github-starred/better-auth
2
0
Fork 0
mirror of https://github.com/better-auth/better-auth.git synced 2026-05-24 16:11:53 -05:00
Code Issues 2.5k Packages Projects Releases 112 Wiki Activity

rate limiting not working on magic links #1462

New Issue
Closed
opened 2026-03-13 08:41:21 -05:00 by GiteaMirror · 13 comments
GiteaMirror commented 2026-03-13 08:41:21 -05:00
Owner
Copy Link

Originally created by @Bruh-Codes on GitHub (Jul 5, 2025).

Is this suited for github?

  • Yes, this is suited for github

To Reproduce

  1. create a new nextjs project and install better auth. you can follow https://www.better-auth.com/docs/integrations/next
  2. config and add rate limiting https://www.better-auth.com/docs/concepts/rate-limit

Current vs. Expected behavior

  1. on multiple request rate limiting errors are not logged or does not even work.
  2. even after updating rate limit storage to database, i dont see any data in db
  3. session and everything is working i even toggled the enabled property on the reate limiting for dev environment

What version of Better Auth are you using?

^1.2.12

Provide environment information

- OS [Windows 11]
- Browser [Chrome]

Which area(s) are affected? (Select all that apply)

Client, Documentation, Package

Auth config (if applicable)

import EmailTemplate from "@/components/email-template";
import { betterAuth } from "better-auth";
import { admin } from "better-auth/plugins/admin";
import { magicLink } from "better-auth/plugins/magic-link";
import { Pool } from "pg";
import { Resend } from "resend";

const resend = new Resend(process.env.RESEND_API_KEY);

export const auth = betterAuth({
	rateLimit: {
		enabled: true,
		window: 60, // 1 minute
		max: 3, // Max 3 requests per minute
		storage: "database",
	},
	trustedOrigins: ["http://localhost:3000"],
	socialProviders: {
		// google: {
		// 	clientId: process.env.GOOGLE_CLIENT_ID!,
		// 	clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
		// },
		// twitter: {
		// 	clientId: process.env.TWITTER_CLIENT_ID!,
		// 	clientSecret: process.env.TWITTER_CLIENT_SECRET!,
		// },
	},
	plugins: [
		magicLink({
			async sendMagicLink({ email, url }) {
				console.log(url);
				// const { error } = await resend.emails.send({
				// 	from: "YieldEdu <onboarding@support.yieldedu.xyz>",
				// 	to: [email],
				// 	subject: "Your Magic Sign-In Link for YieldEdu",
				// 	react: EmailTemplate({ link: url }),
				// });
				// if (error) console.log(error);
			},
		}),

		admin({
			adminRoles: ["admin", "partner admin"],
		}),
	],
	/** if no database is provided, the user data will be stored in memory.
	 * Make sure to provide a database to persist user data **/
	database: new Pool({
		connectionString: process.env.DATABASE_URL,
	}),
});

Additional context

i even deployed just to test but it's still the same issue both on Prod and Dev

Originally created by @Bruh-Codes on GitHub (Jul 5, 2025). ### Is this suited for github? - [x] Yes, this is suited for github ### To Reproduce 1. create a new nextjs project and install better auth. you can follow https://www.better-auth.com/docs/integrations/next 2. config and add rate limiting https://www.better-auth.com/docs/concepts/rate-limit ### Current vs. Expected behavior 1. on multiple request rate limiting errors are not logged or does not even work. 2. even after updating rate limit storage to database, i dont see any data in db 3. session and everything is working i even toggled the enabled property on the reate limiting for dev environment ### What version of Better Auth are you using? ^1.2.12 ### Provide environment information ```bash - OS [Windows 11] - Browser [Chrome] ``` ### Which area(s) are affected? (Select all that apply) Client, Documentation, Package ### Auth config (if applicable) ```typescript import EmailTemplate from "@/components/email-template"; import { betterAuth } from "better-auth"; import { admin } from "better-auth/plugins/admin"; import { magicLink } from "better-auth/plugins/magic-link"; import { Pool } from "pg"; import { Resend } from "resend"; const resend = new Resend(process.env.RESEND_API_KEY); export const auth = betterAuth({ rateLimit: { enabled: true, window: 60, // 1 minute max: 3, // Max 3 requests per minute storage: "database", }, trustedOrigins: ["http://localhost:3000"], socialProviders: { // google: { // clientId: process.env.GOOGLE_CLIENT_ID!, // clientSecret: process.env.GOOGLE_CLIENT_SECRET!, // }, // twitter: { // clientId: process.env.TWITTER_CLIENT_ID!, // clientSecret: process.env.TWITTER_CLIENT_SECRET!, // }, }, plugins: [ magicLink({ async sendMagicLink({ email, url }) { console.log(url); // const { error } = await resend.emails.send({ // from: "YieldEdu <onboarding@support.yieldedu.xyz>", // to: [email], // subject: "Your Magic Sign-In Link for YieldEdu", // react: EmailTemplate({ link: url }), // }); // if (error) console.log(error); }, }), admin({ adminRoles: ["admin", "partner admin"], }), ], /** if no database is provided, the user data will be stored in memory. * Make sure to provide a database to persist user data **/ database: new Pool({ connectionString: process.env.DATABASE_URL, }), }); ``` ### Additional context i even deployed just to test but it's still the same issue both on Prod and Dev
GiteaMirror commented 2026-03-13 08:41:23 -05:00
Author
Owner
Copy Link

