[GH-ISSUE #3690] Regression: Active subscription detection may select wrong subscription if multiple are present #18320

New Issue

GiteaMirror · 2026-04-15T16:44:48-05:00

GiteaMirror commented

2026-04-15 16:44:48 -05:00

Originally created by @fml-aprc on GitHub (Jul 29, 2025).
Original GitHub issue: https://github.com/better-auth/better-auth/issues/3690

Is this suited for github?

Yes, this is suited for github

To Reproduce

Description
Since commit c2fb1aa3, the logic for retrieving the active subscription has changed. Previously, the code would strictly look for the subscription matching subscriptionToUpdate?.stripeSubscriptionId or ctx.body.subscriptionId among active subscriptions.
Now, it fetches all subscriptions with status active or trialing, and if no subscriptionToUpdate?.stripeSubscriptionId is provided, it simply picks the first result (.find(... ? sub.id === ... : true)).

Steps to Reproduce

Create several active/trialing subscriptions for the same Stripe customer.
Call the feature without providing a subscriptionToUpdate?.stripeSubscriptionId.
Notice that the chosen subscription may not be the expected one.

const activeSubscriptions = await client.subscriptions
  .list({
    customer: customerId,
  })
  .then((res) =>
    res.data.filter(
      (sub) => sub.status === "active" || sub.status === "trialing",
    ),
);

const activeSubscription = activeSubscriptions.find((sub) =>
  subscriptionToUpdate?.stripeSubscriptionId
    ? sub.id === subscriptionToUpdate?.stripeSubscriptionId
    : true, // <== Here the first subscription is selected
  );

Current vs. Expected behavior

If a customer has several active or trialing subscriptions and no subscriptionToUpdate?.stripeSubscriptionId is provided, the current logic just picks the first subscription returned by Stripe.
This can result in selecting the wrong subscription, leading to unexpected behavior when updating or managing subscriptions.

What version of Better Auth are you using?

1.3.4

Provide environment information

- OS Mac OS
- Browser Chrome

Which area(s) are affected? (Select all that apply)

Backend

Auth config (if applicable)

import { betterAuth } from "better-auth"
export const auth = betterAuth({
  emailAndPassword: {  
    enabled: true,
    organization(),
    stripe(),
  },
});

Additional context

No response

Originally created by @fml-aprc on GitHub (Jul 29, 2025). Original GitHub issue: https://github.com/better-auth/better-auth/issues/3690 ### Is this suited for github? - [x] Yes, this is suited for github ### To Reproduce **Description** Since commit c2fb1aa3, the logic for retrieving the active subscription has changed. Previously, the code would strictly look for the subscription matching subscriptionToUpdate?.stripeSubscriptionId or ctx.body.subscriptionId among active subscriptions. Now, it fetches all subscriptions with status active or trialing, and if no subscriptionToUpdate?.stripeSubscriptionId is provided, it simply picks the first result (.find(... ? sub.id === ... : true)). **Steps to Reproduce** Create several active/trialing subscriptions for the same Stripe customer. Call the feature without providing a subscriptionToUpdate?.stripeSubscriptionId. Notice that the chosen subscription may not be the expected one. ```js const activeSubscriptions = await client.subscriptions .list({ customer: customerId, }) .then((res) => res.data.filter( (sub) => sub.status === "active" || sub.status === "trialing", ), ); const activeSubscription = activeSubscriptions.find((sub) => subscriptionToUpdate?.stripeSubscriptionId ? sub.id === subscriptionToUpdate?.stripeSubscriptionId : true, // <== Here the first subscription is selected ); ``` ### Current vs. Expected behavior If a customer has several active or trialing subscriptions and no subscriptionToUpdate?.stripeSubscriptionId is provided, the current logic just picks the first subscription returned by Stripe. This can result in selecting the wrong subscription, leading to unexpected behavior when updating or managing subscriptions. ### What version of Better Auth are you using? 1.3.4 ### Provide environment information ```bash - OS Mac OS - Browser Chrome ``` ### Which area(s) are affected? (Select all that apply) Backend ### Auth config (if applicable) ```typescript import { betterAuth } from "better-auth" export const auth = betterAuth({ emailAndPassword: { enabled: true, organization(), stripe(), }, }); ``` ### Additional context _No response_

GiteaMirror added the locked bug labels 2026-04-15 16:44:48 -05:00

GiteaMirror closed this issue

2026-04-15 16:44:49 -05:00

GiteaMirror commented

2026-04-15 16:44:50 -05:00

@dosubot[bot] commented on GitHub (Jul 29, 2025):

Hi @fml-aprc! I'm Dosu and I’m helping the better-auth team.

