[GH-ISSUE #1036] auth.api.signUpEmail return value problem #8561

New Issue

GiteaMirror · 2026-04-13T03:40:52-05:00

GiteaMirror commented

2026-04-13 03:40:52 -05:00

Originally created by @wh5938316 on GitHub (Dec 27, 2024).
Original GitHub issue: https://github.com/better-auth/better-auth/issues/1036

Is this suited for github?

Yes, this is suited for github

To Reproduce

In the latest version, I noticed that the return value of auth.api.signUpEmail is { token: null }, instead of returning the user object as it used to (if I remember correctly). This is causing issues for me, as I need the created user object for subsequent processing in my application.

What is the purpose of this change?
If signUpEmail no longer returns the user object, how should I retrieve the created user after calling signUpEmail?

const data = await betterAuth().api.signUpEmail({
    body: {
      email: _.get(data, 'email'),
      password: _.get(data, 'password'),
      name: _.get(data, 'name')!,
    },
});

In version 1.0.0:
8e81ceb0e2/packages/better-auth/src/api/routes/sign-up.ts (L215-L218)

Now:
2c81db93be/packages/better-auth/src/api/routes/sign-up.ts (L233-L235)

Current vs. Expected behavior

I would like clarification on the following:

Was this change intentional as part of a design decision?
If so, how should I obtain the user information after calling signUpEmail?

What version of Better Auth are you using?

1.1.3

Provide environment information

Nest.js

Which area(s) are affected? (Select all that apply)

Backend

Auth config (if applicable)

import { betterAuth } from "better-auth"
export const auth = betterAuth({
  emailAndPassword: {  
    enabled: true
  },
});

Additional context

No response

Originally created by @wh5938316 on GitHub (Dec 27, 2024). Original GitHub issue: https://github.com/better-auth/better-auth/issues/1036 ### Is this suited for github? - [ ] Yes, this is suited for github ### To Reproduce In the latest version, I noticed that the return value of `auth.api.signUpEmail` is `{ token: null }`, instead of returning the user object as it used to (if I remember correctly). This is causing issues for me, as I need the created user object for subsequent processing in my application. 1. What is the purpose of this change? 2. If signUpEmail no longer returns the user object, how should I retrieve the created user after calling signUpEmail? ```javascript const data = await betterAuth().api.signUpEmail({ body: { email: _.get(data, 'email'), password: _.get(data, 'password'), name: _.get(data, 'name')!, }, }); ``` In version 1.0.0: https://github.com/better-auth/better-auth/blob/8e81ceb0e2727e220a9119a6bccca2c01fc878c3/packages/better-auth/src/api/routes/sign-up.ts#L215-L218 Now: https://github.com/better-auth/better-auth/blob/2c81db93be61b7154fe37ec9fd709806366ca93b/packages/better-auth/src/api/routes/sign-up.ts#L233-L235 ### Current vs. Expected behavior I would like clarification on the following: 1. Was this change intentional as part of a design decision? 2. If so, how should I obtain the user information after calling signUpEmail? ### What version of Better Auth are you using? 1.1.3 ### Provide environment information ```bash Nest.js ``` ### Which area(s) are affected? (Select all that apply) Backend ### Auth config (if applicable) ```typescript import { betterAuth } from "better-auth" export const auth = betterAuth({ emailAndPassword: { enabled: true }, }); ``` ### Additional context _No response_

GiteaMirror added the locked bug labels 2026-04-13 03:40:52 -05:00

GiteaMirror closed this issue

2026-04-13 03:40:53 -05:00

GiteaMirror commented

2026-04-13 03:40:53 -05:00

@wh5938316 commented on GitHub (Dec 27, 2024):

@Bekacru hi

This update originates from PR #968, which states:

Endpoints that previously returned the entire user object now only return a token. This change allows for storing sensitive fields in the user table and eliminates unnecessary returned data. As a result, all endpoints, except /get-session, now enforce this.

What I don’t understand is that the purpose of this PR is to allow storing sensitive fields in the user table and eliminate unnecessary returned data. However, I believe returning the created user in api.signUpEmail is necessary, and specifying the returned fields already avoids the issue of exposing sensitive fields.

