github-starred/better-auth
2
0
Fork 0
mirror of https://github.com/better-auth/better-auth.git synced 2026-05-24 16:11:53 -05:00
Code Issues 2.5k Packages Projects Releases 112 Wiki Activity

[GH-ISSUE #6414] Semantic Inconsistency in emailVerified Field and Password Reset Behavior #19140

New Issue
Closed
opened 2026-04-15 17:56:26 -05:00 by GiteaMirror · 3 comments
GiteaMirror commented 2026-04-15 17:56:26 -05:00
Owner
Copy Link

Originally created by @ipipi2024 on GitHub (Nov 30, 2025).
Original GitHub issue: https://github.com/better-auth/better-auth/issues/6414

Is this suited for github?

  • Yes, this is suited for github

To Reproduce

Formal Letter of Concern Regarding Logical Inconsistency in emailVerified Behavior

Ipule Pipi
Creator, Nilexia
Email: ipulepipi60@gmail.com
Date: 11/29/2025

Better Auth Team
Better Auth, Inc.

Subject: Formal Complaint Regarding Semantic Inconsistency in emailVerified and Password Reset Behavior

Dear Better Auth Team,
I am writing to formally raise a concern regarding a logical and architectural inconsistency within Better Auth’s default handling of the emailVerified field—specifically as it relates to the password reset flow.

After extensive analysis and practical testing within my application, it has become clear that the current behavior produces contradictory semantics, violates modeling principles, and results in objectively poor user experience. I believe this issue deserves attention at a framework-design level.

Description of the Issue
Better Auth automatically provides a boolean field named emailVerified in the user schema. By standard system modeling principles and by the universal interpretation of naming semantics, such a field should represent:

“Has this user ever proven ownership of the email associated with their account?”

However, Better Auth does not update this field when a user completes a password reset using a link sent to that same email address. Despite successfully proving email ownership through the reset process, the user is still required to separately complete a verification step.

This results in the following flawed user flow:

  1. User signs up → emailVerified = false
  2. User does not click the verification link
  3. User resets their password through a link sent to their email
  4. User attempts to sign in
  5. Better Auth blocks sign-in and demands “verify your email,” despite the user having just proven email ownership through password reset

This flow is unintuitive, redundant, and logically inconsistent. It forces developers to manually correct behavior that should logically be handled by the framework.

Core Logical Inconsistency
The issue arises because Better Auth simultaneously:

  1. Defines a field named emailVerified, implying email ownership verification,
    yet
  2. Does not commit to the semantics that the name implies, and
  3. Refuses to automatically update it when email ownership is proven.

If a field is named emailVerified, it must strictly reflect email verification—not onboarding completion, trust level, or any other unrelated process. Any other interpretation violates established naming conventions and data modeling standards.

If flexibility were the goal, Better Auth should not have chosen such a semantically specific field name or should have allowed developers to define custom verification fields.

Recommended Solutions
I respectfully recommend one of the following solutions:

  1. Auto-verify on password reset (if reset occurs via email)
    onPasswordReset → set emailVerified = true
    This is logically coherent

  2. Allow custom verification schemas or rename the field
    If Better Auth intends not to define strict semantics for this field, it should not assign a semantically-loaded name such as emailVerified. A more flexible or developer-defined model would prevent confusion.

Conclusion
In its current form, the emailVerified behavior presents a contradiction between naming and functionality. It results in poor user experience, violates semantic expectations, and forces unnecessary overrides by developers.

I kindly request that the Better Auth team review this design inconsistency . Addressing this issue would significantly improve both developer clarity and overall user experience.

Thank you

Best,
Ipule Pipi

Formal Letter of Concern Regarding Logical Inconsistency in emailVerified Behavior.pdf

Current vs. Expected behavior

Formal Letter of Concern Regarding Logical Inconsistency in emailVerified Behavior.pdf

What version of Better Auth are you using?

1.3.34

System info

Really nothing here.

Which area(s) are affected? (Select all that apply)

Client

Auth config (if applicable)

import { betterAuth } from "better-auth"
export const auth = betterAuth({
  emailAndPassword: {  
    enabled: true
  },
});

Additional context

Everything is in the pdf or text.