You’re correct—since commit c2fb1aa3, the logic for selecting an active subscription changed. Now, if multiple active or trialing subscriptions exist and no specific subscription ID is provided, the code just picks the first one returned by Stripe, which can easily select the wrong subscription and cause unexpected behavior when managing or updating subscriptions. This affects endpoints like upgradeSubscription, cancelSubscription, restoreSubscription, and subscriptionSuccess, as well as webhook handling—all of which use similar logic and lack safeguards for this ambiguity (source).

To avoid this, you should require an explicit subscription ID whenever there’s more than one active or trialing subscription for a customer. If no ID is provided and multiple matches exist, throw an error or prompt for selection instead of defaulting to the first result. This will prevent silent mis-selection and make the behavior predictable. There’s currently no test coverage for this edge case, so adding tests that simulate multiple active/trialing subscriptions and assert that ambiguous selection is not allowed would help prevent future regressions.

Let me know if you want a code snippet or more details on how to implement this check.

To reply, just mention @dosu.

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}

@dosubot[bot] commented on GitHub (Jul 29, 2025):  Hi @fml-aprc! I'm [Dosu](https://go.dosu.dev/dosubot) and I’m helping the better-auth team.  You’re correct—since commit c2fb1aa3, the logic for selecting an active subscription changed. Now, if multiple active or trialing subscriptions exist and no specific subscription ID is provided, the code just picks the first one returned by Stripe, which can easily select the wrong subscription and cause unexpected behavior when managing or updating subscriptions. This affects endpoints like upgradeSubscription, cancelSubscription, restoreSubscription, and subscriptionSuccess, as well as webhook handling—all of which use similar logic and lack safeguards for this ambiguity [(source)](https://github.com/better-auth/better-auth/blob/ed574aa2fbd21c1b9e28d4554993067b159a568b/packages/stripe/src/index.ts). To avoid this, you should require an explicit subscription ID whenever there’s more than one active or trialing subscription for a customer. If no ID is provided and multiple matches exist, throw an error or prompt for selection instead of defaulting to the first result. This will prevent silent mis-selection and make the behavior predictable. There’s currently no test coverage for this edge case, so adding tests that simulate multiple active/trialing subscriptions and assert that ambiguous selection is not allowed would help prevent future regressions. Let me know if you want a code snippet or more details on how to implement this check.  *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/6c9cbad3-0817-42d9-ba9f-98031fcacb4d?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/6c9cbad3-0817-42d9-ba9f-98031fcacb4d?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/6c9cbad3-0817-42d9-ba9f-98031fcacb4d?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/6c9cbad3-0817-42d9-ba9f-98031fcacb4d?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/6c9cbad3-0817-42d9-ba9f-98031fcacb4d?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/6c9cbad3-0817-42d9-ba9f-98031fcacb4d?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/6c9cbad3-0817-42d9-ba9f-98031fcacb4d?feedback_type=other)</sup>  [![Chat with Dosu](https://dosu.dev/dosu-chat-badge.svg)](https://app.dosu.dev/cdda13d9-dd27-4d31-b09a-5d8bec92de21/ask?utm_source=github) [![Join Discord](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&label=)](https://go.dosu.dev/discord-bot) [![Share on X](https://img.shields.io/badge/X-share-black)](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/better-auth/better-auth/issues/3690)

GiteaMirror commented

2026-04-15 16:44:51 -05:00

@fml-aprc commented on GitHub (Jul 29, 2025):

The problem is that you can't create new subscription (with another organization for exemple).
Existing subscription will automatically be selected as active subscription...

@fml-aprc commented on GitHub (Jul 29, 2025): The problem is that you can't create new subscription (with another organization for exemple). Existing subscription will automatically be selected as active subscription...