Interestingly, in the current version, it seems that api.signInEmail is an exception, as it returns the user information.

2c81db93be/packages/better-auth/src/api/routes/sign-in.ts (L433-L448)

@wh5938316 commented on GitHub (Dec 27, 2024): @Bekacru hi This update originates from PR #968, which states: > Endpoints that previously returned the entire user object now only return a token. This change allows for storing sensitive fields in the user table and eliminates unnecessary returned data. As a result, all endpoints, except /get-session, now enforce this. What I don’t understand is that the purpose of this PR is to allow storing sensitive fields in the user table and eliminate unnecessary returned data. However, I believe returning the created user in `api.signUpEmail` is necessary, and specifying the returned fields already avoids the issue of exposing sensitive fields. Interestingly, in the current version, it seems that `api.signInEmail` is an exception, as it returns the user information. https://github.com/better-auth/better-auth/blob/2c81db93be61b7154fe37ec9fd709806366ca93b/packages/better-auth/src/api/routes/sign-in.ts#L433-L448

GiteaMirror commented

2026-04-13 03:40:54 -05:00

@Bekacru commented on GitHub (Dec 27, 2024):

I'll admit that we should have kept the user id and other simpler metadata like we do for sign in endpoint (which is left by mistake) for use cases that rely on the auth.api method to post process data so we don't break prod applications with a minor bump. I initially didn’t expect people to use this approach often. But, the change is actually intended to encourage people to leverage the underlying hook system for these tasks, rather than being tempted to create additional endpoints for sign-in, sign-up, or updating user information from the client after they got the user object from the response

So something you can do is write an after hook to do post process after a user is signed up like this

const auth = betterAuth({
    hooks: {
        before: createAuthMiddleware( async(ctx) => {
             if(ctx.path === "/sign-up/email"){
                 const newSession = ctx.context.newSession; //this hold the full user and session object
             }
        })
    }
})

@Bekacru commented on GitHub (Dec 27, 2024): I'll admit that we should have kept the user id and other simpler metadata like we do for sign in endpoint (which is left by mistake) for use cases that rely on the `auth.api` method to post process data so we don't break prod applications with a minor bump. I initially didn’t expect people to use this approach often. But, the change is actually intended to encourage people to leverage the underlying hook system for these tasks, rather than being tempted to create additional endpoints for sign-in, sign-up, or updating user information from the client after they got the user object from the response So something you can do is write an after hook to do post process after a user is signed up like this ```ts const auth = betterAuth({ hooks: { before: createAuthMiddleware( async(ctx) => { if(ctx.path === "/sign-up/email"){ const newSession = ctx.context.newSession; //this hold the full user and session object } }) } }) ```

GiteaMirror commented

2026-04-13 03:40:54 -05:00

@wh5938316 commented on GitHub (Dec 27, 2024):

@Bekacru

This is one of my biggest concerns about better-auth. From my perspective, better-auth seems heavily tailored for meta-frameworks and often neglects backend frameworks like NestJS in its design.

I use NestJS, and I believe the community of developers using similar frameworks and requiring better-auth is vast (NestJS has over 4 million weekly downloads on npm). However, the experience of using better-auth with NestJS is not great—and it seems to be worsening over time, which is my biggest worry. While hooks can solve certain problems, they are not a great fit for use cases in NestJS.

I sincerely hope that better-auth considers this issue. I want better-auth to shine as an auth library across the entire JavaScript ecosystem, not just within meta-frameworks.

@wh5938316 commented on GitHub (Dec 27, 2024): @Bekacru This is one of my biggest concerns about better-auth. From my perspective, better-auth seems heavily tailored for meta-frameworks and often neglects backend frameworks like NestJS in its design. I use NestJS, and I believe the community of developers using similar frameworks and requiring better-auth is vast (NestJS has over 4 million weekly downloads on npm). However, the experience of using better-auth with NestJS is not great—and it seems to be worsening over time, which is my biggest worry. While hooks can solve certain problems, they are not a great fit for use cases in NestJS. I sincerely hope that better-auth considers this issue. I want better-auth to shine as an auth library across the entire JavaScript ecosystem, not just within meta-frameworks.

