github-starred/better-auth
2
0
Fork 0
mirror of https://github.com/better-auth/better-auth.git synced 2026-05-23 23:52:05 -05:00
Code Issues 2.5k Packages Projects Releases 112 Wiki Activity

[GH-ISSUE #4615] email_verified not updated after Social Login #27320

New Issue
Closed
opened 2026-04-17 18:15:43 -05:00 by GiteaMirror · 3 comments
GiteaMirror commented 2026-04-17 18:15:43 -05:00
Owner
Copy Link

Originally created by @thyngster on GitHub (Sep 12, 2025).
Original GitHub issue: https://github.com/better-auth/better-auth/issues/4615

Is this suited for github?

  • Yes, this is suited for github

To Reproduce

Ex:

Create an account using email/password with requireEmailVerification: true.

Do not verify the email, and then try to log in using a social provider (e.g., Google) with the same email.

In this case, the user is successfully logged in via the social provider, but user.email_verified remains false.

However, if the user signs up directly using a social login, the account is created with email_verified: true. So

Current vs. Expected behavior

I would expect that if a user logs in via social with an existing unverified email/password account, their email_verified field should be updated to true.

What version of Better Auth are you using?

1.3.9

System info

{
  "system": {
    "platform": "darwin",
    "arch": "arm64",
    "version": "Darwin Kernel Version 24.6.0: Mon Jul 14 11:30:34 PDT 2025; root:xnu-11417.140.69~1/RELEASE_ARM64_T8103",
    "release": "24.6.0",
    "cpuCount": 8,
    "cpuModel": "Apple M1",
    "totalMemory": "8.00 GB",
    "freeMemory": "0.17 GB"
  },
  "node": {
    "version": "v23.1.0",
    "env": "development"
  },
  "packageManager": {
    "name": "npm",
    "version": "10.9.0"
  },
  "frameworks": [
    {
      "name": "vue",
      "version": "^3.5.21"
    },
    {
      "name": "nuxt",
      "version": "^4.1.1"
    }
  ],
  "databases": [
    {
      "name": "pg",
      "version": "^8.16.3"
    },
    {
      "name": "drizzle",
      "version": "^0.44.5"
    }
  ],
  "betterAuth": {
    "version": "Unknown",
    "config": null
  }
}

Which area(s) are affected? (Select all that apply)

Backend

Auth config (if applicable)

import { betterAuth } from "better-auth"
export const auth = betterAuth({
 emailAndPassword: {
    enabled: true,
    autoSignIn: false,
    requireEmailVerification: true,
    minPasswordLength: 8,
    maxPasswordLength: 128,

  },
});

Additional context

No response

Originally created by @thyngster on GitHub (Sep 12, 2025). Original GitHub issue: https://github.com/better-auth/better-auth/issues/4615 ### Is this suited for github? - [ ] Yes, this is suited for github ### To Reproduce Ex: Create an account using email/password with `requireEmailVerification: true.` Do not verify the email, and then try to log in using a social provider (e.g., Google) with the same email. In this case, the user is successfully logged in via the social provider, but `user.email_verified` remains false. However, if the user signs up directly using a social login, the account is created with `email_verified: true`. So ### Current vs. Expected behavior I would expect that if a user logs in via social with an existing unverified email/password account, their `email_verified` field should be updated to true. ### What version of Better Auth are you using? 1.3.9 ### System info ```bash { "system": { "platform": "darwin", "arch": "arm64", "version": "Darwin Kernel Version 24.6.0: Mon Jul 14 11:30:34 PDT 2025; root:xnu-11417.140.69~1/RELEASE_ARM64_T8103", "release": "24.6.0", "cpuCount": 8, "cpuModel": "Apple M1", "totalMemory": "8.00 GB", "freeMemory": "0.17 GB" }, "node": { "version": "v23.1.0", "env": "development" }, "packageManager": { "name": "npm", "version": "10.9.0" }, "frameworks": [ { "name": "vue", "version": "^3.5.21" }, { "name": "nuxt", "version": "^4.1.1" } ], "databases": [ { "name": "pg", "version": "^8.16.3" }, { "name": "drizzle", "version": "^0.44.5" } ], "betterAuth": { "version": "Unknown", "config": null } } ``` ### Which area(s) are affected? (Select all that apply) Backend ### Auth config (if applicable) ```typescript import { betterAuth } from "better-auth" export const auth = betterAuth({ emailAndPassword: { enabled: true, autoSignIn: false, requireEmailVerification: true, minPasswordLength: 8, maxPasswordLength: 128, }, }); ``` ### Additional context _No response_
GiteaMirror added the locked label 2026-04-17 18:15:43 -05:00
GiteaMirror commented 2026-04-17 18:15:46 -05:00
Author
Owner
Copy Link

@dosubot[bot] commented on GitHub (Sep 12, 2025):

This is a known gap in Better Auth's current behavior: when a user with an unverified email/password account logs in via a social provider (like Google), the email_verified field is not automatically updated, even if the social provider confirms the email is verified. This is not handled by default in v1.3.9, and there is no built-in config option for this scenario. The code fetches the email_verified status from the OAuth provider during social login, but it does not update the existing user's field if the account already exists and was unverified before (source).

