[GH-ISSUE #5727] Make 'Last Login Method' GDPR compliant #27659

Open
opened 2026-04-17 18:47:39 -05:00 by GiteaMirror · 7 comments

Originally created by @JE4GLE on GitHub (Nov 2, 2025).
Original GitHub issue: https://github.com/better-auth/better-auth/issues/5727

Originally assigned to: @ping-maxwell on GitHub.

Currently, the cookie set by the Last Login Method plugin (https://www.better-auth.com/docs/plugins/last-login-method) is set by default. As it is a non-essential cookie, setting it without user consent is against the GDPR rules.

You can disable setting the cookie for everyone by setting maxAge: 0. This makes the plugin useless.

The solution I'd like

I'd like a configurable function that lets me return a boolean indicating whether the cookie should be set. In this function, I can check the user's consent, i.e. whether the user allows functional cookies.

Alternatives I've considered

Do not use the plugin or risk fines (https://www.enforcementtracker.com).

Additional context

GDPR rules: https://gdpr.eu/cookies/#:~:text=To%20comply%20with,strictly%20necessary%20cookies.

GiteaMirror added the core label 2026-04-17 18:47:39 -05:00

@better-auth-agent[bot] commented on GitHub (Nov 2, 2025):

You could add a new configuration option to the plugin—something like a callback function (e.g. cookieConsentCheck) that returns true or false based on the current request’s cookie consent state. This function would be called before setting the "last used login method" cookie so that if the user hasn’t consented to non-essential cookies, the plugin simply skips setting it instead of forcing maxAge: 0 (which disables the functionality). This approach allows you to maintain GDPR compliance while keeping the feature available for users who have given the proper consent [1] (https://github.com/better-auth/better-auth/issues/4626), [5] (https://www.better-auth.com/docs/plugins/last-login-method).

Next steps:

  1. Open a feature request in the repository proposing the addition of this configurable consent-check function.
  2. Outline that the function should receive the request context, evaluate if functional cookies are permitted, and return a boolean to indicate whether the cookie should be set.
  3. Encourage discussion around integration details, such as default behaviors and ensuring backward compatibility.

Does this solution meet your needs?


@JE4GLE commented on GitHub (Nov 2, 2025):

@better-auth-agent This is what I did, right?


@better-auth-agent[bot] commented on GitHub (Nov 2, 2025):

You can solve this by extending the plugin’s configuration with a custom function that checks your cookie consent status before returning a login method. In other words, modify the configuration so that the plugin only resolves and sets the cookie if the user has consented to functional cookies.

For example, update your plugin configuration as follows:

• Use the customResolveMethod option to add your consent check
• In the custom function, inspect a consent indicator (for example, a consent cookie or header). If consent isn’t given, simply return null so that the plugin won’t set the cookie.

A simplified example might look like this (the plugin is registered with betterAuth as usual; the consent cookie is read through the endpoint context's getCookie helper):

    import { betterAuth } from "better-auth";
    import { lastLoginMethod } from "better-auth/plugins";

    export const auth = betterAuth({
      plugins: [
        lastLoginMethod({
          customResolveMethod: (ctx) => {
            // Check if user has accepted functional cookies (you determine this logic)
            if (ctx.getCookie("functional_cookie_consent") !== "true") {
              return null; // Do not set the cookie since consent was not provided
            }
            // Otherwise, return the login method based on your usual logic
            if (ctx.path === "/sign-in/email") {
              return "email";
            }
            // Continue with any other default resolution logic…
            return null;
          },
        }),
      ],
    });

This approach makes the cookie setting conditional on user consent without forcing you to disable the plugin entirely (which, as you mentioned, would make it useless) [1] (https://github.com/better-auth/better-auth/issues/4626), [2] (https://www.better-auth.com/docs/plugins/last-login-method).

Next steps:

  1. Integrate your consent check logic into the customResolveMethod function as shown.
  2. Test that when the consent cookie (or other indicator) isn’t present or accepted, the last login method cookie isn’t set.
  3. Confirm that with consent given, the plugin behaves as expected.

If you run into any issues or need further customization, please let us know so we can troubleshoot further.

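To make the behaviour both bot replies describe concrete (a consent callback in the first reply, the customResolveMethod variant in the second), here is an added, self-contained model of a consent-gated last-login-method cookie. It is not better-auth code and imports nothing from it: the hook context shape (ctx.path, ctx.getCookie, ctx.setCookie), the option name customResolveMethod, the cookie name and the 30-day default are assumptions that mirror what the thread and the plugin docs describe, and the request objects are constructed inline. The point it demonstrates is that without the consent cookie no Set-Cookie header is ever emitted, while the default resolver still works for callers who do not gate on consent.

```javascript
// Added example: stand-alone model of a consent-gated "last login method" cookie.
// Assumption: the context shape, option names and defaults below mirror the
// thread's description of the plugin; none of this is imported from better-auth.

// Parse a Cookie request header into a name -> value map.
function parseCookieHeader(header) {
  const jar = new Map();
  if (!header) return jar;
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) jar.set(name, decodeURIComponent(value));
  }
  return jar;
}

// Default resolution: derive the method name from the endpoint path.
function defaultResolveMethod(ctx) {
  if (ctx.path === "/sign-in/email" || ctx.path === "/sign-up/email") return "email";
  const social = ctx.path.match(/^\/callback\/([^/]+)$/); // e.g. /callback/github
  return social ? social[1] : null;
}

// The consent gate the issue asks for: returning null means "set nothing".
// Assumption: "functional_cookie_consent=true" is how the site records opt-in.
function consentGatedResolve(ctx) {
  if (ctx.getCookie("functional_cookie_consent") !== "true") return null;
  return defaultResolveMethod(ctx);
}

// Minimal stand-in for the plugin's after-hook: run the resolver and, only if
// it yields a method, emit a Set-Cookie header with plugin-style attributes.
function runLastLoginMethodHook(request, options = {}) {
  const jar = parseCookieHeader(request.headers.cookie);
  const responseHeaders = {};
  const ctx = {
    path: request.path,
    getCookie: (name) => jar.get(name) ?? null,
    setCookie: (name, value, attrs) => {
      const parts = [
        `${name}=${encodeURIComponent(value)}`,
        `Max-Age=${attrs.maxAge}`,
        "Path=/",
        "SameSite=Lax",
      ];
      if (attrs.secure) parts.push("Secure");
      responseHeaders["set-cookie"] = parts.join("; ");
    },
  };
  const resolve = options.customResolveMethod ?? defaultResolveMethod;
  const method = resolve(ctx);
  if (method) {
    ctx.setCookie(
      options.cookieName ?? "better-auth.last_used_login_method", // assumed default name
      method,
      { maxAge: options.maxAge ?? 60 * 60 * 24 * 30, secure: true }, // assumed 30-day default
    );
  }
  return { method, responseHeaders };
}

// Constructed requests: one visitor without consent, one with.
const withoutConsent = runLastLoginMethodHook(
  { path: "/sign-in/email", headers: { cookie: "theme=dark" } },
  { customResolveMethod: consentGatedResolve },
);
const withConsent = runLastLoginMethodHook(
  { path: "/callback/github", headers: { cookie: "functional_cookie_consent=true; theme=dark" } },
  { customResolveMethod: consentGatedResolve },
);
console.log(withoutConsent.responseHeaders); // {}  (no cookie set)
console.log(withConsent.responseHeaders);    // { 'set-cookie': 'better-auth.last_used_login_method=github; ...' }
```

Because the gate lives in the resolver rather than in a second option, a deployment that records consent differently (a signed consent cookie, a header set by a consent-management platform) only has to change consentGatedResolve; the hook itself never learns about consent.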

@dosubot[bot] commented on GitHub (Feb 1, 2026):

Hi, @JE4GLE. I'm Dosu, and I'm helping the better-auth team manage their backlog and am marking this issue as stale.

Issue Summary:

  • You requested making the "Last Login Method" plugin GDPR compliant by conditionally setting its non-essential cookie based on user consent.
  • A callback function (e.g., cookieConsentCheck) was suggested to check consent before setting the cookie.
  • You implemented this solution successfully, confirming the plugin now respects GDPR requirements.
  • The issue was resolved with this configurable consent check approach.

Next Steps:

  • Please confirm if this solution remains relevant with the latest version of better-auth.
  • If it is, feel free to keep the discussion open by commenting; otherwise, I will close this issue automatically in 7 days.

Thanks for your understanding and contribution!


@JE4GLE commented on GitHub (Feb 1, 2026):

@dosubot The solution remains very relevant, and there is even an open PR to review and merge.


@simonfelding commented on GitHub (Feb 24, 2026):

I would really like this too. @JE4GLE are you talking about the PR in #5753? I think storing the cookie in the database with the storeInDatabase setting should disable the cookie by default. Why would you ever want both?


@JE4GLE commented on GitHub (Feb 25, 2026):

@simonfelding Yes, that is the PR. I don't want to disable the cookie for everyone. The use case is GDPR compliance, so I want to decide on a per-user basis whether the cookie should be set or not.


Reference: github-starred/better-auth#27659