Originally created by @ipipi2024 on GitHub (Nov 30, 2025). Original GitHub issue: https://github.com/better-auth/better-auth/issues/6414 ### Is this suited for github? - [x] Yes, this is suited for github ### To Reproduce Formal Letter of Concern Regarding Logical Inconsistency in emailVerified Behavior Ipule Pipi Creator, Nilexia Email: ipulepipi60@gmail.com Date: 11/29/2025 Better Auth Team Better Auth, Inc. Subject: Formal Complaint Regarding Semantic Inconsistency in emailVerified and Password Reset Behavior Dear Better Auth Team, I am writing to formally raise a concern regarding a logical and architectural inconsistency within Better Auth’s default handling of the emailVerified field—specifically as it relates to the password reset flow. After extensive analysis and practical testing within my application, it has become clear that the current behavior produces contradictory semantics, violates modeling principles, and results in objectively poor user experience. I believe this issue deserves attention at a framework-design level. Description of the Issue Better Auth automatically provides a boolean field named emailVerified in the user schema. By standard system modeling principles and by the universal interpretation of naming semantics, such a field should represent: “Has this user ever proven ownership of the email associated with their account?” However, Better Auth does not update this field when a user completes a password reset using a link sent to that same email address. Despite successfully proving email ownership through the reset process, the user is still required to separately complete a verification step. This results in the following flawed user flow: 1. User signs up → emailVerified = false 2. User does not click the verification link 3. User resets their password through a link sent to their email 4. User attempts to sign in 5. Better Auth blocks sign-in and demands “verify your email,” despite the user having just proven email ownership through password reset This flow is unintuitive, redundant, and logically inconsistent. It forces developers to manually correct behavior that should logically be handled by the framework. Core Logical Inconsistency The issue arises because Better Auth simultaneously: 1. Defines a field named emailVerified, implying email ownership verification, yet 2. Does not commit to the semantics that the name implies, and 3. Refuses to automatically update it when email ownership is proven. If a field is named emailVerified, it must strictly reflect email verification—not onboarding completion, trust level, or any other unrelated process. Any other interpretation violates established naming conventions and data modeling standards. If flexibility were the goal, Better Auth should not have chosen such a semantically specific field name or should have allowed developers to define custom verification fields. Recommended Solutions I respectfully recommend one of the following solutions: 1. Auto-verify on password reset (if reset occurs via email) onPasswordReset → set emailVerified = true This is logically coherent 2. Allow custom verification schemas or rename the field If Better Auth intends not to define strict semantics for this field, it should not assign a semantically-loaded name such as emailVerified. A more flexible or developer-defined model would prevent confusion. Conclusion In its current form, the emailVerified behavior presents a contradiction between naming and functionality. It results in poor user experience, violates semantic expectations, and forces unnecessary overrides by developers. I kindly request that the Better Auth team review this design inconsistency . Addressing this issue would significantly improve both developer clarity and overall user experience. Thank you Best, Ipule Pipi [Formal Letter of Concern Regarding Logical Inconsistency in emailVerified Behavior.pdf](https://github.com/user-attachments/files/23837386/Formal.Letter.of.Concern.Regarding.Logical.Inconsistency.in.emailVerified.Behavior.pdf) ### Current vs. Expected behavior [Formal Letter of Concern Regarding Logical Inconsistency in emailVerified Behavior.pdf](https://github.com/user-attachments/files/23837394/Formal.Letter.of.Concern.Regarding.Logical.Inconsistency.in.emailVerified.Behavior.pdf) ### What version of Better Auth are you using? 1.3.34 ### System info ```bash Really nothing here. ``` ### Which area(s) are affected? (Select all that apply) Client ### Auth config (if applicable) ```typescript import { betterAuth } from "better-auth" export const auth = betterAuth({ emailAndPassword: { enabled: true }, }); ``` ### Additional context Everything is in the pdf or text.
GiteaMirror added the lockedenhancement labels 2026-04-15 17:56:26 -05:00
GiteaMirror commented 2026-04-15 17:56:28 -05:00
Author
Owner
Copy Link

@better-auth-agent[bot] commented on GitHub (Nov 30, 2025):

Hi Ipule,

Thank you for your detailed feedback. Our current design treats password resets strictly as a recovery mechanism, which means even when a user successfully completes a password reset, the emailVerified flag isn’t updated automatically. This behavior is intentional to ensure that users complete the explicit email verification step, as outlined in our email verification documentation [3]. We understand your point that this creates a semantic inconsistency between the field’s name and its behavior, and we agree that auto-updating the flag—or offering better customization over this process—could improve both clarity and user experience.

As a next step, you might consider using a custom callback (afterPasswordReset or a similar middleware hook) to update the emailVerified field as soon as you detect a successful reset. This workaround should provide a smoother flow until we can evaluate and potentially adjust the framework’s core behavior.

Tag @better-auth-agent if you would like an answer from the Agent.

Do you have additional details on how you’d like the process to work, or any further suggestions on improving this flow?

