Migration strategy for email/password users from another auth system #638

New Issue

GiteaMirror · 2026-03-13T07:58:04-05:00

GiteaMirror commented

2026-03-13 07:58:04 -05:00

Originally created by @WonderPanda on GitHub (Feb 7, 2025).

Is this suited for github?

Yes, this is suited for github

We're evaluating better-auth as a replacement for our current Auth system which is currently running on SuperTokens. better-auth looks amazing and we'd be very interested in being able to drop an additional networked dependency from our stack.

SuperTokens uses a different approach to hashing passwords though, so migrating the records directly into the user/account tables in the better-auth schema doesn't currently work.

Describe the solution you'd like

It would be great if there were some kind of strategy that could be provided when configuring better-auth's email/password to have a fallback method for attempting to compare the password hash.

Ideally, once the fallback method is used to correctly validate a username and password the field in the DB could then be updated to the expected format for better-auth

Describe alternatives you've considered

Without something like this in place we wouldn't be able to migrate all users in one go. We'd have to introduce a bunch of custom code in our backend that allows both auth systems to exist side by side and then every time a user signs in we could insert records into the better-auth schema to slowly backfill accounts. This relies on all users logging in at least once before we could safely deprecate SuperTokens from our stack.

Additional context

No response

Originally created by @WonderPanda on GitHub (Feb 7, 2025). ### Is this suited for github? - [x] Yes, this is suited for github ### Is your feature request related to a problem? Please describe. We're evaluating better-auth as a replacement for our current Auth system which is currently running on SuperTokens. better-auth looks amazing and we'd be very interested in being able to drop an additional networked dependency from our stack. SuperTokens uses a different approach to hashing passwords though, so migrating the records directly into the user/account tables in the better-auth schema doesn't currently work. ### Describe the solution you'd like It would be great if there were some kind of strategy that could be provided when configuring better-auth's email/password to have a fallback method for attempting to compare the password hash. Ideally, once the fallback method is used to correctly validate a username and password the field in the DB could then be updated to the expected format for better-auth ### Describe alternatives you've considered Without something like this in place we wouldn't be able to migrate all users in one go. We'd have to introduce a bunch of custom code in our backend that allows both auth systems to exist side by side and then every time a user signs in we could insert records into the better-auth schema to slowly backfill accounts. This relies on all users logging in at least once before we could safely deprecate SuperTokens from our stack. ### Additional context _No response_

GiteaMirror closed this issue

2026-03-13 07:58:05 -05:00

GiteaMirror commented

2026-03-13 07:58:06 -05:00

@WonderPanda commented on GitHub (Feb 7, 2025):

Oh I just realized that there is some support for this. I missed it in my first pass at https://www.better-auth.com/docs/authentication/email-password#configuration

This will probably unblock us but I'd love if there were additional configuration here to provide a migration strategy such that the custom hashing is only used when the default one falls back and could then update DB records to convert the hash to an expected format so eventually all records will match the better-auth built in hashing strategy

@WonderPanda commented on GitHub (Feb 7, 2025): Oh I just realized that there is some support for this. I missed it in my first pass at https://www.better-auth.com/docs/authentication/email-password#configuration This will probably unblock us but I'd love if there were additional configuration here to provide a migration strategy such that the custom hashing is only used when the default one falls back and could then update DB records to convert the hash to an expected format so eventually all records will match the better-auth built in hashing strategy

GiteaMirror commented

2026-03-13 07:58:06 -05:00

@j-fdion commented on GitHub (Feb 8, 2025):

I'm also really interested in this. I'm currently migrating an app from lucia auth. While I've also devised a strategy to migrate the users, I am curious what others can come up with :)

@j-fdion commented on GitHub (Feb 8, 2025): I'm also really interested in this. I'm currently migrating an app from lucia auth. While I've also devised a strategy to migrate the users, I am curious what others can come up with :)

GiteaMirror commented

2026-03-13 07:58:07 -05:00

@cbodin commented on GitHub (Feb 13, 2025):

Taking inspiration from .NET and PHP something like this could be pretty straight forward to use:

type PasswordVerifier = (data: {
  hash: string;
  password: string;
}) => Promise<boolean | "success" | "success-rehash-needed" | "failed">;

Example usage:

verify: async ({ hash, password }) => {
  // Using imported bcrypt password
  if (hash.startsWith('$2a$')) {
   const verified = await bcrypt.compare(password, hash);
   return verified ? "success-rehash-needed" : "failed";
  }

  // Using verifier from better-auth somehow
  return await verifyPassword({ hash, password });
}

Returning success-rehash-needed would allow the library to call the hash function (the default if not overridden) and update the database table. This would also allow the built-in verifier to return success-rehash-needed if passwords were ever to be migrated to argon2id in the future.