@dosubot[bot] commented on GitHub (Jul 5, 2025):

Hi @Bruh-Codes! I'm Dosu and I’m helping the better-auth team.

This is a known issue with Better Auth: rate limiting often fails if the IP address is not resolved, which is common in development and sometimes in production behind certain proxies. When the IP is missing, rate limiting is silently skipped and nothing is logged or stored in the database, which matches what you're seeing. This is especially relevant for magic link endpoints, which rely on the same mechanism see details.

To fix this, you need to ensure every request has a valid IP address. In local/dev, you can add middleware to set a default IP (like 127.0.0.1) if none is found. For example, in Next.js API routes or middleware, you can set a header such as x-real-ip to 127.0.0.1 if it's missing. Also, make sure your Better Auth config includes the correct IP header(s):

advanced: {
  ipAddress: {
    ipAddressHeaders: ["x-real-ip", "x-forwarded-for"],
    disableIpTracking: false
  }
}

If you're behind a proxy (like Vercel, Netlify, or custom Nginx), ensure the real client IP is forwarded and available in one of these headers.

For database storage, Better Auth expects a rateLimit table/model. If you don't see any data, it's likely because the rate limiter never triggers due to the missing IP, not a DB bug see code.

If you want to test rate limiting, try making requests with a valid IP header set and confirm that the rateLimit table is created/populated. If you use custom rate limit rules, note that they now take priority over plugin defaults see PR.

Let me know if you want a code snippet for the middleware or have questions about your DB schema.

To reply, just mention @dosu.

How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other  Join Discord Share on X

@dosubot[bot] commented on GitHub (Jul 5, 2025): <!-- Greeting --> Hi @Bruh-Codes! I'm [Dosu](https://go.dosu.dev/dosubot) and I’m helping the better-auth team. <!-- Answer --> This is a known issue with Better Auth: rate limiting often fails if the IP address is not resolved, which is common in development and sometimes in production behind certain proxies. When the IP is missing, rate limiting is silently skipped and nothing is logged or stored in the database, which matches what you're seeing. This is especially relevant for magic link endpoints, which rely on the same mechanism [see details](https://github.com/better-auth/better-auth/issues/2633). To fix this, you need to ensure every request has a valid IP address. In local/dev, you can add middleware to set a default IP (like 127.0.0.1) if none is found. For example, in Next.js API routes or middleware, you can set a header such as `x-real-ip` to `127.0.0.1` if it's missing. Also, make sure your Better Auth config includes the correct IP header(s): ```js advanced: { ipAddress: { ipAddressHeaders: ["x-real-ip", "x-forwarded-for"], disableIpTracking: false } } ``` If you're behind a proxy (like Vercel, Netlify, or custom Nginx), ensure the real client IP is forwarded and available in one of these headers. For database storage, Better Auth expects a `rateLimit` table/model. If you don't see any data, it's likely because the rate limiter never triggers due to the missing IP, not a DB bug [see code](https://github.com/better-auth/better-auth/blob/57baf02f84a45be794b069fcce3bc8f528c6208e/packages/better-auth/src/api/rate-limiter/index.ts). If you want to test rate limiting, try making requests with a valid IP header set and confirm that the `rateLimit` table is created/populated. If you use custom rate limit rules, note that they now take priority over plugin defaults [see PR](https://github.com/better-auth/better-auth/pull/3008). Let me know if you want a code snippet for the middleware or have questions about your DB schema. <!-- Dosu Comment Footer --> *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/d36cfce5-2445-4872-a7b0-d00e405f34c7?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/d36cfce5-2445-4872-a7b0-d00e405f34c7?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/d36cfce5-2445-4872-a7b0-d00e405f34c7?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/d36cfce5-2445-4872-a7b0-d00e405f34c7?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/d36cfce5-2445-4872-a7b0-d00e405f34c7?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/d36cfce5-2445-4872-a7b0-d00e405f34c7?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/d36cfce5-2445-4872-a7b0-d00e405f34c7?feedback_type=other)</sup>&nbsp;&nbsp;[![Join Discord](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&label=)](https://go.dosu.dev/discord-bot)&nbsp;[![Share on X](https://img.shields.io/badge/X-share-black)](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/better-auth/better-auth/issues/3264)
GiteaMirror commented 2026-03-13 08:41:24 -05:00
Author
Owner
Copy Link

