From 2c2b990aa20154b121f413009f4359199c4e825d Mon Sep 17 00:00:00 2001
From: Bereket Engida <Bekacru@gmail.com>
Date: Thu, 20 Nov 2025 14:27:45 -0800
Subject: [PATCH] reafctor(haveibeenpwned): add try catch and timeout

---
 .../src/plugins/haveibeenpwned/index.ts       | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/packages/better-auth/src/plugins/haveibeenpwned/index.ts b/packages/better-auth/src/plugins/haveibeenpwned/index.ts
index fe3de044e5..bc2a237df0 100644
--- a/packages/better-auth/src/plugins/haveibeenpwned/index.ts
+++ b/packages/better-auth/src/plugins/haveibeenpwned/index.ts
@@ -29,6 +29,7 @@ async function checkPasswordCompromise(
 					"Add-Padding": "true",
 					"User-Agent": "BetterAuth Password Checker",
 				},
+				timeout: 5000, // 5s timeout
 			},
 		);
 
@@ -81,15 +82,19 @@ export const haveIBeenPwned = (options?: HaveIBeenPwnedOptions | undefined) => {
 					password: {
 						...ctx.password,
 						async hash(password) {
-							const c = await getCurrentAuthContext();
-							if (!c.path || !paths.includes(c.path)) {
+							try {
+								const c = await getCurrentAuthContext();
+								if (!c.path || !paths.includes(c.path)) {
+									return ctx.password.hash(password);
+								}
+								await checkPasswordCompromise(
+									password,
+									options?.customPasswordCompromisedMessage,
+								);
+								return ctx.password.hash(password);
+							} catch (e) {
 								return ctx.password.hash(password);
 							}
-							await checkPasswordCompromise(
-								password,
-								options?.customPasswordCompromisedMessage,
-							);
-							return ctx.password.hash(password);
 						},
 					},
 				},