state mismatch in apple sign in #2101

Closed
opened 2026-03-13 09:27:15 -05:00 by GiteaMirror · 12 comments
Owner

Originally created by @FellipeMasc on GitHub (Oct 10, 2025).

Is this suited for github?

  • Yes, this is suited for github

To Reproduce

Front - Mobile
export const authClient = createAuthClient({
  baseURL: Constants.expoConfig?.extra?.NEXT_PUBLIC_APP_URL,
  plugins: [
    expoClient({
      scheme: "name",
      storagePrefix: "name",
      storage: SecureStore,
    }),
  ],
});

To reproduce, basically call this function in the sign-in form:
const result = await authClient.signIn.social({
  provider: "apple",
  callbackURL: "/(tabs)",
});
And for Google:
await authClient.signIn.social({
  provider: "google",
  callbackURL: "/(tabs)",
});

Current vs. Expected behavior

When I sign in with the Google provider it works, but when I sign in with the Apple provider it gets this error message:

Image

backend logs with google signin
=== AUTH REQUEST (GET) ===
Path: /api/auth/expo-authorization-proxy
Query params: {
authorizationURL: 'https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=<client_id>&state=<state>&scope=email+profile+openid&redirect_uri=<redirect_uri>&code_challenge_method=S256&code_challenge=<code_challenge>&include_granted_scopes=true'
}
Origin header: null
Referer header: null
Response status: 302
Response location: https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=<client_id>&state=<state>&scope=email+profile+openid&redirect_uri=<redirect_uri>&prompt=select_account&code_challenge_method=S256&code_challenge=<code_challenge>&include_granted_scopes=true
GET 302 746B 296 ms Safari 18 https://<base_url>/api/auth/callback/google
=== AUTH REQUEST (GET) ===
Path: /api/auth/callback/google
Query params: {
state: 'state',
code: 'code',
scope: 'email profile openid https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email',
authuser: '0',
}
Origin header: null
Referer header: https://accounts.google.com/
Provider: google
Code presente: true
=== AUTH REQUEST (GET) ===
Path: /api/auth/callback/google
Query params: {
state: 'state',
code: 'code',
scope: 'email profile openid https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email',
authuser: '0',
}
Origin header: null
Referer header: https://accounts.google.com/
Provider: google
Code presente: true

backend logs with apple signin

=== AUTH REQUEST (GET) ===
Path: /api/auth/expo-authorization-proxy
Query params: {
authorizationURL: 'https://appleid.apple.com/auth/authorize?response_type=code+id_token&client_id=<client_id>&state=<state>&scope=email+name&redirect_uri=<redirect_uri>'
}
Origin header: null
Referer header: null
Response status: 302
Response location: https://appleid.apple.com/auth/authorize?response_type=code+id_token&client_id=<client_id>&state=<state>&scope=email+name&redirect_uri=<redirect_uri>
POST 302 316 B 39 ms Safari 18 https://<base_url>/api/auth/callback/apple
=== AUTH REQUEST (POST) ===
Path: /api/auth/callback/apple
Origin header: https://appleid.apple.com
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 18_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.6 Mobile/15E148 Safari/604.1
Response status: 302
GET 200 2,68 KB 9 ms Safari 18 https://<base_url>/api/auth/error?error=state_mismatch
=== AUTH REQUEST (GET) ===
Path: /api/auth/error
Query params: { error: 'state_mismatch' }

What version of Better Auth are you using?

1.3.27

System info

{
  "system": {
    "platform": "win32",
    "arch": "x64",
    "version": "Windows 11 Home Single Language",
    "release": "10.0.26100",
    "cpuCount": 12,
    "cpuModel": "Intel(R) Core(TM) i7-10750H CPU @ 2.60GHz",
    "totalMemory": "15.84 GB",
    "freeMemory": "2.13 GB"
  },
  "node": {
    "version": "v22.14.0",
    "env": "development"
  },
  "packageManager": {
    "name": "npm",
    "version": "10.9.2"
  },
  "frameworks": [
    {
      "name": "next",
      "version": "15.2.3"
    },
    {
      "name": "react",
      "version": "^19.0.0"
    }
  ],
  "databases": [
    {
      "name": "@prisma/client",
      "version": "^6.6.0"
    }
  ],
  "betterAuth": {
    "version": "^1.3.27",
  }
}

Which area(s) are affected? (Select all that apply)

Client, Backend

Auth config (if applicable)

export const auth = betterAuth({
  baseURL: ...
  basePath: "/api/auth",
  secret: ...
  cookies: {
    secret: ... ,
  },
  database: prismaAdapter(prisma, {
    provider: "postgresql",
  }),
  cors: {
    origin: [...],
    credentials: true,
  },
  trustedOrigins: ["myapp://", "exp://", "https://appleid.apple.com"],
  plugins: [nextCookies(), expo()],
  socialProviders: {
    google: {
      enabled: true,
      prompt: "select_account",
      clientId: process.env.GOOGLE_CLIENT_ID as string,
      clientSecret: process.env.GOOGLE_CLIENT_SECRET as string,
      redirectUri: `${process.env.BETTER_AUTH_URL}/api/auth/callback/google`,
    },
    apple: {
      enabled: true,
      clientId: process.env.APPLE_CLIENT_ID as string,
      clientSecret: process.env.APPLE_CLIENT_SECRET as string,
      redirectUri: `${process.env.BETTER_AUTH_URL}/api/auth/callback/apple`,
    },
  },
});

Additional context

No response

GiteaMirror added the social-provider and expo labels 2026-03-13 09:27:15 -05:00

@dosubot[bot] commented on GitHub (Oct 10, 2025):

Hi @FellipeMasc! I'm Dosu and I’m helping the better-auth team.

The "state_mismatch" error with Apple sign-in in Better Auth (when Google works) is almost always due to how the OAuth state is stored and validated, especially in mobile/Expo flows. Apple uses a POST callback, which can break state/cookie/session propagation if your client or backend isn't handling it exactly as expected. This is a common issue in Expo/mobile because cookies and session storage behave differently than on web, and the @better-auth/expo plugin has to work around this by propagating session cookies via URL query parameters during OAuth redirects for trusted origins like exp:// and myapp://.

Here’s what you should check and try:

  • Make sure you are using the latest versions of both better-auth and @better-auth/expo, as recent updates improved state/cookie handling for mobile flows.
  • Do not set callbackURL to the API callback endpoint (like /api/auth/callback/apple) in signIn.social; use a user-facing route or omit it. The Apple OAuth app’s redirect URI should still point to the API callback endpoint. Setting callbackURL to the API endpoint can cause state mismatch errors [source: https://github.com/better-auth/better-auth/issues/4998].
  • After calling authClient.signIn.social, immediately call await authClient.getSession() to force a session refresh. This is a known workaround for session not being available right after OAuth on mobile and helps avoid state_mismatch errors [source: https://github.com/better-auth/better-auth/issues/5034].
  • Double-check that your trustedOrigins includes all relevant schemes (myapp://, exp://, https://appleid.apple.com) and that your redirect URIs are public HTTPS URLs (not localhost) if testing on a real device.
  • If you have custom middleware or route handling, make sure cookies from the initial response are sent with the callback request. Any break in cookie/session propagation will cause a state mismatch [source: https://github.com/better-auth/better-auth/issues/4969].

If you’re already following these patterns and still see the error, focus on how your Expo client handles the OAuth callback and session cookie after redirect. You may need to manually parse the cookie from the redirect URL and set it for your API requests to maintain session continuity in some edge cases [source: https://github.com/better-auth/better-auth/issues/5034].

Let me know if you need a code example for your Expo client setup.


@jjjrmy commented on GitHub (Oct 13, 2025):

downgrading to 1.3.11 resolved the issue for me


@jjjrmy commented on GitHub (Oct 13, 2025):

just tested on latest version and getting this error


@AlejandroCastro17 commented on GitHub (Oct 14, 2025):

> downgrading to 1.3.11 resolved the issue for me

doesn't work for me


@AlejandroCastro17 commented on GitHub (Oct 17, 2025):

export const auth = betterAuth({
  advanced: {
    cookies: {
      state: {
        attributes: {
          sameSite: "none",
          secure: true,
        }
      }
    }
  }
});

is a temporary fix..


@MrPancakes39 commented on GitHub (Oct 21, 2025):

@AlejandroCastro17 #5243 solves it


@bandhan-majumder commented on GitHub (Oct 30, 2025):

https://github.com/better-auth/better-auth/issues/5243#issuecomment-3467041275 might help


@better-auth-agent[bot] commented on GitHub (Oct 30, 2025):

Based on similar reports and known behavior with Apple’s POST-based OAuth callback, please try the following troubleshooting steps:

  1. Verify that your Apple configuration (including the redirect URI in your Apple developer console) exactly matches the value used in your Better Auth setup. A mismatch here can cause the state value to be lost or misinterpreted.

  2. Since Apple’s callback uses a POST request while Google uses GET, ensure that your cookie settings (which store the state value) work correctly with POST requests. In many cases the solution is to set the default cookie attributes (for example, SameSite=None and secure=true) so that the state cookie is preserved on Apple’s POST callback [1: https://github.com/better-auth/better-auth/issues/5227], [2: https://github.com/better-auth/better-auth/issues/4070].

  3. Check that your secret used for signing cookies is properly configured on both client and server sides. A misconfigured secret could cause the state value in the cookie to not match the one in the OAuth request.

  4. Enable additional logging or debugging in your Better Auth setup to inspect whether the state cookie is present at the time of Apple’s callback. This will help determine if the cookie is being dropped or altered during the POST request.

  5. Follow the tip referenced in the GitHub comment (as mentioned in your query) to see if there is an update or suggested workaround that addresses this particular state-check flow for Apple sign-in.

Try these steps and let me know if additional troubleshooting is needed.
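
Added example, not part of any comment in this thread and not Better Auth's code: a model of why a SameSite=Lax state cookie survives Google's GET callback but not Apple's cross-site POST callback, and of the state check that then redirects to `/api/auth/error?error=state_mismatch`. The cookie name `oauth_state`, the request shape and the `STATE` value are constructed assumptions; it covers the browser cookie path only, not the Expo flow.

```javascript
// Added example. Cookie name, request shape and STATE are constructed for
// illustration; this is not Better Auth's implementation.
const STATE = "constructed-state-7f3a9c";

// Browser side: is a cookie with these attributes attached to this request?
function browserSendsCookie(cookie, request) {
  if (cookie.secure && !request.https) return false;
  if (!request.crossSite) return true; // same-site requests always carry it
  switch (cookie.sameSite) {
    case "none":
      // Browsers reject SameSite=None cookies that are not also Secure.
      return cookie.secure === true;
    case "lax":
      // Cross-site: only top-level navigations that use a safe method.
      return (
        request.topLevelNavigation &&
        (request.method === "GET" || request.method === "HEAD")
      );
    default:
      return false; // "strict": never sent on cross-site requests
  }
}

// Compare without returning early on the first differing character.
function constantTimeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string") return false;
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Server side: the state returned by the provider must equal the state the
// server stored in the cookie before redirecting to the provider.
function handleCallback(request, cookieJar) {
  const stateCookie = cookieJar.find(
    (c) => c.name === "oauth_state" && browserSendsCookie(c, request)
  );
  // A POST callback carries state in the form body, a GET in the query.
  const params = request.method === "POST" ? request.body : request.query;
  const returned = params && params.state;
  if (!stateCookie || !constantTimeEqual(stateCookie.value, returned)) {
    return { status: 302, location: "/api/auth/error?error=state_mismatch" };
  }
  return { status: 302, location: "/(tabs)" };
}

// Build the callback each provider produces and run it through the model.
function simulate(attributes, provider, returnedState = STATE) {
  const jar = [{ name: "oauth_state", value: STATE, ...attributes }];
  const base = { https: true, crossSite: true, topLevelNavigation: true };
  const request =
    provider === "apple"
      ? { ...base, method: "POST", body: { state: returnedState, code: "code" } }
      : { ...base, method: "GET", query: { state: returnedState, code: "code" } };
  return handleCallback(request, jar).location;
}

const lax = { sameSite: "lax", secure: true };
const none = { sameSite: "none", secure: true };

console.log("google, Lax        :", simulate(lax, "google"));
console.log("apple,  Lax        :", simulate(lax, "apple"));
console.log("apple,  None+Secure:", simulate(none, "apple"));
// Relaxing SameSite does not weaken the check: a state value that does not
// match the cookie is still rejected.
console.log("apple,  wrong state:", simulate(none, "apple", "some-other-state-value"));
```
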


@evikzub commented on GitHub (Nov 3, 2025):

Guys,

Please review and fix this issue for Expo
Setting sameSite: "none" and secure: true does not change anything.

I have tested it on versions 1.3.27 and 1.3.34. It works for the Web, but not for Expo.
The only version that allows me to run it on Expo is 1.3.18.
As you see, it is way behind your current build.

Simply run it on Expo, and you will see the issue with Google and Apple.
If it works on your end, could you update the documentation?


@better-auth-agent[bot] commented on GitHub (Nov 3, 2025):

(tag @better-auth-agent)


@jtomaszewski commented on GitHub (Nov 19, 2025):

The fix from #5748 seems to have been reverted (https://github.com/better-auth/better-auth/commit/956eb5b015417ae6cc1a7f78891ce9e81539c2f2), so it's probably not fixed yet?


@evikzub commented on GitHub (Nov 24, 2025):

I have tested it with the current 1.4.1

GOOGLE
First time sign-in fails with code: 'UND_ERR_CONNECT_TIMEOUT'

POST /api/auth/sign-in/social 200 in 96ms
GET /api/auth/get-session 200 in 190ms
GET /api/auth/get-session 200 in 92ms
GET /api/auth/expo-authorization-proxy?authorizationURL=...
2025-11-24T09:19:23.804Z ERROR [Better Auth]: [TypeError: fetch failed] {
[cause]: [Error [ConnectTimeoutError]: Connect Timeout Error (attempted address: oauth2.googleapis.com:443, timeout: 10000ms)] {
code: 'UND_ERR_CONNECT_TIMEOUT'
}
}
GET /api/auth/callback/google?state=n_TpStc5b9qp6UN9mWs9rYSJu6_e6BF1&code=4%2F0Ab32j91ZfPO1Fh-HYwn...&scope=email+profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+openid&authuser=0&prompt=consent 302 in 10703ms
GET /api/auth/error?error=invalid_code 200 in 59ms

I have to close the browser.
On the second attempt, it signed in

APPLE does not sign in with a few attempts

POST /api/auth/callback/apple 302 in 54ms
GET /api/auth/get-session 200 in 27ms
2025-11-24T10:24:25.749Z ERROR [Better Auth]: [TypeError: fetch failed] {
[cause]: [Error [ConnectTimeoutError]: Connect Timeout Error (attempted addresses: 17.32.194.37:443, timeout: 10000ms)] {
code: 'UND_ERR_CONNECT_TIMEOUT'
}
}
GET /api/auth/callback/apple?code=cec49be0c14...&state=Hc0EXj5Wu8r0j-S1aFhz_Uu44RBi-pcW 302 in 10792ms
GET /api/auth/error?error=invalid_code 200 in 70ms

Any idea on how to fix it or a workaround?

Reference: github-starred/better-auth#2101