Keeping the boolean as a valid return value retains api compatibility with version 1.x.

@cbodin commented on GitHub (Feb 13, 2025): Taking inspiration from [.NET](https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.identity.ipasswordhasher-1.verifyhashedpassword?view=aspnetcore-9.0) and [PHP](https://www.php.net/manual/en/function.password-needs-rehash.php) something like this could be pretty straight forward to use: ```ts type PasswordVerifier = (data: { hash: string; password: string; }) => Promise<boolean | "success" | "success-rehash-needed" | "failed">; ``` Example usage: ```ts verify: async ({ hash, password }) => { // Using imported bcrypt password if (hash.startsWith('$2a$')) { const verified = await bcrypt.compare(password, hash); return verified ? "success-rehash-needed" : "failed"; } // Using verifier from better-auth somehow return await verifyPassword({ hash, password }); } ``` Returning `success-rehash-needed` would allow the library to call the hash function (the default if not overridden) and update the database table. This would also allow the built-in verifier to return `success-rehash-needed` if passwords were ever to be migrated to argon2id in the future. Keeping the boolean as a valid return value retains api compatibility with version 1.x.

GiteaMirror commented

2026-03-13 07:58:08 -05:00

@WonderPanda commented on GitHub (Feb 14, 2025):

Taking inspiration from .NET and PHP something like this could be pretty straight forward to use:

type PasswordVerifier = (data: {
hash: string;
password: string;
}) => Promise<boolean | "success" | "success-rehash-needed" | "failed">;
Example usage:

verify: async ({ hash, password }) => {
// Using imported bcrypt password
if (hash.startsWith('$2a$')) {
const verified = await bcrypt.compare(password, hash);
return verified ? "success-rehash-needed" : "failed";
}

// Using verifier from better-auth somehow
return await verifyPassword({ hash, password });
}
Returning success-rehash-needed would allow the library to call the hash function (the default if not overridden) and update the database table. This would also allow the built-in verifier to return success-rehash-needed if passwords were ever to be migrated to argon2id in the future.

Keeping the boolean as a valid return value retains api compatibility with version 1.x.

Nice this is exactly the kind of API I was envisioning in my head as well

@WonderPanda commented on GitHub (Feb 14, 2025): > Taking inspiration from [.NET](https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.identity.ipasswordhasher-1.verifyhashedpassword?view=aspnetcore-9.0) and [PHP](https://www.php.net/manual/en/function.password-needs-rehash.php) something like this could be pretty straight forward to use: > > type PasswordVerifier = (data: { > hash: string; > password: string; > }) => Promise<boolean | "success" | "success-rehash-needed" | "failed">; > Example usage: > > verify: async ({ hash, password }) => { > // Using imported bcrypt password > if (hash.startsWith('$2a$')) { > const verified = await bcrypt.compare(password, hash); > return verified ? "success-rehash-needed" : "failed"; > } > > // Using verifier from better-auth somehow > return await verifyPassword({ hash, password }); > } > Returning `success-rehash-needed` would allow the library to call the hash function (the default if not overridden) and update the database table. This would also allow the built-in verifier to return `success-rehash-needed` if passwords were ever to be migrated to argon2id in the future. > > Keeping the boolean as a valid return value retains api compatibility with version 1.x. Nice this is exactly the kind of API I was envisioning in my head as well

GiteaMirror commented

2026-03-13 07:58:10 -05:00

@j-fdion commented on GitHub (Feb 16, 2025):

Taking inspiration from .NET and PHP something like this could be pretty straight forward to use:

type PasswordVerifier = (data: {
hash: string;
password: string;
}) => Promise<boolean | "success" | "success-rehash-needed" | "failed">;
Example usage:

verify: async ({ hash, password }) => {
// Using imported bcrypt password
if (hash.startsWith('$2a$')) {
const verified = await bcrypt.compare(password, hash);
return verified ? "success-rehash-needed" : "failed";
}

// Using verifier from better-auth somehow
return await verifyPassword({ hash, password });
}
Returning success-rehash-needed would allow the library to call the hash function (the default if not overridden) and update the database table. This would also allow the built-in verifier to return success-rehash-needed if passwords were ever to be migrated to argon2id in the future.