GiteaMirror commented

2026-04-13 03:40:55 -05:00

@Bekacru commented on GitHub (Dec 27, 2024):

valid concern. the thing is, Better Auth was designed to be used within a server and client scope, where you can call the Better Auth server using the provided client and that's mostly about it. The auth.api feature was mostly an afterthought so there is a way to provide essential actions that needs to be called on server like getSession without requiring to create a bunch of separated actions.

so now instead of exporting an action called getSession, we can reuse the same endpoint that the client uses to get the session so we have one getSession implementation. This also allowed us to extend this to all plugis, like the organization plugin now can expose getActiveOrganization or something, so that each plugin doesn’t also need to export separate server callable actions.

The auth.api.signUpEmail and other methods, which I didn't initially intended to be called in the server, were primarily an afterthought. That’s why they don’t provide as polished an API as the client.

That said, it turned out to be a happy accident that opened up a lot of additional use cases, including integration with frameworks like NestJS and other backend focused frameworks. So it's a fair callout and we should definitely keep this in mind when making future API decisions.

And I'll also review the singUpEmail and similar endpoints changes and we might revert it so we can still return some useful user info for post processing.

@Bekacru commented on GitHub (Dec 27, 2024): valid concern. the thing is, Better Auth was designed to be used within a `server` and `client` scope, where you can call the Better Auth server using the provided `client` and that's mostly about it. The `auth.api` feature was mostly an afterthought so there is a way to provide essential actions that needs to be called on server like `getSession` without requiring to create a bunch of separated actions. so now instead of exporting an action called `getSession`, we can reuse the same endpoint that the client uses to get the session so we have one getSession implementation. This also allowed us to extend this to all plugis, like the organization plugin now can expose `getActiveOrganization` or something, so that each plugin doesn’t also need to export separate server callable actions. The `auth.api.signUpEmail` and other methods, which I didn't initially intended to be called in the server, were primarily an afterthought. That’s why they don’t provide as polished an API as the client. That said, it turned out to be a happy accident that opened up a lot of additional use cases, including integration with frameworks like NestJS and other backend focused frameworks. So it's a fair callout and we should definitely keep this in mind when making future API decisions. And I'll also review the singUpEmail and similar endpoints changes and we might revert it so we can still return some useful user info for post processing.

GiteaMirror commented

2026-04-13 03:40:55 -05:00

@wh5938316 commented on GitHub (Dec 27, 2024):

I’m really glad to hear that you recognize this point. The code quality of better-auth is outstanding, and its usability within meta-frameworks is excellent. I truly believe it has the potential to revolutionize the auth ecosystem across the entire JavaScript landscape.

One of the biggest challenges I’ve faced when using better-auth with NestJS is related to route guarding. In NestJS, I implement this through middleware and guards. Ideally, within a single request lifecycle, the session should only be retrieved once. If the entire request lifecycle is handled within better-auth, this isn’t an issue. However, when it’s not, the session ends up being fetched twice (once in the middleware and once again in the API).

I wonder if it’s possible for better-auth’s $context to be injected externally. This could potentially address the issue. I’d like to open an issue to discuss this further.

@wh5938316 commented on GitHub (Dec 27, 2024): I’m really glad to hear that you recognize this point. The code quality of better-auth is outstanding, and its usability within meta-frameworks is excellent. I truly believe it has the potential to revolutionize the auth ecosystem across the entire JavaScript landscape. One of the biggest challenges I’ve faced when using better-auth with NestJS is related to route guarding. In NestJS, I implement this through middleware and guards. Ideally, within a single request lifecycle, the session should only be retrieved once. If the entire request lifecycle is handled within better-auth, this isn’t an issue. However, when it’s not, the session ends up being fetched twice (once in the middleware and once again in the API). I wonder if it’s possible for better-auth’s $context to be injected externally. This could potentially address the issue. I’d like to open an issue to discuss this further.

GiteaMirror commented

2026-04-13 03:40:56 -05:00

@Bekacru commented on GitHub (Dec 27, 2024):

Doesn't Nestjs provide a way to inject the session through out the routing chain?

@Bekacru commented on GitHub (Dec 27, 2024): Doesn't Nestjs provide a way to inject the session through out the routing chain?