@ping-maxwell commented on GitHub (Jul 5, 2025):

@Bruh-Codes Can you confirm that you're not facing what the bot described?
I recommend testing on prod that has a reverse proxy or if you can add some middleware to hard-code an IP into requests for testing purposes.

@ping-maxwell commented on GitHub (Jul 5, 2025): @Bruh-Codes Can you confirm that you're not facing what the bot described? I recommend testing on prod that has a reverse proxy or if you can add some middleware to hard-code an IP into requests for testing purposes.
GiteaMirror commented 2026-03-13 08:41:24 -05:00
Author
Owner
Copy Link

@Bruh-Codes commented on GitHub (Jul 5, 2025):

@ping-maxwell I tried updating my middleware to include an ip but the problem is still persisting. below is my middleware configuration.

//MIDDLEWARE


import { NextRequest, NextResponse } from "next/server";
import { getSessionCookie } from "better-auth/cookies";

export async function middleware(request: NextRequest) {
	const sessionCookie = getSessionCookie(request);

	// Set x-real-ip header for local development if not present
	if (
		process.env.NODE_ENV === "development" &&
		!request.headers.has("x-real-ip")
	) {
		request.headers.set("x-real-ip", "127.0.0.1");
	}

	if (!sessionCookie) {
		return NextResponse.redirect(new URL("/signin", request.url));
	}

	return NextResponse.next();
}

export const config = {
	matcher: ["/dashboard:path*"],
};


//AUTH config


import EmailTemplate from "@/components/email-template";
import { betterAuth, string } from "better-auth";
import { admin } from "better-auth/plugins/admin";
import { anonymous } from "better-auth/plugins/anonymous";
import { magicLink } from "better-auth/plugins/magic-link";
import { Pool } from "pg";
import { Resend } from "resend";

const resend = new Resend(process.env.RESEND_API_KEY);

export const auth = betterAuth({
	user: {
		additionalFields: {
			OCId: {
				type: "string",
			},
			ethAddress: {
				type: "string",
			},
		},
	},

	session: {
		additionalFields: {
			OCId: {
				type: "string",
			},
			ethAddress: {
				type: "string",
			},
		},
	},
	account: {
		accountLinking: {
			enabled: true,
			trustedProviders: ["google", "twitter"],
		},
	},
	rateLimit: {
		enabled: true,
		window: 60, // 1 minute
		max: 3, // Max 3 requests per minute
		storage: "database",
	},
	trustedOrigins: ["http://localhost:3000"],
	socialProviders: {
		google: {
			clientId: process.env.GOOGLE_CLIENT_ID!,
			clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
		},
		twitter: {
			clientId: process.env.TWITTER_CLIENT_ID!,
			clientSecret: process.env.TWITTER_CLIENT_SECRET!,
		},
	},
	advanced: {
		ipAddress: {
			ipAddressHeaders: ["x-forwarded-for", "x-real-ip"],
			disableIpTracking: false,
		},
	},
	plugins: [
		magicLink({
			async sendMagicLink({ email, url }) {
				console.log(url);
				// const { error } = await resend.emails.send({
				// 	from: "YieldEdu <onboarding@support.yieldedu.xyz>",
				// 	to: [email],
				// 	subject: "Your Magic Sign-In Link for YieldEdu",
				// 	react: EmailTemplate({ link: url }),
				// });
				// if (error) console.log(error);
			},
		}),
		anonymous({
			emailDomainName: "OCId-User",
		}),