Keeping the boolean as a valid return value retains api compatibility with version 1.x.

Thanks It gives me inspiration on how to organize my migration code :)

@j-fdion commented on GitHub (Feb 16, 2025): > Taking inspiration from [.NET](https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.identity.ipasswordhasher-1.verifyhashedpassword?view=aspnetcore-9.0) and [PHP](https://www.php.net/manual/en/function.password-needs-rehash.php) something like this could be pretty straight forward to use: > > type PasswordVerifier = (data: { > hash: string; > password: string; > }) => Promise<boolean | "success" | "success-rehash-needed" | "failed">; > Example usage: > > verify: async ({ hash, password }) => { > // Using imported bcrypt password > if (hash.startsWith('$2a$')) { > const verified = await bcrypt.compare(password, hash); > return verified ? "success-rehash-needed" : "failed"; > } > > // Using verifier from better-auth somehow > return await verifyPassword({ hash, password }); > } > Returning `success-rehash-needed` would allow the library to call the hash function (the default if not overridden) and update the database table. This would also allow the built-in verifier to return `success-rehash-needed` if passwords were ever to be migrated to argon2id in the future. > > Keeping the boolean as a valid return value retains api compatibility with version 1.x. Thanks It gives me inspiration on how to organize my migration code :)

GiteaMirror commented

2026-03-13 07:58:10 -05:00

@dosubot[bot] commented on GitHub (Jun 15, 2025):

Hi, @WonderPanda. I'm Dosu, and I'm helping the better-auth team manage their backlog. I'm marking this issue as stale.

Issue Summary:

The issue involved migrating users from SuperTokens to better-auth due to differing password hashing methods.
You initially overlooked existing support but suggested enhancing it for seamless migration.
@cbodin proposed a PasswordVerifier function inspired by .NET and PHP, which was well-received.
The proposal aligns with your envisioned solution and has been effectively implemented.

Next Steps:

Please confirm if this issue is still relevant to the latest version of the better-auth repository by commenting here.
If no further updates are provided, the issue will be automatically closed in 7 days.

Thank you for your understanding and contribution!

@dosubot[bot] commented on GitHub (Jun 15, 2025): Hi, @WonderPanda. I'm [Dosu](https://dosu.dev), and I'm helping the better-auth team manage their backlog. I'm marking this issue as stale. **Issue Summary:** - The issue involved migrating users from SuperTokens to better-auth due to differing password hashing methods. - You initially overlooked existing support but suggested enhancing it for seamless migration. - @cbodin proposed a `PasswordVerifier` function inspired by .NET and PHP, which was well-received. - The proposal aligns with your envisioned solution and has been effectively implemented. **Next Steps:** - Please confirm if this issue is still relevant to the latest version of the better-auth repository by commenting here. - If no further updates are provided, the issue will be automatically closed in 7 days. Thank you for your understanding and contribution!

GiteaMirror commented

2026-03-13 07:58:11 -05:00

@arenddeboer commented on GitHub (Jun 16, 2025):

Even though this is now closed, I think better migration tooling can help adoption. Especially enterprise customers who will likely also be the ones who will need premium subscriptions when they become available.

@arenddeboer commented on GitHub (Jun 16, 2025): Even though this is now closed, I think better migration tooling can help adoption. Especially enterprise customers who will likely also be the ones who will need premium subscriptions when they become available.

GiteaMirror referenced this issue

2026-03-13 10:52:51 -05:00

[PR #638] [CLOSED] Add isUnique to table component #3410

GiteaMirror referenced this issue

2026-04-13 07:55:30 -05:00

[PR #638] [CLOSED] Add isUnique to table component #11657

GiteaMirror referenced this issue

2026-04-15 19:36:39 -05:00

[PR #638] [CLOSED] Add isUnique to table component #20311

GiteaMirror referenced this issue

2026-04-17 20:25:06 -05:00

[PR #638] [CLOSED] Add isUnique to table component #29011

Sign in to join this conversation.