GiteaMirror commented

2026-04-13 03:40:56 -05:00

@wh5938316 commented on GitHub (Dec 27, 2024):

I haven’t thoroughly reviewed the full codebase of better-auth, especially better-call, so I’m not sure if my understanding is entirely correct.

Currently, I inject the session and user into the request before processing each guarded route using the following approach:

@Injectable()
export class GlobalGuardMiddleware implements NestMiddleware {
  constructor(private readonly authService: AuthService) {}

  async use(req: Request, _res: Response, next: NextFunction) {
    const result = await this.authService.auth.api.getSession({
      headers: fromNodeHeaders(req.headers),
    });

    if (!result) {
      next();
      return;
    }

    const { session, user } = result;

    req['user'] = user as User;
    req['session'] = session as Session;

    next();
  }
}

However, if I call api.createInvitation within a route handler, the better-auth sessionMiddleware would also fetch the session from the database again, right?

@wh5938316 commented on GitHub (Dec 27, 2024): I haven’t thoroughly reviewed the full codebase of `better-auth`, especially `better-call`, so I’m not sure if my understanding is entirely correct. Currently, I inject the session and user into the request before processing each guarded route using the following approach: ```javascript @Injectable() export class GlobalGuardMiddleware implements NestMiddleware { constructor(private readonly authService: AuthService) {} async use(req: Request, _res: Response, next: NextFunction) { const result = await this.authService.auth.api.getSession({ headers: fromNodeHeaders(req.headers), }); if (!result) { next(); return; } const { session, user } = result; req['user'] = user as User; req['session'] = session as Session; next(); } } ``` However, if I call api.createInvitation within a route handler, the better-auth `sessionMiddleware` would also fetch the session from the database again, right?

GiteaMirror commented

2026-04-13 03:40:57 -05:00

@Bekacru commented on GitHub (Dec 27, 2024):

Yeah it does fetch twice. We can potentially make the api to accept session or the actual ctx object. but if there is a cookie cache this wouldn't be a big issue other than for requests that cache miss.

@Bekacru commented on GitHub (Dec 27, 2024): Yeah it does fetch twice. We can potentially make the api to accept `session` or the actual ctx object. but if there is a cookie cache this wouldn't be a big issue other than for requests that cache miss.

GiteaMirror commented

2026-04-13 03:40:57 -05:00

@wh5938316 commented on GitHub (Dec 27, 2024):

Yes, this isn’t a big issue, so when I realized this on the first day of using better-auth, I didn’t consider it a reason to not use it with NestJS. It just triggered a bit of my OCD (haha).

I mentioned this to highlight a point: when better-auth tries to cover the entire lifecycle of a request in backend frameworks, there might be some challenges or potential issues.

@wh5938316 commented on GitHub (Dec 27, 2024): Yes, this isn’t a big issue, so when I realized this on the first day of using better-auth, I didn’t consider it a reason to not use it with NestJS. It just triggered a bit of my OCD (haha). I mentioned this to highlight a point: when better-auth tries to cover the entire lifecycle of a request in backend frameworks, there might be some challenges or potential issues.

GiteaMirror referenced this issue

2026-04-13 07:29:43 -05:00

[GH-ISSUE #8561] Email OTP: Case-sensitive email handling causes OTP verification failures #11120

GiteaMirror referenced this issue

2026-04-13 10:30:17 -05:00

[PR #8651] fix(email-otp): normalize email casing and whitespace across all endpoints #16367

GiteaMirror referenced this issue

2026-04-15 19:05:14 -05:00

[GH-ISSUE #8561] Email OTP: Case-sensitive email handling causes OTP verification failures #19751

GiteaMirror referenced this issue

2026-04-15 22:41:38 -05:00

[PR #8651] fix(email-otp): normalize email casing and whitespace across all endpoints #25021

GiteaMirror referenced this issue

2026-04-17 19:53:38 -05:00

[GH-ISSUE #8561] Email OTP: Case-sensitive email handling causes OTP verification failures #28443

Sign in to join this conversation.