		admin({
			adminRoles: ["admin", "partner admin"],
		}),
	],
	/** if no database is provided, the user data will be stored in memory.
	 * Make sure to provide a database to persist user data **/
	database: new Pool({
		connectionString: process.env.DATABASE_URL,
	}),
});
@Bruh-Codes commented on GitHub (Jul 5, 2025): @ping-maxwell I tried updating my middleware to include an ip but the problem is still persisting. below is my middleware configuration. ```ts //MIDDLEWARE import { NextRequest, NextResponse } from "next/server"; import { getSessionCookie } from "better-auth/cookies"; export async function middleware(request: NextRequest) { const sessionCookie = getSessionCookie(request); // Set x-real-ip header for local development if not present if ( process.env.NODE_ENV === "development" && !request.headers.has("x-real-ip") ) { request.headers.set("x-real-ip", "127.0.0.1"); } if (!sessionCookie) { return NextResponse.redirect(new URL("/signin", request.url)); } return NextResponse.next(); } export const config = { matcher: ["/dashboard:path*"], }; ``` ```ts //AUTH config import EmailTemplate from "@/components/email-template"; import { betterAuth, string } from "better-auth"; import { admin } from "better-auth/plugins/admin"; import { anonymous } from "better-auth/plugins/anonymous"; import { magicLink } from "better-auth/plugins/magic-link"; import { Pool } from "pg"; import { Resend } from "resend"; const resend = new Resend(process.env.RESEND_API_KEY); export const auth = betterAuth({ user: { additionalFields: { OCId: { type: "string", }, ethAddress: { type: "string", }, }, }, session: { additionalFields: { OCId: { type: "string", }, ethAddress: { type: "string", }, }, }, account: { accountLinking: { enabled: true, trustedProviders: ["google", "twitter"], }, }, rateLimit: { enabled: true, window: 60, // 1 minute max: 3, // Max 3 requests per minute storage: "database", }, trustedOrigins: ["http://localhost:3000"], socialProviders: { google: { clientId: process.env.GOOGLE_CLIENT_ID!, clientSecret: process.env.GOOGLE_CLIENT_SECRET!, }, twitter: { clientId: process.env.TWITTER_CLIENT_ID!, clientSecret: process.env.TWITTER_CLIENT_SECRET!, }, }, advanced: { ipAddress: { ipAddressHeaders: ["x-forwarded-for", "x-real-ip"], disableIpTracking: false, }, }, plugins: [ magicLink({ async sendMagicLink({ email, url }) { console.log(url); // const { error } = await resend.emails.send({ // from: "YieldEdu <onboarding@support.yieldedu.xyz>", // to: [email], // subject: "Your Magic Sign-In Link for YieldEdu", // react: EmailTemplate({ link: url }), // }); // if (error) console.log(error); }, }), anonymous({ emailDomainName: "OCId-User", }), admin({ adminRoles: ["admin", "partner admin"], }), ], /** if no database is provided, the user data will be stored in memory. * Make sure to provide a database to persist user data **/ database: new Pool({ connectionString: process.env.DATABASE_URL, }), }); ```
GiteaMirror commented 2026-03-13 08:41:25 -05:00
Author
Owner
Copy Link

@ping-maxwell commented on GitHub (Jul 5, 2025):

You might need to overwrite the magic link paths explicitly, since you only defined the base window and max rules, but the magic link plugin already defined it's own rules for rate-limiting so it takes precedence over base rules.
(Or I believe so at least)
Try specifying the paths and rules for them.

For reference for which paths to use, this is the code in the magic link plugin:

Image
@ping-maxwell commented on GitHub (Jul 5, 2025): You might need to overwrite the magic link paths explicitly, since you only defined the base `window` and `max` rules, but the magic link plugin already defined it's own rules for rate-limiting so it takes precedence over base rules. (Or I believe so at least) Try specifying the paths and rules for them. For reference for which paths to use, this is the code in the magic link plugin: <img width="613" height="260" alt="Image" src="https://github.com/user-attachments/assets/aaeaf461-ea52-422f-bc95-d0b2d9f6d61a" />
GiteaMirror commented 2026-03-13 08:41:26 -05:00
Author
Owner
Copy Link

