github-starred/better-auth
2
0
Fork 0
mirror of https://github.com/better-auth/better-auth.git synced 2026-05-23 07:18:56 -05:00
Code Issues 2.5k Packages Projects Releases 112 Wiki Activity

[GH-ISSUE #8313] Prisma adapter: verification.delete() uses non-unique identifier in WhereUniqueInput #28376

New Issue
Closed
opened 2026-04-17 19:48:54 -05:00 by GiteaMirror · 1 comment
GiteaMirror commented 2026-04-17 19:48:54 -05:00
Owner
Copy Link

Originally created by @aniravi24 on GitHub (Mar 3, 2026).
Original GitHub issue: https://github.com/better-auth/better-auth/issues/8313

Originally assigned to: @ping-maxwell on GitHub.

Bug Report

Description

The Prisma adapter calls prisma.verification.delete({ where: { identifier } }) during the email OTP sign-in flow, but identifier is not a unique field on the verification table. Prisma's delete() requires a WhereUniqueInput, so it rejects the call.

This is a different code path from the fix in #7096 (which addressed compound AND conditions in update()). Here the issue is that delete() is used with a plain non-unique field.

Environment

  • better-auth version: 1.5.1
  • Prisma version: 7.4.2
  • Database: PostgreSQL
  • Node runtime: Bun

Steps to Reproduce

  1. Configure better-auth with Prisma adapter and email OTP plugin
  2. Trigger an OTP sign-in flow (/api/auth/sign-in/email-otp)
  3. The adapter attempts to clean up old verification records by identifier

Error

PrismaClientValidationError:
Invalid `prisma.verification.delete()` invocation:

{
  where: {
    identifier: "sign-in-otp-user@example.com",
?   id?: String,
?   AND?: VerificationWhereInput | VerificationWhereInput[],
?   OR?: VerificationWhereInput[],
?   NOT?: VerificationWhereInput | VerificationWhereInput[],
?   value?: StringFilter | String,
?   expiresAt?: DateTimeFilter | DateTime,
?   createdAt?: DateTimeFilter | DateTime,
?   updatedAt?: DateTimeNullableFilter | DateTime | Null
  }
}

Argument `where` of type VerificationWhereUniqueInput needs at least one of `id` arguments.

Expected Behavior

The adapter should use deleteMany({ where: { identifier } }) instead of delete({ where: { identifier } }), since identifier is not a unique field in better-auth's own schema definition (it only has a regular index, not a unique constraint).

Related

  • #5929 / #7096 — similar issue with update() and compound AND conditions (fixed, but delete() path was not covered)
Originally created by @aniravi24 on GitHub (Mar 3, 2026). Original GitHub issue: https://github.com/better-auth/better-auth/issues/8313 Originally assigned to: @ping-maxwell on GitHub. ## Bug Report ### Description The Prisma adapter calls `prisma.verification.delete({ where: { identifier } })` during the email OTP sign-in flow, but `identifier` is **not a unique field** on the `verification` table. Prisma's `delete()` requires a `WhereUniqueInput`, so it rejects the call. This is a different code path from the fix in #7096 (which addressed compound `AND` conditions in `update()`). Here the issue is that `delete()` is used with a plain non-unique field. ### Environment - **better-auth version:** 1.5.1 - **Prisma version:** 7.4.2 - **Database:** PostgreSQL - **Node runtime:** Bun ### Steps to Reproduce 1. Configure better-auth with Prisma adapter and email OTP plugin 2. Trigger an OTP sign-in flow (`/api/auth/sign-in/email-otp`) 3. The adapter attempts to clean up old verification records by `identifier` ### Error ``` PrismaClientValidationError: Invalid `prisma.verification.delete()` invocation: { where: { identifier: "sign-in-otp-user@example.com", ? id?: String, ? AND?: VerificationWhereInput | VerificationWhereInput[], ? OR?: VerificationWhereInput[], ? NOT?: VerificationWhereInput | VerificationWhereInput[], ? value?: StringFilter | String, ? expiresAt?: DateTimeFilter | DateTime, ? createdAt?: DateTimeFilter | DateTime, ? updatedAt?: DateTimeNullableFilter | DateTime | Null } } Argument `where` of type VerificationWhereUniqueInput needs at least one of `id` arguments. ``` ### Expected Behavior The adapter should use `deleteMany({ where: { identifier } })` instead of `delete({ where: { identifier } })`, since `identifier` is not a unique field in better-auth's own schema definition (it only has a regular index, not a unique constraint). ### Related - #5929 / #7096 — similar issue with `update()` and compound `AND` conditions (fixed, but `delete()` path was not covered)
GiteaMirror added the lockedbug labels 2026-04-17 19:48:54 -05:00
GiteaMirror commented 2026-04-17 19:48:57 -05:00
Author
Owner
Copy Link

@dosubot[bot] commented on GitHub (Mar 3, 2026):

Thanks for the detailed report! This is indeed a valid bug. The issue stems from the Prisma adapter calling delete() with a non-unique identifier field in the deleteVerificationByIdentifier function, which then hits the Prisma adapter's delete function that uses db[model].delete().

This is a known pattern of issues with the Prisma adapter. Related fixes include:

  • PR #7096 - Fixed similar update() issues with compound AND conditions
  • PR #6425 - Fixed delete() by extracting id to root level
  • PR #6226 - Changed deleteOrganization to use deleteMany()

Temporary workaround: You can add a @unique constraint to the identifier field in your Verification schema, though this may not be ideal if you expect multiple verifications per identifier.

Your suggested fix of using deleteMany({ where: { identifier } }) is the correct approach for this case.

To reply, just mention @dosu.