GiteaMirror commented

2026-04-15 16:44:52 -05:00

@dosubot[bot] commented on GitHub (Jul 29, 2025):

This happens because the current logic always selects the first active subscription for a Stripe customer, so if you try to create a new subscription (for another organization, for example), it just reuses the existing one instead of letting you create a separate subscription.

To support multiple subscriptions per user (e.g., one per organization), you need to enable organization-level Stripe customers. In your Stripe plugin config, set createOrganizationCustomer: true. This makes each organization get its own Stripe customer and subscriptions, so creating a new subscription for a different org won’t conflict with the user’s existing subscriptions. You should also implement the authorizeReference function to control which users can manage subscriptions for which organizations.

Example config:

stripe({
  // ...other options
  createCustomerOnSignUp: false,
  createOrganizationCustomer: true,
  subscription: {
    // ...other subscription options
    authorizeReference: async ({ user, referenceId, action }) => {
      // Check if user is allowed to manage subscriptions for this org
      // e.g., check membership in your DB
      return true; // or your own logic
    },
  },
})

When creating or managing a subscription, pass the organization’s ID as referenceId. This ensures the subscription is scoped to the org, not the user. If you don’t set up authorizeReference, passing a custom referenceId will throw an error see details.

This setup solves the problem of always selecting the user’s existing subscription and lets you create/manage subscriptions per organization.

To reply, just mention @dosu.

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}

@dosubot[bot] commented on GitHub (Jul 29, 2025):  This happens because the current logic always selects the first active subscription for a Stripe customer, so if you try to create a new subscription (for another organization, for example), it just reuses the existing one instead of letting you create a separate subscription. To support multiple subscriptions per user (e.g., one per organization), you need to enable organization-level Stripe customers. In your Stripe plugin config, set `createOrganizationCustomer: true`. This makes each organization get its own Stripe customer and subscriptions, so creating a new subscription for a different org won’t conflict with the user’s existing subscriptions. You should also implement the `authorizeReference` function to control which users can manage subscriptions for which organizations. Example config: ```ts stripe({ // ...other options createCustomerOnSignUp: false, createOrganizationCustomer: true, subscription: { // ...other subscription options authorizeReference: async ({ user, referenceId, action }) => { // Check if user is allowed to manage subscriptions for this org // e.g., check membership in your DB return true; // or your own logic }, }, }) ``` When creating or managing a subscription, pass the organization’s ID as `referenceId`. This ensures the subscription is scoped to the org, not the user. If you don’t set up `authorizeReference`, passing a custom `referenceId` will throw an error [see details](https://github.com/better-auth/better-auth/pull/2794). This setup solves the problem of always selecting the user’s existing subscription and lets you create/manage subscriptions per organization.  *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/1bb551eb-05fb-4991-948a-12809801f6e1?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/1bb551eb-05fb-4991-948a-12809801f6e1?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/1bb551eb-05fb-4991-948a-12809801f6e1?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/1bb551eb-05fb-4991-948a-12809801f6e1?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/1bb551eb-05fb-4991-948a-12809801f6e1?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/1bb551eb-05fb-4991-948a-12809801f6e1?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/1bb551eb-05fb-4991-948a-12809801f6e1?feedback_type=other)</sup>  [![Chat with Dosu](https://dosu.dev/dosu-chat-badge.svg)](https://app.dosu.dev/cdda13d9-dd27-4d31-b09a-5d8bec92de21/ask?utm_source=github) [![Join Discord](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&label=)](https://go.dosu.dev/discord-bot) [![Share on X](https://img.shields.io/badge/X-share-black)](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/better-auth/better-auth/issues/3690)

GiteaMirror commented

2026-04-15 16:44:53 -05:00

@landoncolburn commented on GitHub (Aug 2, 2025):

This response by @dosubot is a hallucination. 'createOrganizationCustomer' doesn't exist in the Stripe plugin.

@landoncolburn commented on GitHub (Aug 2, 2025): This response by @dosubot is a hallucination. 'createOrganizationCustomer' doesn't exist in the Stripe plugin.

Sign in to join this conversation.

