From b9823cd75bc6000a9d44be0b8cf42facbd1404ba Mon Sep 17 00:00:00 2001
From: Bereket Engida <86073083+Bekacru@users.noreply.github.com>
Date: Thu, 24 Apr 2025 18:13:41 +0300
Subject: [PATCH] fix(two-factor): verification deletion on otp should use the correct ID (#2425)
---
 .../better-auth/src/plugins/two-factor/otp/index.ts | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/packages/better-auth/src/plugins/two-factor/otp/index.ts b/packages/better-auth/src/plugins/two-factor/otp/index.ts
index e466a3ca7a..012ba8dfb6 100644
--- a/packages/better-auth/src/plugins/two-factor/otp/index.ts
+++ b/packages/better-auth/src/plugins/two-factor/otp/index.ts
@@ -255,9 +255,11 @@ export const otp2fa = (options?: OTPOptions) => {
 );
 const [otp, counter] = toCheckOtp?.value?.split("!") ?? [];
 if (!toCheckOtp || toCheckOtp.expiresAt < new Date()) {
- await ctx.context.internalAdapter.deleteVerificationValue(
- `2fa-otp-${key}`,
- );
+ if (toCheckOtp) {
+ await ctx.context.internalAdapter.deleteVerificationValue(
+ toCheckOtp.id,
+ );
+ }
 throw new APIError("BAD_REQUEST", {
 message: TWO_FACTOR_ERROR_CODES.OTP_HAS_EXPIRED,
 });
@@ -265,7 +267,7 @@ export const otp2fa = (options?: OTPOptions) => {
 const allowedAttempts = options?.allowedAttempts || 5;
 if (parseInt(counter) >= allowedAttempts) {
 await ctx.context.internalAdapter.deleteVerificationValue(
- `2fa-otp-${key}`,
+ toCheckOtp.id,
 );
 throw new APIError("BAD_REQUEST", {
 message: TWO_FACTOR_ERROR_CODES.TOO_MANY_ATTEMPTS_REQUEST_NEW_CODE,
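Review bot: The new `if (toCheckOtp)` guard and the switch to `toCheckOtp.id` carry no comment saying why the deletion is keyed on the record id, and the diffstat shows no test accompanying the fix. Judging by the commit title, the earlier call with the lookup identifier did not remove the record, which is easy to reintroduce; a one-line comment above the call such as `// delete by record id, not by the lookup identifier` would record the intent. A regression test that stores an OTP, moves past `expiresAt`, calls verify and asserts the verification record is gone would pin the behaviour, and the same test shape covers the attempt-limit deletion in the next hunk. The enclosing handler starts and ends outside the hunk.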
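Review bot: The attempt limit fails open when `counter` is missing or not numeric: `parseInt(counter)` then yields `NaN`, `NaN >= allowedAttempts` is false, and the lockout branch with the corrected deletion is never reached. `counter` comes from `toCheckOtp?.value?.split("!")` in the previous hunk, so a stored value without a `!` suffix would skip the limit; whether such a value can be written depends on code outside this diff. Parsing with an explicit radix and treating an unparsable counter as over the limit closes that gap: `const attempts = Number.parseInt(counter ?? "", 10);` followed by `if (!Number.isFinite(attempts) || attempts >= allowedAttempts) {`. The enclosing handler continues past the end of the hunk.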