Organization plugin authorization fails with MongoDB adapter - 403 errors despite valid memberships #1352

Closed
opened 2026-03-13 08:34:24 -05:00 by GiteaMirror · 1 comment

Originally created by @jamestagal on GitHub (Jun 13, 2025).

Is this suited for github?

  • Yes, this is suited for github

To Reproduce

Better Auth Organization Plugin Bug Report

Date: June 13, 2025
Reporter: @jamestagal (Benjamin Waller)
Priority: High - Core multi-tenant functionality broken

Bug Summary

The Better Auth organization plugin has fundamental authorization failures when using the MongoDB adapter. All organization listing and detail endpoints return 403 Forbidden errors despite valid authentication and proper database records.

Environment

  • Better Auth: 1.2.8
  • @polar-sh/better-auth: 1.0.1
  • Database Adapter: mongodbAdapter
  • Framework: SvelteKit 2.21.1 + Svelte 5
  • Node.js: 20.x
  • MongoDB: 6.0
  • Plugins: organization, polar, admin, emailOTP

Affected Components

1. Client Hooks

  • Organization.useListOrganizations() → Status 0 (network error)
  • Organization.getFullOrganization() → 403 Forbidden

2. API Endpoints

  • /api/auth/organization/list-organizations → 404 (endpoint missing)
  • /api/auth/organization/get-full-organization → 403 Forbidden

3. Error Details

{
  "code": "USER_IS_NOT_A_MEMBER_OF_THE_ORGANIZATION",
  "message": "User is not a member of the organization"
}

To Reproduce

Environment Setup

npm install better-auth mongodb

1. Configure Better Auth with MongoDB adapter

// auth.js
import { betterAuth } from "better-auth";
import { organization } from "better-auth/plugins";
import { mongodbAdapter } from "better-auth/adapters/mongodb";
import { MongoClient } from "mongodb";

const client = new MongoClient("mongodb://localhost:27017/test");
await client.connect();
const db = client.db();

export const auth = betterAuth({
  database: mongodbAdapter(db),
  plugins: [organization()],
  appName: "test-app"
});

2. Create user and organization (✅ Works correctly)

// 1. Create and authenticate user
const user = await auth.api.signUp({
  email: "test@example.com",
  password: "password123", 
  name: "Test User"
});

const session = await auth.api.signIn({
  email: "test@example.com",
  password: "password123"
});

// 2. Create organization
const org = await auth.api.createOrganization({
  name: "Test Organization",
  slug: "test-org"
});

3. Verify database state (✅ Shows proper membership)

// Check MongoDB collections - these queries work perfectly
const membership = await db.collection('members').findOne({
  userId: user.id,
  organizationId: org.id
});
console.log(membership);
// Output: { userId: "...", organizationId: "...", role: "owner", id: "..." }

const organization = await db.collection('organizations').findOne({
  id: org.id
});
console.log(organization);
// Output: { id: "...", name: "Test Organization", slug: "test-org" }

4. Attempt to list organizations (❌ Fails with 403)

// Client-side hook
import { createAuthClient } from "better-auth/client";
const authClient = createAuthClient({
  baseURL: "http://localhost:3000"
});

const { data, error } = authClient.useListOrganizations();
console.log(error);
// Output: Network error (status 0)

// Direct API call
const response = await fetch("/api/auth/organization/get-full-organization", {
  headers: {
    "Cookie": session.cookies,
    "Content-Type": "application/json"
  }
});
console.log(response.status, await response.json());
// Output: 403 { "code": "USER_IS_NOT_A_MEMBER_OF_THE_ORGANIZATION" }

5. Compare with working workaround

// Direct MongoDB query (works perfectly)
const userOrgs = await db.collection('members')
  .aggregate([
    { $match: { userId: user.id } },
    {
      $lookup: {
        from: 'organizations',
        localField: 'organizationId',
        foreignField: 'id', 
        as: 'organization'
      }
    },
    { $unwind: '$organization' }
  ]).toArray();

console.log(userOrgs);
// Output: Returns all user organizations correctly

Expected vs Actual Behavior

Expected:

  • authClient.useListOrganizations() returns user's organizations
  • /api/auth/organization/get-full-organization returns 200 with organization data

Actual:

  • Client hook returns network error (status 0)
  • API endpoint returns 403 "USER_IS_NOT_A_MEMBER_OF_THE_ORGANIZATION"
  • Database queries show user IS a valid member with proper role

Key Point: The same data that causes 403 errors in Better Auth endpoints works perfectly when queried directly from MongoDB, proving the membership records are correct.

Investigation Results

What We've Tested

  1. Cookie Double-Encoding Theory:

    • Implemented comprehensive cookie debugging
    • Manually decoded potentially double-encoded cookies
    • Result: 403 errors persist even with properly decoded cookies
    • Conclusion: Cookie encoding is NOT the root cause
  2. Database Verification:

    • Confirmed all user-organization relationships exist in MongoDB
    • Verified proper role assignments (owner, member, admin)
    • All organization and member records have correct IDs and structure
    • Result: Database state is perfect, Better Auth can't read it
  3. Session Context:

    • Verified user authentication and session validity
    • Confirmed active organization ID is properly set
    • Session data is available in other endpoints
    • Result: Session context appears lost in organization endpoints
  4. Access Control Configuration:

    • Tested with no access control (default)
    • Tested with permissive access control (return true)
    • Result: No access control configuration resolves the issue

What's Broken

  1. Authorization Logic: The organization plugin fails to recognize valid memberships
  2. MongoDB Adapter Integration: Appears to be adapter-specific issue
  3. Session Propagation: Session context not properly available in organization endpoints
  4. Endpoint Availability: list-organizations endpoint returns 404

Database Evidence

User Membership Records (from MongoDB):

{
  "userMemberships": [
    {
      "organizationId": "JtQad1YSOwqqYsOipBI8wpdD8sLABW5W",
      "role": "member", 
      "id": "0b89325f-02d0-45ae-9472-1809c2d47b78",
      "_id": "68499bd48487f99606ab20a6"
    },
    {
      "organizationId": "684ace0b727a4548a42ca6cd",
      "role": "owner",
      "id": "684acfbd795224e36a90df0b", 
      "_id": "684acfbd795224e36a90df0c"
    }
  ],
  "organizations": [
    {
      "id": "684ace0b727a4548a42ca6cd",
      "name": "Test Org",
      "slug": "test-org"
    },
    {
      "id": "JtQad1YSOwqqYsOipBI8wpdD8sLABW5W", 
      "name": "Capital Tigers",
      "slug": "capital-tigers"
    }
  ]
}

Better Auth Response:

{
  "status": 403,
  "data": {
    "code": "USER_IS_NOT_A_MEMBER_OF_THE_ORGANIZATION",
    "message": "User is not a member of the organization"
  }
}

Current Workaround

We've implemented a server-side MongoDB aggregation to bypass the plugin:

// Works perfectly - direct MongoDB query
const userOrganizations = await db.collection('members')
  .aggregate([
    { $match: { userId: locals.user.id } },
    {
      $lookup: {
        from: 'organizations',
        localField: 'organizationId', 
        foreignField: 'id',
        as: 'organization'
      }
    },
    { $unwind: '$organization' }
  ]).toArray();

This workaround:

  • ✅ Returns correct organization data
  • ✅ Properly handles all user roles
  • ✅ Maintains data consistency
  • ❌ Loses real-time hook capabilities
  • ❌ Requires custom implementation

What Still Works

  • User authentication and session management
  • Organization creation
  • Organization switching (toggleActive)
  • Member management (add/remove members)
  • All other Better Auth functionality

Expected vs Actual Behavior

Expected:

const { data, error } = Organization.useListOrganizations();
// Should return: { data: [organizations], error: null }

Actual:

const { data, error } = Organization.useListOrganizations(); 
// Returns: { data: null, error: { status: 0 } }

// Direct API:
fetch('/api/auth/organization/get-full-organization')
// Returns: 403 "USER_IS_NOT_A_MEMBER_OF_THE_ORGANIZATION"

Impact Assessment

  • Severity: High - Breaks core multi-tenant functionality
  • Scope: All organization listing/detail operations
  • Workaround: Available but loses hook benefits
  • Production Impact: Moderate (workaround maintains functionality)

Suggested Investigation Areas

  1. MongoDB Adapter Integration: Review how organization queries are constructed for MongoDB
  2. Session Context Propagation: Verify session data is available in organization endpoints
  3. Authorization Logic: Check if authorization checks work with MongoDB document structure
  4. Endpoint Registration: Investigate why list-organizations endpoint returns 404

Test Case for Better Auth Team

// Minimal reproduction case
import { betterAuth } from "better-auth";
import { organization } from "better-auth/plugins"; 
import { mongodbAdapter } from "better-auth/adapters/mongodb";

const auth = betterAuth({
  database: mongodbAdapter(mongoDb),
  plugins: [organization()]
});

// 1. Create user (works)
const user = await auth.api.signUp({
  email: "test@example.com", 
  password: "password123",
  name: "Test User"
});

// 2. Create organization (works)  
const org = await auth.api.createOrganization({
  name: "Test Org",
  slug: "test-org"
});

// 3. List organizations (fails with 403)
const result = await auth.api.getFullOrganization({
  headers: request.headers // includes valid session
});
// Expected: Organization data
// Actual: 403 "USER_IS_NOT_A_MEMBER_OF_THE_ORGANIZATION"

// 4. Verify database (works)
const membership = await mongoDb.collection('members').findOne({
  userId: user.id,
  organizationId: org.id  
});
// Returns: Valid membership record with proper role

Additional Context

  • This issue appears to be specific to MongoDB adapter
  • Cookie encoding was thoroughly investigated and ruled out
  • All database relationships are properly structured
  • Issue affects all organization authorization checks
  • Other Better Auth features work perfectly

Status: Confirmed Bug - Awaiting Better Auth Team Response
Workaround: Production-ready server-side alternative implemented
Priority: High - Core functionality affected

Current vs. Expected behavior

Following the steps from the previous section, I expected the authClient.useListOrganizations() hook to return the user's organizations and the /api/auth/organization/get-full-organization endpoint to return 200 with organization data.

Instead, I observed:

  • Client hook returns network error (status 0)
  • API endpoint returns 403 "USER_IS_NOT_A_MEMBER_OF_THE_ORGANIZATION"
  • Database queries show user IS a valid member with proper role

Key Evidence: The same membership data that causes 403 errors in Better Auth endpoints works perfectly when queried directly from MongoDB, proving the membership records are correct and the authorization logic is failing.

What version of Better Auth are you using?

1.2.8

Provide environment information

- OS: macOS (Darwin 23.6.0)
- Browser: Chrome/Safari (affects both)
- Framework: SvelteKit 2.21.1 + Svelte 5
- Node.js: 20.x
- Database: MongoDB 6.0
- Additional packages: @polar-sh/better-auth@1.0.1

Which area(s) are affected? (Select all that apply)

Client, Other

Auth config (if applicable)

import { betterAuth } from "better-auth";
import { organization } from "better-auth/plugins";
import { mongodbAdapter } from "better-auth/adapters/mongodb";
import { MongoClient } from "mongodb";

const client = new MongoClient("mongodb://localhost:27017/test");
await client.connect();
const db = client.db();

export const auth = betterAuth({
  appName: "test-app",
  database: mongodbAdapter(db),
  plugins: [
    organization({
      creatorRole: "owner",
      membershipLimit: 100
    })
  ],
  session: { 
    modelName: "sessions"
  },
  account: { 
    modelName: "accounts" 
  },
  verification: { 
    modelName: "verifications" 
  }
});

Additional context

  • MongoDB Adapter Specific: Issue appears specific to MongoDB adapter - other adapters may work fine
  • Cookie Investigation: Thoroughly tested cookie double-encoding theory and ruled it out as root cause
  • Production Impact: High - breaks core multi-tenant functionality
  • Workaround Available: Direct MongoDB aggregation queries work perfectly, proving data integrity
  • Reproducible: Both locally and online, all browsers affected
  • Session Context: User authentication works perfectly for all other operations
  • Database State: All relationships properly stored - user memberships, organizations, and roles are correct

The organization plugin's authorization logic fails to recognize valid user memberships when using MongoDB adapter, despite organization creation and all other auth operations working correctly.

GiteaMirror added the sveltebug labels 2026-03-13 08:34:24 -05:00
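
A diagnostic for the gap this report describes (membership records present, authorization check denies), added here as an example; it is not part of the original report and not Better Auth's code. It assumes, as a hypothesis to test rather than a confirmed cause, that the check is handed an organization's `_id` while `members.organizationId` stores the `id` field, which is the field the reporter's `$lookup` workaround joins on. The `userId` values and the organization `_id` values are constructed placeholders; the other identifiers are taken from the Database Evidence section.

```javascript
// Added example, not Better Auth code. Records follow the shapes shown under
// "Database Evidence"; userId and the organization _id values are constructed.
const OBJECT_ID_HEX = /^[0-9a-f]{24}$/i;
const UUID = /^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i;

// Classify an identifier by shape so records written by different
// ID generators stand out in an audit.
function classifyId(value) {
  if (typeof value !== "string") return "non-string";
  if (OBJECT_ID_HEX.test(value)) return "objectid-hex";
  if (UUID.test(value)) return "uuid";
  return "opaque-string";
}

const organizations = [
  { _id: "constructed-org-doc-1", id: "684ace0b727a4548a42ca6cd", slug: "test-org" },
  { _id: "constructed-org-doc-2", id: "JtQad1YSOwqqYsOipBI8wpdD8sLABW5W", slug: "capital-tigers" },
];

const members = [
  {
    _id: "68499bd48487f99606ab20a6",
    id: "0b89325f-02d0-45ae-9472-1809c2d47b78",
    userId: "constructed-user-1",
    organizationId: "JtQad1YSOwqqYsOipBI8wpdD8sLABW5W",
    role: "member",
  },
  {
    _id: "684acfbd795224e36a90df0c",
    id: "684acfbd795224e36a90df0b",
    userId: "constructed-user-1",
    organizationId: "684ace0b727a4548a42ca6cd",
    role: "owner",
  },
];

// Fail-closed membership check: access is granted only when a member row
// matches both the user and the exact organization reference supplied.
function checkMembership(userId, organizationRef) {
  const member = members.find(
    (m) => m.userId === userId && m.organizationId === organizationRef
  );
  return member
    ? { allowed: true, role: member.role }
    : { allowed: false, code: "USER_IS_NOT_A_MEMBER_OF_THE_ORGANIZATION" };
}

// For each membership, report the ID shapes in use and which organization
// field (`id` or `_id`) its organizationId actually resolves against.
function auditMemberships() {
  return members.map((m) => {
    const viaId = organizations.some((o) => o.id === m.organizationId);
    const viaUnderscoreId = organizations.some(
      (o) => String(o._id) === m.organizationId
    );
    return {
      member: m.id,
      memberIdShape: classifyId(m.id),
      orgRefShape: classifyId(m.organizationId),
      resolvesVia: viaId ? "id" : viaUnderscoreId ? "_id" : null,
    };
  });
}

// Run the same check with each candidate key. A row that is allowed by one
// key and denied by the other reproduces "valid data, 403 response".
function compareLookups(userId) {
  return organizations.map((o) => ({
    slug: o.slug,
    viaId: checkMembership(userId, o.id).allowed,
    viaUnderscoreId: checkMembership(userId, o._id).allowed,
  }));
}

console.log(auditMemberships());
console.log(compareLookups("constructed-user-1"));
```

Against a live database, the same comparison can be made by logging the organization reference the failing endpoint receives and checking it against both fields of the stored organization document.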

@dosubot[bot] commented on GitHub (Sep 12, 2025):

Hi, @jamestagal. I'm Dosu, and I'm helping the better-auth team manage their backlog and am marking this issue as stale.

Issue Summary:

  • You reported that the Better Auth organization plugin fails authorization with the MongoDB adapter.
  • This results in 403 Forbidden errors on organization endpoints despite valid user memberships.
  • The issue breaks multi-tenant functionality in version 1.2.8, specifically with SvelteKit 2.21.1 and mongodbAdapter.
  • Error messages include "USER_IS_NOT_A_MEMBER_OF_THE_ORGANIZATION."
  • There has been no further activity or comments on this issue.

Next Steps:

  • Please let me know if this issue is still relevant with the latest version of better-auth by commenting here.
  • If I do not hear back within 7 days, I will automatically close this issue.

Thank you for your understanding and contribution!


Reference: github-starred/better-auth#1352