";
import { createAuthMiddleware, APIError } from "better-auth/api";
import {nextCookies} from "better-auth/next-js";
import {sendEmail} from "@/app/lib/email/send-email";

export const auth = betterAuth({
    database: new Pool({
        connectionString: `postgres://${process.env.POSTGRES_USER}:${process.env.POSTGRES_PASSWORD}@postgres-db:5432/${process.env.POSTGRES_DB}`,
    }),
    socialProviders: {
        google: {
            enabled: true,
            prompt: "select_account consent",
            accessType: "offline",
            clientId: process.env.GOOGLE_CLIENT_ID as string,
            clientSecret: process.env.GOOGLE_CLIENT_SECRET as string,
        }
    },
    account: {
      accountLinking: {
          enabled: true
      }
    },
    emailVerification: {
        autoSignInAfterVerification: true,
        sendVerificationEmail: async ({url, user}) => {
            await sendEmail(url, user);
        }
    },
    plugins: [
        nextCookies(),
    ],
    hooks: {
        after: createAuthMiddleware(async (ctx) => {
            const user = ctx.context.user;
            if (user?.email && !user.email.endsWith('@ucsc.edu')) {
                throw new APIError("FORBIDDEN", {
                    message: 'Only @ucsc.edu email addresses are allowed'
                });
            }
        }),
    },
});

import { betterAuth } from "better-auth";
import { Pool } from "pg";
import { createAuthMiddleware, APIError } from "better-auth/api";
import {nextCookies} from "better-auth/next-js";
import {sendEmail} from "@/app/lib/email/send-email";

export const auth = betterAuth({
    database: new Pool({
        connectionString: `postgres://${process.env.POSTGRES_USER}:${process.env.POSTGRES_PASSWORD}@postgres-db:5432/${process.env.POSTGRES_DB}`,
    }),
    socialProviders: {
        google: {
            enabled: true,
            prompt: "select_account consent",
            accessType: "offline",
            clientId: process.env.GOOGLE_CLIENT_ID as string,
            clientSecret: process.env.GOOGLE_CLIENT_SECRET as string,
        }
    },
    account: {
      accountLinking: {
          enabled: true
      }
    },
    emailVerification: {
        autoSignInAfterVerification: true,
        sendVerificationEmail: async ({url, user}) => {
            await sendEmail(url, user);
        }
    },
    plugins: [
        nextCookies(),
    ],
    hooks: {
        after: createAuthMiddleware(async (ctx) => {
            const user = ctx.context.user;
            if (user?.email && !user.email.endsWith('@ucsc.edu')) {
                throw new APIError("FORBIDDEN", {
                    message: 'Only @ucsc.edu email addresses are allowed'
                });
            }
        }),
    },
});

H

HozayOP•10/6/25, 6:43 PM

I created an after hook to check if it's a UCSC account, and a user was still able to create an account with Google. Google is the only Social Provider that I am using for this app. I also tried doing the

before

before

before

before hook, but that still did not work. The if statement I used was

hooks: {
        before: createAuthMiddleware(async (ctx) => {
            if (ctx.path !== "/sign-up") {
                return;
            }
            if (!ctx.body?.email.endsWith("@ucsc.edu")) {
                throw new APIError("BAD_REQUEST", {
                    message: "Email must end with @ucsc.edu",
                });
            }
        }),
    },

hooks: {
        before: createAuthMiddleware(async (ctx) => {
            if (ctx.path !== "/sign-up") {
                return;
            }
            if (!ctx.body?.email.endsWith("@ucsc.edu")) {
                throw new APIError("BAD_REQUEST", {
                    message: "Email must end with @ucsc.edu",
                });
            }
        }),
    },

hooks: {
        before: createAuthMiddleware(async (ctx) => {
            if (ctx.path !== "/sign-up") {
                return;
            }
            if (!ctx.body?.email.endsWith("@ucsc.edu")) {
                throw new APIError("BAD_REQUEST", {
                    message: "Email must end with @ucsc.edu",
                });
            }
        }),
    },

hooks: {
        before: createAuthMiddleware(async (ctx) => {
            if (ctx.path !== "/sign-up") {
                return;
            }
            if (!ctx.body?.email.endsWith("@ucsc.edu")) {
                throw new APIError("BAD_REQUEST", {
                    message: "Email must end with @ucsc.edu",
                });
            }
        }),
    },

HHozay I created an after hook to check if it's a UCSC account, and a user was still ab...

�

🌠kkMihai ⚡•10/7/25, 10:21 AM

use a database hook and check before it creates the user
https://www.better-auth.com/docs/concepts/database#1-before-hook