Branches Tags

2026-05-22/chore/adopt-agents-md

2026-05-22/refactor/string-case-utils

dependabot/npm_and_yarn/uuid-14.0.0

dependabot/npm_and_yarn/turbo-2.9.14

changeset-release/main

main

2026-05-14/fix/passkey-verify-error-and-claim

dependabot/npm_and_yarn/samlify-2.13.0

dependabot/npm_and_yarn/ws-8.20.1

changeset-release/next

dependabot/npm_and_yarn/demo/electron/demo-minor-patch-519ef7475f

dependabot/github_actions/github-actions-98f3470200

client-assertions-main

2026-05-15/ci/fix-sqlite-abi-mismatch

2026-05-15/fix/organization-team-add-cascade

2026-05-15/fix/parse-set-cookie-value-validation

2026-05-13/feat/captcha-wildcard-endpoints

2026-05-13/ci/stabilize-docker-startup

fix/i18n-before-hook-translation

fix/disable-migration-generate

2026-05-07/fix/admin-set-password-upsert

2026-05-10/fix/cookie-drain-order

2026-05-10/feat/hooks-finally

2026-05-09/fix/cookie-drain-order

2026-05-09/feat/hooks-finally

2026-05-08/feat/register-before-send

fix/stripe/subscription-data-merge

2026-05-01/chore/pnpm-v11-harden

chore/pnpm-v11

2026-04-29/feat/google-include-granted-scopes

2026-04-29/fix/oauth-account-scope-semantics

2026-04-27/fix/nextcookies-idempotent-writes

2026-04-26/fix/harden-proxy-host-validation

2026-04-26/refactor/stripe-callback-signature-cleanup

2026-04-26/fix/stripe-subscription-callback-timing

2026-04-11/fix/sveltekit-app-modules

feat/open-api-zod-contract

feat/oauth-provider-backchannel-logout-next

feat/oauth-idp-initiated-bounce

refactor/sign-in-challenges

2026-04-21/fix/oauth-rfc-input-validation

fix/release-notes-new-packages

fix/two-factor-identity-guard

fix/resource

feat/emailpassword-authorize

2026-04-12/security/dynamic-baseurl-proxy-trust-default

feat/oauth-provider-at-hash-v2

fix/release-grep-fallback

claude/address-review-comments-JhFLr

claude/slack-update-stripe-docs-consistency-8Sc0w

feat/async-auth

fix/two-factor-totp-verified-enrollment

feat/plugin-ui

codex/blog-1-6-release-post

2026-04-06/fix/type-any-guards

2026-04-05/chore/downgrade-better-call

2026-04-04/ci/skip-vercel-fork-prs

2026-03-28/ci/add-autofix-ci

chore/release-preview-script

himself65/2026/02/19/role

2026-03-24/fix/update-user-info-on-link

2026-03-20/docs/improve-website

2026-03-20/fix/anonymous-onlinkaccount-expo

2026-02-17/fix/anonymous-link-state

fix/8607-saml-inresponseto

fix/8549-scim-patch-noop

v1.4.x

refactor/migration-snapshot-tests

worktree-magic-link-additional-data

chore/migrate-build-to-rollup

worktree-fix-dynamic-baseurl-8447

2026-03-06/chore/public-api-check

fix/close-8156-regression-test

fix/secondary-storage-json-error-handling

himself65/verification-namespace

cursor/issue-8307-validation-79a3

himself65/2026/01/30/error-mdx

v1.4.x-staging

fix/email-otp-user

fix/restrict-full-organization-access-roles

himself65/2026/02/12/count

himself65/2026/02/04/define-plugin

2026-02-04/feat/add-pluralize

cursor/better-auth-js-integration-ec21

cursor/expo-state-mismatch-394c

2026-02-01/fix/org-update-role-sync-members

cursor/issue-7607-investigation-e146

cursor/email-generation-helper-0ff6

himself65/2026/01/21/avoid-spread-operator

himself65/2026/01/14/cli

claude/slack-add-docs-pr-NMvgO

claude/slack-add-advanced-useplural-WHKYL

feat/hooks-pos

feat/2fa-phone

feat/2fa

fix/rotation

fix/username-check

v1.3.x

refactor/organization

feat/multiple-client-ids-social-providers

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/better-auth#18320