@Bruh-Codes commented on GitHub (Jul 5, 2025):

i tried doing that earlier on but it did not work. from the docs https://www.better-auth.com/docs/reference/options#ratelimit

	rateLimit: {
		enabled: true,
		window: 60, // 1 minute
		max: 3, // Max 3 requests per minute
		storage: "database",
		customRules: {
			"/sign-in/magic-link": {
				window: 60,
				max: 3,
			},
		},
	},
@Bruh-Codes commented on GitHub (Jul 5, 2025): i tried doing that earlier on but it did not work. from the docs https://www.better-auth.com/docs/reference/options#ratelimit ```ts rateLimit: { enabled: true, window: 60, // 1 minute max: 3, // Max 3 requests per minute storage: "database", customRules: { "/sign-in/magic-link": { window: 60, max: 3, }, }, }, ```
GiteaMirror commented 2026-03-13 08:41:26 -05:00
Author
Owner
Copy Link

@ping-maxwell commented on GitHub (Jul 5, 2025):

Did you set the ip in middleware when testing this earlier?
If this is the case then I'll go investigate on my end

@ping-maxwell commented on GitHub (Jul 5, 2025): Did you set the ip in middleware when testing this earlier? If this is the case then I'll go investigate on my end
GiteaMirror commented 2026-03-13 08:41:26 -05:00
Author
Owner
Copy Link

@Bruh-Codes commented on GitHub (Jul 5, 2025):

@ping-maxwell yes I did

import { NextRequest, NextResponse } from "next/server";
import { getSessionCookie } from "better-auth/cookies";

export async function middleware(request: NextRequest) {
	const sessionCookie = getSessionCookie(request);

	// Set x-real-ip header for local development if not present
	if (
		process.env.NODE_ENV === "development" &&
		!request.headers.has("x-real-ip")
	) {
		request.headers.set("x-real-ip", "127.0.0.1");
	}

	if (!sessionCookie) {
		return NextResponse.redirect(new URL("/signin", request.url));
	}

	return NextResponse.next();
}

export const config = {
	matcher: ["/dashboard:path*"],
};
@Bruh-Codes commented on GitHub (Jul 5, 2025): @ping-maxwell yes I did ```ts import { NextRequest, NextResponse } from "next/server"; import { getSessionCookie } from "better-auth/cookies"; export async function middleware(request: NextRequest) { const sessionCookie = getSessionCookie(request); // Set x-real-ip header for local development if not present if ( process.env.NODE_ENV === "development" && !request.headers.has("x-real-ip") ) { request.headers.set("x-real-ip", "127.0.0.1"); } if (!sessionCookie) { return NextResponse.redirect(new URL("/signin", request.url)); } return NextResponse.next(); } export const config = { matcher: ["/dashboard:path*"], }; ```
GiteaMirror commented 2026-03-13 08:41:28 -05:00
Author
Owner
Copy Link

@Stevemoretz commented on GitHub (Sep 5, 2025):

It doesn't work on email-otp either I had to make my own rate limit functionality.

@Stevemoretz commented on GitHub (Sep 5, 2025): It doesn't work on email-otp either I had to make my own rate limit functionality.
GiteaMirror commented 2026-03-13 08:41:28 -05:00
Author
Owner
Copy Link

@Bruh-Codes commented on GitHub (Sep 5, 2025):

Hey I realized it was working in production

On Fri, Sep 5, 2025, 1:10 PM Steve Moretz @.***> wrote:

Stevemoretz left a comment (better-auth/better-auth#3264)
https://github.com/better-auth/better-auth/issues/3264#issuecomment-3258305542

It doesn't work on email-otp either I had to make my own rate limit
functionality.


Reply to this email directly, view it on GitHub
https://github.com/better-auth/better-auth/issues/3264#issuecomment-3258305542,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/BNZK6EGTEUMFR3OWONA3QIL3RGDUXAVCNFSM6AAAAACA2NUXX2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTENJYGMYDKNJUGI
.
You are receiving this because you were mentioned.Message ID:
@.***>

@Bruh-Codes commented on GitHub (Sep 5, 2025): Hey I realized it was working in production On Fri, Sep 5, 2025, 1:10 PM Steve Moretz ***@***.***> wrote: > *Stevemoretz* left a comment (better-auth/better-auth#3264) > <https://github.com/better-auth/better-auth/issues/3264#issuecomment-3258305542> > > It doesn't work on email-otp either I had to make my own rate limit > functionality. > > — > Reply to this email directly, view it on GitHub > <https://github.com/better-auth/better-auth/issues/3264#issuecomment-3258305542>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/BNZK6EGTEUMFR3OWONA3QIL3RGDUXAVCNFSM6AAAAACA2NUXX2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTENJYGMYDKNJUGI> > . > You are receiving this because you were mentioned.Message ID: > ***@***.***> >
GiteaMirror commented 2026-03-13 08:41:29 -05:00
Author
Owner
Copy Link

@ping-maxwell commented on GitHub (Sep 9, 2025):

@Bruh-Codes Is everything working fine then? May I close this issue?

