fix: create a new session on email verification if current session email doesn't match

2026-06-01 03:46:39 -05:00 · 2024-12-23 21:51:08 +03:00
parent 1c3cf20389
commit a71e9f2e3f
2 changed files with 17 additions and 7 deletions
--- a/packages/better-auth/src/api/routes/email-verification.ts
+++ b/packages/better-auth/src/api/routes/email-verification.ts
@@ -274,7 +274,7 @@ export const verifyEmail = createAuthEndpoint(
 		});
 		if (ctx.context.options.emailVerification?.autoSignInAfterVerification) {
 			const currentSession = await getSessionFromCtx(ctx);
-			if (!currentSession) {
+			if (!currentSession || currentSession.user.email !== parsed.email) {
 				const session = await ctx.context.internalAdapter.createSession(
 					user.user.id,
 					ctx.request,
--- a/packages/better-auth/src/plugins/magic-link/index.ts
+++ b/packages/better-auth/src/plugins/magic-link/index.ts
@@ -191,8 +191,9 @@ export const magicLink = (options: MagicLinkOptions) => {
 						tokenValue.id,
 					);
 					const email = tokenValue.value;
-					const user = await ctx.context.internalAdapter.findUserByEmail(email);
-					let userId: string = user?.user.id || "";
+					let user = await ctx.context.internalAdapter
+						.findUserByEmail(email)
+						.then((res) => res?.user);

 					if (!user) {
 						if (!options.disableSignUp) {
@@ -201,8 +202,8 @@ export const magicLink = (options: MagicLinkOptions) => {
 								emailVerified: true,
 								name: email,
 							});
-							userId = newUser.id;
-							if (!userId) {
+							user = newUser;
+							if (!user) {
 								throw ctx.redirect(
 									`${toRedirectTo}?error=failed_to_create_user`,
 								);
@@ -211,18 +212,27 @@ export const magicLink = (options: MagicLinkOptions) => {
 							throw ctx.redirect(`${toRedirectTo}?error=failed_to_create_user`);
 						}
 					}
+
+					if (!user.emailVerified) {
+						await ctx.context.internalAdapter.updateUser(user.id, {
+							emailVerified: true,
+						});
+					}
+
 					const session = await ctx.context.internalAdapter.createSession(
-						userId,
+						user.id,
 						ctx.headers,
 					);
+
 					if (!session) {
 						throw ctx.redirect(
 							`${toRedirectTo}?error=failed_to_create_session`,
 						);
 					}
+
 					await setSessionCookie(ctx, {
 						session,
-						user: user?.user!,
+						user,
 					});
 					if (!callbackURL) {
 						return ctx.json({