fix: pathname should be normalized when basePath is set to root

packages/better-auth/src/api/index.ts

@@ -267,8 +267,14 @@ export const router = <Option extends BetterAuthOptions>(
 		async onRequest(req) {
 			//handle disabled paths
 			const disabledPaths = ctx.options.disabledPaths || [];
-			const path = new URL(req.url).pathname.replace(basePath, "");
-			if (disabledPaths.includes(path)) {
+			const pathname = new URL(req.url).pathname;
+			const normalizedPath =
+				basePath === "/"
+					? pathname
+					: pathname.startsWith(basePath)
+						? pathname.slice(basePath.length) || "/"
+						: pathname;
+			if (disabledPaths.includes(normalizedPath)) {
 				return new Response("Not Found", { status: 404 });
 			}
 			for (const plugin of ctx.options.plugins || []) {

packages/better-auth/src/api/to-auth-endpoints.test.ts

@@ -422,11 +422,11 @@ describe("after hook", async () => {
 });
 
 describe("disabled paths", async () => {
-	const { client } = await getTestInstance({
-		disabledPaths: ["/sign-in/email"],
-	});
-
 	it("should return 404 for disabled paths", async () => {
+		const { client, auth } = await getTestInstance({
+			disabledPaths: ["/sign-in/email"],
+		});
+
 		const response = await client.$fetch("/ok");
 		expect(response.data).toEqual({ ok: true });
 		const { error } = await client.signIn.email({
@@ -435,6 +435,27 @@ describe("disabled paths", async () => {
 		});
 		expect(error?.status).toBe(404);
 	});
+
+	it("should return 404 for when base path is /", async () => {
+		const { auth } = await getTestInstance({
+			basePath: "/",
+			disabledPaths: ["/sign-in/email"],
+		});
+
+		const response2 = await auth.handler(
+			new Request("http://localhost:3000/sign-in/email", {
+				method: "POST",
+				headers: {
+					"Content-Type": "application/json",
+				},
+				body: JSON.stringify({
+					email: "test@test.com",
+					password: "test",
+				}),
+			}),
+		);
+		expect(response2).toBeInstanceOf(Response);
+	});
 });
 
 describe("debug mode stack trace", () => {