github-starred/better-auth
2
0
Fork 0
mirror of https://github.com/better-auth/better-auth.git synced 2026-05-23 07:18:56 -05:00
Code Issues 2.5k Packages Projects Releases 112 Wiki Activity

Too much server-side APIs requires session in admin plugin #1610

New Issue
Open
opened 2026-03-13 08:51:21 -05:00 by GiteaMirror · 9 comments
GiteaMirror commented 2026-03-13 08:51:21 -05:00
Owner
Copy Link

Originally created by @typed-sigterm on GitHub (Jul 31, 2025).

Is this suited for github?

  • Yes, this is suited for github

To Reproduce

https://www.better-auth.com/docs/plugins/admin#usage

Current vs. Expected behavior

Current: Even if on server side, only createUser can be called without sessions. We must direct interact with DB if we want to operate as system (I'm not sure if I missed something).

Expected: Don't require header when calling on server side.

What version of Better Auth are you using?

1.3.4

Provide environment information

N/A

Which area(s) are affected? (Select all that apply)

Backend, Types

Auth config (if applicable)

Additional context

No response

Originally created by @typed-sigterm on GitHub (Jul 31, 2025). ### Is this suited for github? - [x] Yes, this is suited for github ### To Reproduce https://www.better-auth.com/docs/plugins/admin#usage ### Current vs. Expected behavior Current: Even if on server side, only `createUser` can be called without sessions. We must direct interact with DB if we want to operate as system (I'm not sure if I missed something). Expected: Don't require `header` when calling on server side. ### What version of Better Auth are you using? 1.3.4 ### Provide environment information ```bash N/A ``` ### Which area(s) are affected? (Select all that apply) Backend, Types ### Auth config (if applicable) ```typescript ``` ### Additional context _No response_
GiteaMirror added the plugin label 2026-03-13 08:51:21 -05:00
GiteaMirror commented 2026-03-13 08:51:22 -05:00
Author
Owner
Copy Link

@dosubot[bot] commented on GitHub (Jul 31, 2025):

Hi @typed-sigterm! I'm Dosu and I’m helping the better-auth team.

The session requirement for most admin plugin APIs (except createUser) is intentional and enforced in Better Auth v1.3.4. This applies even for server-side calls—headers with a valid session are needed for operations like impersonation, listing users, or stopping impersonation. There isn't a built-in way to bypass this for system-level/server-side automation; the only alternatives are to interact directly with the database or programmatically create a privileged session for automation tasks. This design enforces security and role-based access control, and matches both the documentation and codebase behavior (example, test code). If you need sessionless system APIs, you’d need to implement a custom solution or monitor for future changes.

To reply, just mention @dosu.

How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other  Chat with Dosu Join Discord Share on X

@dosubot[bot] commented on GitHub (Jul 31, 2025): <!-- Greeting --> Hi @typed-sigterm! I'm [Dosu](https://go.dosu.dev/dosubot) and I’m helping the better-auth team. <!-- Answer --> The session requirement for most admin plugin APIs (except `createUser`) is intentional and enforced in Better Auth v1.3.4. This applies even for server-side calls—headers with a valid session are needed for operations like impersonation, listing users, or stopping impersonation. There isn't a built-in way to bypass this for system-level/server-side automation; the only alternatives are to interact directly with the database or programmatically create a privileged session for automation tasks. This design enforces security and role-based access control, and matches both the documentation and codebase behavior ([example](https://github.com/better-auth/better-auth/issues/3015), [test code](https://github.com/better-auth/better-auth/pull/883)). If you need sessionless system APIs, you’d need to implement a custom solution or monitor for future changes. <!-- Dosu Comment Footer --> *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/f46b5b3d-35cc-4fb8-a299-dc45ad2de7e6?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/f46b5b3d-35cc-4fb8-a299-dc45ad2de7e6?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/f46b5b3d-35cc-4fb8-a299-dc45ad2de7e6?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/f46b5b3d-35cc-4fb8-a299-dc45ad2de7e6?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/f46b5b3d-35cc-4fb8-a299-dc45ad2de7e6?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/f46b5b3d-35cc-4fb8-a299-dc45ad2de7e6?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/f46b5b3d-35cc-4fb8-a299-dc45ad2de7e6?feedback_type=other)</sup>&nbsp;&nbsp;[![Chat with Dosu](https://dosu.dev/dosu-chat-badge.svg)](https://app.dosu.dev/cdda13d9-dd27-4d31-b09a-5d8bec92de21/ask?utm_source=github)&nbsp;[![Join Discord](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&label=)](https://go.dosu.dev/discord-bot)&nbsp;[![Share on X](https://img.shields.io/badge/X-share-black)](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/better-auth/better-auth/issues/3717)
GiteaMirror commented 2026-03-13 08:51:23 -05:00
Author
Owner
Copy Link

@typed-sigterm commented on GitHub (Jul 31, 2025):

@dosu So I'm opening this, looking for possible improvements.