A recommended workaround is to use a database hook to update the user record after a successful social login. You can implement this using the databaseHooks configuration, as discussed in issue 2719. In your hook, check if the social provider marks the email as verified and update the user's email_verified field accordingly.

Let me know if you want a code example for this workaround!

To reply, just mention @dosu.

How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other  Chat with Dosu Join Discord Share on X

<!-- gh-comment-id:3286446480 --> @dosubot[bot] commented on GitHub (Sep 12, 2025): <!-- Answer --> This is a known gap in Better Auth's current behavior: when a user with an unverified email/password account logs in via a social provider (like Google), the email_verified field is not automatically updated, even if the social provider confirms the email is verified. This is not handled by default in v1.3.9, and there is no built-in config option for this scenario. The code fetches the email_verified status from the OAuth provider during social login, but it does not update the existing user's field if the account already exists and was unverified before ([source](https://github.com/better-auth/better-auth/blob/a5391f8909ee91beae65bac78697df2cf6810fc7/packages/better-auth/src/plugins/generic-oauth/index.ts)). A recommended workaround is to use a database hook to update the user record after a successful social login. You can implement this using the `databaseHooks` configuration, as discussed in [issue 2719](https://github.com/better-auth/better-auth/issues/2719). In your hook, check if the social provider marks the email as verified and update the user's email_verified field accordingly. Let me know if you want a code example for this workaround! <!-- Dosu Comment Footer --> *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/3e7344e4-35af-484a-93ce-10f5984a5116?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/3e7344e4-35af-484a-93ce-10f5984a5116?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/3e7344e4-35af-484a-93ce-10f5984a5116?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/3e7344e4-35af-484a-93ce-10f5984a5116?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/3e7344e4-35af-484a-93ce-10f5984a5116?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/3e7344e4-35af-484a-93ce-10f5984a5116?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/3e7344e4-35af-484a-93ce-10f5984a5116?feedback_type=other)</sup>&nbsp;&nbsp;[![Chat with Dosu](https://dosu.dev/dosu-chat-badge.svg)](https://app.dosu.dev/cdda13d9-dd27-4d31-b09a-5d8bec92de21/ask?utm_source=github)&nbsp;[![Join Discord](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&label=)](https://go.dosu.dev/discord-bot)&nbsp;[![Share on X](https://img.shields.io/badge/X-share-black)](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/better-auth/better-auth/issues/4615)
GiteaMirror commented 2026-04-17 18:15:46 -05:00
Author
Owner
Copy Link

@thyngster commented on GitHub (Sep 12, 2025):

I really think that user should reflect the current email verification, if a new registration from social provider marks the email as validated, any login from a social should update the user details for consistency

<!-- gh-comment-id:3286460430 --> @thyngster commented on GitHub (Sep 12, 2025): I really think that user should reflect the current email verification, if a new registration from social provider marks the email as validated, any login from a social should update the user details for consistency
GiteaMirror commented 2026-04-17 18:15:47 -05:00
Author
Owner
Copy Link

@junwen-k commented on GitHub (Dec 20, 2025):

@himself65 Hi there!

I noticed that the logic implemented here for the login flow doesn't seem to be applied when using authClient.linkSocial().

Successful linkSocial() calls does not update my email_verified field, however logging in does worked as expected.

Was this distinction intentional, or should the same handling be extended to the account linking process as well?

https://github.com/better-auth/better-auth/blob/canary/packages/better-auth/src/api/routes/account.ts#L103

Thanks for the help!

<!-- gh-comment-id:3677519618 --> @junwen-k commented on GitHub (Dec 20, 2025): @himself65 Hi there! I noticed that the logic implemented here for the login flow doesn't seem to be applied when using `authClient.linkSocial()`. Successful `linkSocial()` calls does not update my `email_verified ` field, however logging in does worked as expected. Was this distinction intentional, or should the same handling be extended to the account linking process as well? https://github.com/better-auth/better-auth/blob/canary/packages/better-auth/src/api/routes/account.ts#L103 Thanks for the help!
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
adapter
astro
awaiting external contributor
blocked
breaking
breaking change
bug
c-devops
core
credentials
database
dependencies
devops
devtools
docs
documentation
duplicate
elysia
enhancement
enterprise
expo
express
fastify
good first issue
help wanted
hono
identity
infra
integration
invalid
javascript
locked
maintenance
need-more-information
needs: info
needs: repro
nextjs
nuxt
oauth
organization
P0
payments
perf
platform
plugin
pull-request
Mirrored from GitHub Pull Request
 question
ready
regression
remix
security
social-provider
solid
stale
svelte
tanstack-start
tracking
version-bump
vue
wontfix
No Label locked
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/better-auth#27320
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?