@ping-maxwell commented on GitHub (Sep 9, 2025): @Bruh-Codes Is everything working fine then? May I close this issue?
GiteaMirror commented 2026-03-13 08:41:29 -05:00
Author
Owner
Copy Link

@Bruh-Codes commented on GitHub (Sep 9, 2025):

@Bruh-Codes Is everything working fine then? May I close this issue?

yes I noticed it was working on production. You did mention that we'd have to manually inset an IP through middleware when testing locally. When I did that it did not work tho. I amrequesting for an easier way to just toggle it on and it will work locally when building plus prod.

@Bruh-Codes commented on GitHub (Sep 9, 2025): > [@Bruh-Codes](https://github.com/Bruh-Codes) Is everything working fine then? May I close this issue? yes I noticed it was working on production. You did mention that we'd have to manually inset an IP through middleware when testing locally. When I did that it did not work tho. I amrequesting for an easier way to just toggle it on and it will work locally when building plus prod.
GiteaMirror commented 2026-03-13 08:41:29 -05:00
Author
Owner
Copy Link

@dosubot[bot] commented on GitHub (Dec 9, 2025):

Hi, @Bruh-Codes. I'm Dosu, and I'm helping the better-auth team manage their backlog and am marking this issue as stale.

Issue Summary

  • You reported that rate limiting for magic link requests doesn't work locally despite enabling it with database storage.
  • The root cause is missing IP addresses in local requests, which disables rate limiting silently.
  • You confirmed that manually setting IP headers in middleware did not work locally for you.
  • You later found that rate limiting works correctly in production environments.
  • You requested an easier way to enable rate limiting locally without manual IP header insertion.

Next Steps

  • Please let me know if this issue is still relevant with the latest version of better-auth by commenting here.
  • If I don’t hear back within 7 days, I will automatically close this issue.

Thanks for your understanding and contribution!

@dosubot[bot] commented on GitHub (Dec 9, 2025): Hi, @Bruh-Codes. I'm [Dosu](https://dosu.dev), and I'm helping the better-auth team manage their backlog and am marking this issue as stale. **Issue Summary** - You reported that rate limiting for magic link requests doesn't work locally despite enabling it with database storage. - The root cause is missing IP addresses in local requests, which disables rate limiting silently. - You confirmed that manually setting IP headers in middleware did not work locally for you. - You later found that rate limiting works correctly in production environments. - You requested an easier way to enable rate limiting locally without manual IP header insertion. **Next Steps** - Please let me know if this issue is still relevant with the latest version of better-auth by commenting here. - If I don’t hear back within 7 days, I will automatically close this issue. Thanks for your understanding and contribution!
GiteaMirror commented 2026-03-13 08:41:30 -05:00
Author
Owner
Copy Link

@dantman commented on GitHub (Jan 31, 2026):

If anyone using the Convex integration for Better Auth comes here searching for better auth magic link rate limits like I did.

There is a separate bug in the Convex Better Auth integration regarding rate limits https://github.com/get-convex/better-auth/issues/247

@dantman commented on GitHub (Jan 31, 2026): If anyone using the Convex integration for Better Auth comes here searching for better auth magic link rate limits like I did. There is a separate bug in the Convex Better Auth integration regarding rate limits https://github.com/get-convex/better-auth/issues/247
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
adapter
astro
awaiting external contributor
blocked
breaking
breaking change
bug
c-devops
core
credentials
database
dependencies
devops
devtools
docs
documentation
duplicate
elysia
enhancement
enterprise
expo
express
fastify
good first issue
help wanted
hono
identity
infra
integration
invalid
javascript
locked
maintenance
need-more-information
needs: info
needs: repro
nextjs
nuxt
oauth
organization
P0
payments
perf
platform
plugin
pull-request
Mirrored from GitHub Pull Request
 question
ready
regression
remix
security
social-provider
solid
stale
svelte
tanstack-start
tracking
version-bump
vue
wontfix
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/better-auth#1462
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?