[PR #8863] fix: propagate sendVerificationEmail errors #25161

Open
opened 2026-04-15 22:44:44 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/better-auth/better-auth/pull/8863
Author: @ping-maxwell
Created: 3/31/2026
Status: 🔄 Open

Base: mainHead: fix/send-email-verification-swallows-ratelimit-errors


📝 Commits (1)

  • 3b14107 fix: propagate sendVerificationEmail errors on POST /send-verification-email

📊 Changes

2 files changed (+49 additions, -9 deletions)

View changed files

📝 packages/better-auth/src/api/routes/email-verification.test.ts (+40 -0)
📝 packages/better-auth/src/api/routes/email-verification.ts (+9 -9)

📄 Description

closes https://github.com/better-auth/better-auth/issues/8757

Problem

sendVerificationEmail was invoked via runInBackgroundOrAwait, which could defer work when advanced.backgroundTasks.handler is configured (so the handler could return 200 before the email callback finished) and, in the default path, caught and logged errors without rethrowing. User callbacks that throw APIError (e.g. 429 from a rate limiter) were therefore not reliably reflected in the HTTP response (better-auth/better-auth#8757).

Solution

Await sendVerificationEmail directly inside sendVerificationEmailFn so failures surface to the client with the correct status. Added a short comment clarifying that this does not weaken unauthenticated anti-enumeration behavior, since this path runs only after a real unverified user is determined. ### Testing

  • Added a regression test that throws APIError from sendVerificationEmail and asserts the thrown status/body.

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/better-auth/better-auth/pull/8863 **Author:** [@ping-maxwell](https://github.com/ping-maxwell) **Created:** 3/31/2026 **Status:** 🔄 Open **Base:** `main` ← **Head:** `fix/send-email-verification-swallows-ratelimit-errors` --- ### 📝 Commits (1) - [`3b14107`](https://github.com/better-auth/better-auth/commit/3b1410794b397278a975e41ae258f1daff0a07dc) fix: propagate `sendVerificationEmail` errors on POST `/send-verification-email` ### 📊 Changes **2 files changed** (+49 additions, -9 deletions) <details> <summary>View changed files</summary> 📝 `packages/better-auth/src/api/routes/email-verification.test.ts` (+40 -0) 📝 `packages/better-auth/src/api/routes/email-verification.ts` (+9 -9) </details> ### 📄 Description closes https://github.com/better-auth/better-auth/issues/8757 ### Problem `sendVerificationEmail` was invoked via `runInBackgroundOrAwait`, which could defer work when `advanced.backgroundTasks.handler` is configured (so the handler could return **200** before the email callback finished) and, in the default path, **caught and logged errors without rethrowing**. User callbacks that throw `APIError` (e.g. **429** from a rate limiter) were therefore not reliably reflected in the HTTP response ([better-auth/better-auth#8757](https://github.com/better-auth/better-auth/issues/8757)). ### Solution Await `sendVerificationEmail` directly inside `sendVerificationEmailFn` so failures surface to the client with the correct status. Added a short comment clarifying that this does not weaken unauthenticated anti-enumeration behavior, since this path runs only after a real unverified user is determined. ### Testing - Added a regression test that throws `APIError` from `sendVerificationEmail` and asserts the thrown status/body. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-04-15 22:44:44 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/better-auth#25161