How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other

Chat with Dosu Open in Cursor Join Discord Share on X

<!-- gh-comment-id:3988460723 --> @dosubot[bot] commented on GitHub (Mar 3, 2026): <!-- Answer --> Thanks for the detailed report! This is indeed a valid bug. The issue stems from the Prisma adapter calling `delete()` with a non-unique `identifier` field in the [`deleteVerificationByIdentifier` function](https://github.com/better-auth/better-auth/blob/35deabdef026f6887eb5dfda539f39460076fad4/packages/better-auth/src/db/internal-adapter.ts#L1142-L1163), which then hits the [Prisma adapter's delete function](https://github.com/better-auth/better-auth/blob/35deabdef026f6887eb5dfda539f39460076fad4/packages/prisma-adapter/src/prisma-adapter.ts#L494-L516) that uses `db[model].delete()`. This is a known pattern of issues with the Prisma adapter. Related fixes include: - [PR #7096](https://github.com/better-auth/better-auth/pull/7096) - Fixed similar `update()` issues with compound AND conditions - [PR #6425](https://github.com/better-auth/better-auth/pull/6425) - Fixed `delete()` by extracting `id` to root level - [PR #6226](https://github.com/better-auth/better-auth/pull/6226) - Changed `deleteOrganization` to use `deleteMany()` **Temporary workaround**: You can add a `@unique` constraint to the `identifier` field in your Verification schema, though this may not be ideal if you expect multiple verifications per identifier. Your suggested fix of using `deleteMany({ where: { identifier } })` is the correct approach for this case. <!-- Dosu Comment Footer --> *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/b3a43248-d549-4a81-9072-d0954c4b2dcd?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/b3a43248-d549-4a81-9072-d0954c4b2dcd?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/b3a43248-d549-4a81-9072-d0954c4b2dcd?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/b3a43248-d549-4a81-9072-d0954c4b2dcd?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/b3a43248-d549-4a81-9072-d0954c4b2dcd?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/b3a43248-d549-4a81-9072-d0954c4b2dcd?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/b3a43248-d549-4a81-9072-d0954c4b2dcd?feedback_type=other)</sup> [![Chat with Dosu](https://dosu.dev/dosu-chat-badge.svg)](https://app.dosu.dev/cdda13d9-dd27-4d31-b09a-5d8bec92de21/ask?utm_source=github)&nbsp;[![Open in Cursor](https://dosu.dev/dosu-in-cursor.svg)](https://cursor.com/link/prompt?text=Thanks%20for%20the%20detailed%20report%21%20This%20is%20indeed%20a%20valid%20bug.%20The%20issue%20stems%20from%20the%20Prisma%20adapter%20calling%20%60delete%28%29%60%20with%20a%20non-unique%20%60identifier%60%20field%20in%20the%20%5B%60deleteVerificationByIdentifier%60%20function%5D%28https%3A//github.com/better-auth/better-auth/blob/35deabdef026f6887eb5dfda539f39460076fad4/packages/better-auth/src/db/internal-adapter.ts%23L1142-L1163%29%2C%20which%20then%20hits%20the%20%5BPrisma%20adapter%27s%20delete%20function%5D%28https%3A//github.com/better-auth/better-auth/blob/35deabdef026f6887eb5dfda539f39460076fad4/packages/prisma-adapter/src/prisma-adapter.ts%23L494-L516%29%20that%20uses%20%60db%5Bmodel%5D.delete%28%29%60.%0A%0AThis%20is%20a%20known%20pattern%20of%20issues%20with%20the%20Prisma%20adapter.%20Related%20fixes%20include%3A%0A-%20%5BPR%20%237096%5D%28https%3A//github.com/better-auth/better-auth/pull/7096%29%20-%20Fixed%20similar%20%60update%28%29%60%20issues%20with%20compound%20AND%20conditions%0A-%20%5BPR%20%236425%5D%28https%3A//github.com/better-auth/better-auth/pull/6425%29%20-%20Fixed%20%60delete%28%29%60%20by%20extracting%20%60id%60%20to%20root%20level%0A-%20%5BPR%20%236226%5D%28https%3A//github.com/better-auth/better-auth/pull/6226%29%20-%20Changed%20%60deleteOrganization%60%20to%20use%20%60deleteMany%28%29%60%0A%0A%2A%2ATemporary%20workaround%2A%2A%3A%20You%20can%20add%20a%20%60%40unique%60%20constraint%20to%20the%20%60identifier%60%20field%20in%20your%20Verification%20schema%2C%20though%20this%20may%20not%20be%20ideal%20if%20you%20expect%20multiple%20verifications%20per%20identifier.%0A%0AYour%20suggested%20fix%20of%20using%20%60deleteMany%28%7B%20where%3A%20%7B%20identifier%20%7D%20%7D%29%60%20is%20the%20correct%20approach%20for%20this%20case.)&nbsp;[![Join Discord](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&label=)](https://go.dosu.dev/discord-bot)&nbsp;[![Share on X](https://img.shields.io/badge/X-share-black)](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/better-auth/better-auth/issues/8313)
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
adapter
astro
awaiting external contributor
blocked
breaking
breaking change
bug
c-devops
core
credentials
database
dependencies
devops
devtools
docs
documentation
duplicate
elysia
enhancement
enterprise
expo
express
fastify
good first issue
help wanted
hono
identity
infra
integration
invalid
javascript
locked
maintenance
need-more-information
needs: info
needs: repro
nextjs
nuxt
oauth
organization
P0
payments
perf
platform
plugin
pull-request
Mirrored from GitHub Pull Request
 question
ready
regression
remix
security
social-provider
solid
stale
svelte
tanstack-start
tracking
version-bump
vue
wontfix
No Label bug locked
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/better-auth#28376
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?