[GH-ISSUE #6831] Phone Number Password Reset Doesn't Create Credential Account for Phone-Verified Users #19276

Closed
opened 2026-04-15 18:09:21 -05:00 by GiteaMirror · 4 comments

Originally created by @Philip-Nunoo on GitHub (Dec 17, 2025).
Original GitHub issue: https://github.com/better-auth/better-auth/issues/6831

### Is this suited for github?

- [x] Yes, this is suited for github

### To Reproduce

Create a user via phone number verification using signUpOnVerification option:

```js
export const auth = betterAuth({
  plugins: [
    phoneNumber({
      sendOTP: ({ phoneNumber, code }, ctx) => {
        // Send OTP via SMS
      },
      signUpOnVerification: {
        getTempEmail: (phoneNumber) => {
          return `${phoneNumber}@my-site.com`
        }
      }
    })
  ]
})
```

User signs up via phone verification:

```js
// Send OTP
await authClient.phoneNumber.sendOtp({
  phoneNumber: "+233206242008"
});

// Verify (creates user account)
await authClient.phoneNumber.verify({
  phoneNumber: "+233206242008",
  code: "123456"
});
```

User attempts password reset:

```js
await authClient.phoneNumber.requestPasswordReset({
  phoneNumber: "+233206242008"
});
await authClient.phoneNumber.resetPassword({
  otp: "123456",
  phoneNumber: "+233206242008",
  newPassword: "new-secure-password"
});
```

User tries to sign in with phone + password:

```js
await authClient.signIn.phoneNumber({
  phoneNumber: "+233206242008",
  password: "new-secure-password"
});
```

### Current vs. Expected behavior

*Current:* After password reset, attempting to sign in with signIn.phoneNumber returns:

`[Better Auth]: Credential account not found { phoneNumber: '+233206242008' }`

*Expected:* Password reset should create the necessary credential account, allowing the user to sign in with phone number + password combination.

### What version of Better Auth are you using?

1.4.7

### System info

```bash
macos
```

### Which area(s) are affected? (Select all that apply)

Backend, Package

### Auth config (if applicable)

```typescript
export const auth = betterAuth({
  plugins: [
    phoneNumber({
      sendOTP: ({ phoneNumber, code }, ctx) => {
        // Implement sending OTP code via SMS
      },
      signUpOnVerification: {
        getTempEmail: (phoneNumber) => {
          return `${phoneNumber}@my-site.com`
        }
      }
    })
  ]
})
```

### Additional context

This appears similar to issue #1010 which was for email OTP with social accounts. The password reset flow successfully sets a password but doesn't create the corresponding credential account entry needed for signIn.phoneNumber to work.

The user can still sign in using the OTP flow (sendOtp → verify), but cannot use the credential-based sign-in despite having reset their password.

GiteaMirror added the locked and bug labels 2026-04-15 18:09:21 -05:00

@better-auth-agent[bot] commented on GitHub (Dec 17, 2025):

Thanks for opening this issue! It looks like when using the phone number sign-up with verification and then performing a password reset, the flow isn’t automatically creating the corresponding phone credential account. This is why, although the password is reset, the signIn.phoneNumber call can’t find the necessary credential item.

One possible next step is to verify that the password reset route also triggers the creation of the phone-based credential account. In similar cases with OTP flows for social accounts, a manual linking step was needed after resetting the password [[1]](https://github.com/better-auth/better-auth/issues/1183). You might consider handling this by checking if the credential exists after resetting the password and, if not, programmatically creating it before proceeding with signIn.phoneNumber.

Could you confirm if your implementation of the password reset is also updating the user’s credentials in your database? Also, have you tried any workarounds to manually trigger credential account creation after a password reset?

tag @better-auth-agent if you would like an answer from the Agent

If you need more help, tag @better-auth-agent in a comment so I can respond.


@dosubot[bot] commented on GitHub (Dec 17, 2025):

Hi @Philip-Nunoo! I'm Dosu and I’m helping the better-auth team.

This is a known limitation in Better Auth v1.4.7: when a user signs up via phone number verification (using signUpOnVerification), the password reset flow does not create a credential account (providerId: "credential") if one doesn't already exist. As a result, signIn.phoneNumber fails with "Credential account not found" even after a successful password reset. The password reset only updates the password if a credential account is already present, but does not create one for phone-verified users who never set a password during sign-up. This is different from the email flow, which does create the credential account if missing during password reset ([source](https://github.com/better-auth/better-auth/blob/1010192e4a7106bfccca02c5fda312adc5ac0593/packages/better-auth/src/plugins/phone-number/routes.ts#L136-L848)).

A fix is proposed in [PR #6426](https://github.com/better-auth/better-auth/pull/6426), which adds logic to the phone number plugin to create or update the credential account during password reset, matching the email flow. Until this is released, you can work around the issue by prompting users to set a password immediately after OTP verification (while their session is active) using the `/set-password` endpoint—this will create the credential account if missing. Alternatively, you can manually create a credential account for the user after phone verification or password reset ([discussion](https://github.com/better-auth/better-auth/discussions/6096#discussioncomment-15015333)).

The current design separates OTP-based sign-in (sendOtp → verify) and credential-based sign-in (phone + password). Users created via OTP verification are expected to use the OTP flow unless a password is explicitly set and a credential account is created.

To reply, just mention @dosu.
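
A minimal model of the behaviour described in the comment above, added here as an illustration and not taken from Better Auth or from anyone in the thread: an update-only reset reports success for an OTP-only user while storing nothing, whereas a create-or-update reset leaves a usable credential row. The in-memory store, the function names and every field other than `providerId: "credential"` are assumptions, and `placeholderHash` stands in for a real password hash.

```javascript
// Constructed model of the user/account tables; field names other than
// providerId "credential" are assumptions, not Better Auth's schema.
const PHONE = "+233206242008";
const makeStore = () => ({
  users: [{ id: "u1", phoneNumber: PHONE }],
  accounts: [], // OTP sign-up created the user but no credential row
});
// Placeholder only: a real system stores a salted KDF hash and verifies it.
const placeholderHash = (pw) => `hash(${pw})`;
const findUser = (store, phone) => store.users.find((u) => u.phoneNumber === phone);
const findCredential = (store, userId) =>
  store.accounts.find((a) => a.userId === userId && a.providerId === "credential");

// Behaviour described in the thread: only an existing credential row is updated.
function resetUpdateOnly(store, phone, newPassword) {
  const user = findUser(store, phone);
  if (!user) return { status: false };
  const account = findCredential(store, user.id);
  if (account) account.password = placeholderHash(newPassword);
  return { status: true }; // modelled: success is reported even if nothing was stored
}

// Create-or-update: the reset guarantees a credential row exists afterwards.
function resetUpsert(store, phone, newPassword) {
  const user = findUser(store, phone);
  if (!user) return { status: false };
  const password = placeholderHash(newPassword);
  const account = findCredential(store, user.id);
  if (account) account.password = password;
  else store.accounts.push({ userId: user.id, providerId: "credential", password });
  return { status: true };
}

function signInWithPassword(store, phone, password) {
  const user = findUser(store, phone);
  const account = user && findCredential(store, user.id);
  if (!account) return { ok: false, error: "Credential account not found" };
  const ok = account.password === placeholderHash(password);
  return ok ? { ok } : { ok, error: "Invalid password" };
}

// Run reset then sign-in on a fresh OTP-only user and report what was stored.
function runFlow(resetFn) {
  const store = makeStore();
  const reset = resetFn(store, PHONE, "new-secure-password");
  const signIn = signInWithPassword(store, PHONE, "new-secure-password");
  return { reset, signIn, credentialRows: store.accounts.length };
}
console.log(runFlow(resetUpdateOnly), runFlow(resetUpsert));
```

The `credentialRows` count after a reset is the invariant worth asserting in an integration test for this flow.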



@jslno commented on GitHub (Dec 18, 2025):

Looking into it 👀


@github-actions[bot] commented on GitHub (Apr 1, 2026):

This issue has been locked as it was closed more than 7 days ago. If you're experiencing a similar problem or you have additional context, please open a new issue and reference this one.

Reference: github-starred/better-auth#19276