DiagramDiscordGitHub

Diagram Join Star

<!-- gh-comment-id:3592132764 --> @better-auth-agent[bot] commented on GitHub (Nov 30, 2025): Hi Ipule, Thank you for your detailed feedback. Our current design treats password resets strictly as a recovery mechanism, which means even when a user successfully completes a password reset, the emailVerified flag isn’t updated automatically. This behavior is intentional to ensure that users complete the explicit email verification step, as outlined in our email verification documentation [[3]](https://www.better-auth.com/docs/concepts/email). We understand your point that this creates a semantic inconsistency between the field’s name and its behavior, and we agree that auto-updating the flag—or offering better customization over this process—could improve both clarity and user experience. As a next step, you might consider using a custom callback (afterPasswordReset or a similar middleware hook) to update the emailVerified field as soon as you detect a successful reset. This workaround should provide a smoother flow until we can evaluate and potentially adjust the framework’s core behavior. Tag @better-auth-agent if you would like an answer from the Agent. Do you have additional details on how you’d like the process to work, or any further suggestions on improving this flow? <!-- bot:webhook reply v1 --> [Diagram](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) • [Discord](https://discord.gg/better-auth) • [GitHub](https://github.com/better-auth/better-auth) [![Diagram](https://img.shields.io/badge/Diagram-2b3137?style=flat-square)](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) [![Join](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&style=flat-square)](https://discord.gg/better-auth) [![Star](https://img.shields.io/badge/star-181717?logo=github&logoColor=white&style=flat-square)](https://github.com/better-auth/better-auth)
GiteaMirror commented 2026-04-15 17:56:28 -05:00
Author
Owner
Copy Link

@ipipi2024 commented on GitHub (Nov 30, 2025):

emailVerified has a clear, literal meaning: the user’s email has been verified. If Better Auth provides this field, it must reflect that meaning. A password reset via email proves email ownership, so emailVerified should update accordingly—or the field should be renamed or removed to avoid semantic inconsistency.

<!-- gh-comment-id:3592133314 --> @ipipi2024 commented on GitHub (Nov 30, 2025): emailVerified has a clear, literal meaning: the user’s email has been verified. If Better Auth provides this field, it must reflect that meaning. A password reset via email proves email ownership, so emailVerified should update accordingly—or the field should be renamed or removed to avoid semantic inconsistency.
GiteaMirror commented 2026-04-15 17:56:28 -05:00
Author
Owner
Copy Link

@dosubot[bot] commented on GitHub (Mar 1, 2026):

Hi, @ipipi2024. I'm Dosu, and I'm helping the better-auth team manage their backlog and am marking this issue as stale.

Issue Summary:

  • You raised a concern that the emailVerified field does not update to true after a password reset via email link, causing semantic inconsistency.
  • The team explained this is intentional to keep email verification as an explicit step separate from password resets.
  • You pointed out that this behavior can lead to confusion and suggested either updating the field to reflect actual email ownership or renaming/removing it.
  • The discussion highlights a tension between framework design choices and clear, intuitive data representation.
  • No resolution has been reached yet, and the issue remains open.

Next Steps:

  • Please let me know if this issue is still relevant with the latest version of better-auth by commenting here.
  • If I don’t hear back within 7 days, I will automatically close this issue.

Thank you for your understanding and contribution!

<!-- gh-comment-id:3980374617 --> @dosubot[bot] commented on GitHub (Mar 1, 2026): Hi, @ipipi2024. I'm [Dosu](https://dosu.dev), and I'm helping the better-auth team manage their backlog and am marking this issue as stale. **Issue Summary:** - You raised a concern that the `emailVerified` field does not update to true after a password reset via email link, causing semantic inconsistency. - The team explained this is intentional to keep email verification as an explicit step separate from password resets. - You pointed out that this behavior can lead to confusion and suggested either updating the field to reflect actual email ownership or renaming/removing it. - The discussion highlights a tension between framework design choices and clear, intuitive data representation. - No resolution has been reached yet, and the issue remains open. **Next Steps:** - Please let me know if this issue is still relevant with the latest version of better-auth by commenting here. - If I don’t hear back within 7 days, I will automatically close this issue. Thank you for your understanding and contribution!
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
adapter
astro
awaiting external contributor
blocked
breaking
breaking change
bug
c-devops
core
credentials
database
dependencies
devops
devtools
docs
documentation
duplicate
elysia
enhancement
enterprise
expo
express
fastify
good first issue
help wanted
hono
identity
infra
integration
invalid
javascript
locked
maintenance
need-more-information
needs: info
needs: repro
nextjs
nuxt
oauth
organization
P0
payments
perf
platform
plugin
pull-request
Mirrored from GitHub Pull Request
 question
ready
regression
remix
security
social-provider
solid
stale
svelte
tanstack-start
tracking
version-bump
vue
wontfix
No Label enhancement locked
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/better-auth#19140
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?