Branches Tags

2026-05-22/chore/adopt-agents-md

2026-05-22/refactor/string-case-utils

dependabot/npm_and_yarn/uuid-14.0.0

dependabot/npm_and_yarn/turbo-2.9.14

changeset-release/main

main

2026-05-14/fix/passkey-verify-error-and-claim

dependabot/npm_and_yarn/samlify-2.13.0

dependabot/npm_and_yarn/ws-8.20.1

changeset-release/next

dependabot/npm_and_yarn/demo/electron/demo-minor-patch-519ef7475f

dependabot/github_actions/github-actions-98f3470200

client-assertions-main

2026-05-15/ci/fix-sqlite-abi-mismatch

2026-05-15/fix/organization-team-add-cascade

2026-05-15/fix/parse-set-cookie-value-validation

2026-05-13/feat/captcha-wildcard-endpoints

2026-05-13/ci/stabilize-docker-startup

fix/i18n-before-hook-translation

fix/disable-migration-generate

2026-05-07/fix/admin-set-password-upsert

2026-05-10/fix/cookie-drain-order

2026-05-10/feat/hooks-finally

2026-05-09/fix/cookie-drain-order

2026-05-09/feat/hooks-finally

2026-05-08/feat/register-before-send

fix/stripe/subscription-data-merge

2026-05-01/chore/pnpm-v11-harden

chore/pnpm-v11

2026-04-29/feat/google-include-granted-scopes

2026-04-29/fix/oauth-account-scope-semantics

2026-04-27/fix/nextcookies-idempotent-writes

2026-04-26/fix/harden-proxy-host-validation

2026-04-26/refactor/stripe-callback-signature-cleanup

2026-04-26/fix/stripe-subscription-callback-timing

2026-04-11/fix/sveltekit-app-modules

feat/open-api-zod-contract

feat/oauth-provider-backchannel-logout-next

feat/oauth-idp-initiated-bounce

refactor/sign-in-challenges

2026-04-21/fix/oauth-rfc-input-validation

fix/release-notes-new-packages

fix/two-factor-identity-guard

fix/resource

feat/emailpassword-authorize

2026-04-12/security/dynamic-baseurl-proxy-trust-default

feat/oauth-provider-at-hash-v2

fix/release-grep-fallback

claude/address-review-comments-JhFLr

claude/slack-update-stripe-docs-consistency-8Sc0w

feat/async-auth

fix/two-factor-totp-verified-enrollment

feat/plugin-ui

codex/blog-1-6-release-post

2026-04-06/fix/type-any-guards

2026-04-05/chore/downgrade-better-call

2026-04-04/ci/skip-vercel-fork-prs

2026-03-28/ci/add-autofix-ci

chore/release-preview-script

himself65/2026/02/19/role

2026-03-24/fix/update-user-info-on-link

2026-03-20/docs/improve-website

2026-03-20/fix/anonymous-onlinkaccount-expo

2026-02-17/fix/anonymous-link-state

fix/8607-saml-inresponseto

fix/8549-scim-patch-noop

v1.4.x

refactor/migration-snapshot-tests

worktree-magic-link-additional-data

chore/migrate-build-to-rollup

worktree-fix-dynamic-baseurl-8447

2026-03-06/chore/public-api-check

fix/close-8156-regression-test

fix/secondary-storage-json-error-handling

himself65/verification-namespace

cursor/issue-8307-validation-79a3

himself65/2026/01/30/error-mdx

v1.4.x-staging

fix/email-otp-user

fix/restrict-full-organization-access-roles

himself65/2026/02/12/count

himself65/2026/02/04/define-plugin

2026-02-04/feat/add-pluralize

cursor/better-auth-js-integration-ec21

cursor/expo-state-mismatch-394c

2026-02-01/fix/org-update-role-sync-members

cursor/issue-7607-investigation-e146

cursor/email-generation-helper-0ff6

himself65/2026/01/21/avoid-spread-operator

himself65/2026/01/14/cli

claude/slack-add-docs-pr-NMvgO

claude/slack-add-advanced-useplural-WHKYL

feat/hooks-pos

feat/2fa-phone

feat/2fa

fix/rotation

fix/username-check

v1.3.x

refactor/organization

feat/multiple-client-ids-social-providers

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/better-auth#8561