Branches Tags

2026-05-13/ci/stabilize-docker-startup

dependabot/npm_and_yarn/samlify-2.13.0

changeset-release/main

main

2026-05-22/chore/adopt-agents-md

2026-05-22/refactor/string-case-utils

2026-05-14/fix/passkey-verify-error-and-claim

changeset-release/next

dependabot/npm_and_yarn/demo/electron/demo-minor-patch-519ef7475f

dependabot/github_actions/github-actions-98f3470200

client-assertions-main

2026-05-15/ci/fix-sqlite-abi-mismatch

2026-05-15/fix/organization-team-add-cascade

2026-05-15/fix/parse-set-cookie-value-validation

2026-05-13/feat/captcha-wildcard-endpoints

fix/i18n-before-hook-translation

fix/disable-migration-generate

2026-05-07/fix/admin-set-password-upsert

2026-05-10/fix/cookie-drain-order

2026-05-10/feat/hooks-finally

2026-05-09/fix/cookie-drain-order

2026-05-09/feat/hooks-finally

2026-05-08/feat/register-before-send

fix/stripe/subscription-data-merge

2026-05-01/chore/pnpm-v11-harden

chore/pnpm-v11

2026-04-29/feat/google-include-granted-scopes

2026-04-29/fix/oauth-account-scope-semantics

2026-04-27/fix/nextcookies-idempotent-writes

2026-04-26/fix/harden-proxy-host-validation

2026-04-26/refactor/stripe-callback-signature-cleanup

2026-04-26/fix/stripe-subscription-callback-timing

2026-04-11/fix/sveltekit-app-modules

feat/open-api-zod-contract

feat/oauth-provider-backchannel-logout-next

feat/oauth-idp-initiated-bounce

refactor/sign-in-challenges

2026-04-21/fix/oauth-rfc-input-validation

fix/release-notes-new-packages

fix/two-factor-identity-guard

fix/resource

feat/emailpassword-authorize

2026-04-12/security/dynamic-baseurl-proxy-trust-default

feat/oauth-provider-at-hash-v2

fix/release-grep-fallback

claude/address-review-comments-JhFLr

claude/slack-update-stripe-docs-consistency-8Sc0w

feat/async-auth

fix/two-factor-totp-verified-enrollment

feat/plugin-ui

codex/blog-1-6-release-post

2026-04-06/fix/type-any-guards

2026-04-05/chore/downgrade-better-call

2026-04-04/ci/skip-vercel-fork-prs

2026-03-28/ci/add-autofix-ci

chore/release-preview-script

himself65/2026/02/19/role

2026-03-24/fix/update-user-info-on-link

2026-03-20/docs/improve-website

2026-03-20/fix/anonymous-onlinkaccount-expo

2026-02-17/fix/anonymous-link-state

fix/8607-saml-inresponseto

fix/8549-scim-patch-noop

v1.4.x

refactor/migration-snapshot-tests

worktree-magic-link-additional-data

chore/migrate-build-to-rollup

worktree-fix-dynamic-baseurl-8447

2026-03-06/chore/public-api-check

fix/close-8156-regression-test

fix/secondary-storage-json-error-handling

himself65/verification-namespace

cursor/issue-8307-validation-79a3

himself65/2026/01/30/error-mdx

v1.4.x-staging

fix/email-otp-user

fix/restrict-full-organization-access-roles

himself65/2026/02/12/count

himself65/2026/02/04/define-plugin

2026-02-04/feat/add-pluralize

cursor/better-auth-js-integration-ec21

cursor/expo-state-mismatch-394c

2026-02-01/fix/org-update-role-sync-members

cursor/issue-7607-investigation-e146

cursor/email-generation-helper-0ff6

himself65/2026/01/21/avoid-spread-operator

himself65/2026/01/14/cli

claude/slack-add-docs-pr-NMvgO

claude/slack-add-advanced-useplural-WHKYL

feat/hooks-pos

feat/2fa-phone

feat/2fa

fix/rotation

fix/username-check

v1.3.x

refactor/organization

feat/multiple-client-ids-social-providers

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/better-auth#638