@typed-sigterm commented on GitHub (Jul 31, 2025): @dosu So I'm opening this, looking for possible improvements.
GiteaMirror commented 2026-03-13 08:51:23 -05:00
Author
Owner
Copy Link

@dosubot[bot] commented on GitHub (Jul 31, 2025):

You're right—currently, all privileged admin plugin APIs (except createUser) require a session, even for server-side calls, and there's no built-in config or hook to bypass this requirement. This is a deliberate security design enforced by middleware in the codebase to ensure accountability and prevent unauthorized access reference.

Possible improvement directions could include: adding a "trusted automation" or system mode for privileged server-side calls, supporting custom privileged endpoints, or allowing a configurable bypass for specific contexts. Each of these would need careful design to avoid introducing security risks.

Until such a feature exists, the main workarounds are to interact directly with the database for system-level automation, or to create your own plugin endpoints that wrap the adapter functions with your own authorization logic. The plugin system does support before/after hooks and custom middlewares, so it's technically possible to extend, but there's no documented or recommended pattern for bypassing session checks on built-in admin endpoints reference.

If you have a specific use case or proposal in mind for how a system-level bypass should work, sharing that could help guide future improvements!

To reply, just mention @dosu.

How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other  Chat with Dosu Join Discord Share on X

@dosubot[bot] commented on GitHub (Jul 31, 2025): <!-- Answer --> You're right—currently, all privileged admin plugin APIs (except `createUser`) require a session, even for server-side calls, and there's no built-in config or hook to bypass this requirement. This is a deliberate security design enforced by middleware in the codebase to ensure accountability and prevent unauthorized access [reference](https://github.com/better-auth/better-auth/blob/33b0635c4dc1a28ce217b4eadecc4ed24092f12e/packages/better-auth/src/plugins/admin/admin.ts). Possible improvement directions could include: adding a "trusted automation" or system mode for privileged server-side calls, supporting custom privileged endpoints, or allowing a configurable bypass for specific contexts. Each of these would need careful design to avoid introducing security risks. Until such a feature exists, the main workarounds are to interact directly with the database for system-level automation, or to create your own plugin endpoints that wrap the adapter functions with your own authorization logic. The plugin system does support before/after hooks and custom middlewares, so it's technically possible to extend, but there's no documented or recommended pattern for bypassing session checks on built-in admin endpoints [reference](https://github.com/better-auth/better-auth/blob/33b0635c4dc1a28ce217b4eadecc4ed24092f12e/packages/better-auth/src/types/plugins.ts). If you have a specific use case or proposal in mind for how a system-level bypass should work, sharing that could help guide future improvements! <!-- Dosu Comment Footer --> *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/cb0ef1a7-a46c-4d9c-bf0c-b54d4982ab4a?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/cb0ef1a7-a46c-4d9c-bf0c-b54d4982ab4a?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/cb0ef1a7-a46c-4d9c-bf0c-b54d4982ab4a?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/cb0ef1a7-a46c-4d9c-bf0c-b54d4982ab4a?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/cb0ef1a7-a46c-4d9c-bf0c-b54d4982ab4a?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/cb0ef1a7-a46c-4d9c-bf0c-b54d4982ab4a?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/cb0ef1a7-a46c-4d9c-bf0c-b54d4982ab4a?feedback_type=other)</sup>&nbsp;&nbsp;[![Chat with Dosu](https://dosu.dev/dosu-chat-badge.svg)](https://app.dosu.dev/cdda13d9-dd27-4d31-b09a-5d8bec92de21/ask?utm_source=github)&nbsp;[![Join Discord](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&label=)](https://go.dosu.dev/discord-bot)&nbsp;[![Share on X](https://img.shields.io/badge/X-share-black)](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/better-auth/better-auth/issues/3717)
GiteaMirror commented 2026-03-13 08:51:24 -05:00
Author
Owner
Copy Link

@airtonix commented on GitHub (Aug 9, 2025):

Other frameworks (Django, NestJS) would allow a team to create cli tools to help manage the database.

Could some insight be given as to why BetterAuth thought it would be beneficial to design admin plugin is such a way as to make this kind of affordance impossible?

Currently, I feel that we'd probably end up re inventing BetterAuth by creating our own abstractions to allow system management of the db records.

@airtonix commented on GitHub (Aug 9, 2025): Other frameworks (Django, NestJS) would allow a team to create cli tools to help manage the database. Could some insight be given as to why BetterAuth thought it would be beneficial to design admin plugin is such a way as to make this kind of affordance impossible? Currently, I feel that we'd probably end up re inventing BetterAuth by creating our own abstractions to allow system management of the db records.
GiteaMirror commented 2026-03-13 08:51:24 -05:00
Author
Owner
Copy Link

@Kinfe123 commented on GitHub (Aug 9, 2025):

Most admin plugin functions still depend on session data to run core logic, even if a session isn’t strictly required. Sessionless admin features might be worth exploring later, but for now these cases are best handled within your own implementation.

