Organization set-active endpoint is missing session context #1943

Open
opened 2026-03-13 09:14:04 -05:00 by GiteaMirror · 7 comments

Originally created by @JE4GLE on GitHub (Sep 16, 2025).

Is this suited for github?

  • Yes, this is suited for github

To Reproduce

  1. Use the auth config from below.
  2. Call setActive from the organization plugin

Current vs. Expected behavior

I expect to find the current userId somewhere in the request data. However, it is nowhere to be found. I expect it to be in `ctx.context?.session`, but it is null.

What version of Better Auth are you using?

1.3.11

System info

There is no output, when executing the command.

I'm using better-auth v1.3.11 with Svelte 5.

Which area(s) are affected? (Select all that apply)

Package

Auth config (if applicable)

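```typescript
import { betterAuth } from "better-auth";
import { createAuthMiddleware } from "better-auth/api";

export const auth = betterAuth({
  hooks: {
    // Runs after every endpoint; only the set-active route is inspected here.
    after: createAuthMiddleware(async (ctx) => {
      if (ctx.path === '/organization/set-active') {
        // Reported to log null on v1.3.11, which is what this issue is about.
        console.log(ctx.context?.session);
      }
    }),
  },
});
```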

Additional context

Use Case:
I want to persist the last active organization in the database. Therefore, I need the userId setting the organization active. I wasn't able to find it in the request context.

GiteaMirror added the stale, plugin labels 2026-03-13 09:14:04 -05:00

@dosubot[bot] commented on GitHub (Sep 16, 2025):

Hi @JE4GLE! I'm Dosu and I’m helping the better-auth team.

This is a known issue in Better Auth v1.3.11: the session context (including userId) can be missing in plugin endpoints like `/organization/set-active` because session extraction is not enforced by default for these routes. The plugin architecture is modular and session enforcement is opt-in, so unless middleware explicitly adds the session to the context, hooks may see `ctx.context.session` as null. This was fixed in newer versions, where session data from cookies is always added to the context, ensuring hooks receive the correct session info ([source](https://github.com/better-auth/better-auth/pull/3578)).

For your version, you can try a workaround: in your middleware hook, assign `ctx.context.newSession` to `ctx.context.session` before accessing the session ([source](https://github.com/better-auth/better-auth/issues/3353)). If you need to enrich the session with organization info, use a `session.create.before` hook in your config to add properties like `activeOrganizationId` ([source](https://github.com/better-auth/better-auth/issues/3233)).

Upgrading to a newer version will resolve this issue and ensure session context is always available in hooks.


@JE4GLE commented on GitHub (Sep 16, 2025):

@dosu Well, there is no newer version and I don't know how assigning ctx.context.session, which is null btw, to ctx.context.newSession would fix that issue.

@dosubot[bot] commented on GitHub (Sep 16, 2025):

You're right—assigning `ctx.context.session = ctx.context.newSession` only works if `newSession` is already populated with valid session data. If both are null, this assignment does nothing and won't fix the missing session context issue. In Better Auth v1.3.11, plugin endpoints like `/organization/set-active` don't enforce session extraction by default, so `ctx.context.session` can be null unless you manually extract the session in your middleware or route handler. There isn't a built-in way in this version to force session extraction for plugin endpoints, so if you need the userId, you may need to manually call `getSession(ctx)` with a properly constructed context, or pass the userId from the client if possible. This limitation is a known issue in v1.3.11 and earlier versions ([reference](https://github.com/better-auth/better-auth/issues/3353)).


@JE4GLE commented on GitHub (Sep 16, 2025):

@dosu Okay so you agree that this bug is still relevant and needs to be fixed, as persisting the active organization in the database is a relevant use case

@dosubot[bot] commented on GitHub (Sep 16, 2025):

Yes, I agree—the bug with missing session context in plugin endpoints like `/organization/set-active` is still present and unresolved in Better Auth v1.3.11. This directly impacts use cases like persisting the active organization in the database, since you need the userId from the session context and it's not reliably available in these endpoints ([reference](https://github.com/better-auth/better-auth/issues/3695)).

The technical root cause is that session extraction isn't enforced by default for plugin endpoints; middleware like `orgSessionMiddleware` is supposed to populate `ctx.context.session`, but in practice, it can still be null due to middleware execution order or missing session tokens ([reference](https://github.com/better-auth/better-auth/blob/4df178463eeeced7972c9a59f902b4bbf55db30b/packages/better-auth/src/plugins/organization/routes/crud-org.ts)). There’s no built-in fix in v1.3.11, and recent updates haven’t addressed this specific issue.

The only reliable workaround is to manually call `getSessionFromCtx(ctx)` in your custom middleware or endpoint logic to ensure session context is available before you access it ([reference](https://github.com/better-auth/better-auth/blob/4df178463eeeced7972c9a59f902b4bbf55db30b/packages/better-auth/src/api/routes/session.ts)). This isn’t documented for plugin endpoints, but it’s the best option until a future release fixes the bug.

Persisting the active organization is a common and important requirement, and this bug definitely needs to be fixed to support it properly.


@JE4GLE commented on GitHub (Sep 16, 2025):

@dosu The workaround works, thank you. I'm still thinking that the session field in ctx.context should be populated correctly

@dosubot[bot] commented on GitHub (Sep 16, 2025):

Glad the workaround helps! You're absolutely right—session context (like `ctx.context.session`) should be reliably populated in plugin endpoints, especially for use cases like persisting the active organization. This is a common expectation in authentication frameworks, but in Better Auth v1.3.11, session extraction isn't enforced by default for plugin endpoints, so the session field can be null unless you manually handle it in middleware or route logic ([reference](https://github.com/better-auth/better-auth/issues/3452)).

Recent updates have improved session enforcement for some endpoints (like `/organization/list`), but there's no fix or planned fix for this bug in `/organization/set-active` as of now ([reference](https://github.com/better-auth/better-auth/pull/4563)). For now, keep using the manual session extraction workaround, and keep an eye on future releases for a more robust solution.

Reference: github-starred/better-auth#1943
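
The workaround confirmed in the thread (resolve the session explicitly inside the hook when `ctx.context.session` is null), as an added example that is not code from the thread or from Better Auth. It runs without the library, so `HookCtx`, `lookupSession` (standing in for `getSessionFromCtx`), `persistActiveOrg`, the `session_token` cookie name and the sample data are assumptions; the userId is taken from the resolved session, never from the request body.

```typescript
// Added example: self-contained model of the workaround; it does not import better-auth.
// HookCtx, lookupSession and persistActiveOrg are hypothetical stand-ins.
type Session = { userId: string; expiresAt: number };
type HookCtx = {
  path: string;
  headers: Record<string, string>;
  body: { organizationId?: string; userId?: string };
  context: { session: Session | null };
};

// Constructed sample data: server-side session table keyed by cookie token.
const sessions = new Map<string, Session>([
  ["tok-alice", { userId: "alice", expiresAt: Date.now() + 60000 }],
  ["tok-old", { userId: "bob", expiresAt: Date.now() - 1 }],
]);
// Last active organization per user (stands in for the database table).
const lastActiveOrg = new Map<string, string>();

// Stand-in for getSessionFromCtx(ctx): resolve the session from the request cookie.
function lookupSession(ctx: HookCtx): Session | null {
  const cookie = ctx.headers["cookie"] ?? "";
  const match = /(?:^|;\s*)session_token=([^;]+)/.exec(cookie);
  const session = match ? sessions.get(match[1]) ?? null : null;
  // Expired or unknown tokens resolve to no session at all.
  return session && session.expiresAt > Date.now() ? session : null;
}

// After-hook: persist the active organization for the authenticated user only.
// Returns the userId that was written, or null when nothing was persisted.
function persistActiveOrg(ctx: HookCtx): string | null {
  if (ctx.path !== "/organization/set-active") return null;
  // ctx.context.session may be null here (the reported bug), so resolve it explicitly.
  const session = ctx.context.session ?? lookupSession(ctx);
  if (!session || !ctx.body.organizationId) return null; // unauthenticated: write nothing
  // body.userId is deliberately ignored: identity comes from the session alone.
  lastActiveOrg.set(session.userId, ctx.body.organizationId);
  return session.userId;
}

// Builds a set-active request whose ctx.context.session is null, as in the issue.
function request(cookie: string, body: HookCtx["body"]): HookCtx {
  return { path: "/organization/set-active", headers: { cookie }, body, context: { session: null } };
}
```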