[PR #6667] [CLOSED] feat(auth): add verifyPassword endpoint and documentation #23713

opened 2026-04-15 21:55:50 -05:00 by GiteaMirror · 0 comments
📋 Pull Request Information

Original PR: https://github.com/better-auth/better-auth/pull/6667
Author: @SaviruFr
Created: 12/10/2025
Status: Closed

Base: canary ← Head: feat/password


📝 Commits (10+)

  • 7a9a951 feat(auth): add verifyPassword endpoint
  • b1e2ec2 docs: add documentation for verifyPassword function
  • 70006ce Merge branch 'canary' into feat/password
  • acd731d chore(refactor): use existing validatePassword utility in verifyPassword endpoint
  • 81cf3de Merge branch 'canary' into feat/password
  • 8a2008f Merge branch 'canary' into feat/password
  • 5c7feb6 Merge branch 'canary' into feat/password
  • b816696 chore: migrate verifyPassword endpoint to new scope metadata
  • 32e09ae Merge branch 'canary' into feat/password
  • e8b4f7f Merge branch 'canary' into feat/password

📊 Changes

59 files changed (+1192 additions, -684 deletions)

📝 .cspell.jsonc (+3 -0)
📝 .github/workflows/e2e.yml (+1 -1)
➕ demo/nextjs/app/(auth)/reset-password/loading.tsx (+13 -0)
📝 demo/nextjs/package.json (+2 -3)
📝 demo/oidc-client/package.json (+2 -2)
📝 demo/stateless/package.json (+2 -2)
📝 docs/content/docs/concepts/users-accounts.mdx (+15 -0)
📝 docs/content/docs/plugins/api-key.mdx (+53 -0)
📝 docs/content/docs/plugins/organization.mdx (+1 -1)
📝 docs/content/docs/plugins/username.mdx (+1 -1)
📝 docs/package.json (+3 -3)
➕ e2e/smoke/test/types.spec.ts (+17 -0)
📝 packages/better-auth/package.json (+1 -1)
📝 packages/better-auth/src/adapters/mongodb-adapter/mongodb-adapter.ts (+1 -1)
📝 packages/better-auth/src/api/index.ts (+2 -0)
📝 packages/better-auth/src/api/routes/email-verification.ts (+36 -26)
📝 packages/better-auth/src/api/routes/index.ts (+1 -1)
📝 packages/better-auth/src/api/routes/password.test.ts (+75 -0)
📝 packages/better-auth/src/api/routes/password.ts (+65 -6)
📝 packages/better-auth/src/api/routes/sign-in.ts (+9 -7)

...and 39 more files

📄 Description

Adds a server-only verifyPassword endpoint for checking a user's current password. Fixes #6657.


Summary by cubic

Adds a server-only verifyPassword API endpoint to confirm a user's current password before sensitive actions. Updates docs with usage and guidance for OAuth-only accounts.

  • New Features
    • Added POST /verify-password endpoint (server-only) to auth.api.
    • Requires session headers; uses sensitiveSessionMiddleware.
    • Uses validatePassword to check the current password; returns { status: true } or BAD_REQUEST on invalid password.
    • Exported in API index; docs include usage example and an OAuth caveat.

Written for commit ceed1edcba. Summary will update automatically on new commits.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
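
The re-authentication check summarized above, sketched as an added example; it is not code from this PR or from better-auth. The scrypt `salt:key` storage format, the `accounts` map, the `UNAUTHORIZED` code for a missing session, and treating OAuth-only accounts (no stored password) as a failed check are all assumptions made for illustration.

```javascript
const { scryptSync, randomBytes, timingSafeEqual } = require("node:crypto");

// Hypothetical storage format "<salt hex>:<key hex>" (an assumption, not better-auth's).
function hashPassword(password) {
  const salt = randomBytes(16);
  return `${salt.toString("hex")}:${scryptSync(password, salt, 64).toString("hex")}`;
}

function checkHash(stored, candidate) {
  const [saltHex, keyHex] = stored.split(":");
  const expected = Buffer.from(keyHex, "hex");
  const actual = scryptSync(candidate, Buffer.from(saltHex, "hex"), expected.length);
  return timingSafeEqual(actual, expected); // constant-time comparison of derived keys
}

// Constructed sample data: one credential account and one OAuth-only account.
const accounts = new Map([
  ["user-1", { providerId: "credential", password: hashPassword("correct horse") }],
  ["user-2", { providerId: "github", password: null }],
]);
// Hash of a random value, used so accounts without a password cost the same work.
const DUMMY_HASH = hashPassword(randomBytes(16).toString("hex"));

// Server-side check: a session is mandatory and the user id is taken from the
// session only, never from the request body.
function verifyPassword({ session, body }) {
  if (!session || !session.userId) return { code: "UNAUTHORIZED" };
  const candidate = typeof body?.password === "string" ? body.password : "";
  const account = accounts.get(session.userId);
  const stored = account?.password ?? DUMMY_HASH;
  const ok = checkHash(stored, candidate) && Boolean(account?.password);
  return ok ? { status: true } : { code: "BAD_REQUEST" };
}
```
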

GiteaMirror added the pull-request label 2026-04-15 21:55:50 -05:00

Reference: github-starred/better-auth#23713