@Kinfe123 commented on GitHub (Aug 9, 2025): Most admin plugin functions still depend on session data to run core logic, even if a session isn’t strictly required. Sessionless admin features might be worth exploring later, but for now these cases are best handled within your own implementation.
GiteaMirror commented 2026-03-13 08:51:24 -05:00
Author
Owner
Copy Link

@dosubot[bot] commented on GitHub (Nov 8, 2025):

Hi, @typed-sigterm. I'm Dosu, and I'm helping the better-auth team manage their backlog and am marking this issue as stale.

Issue Summary:

  • You reported that most server-side admin plugin APIs in Better Auth v1.3.4 require a session header, except for createUser, which limits system-level automation without direct DB access.
  • The session requirement is intentional for security and role-based access control, with no built-in bypass available.
  • Workarounds include custom solutions or using privileged sessions.
  • Discussions highlighted the trade-offs between security and automation, with potential future features like a "trusted automation" mode being considered.
  • Currently, sessionless admin features require custom implementation.

Next Steps:

  • Please let me know if this issue is still relevant to the latest version of better-auth by commenting here to keep the discussion open.
  • Otherwise, this issue will be automatically closed in 7 days.

Thank you for your understanding and contribution!

@dosubot[bot] commented on GitHub (Nov 8, 2025): Hi, @typed-sigterm. I'm [Dosu](https://dosu.dev), and I'm helping the better-auth team manage their backlog and am marking this issue as stale. **Issue Summary:** - You reported that most server-side admin plugin APIs in Better Auth v1.3.4 require a session header, except for createUser, which limits system-level automation without direct DB access. - The session requirement is intentional for security and role-based access control, with no built-in bypass available. - Workarounds include custom solutions or using privileged sessions. - Discussions highlighted the trade-offs between security and automation, with potential future features like a "trusted automation" mode being considered. - Currently, sessionless admin features require custom implementation. **Next Steps:** - Please let me know if this issue is still relevant to the latest version of better-auth by commenting here to keep the discussion open. - Otherwise, this issue will be automatically closed in 7 days. Thank you for your understanding and contribution!
GiteaMirror commented 2026-03-13 08:51:25 -05:00
Author
Owner
Copy Link

@typed-sigterm commented on GitHub (Nov 8, 2025):

keep the discussion open

@typed-sigterm commented on GitHub (Nov 8, 2025): keep the discussion open
GiteaMirror commented 2026-03-13 08:51:25 -05:00
Author
Owner
Copy Link

@dosubot[bot] commented on GitHub (Feb 7, 2026):

Hi, @typed-sigterm. I'm Dosu (https://dosu.dev), and I'm helping the better-auth team manage their backlog and am marking this issue as stale.

Issue Summary

  • You reported that most server-side admin plugin APIs in Better Auth v1.3.4 require a session header, except for createUser, which limits system-level automation without direct database access.
  • The design is intentional for security, enforcing role-based access control with no current bypass.
  • Suggestions for future improvements include a "trusted automation" mode to enable sessionless admin operations.
  • Other community members have noted interest in sessionless admin features but acknowledged they currently require custom solutions.
  • The issue remains open for further discussion and potential feature proposals.

Next Steps

  • Please let me know if this issue is still relevant with the latest version of better-auth by commenting here to keep the discussion open.
  • If I do not hear back within 7 days, this issue will be automatically closed.

Thank you for your understanding and contribution!

@dosubot[bot] commented on GitHub (Feb 7, 2026): Hi, @typed-sigterm. I'm Dosu (https://dosu.dev), and I'm helping the better-auth team manage their backlog and am marking this issue as stale. **Issue Summary** - You reported that most server-side admin plugin APIs in Better Auth v1.3.4 require a session header, except for createUser, which limits system-level automation without direct database access. - The design is intentional for security, enforcing role-based access control with no current bypass. - Suggestions for future improvements include a "trusted automation" mode to enable sessionless admin operations. - Other community members have noted interest in sessionless admin features but acknowledged they currently require custom solutions. - The issue remains open for further discussion and potential feature proposals. **Next Steps** - Please let me know if this issue is still relevant with the latest version of better-auth by commenting here to keep the discussion open. - If I do not hear back within 7 days, this issue will be automatically closed. Thank you for your understanding and contribution!
GiteaMirror commented 2026-03-13 08:51:25 -05:00
Author
Owner
Copy Link

@typed-sigterm commented on GitHub (Feb 10, 2026):

keep open

@typed-sigterm commented on GitHub (Feb 10, 2026): keep open
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
adapter
astro
awaiting external contributor
blocked
breaking
breaking change
bug
c-devops
core
credentials
database
dependencies
devops
devtools
docs
documentation
duplicate
elysia
enhancement
enterprise
expo
express
fastify
good first issue
help wanted
hono
identity
infra
integration
invalid
javascript
locked
maintenance
need-more-information
needs: info
needs: repro
nextjs
nuxt
oauth
organization
P0
payments
perf
platform
plugin
pull-request
Mirrored from GitHub Pull Request
 question
ready
regression
remix
security
social-provider
solid
stale
svelte
tanstack-start
tracking
version-bump
vue
wontfix
No Label plugin
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/better-auth#1610
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?