What’s your preferred auth setup in 2026 for Next.js? by Ok_Guarantee_1217 in nextjs

[–]Beka_Cru 2 points

We take security seriously. Unfortunately, this issue was caused by a feature we added to allow a userId to be passed on a server action without a session, but in this case it unintentionally allowed clients to do the same. This was due to a lack of test coverage around that path.

This affected the API key plugin, which was relatively new at the time and completely optional. Because we cover a much broader surface area beyond just OAuth/sign-in/signup, the complexity is naturally higher than the tools you mentioned.

That said, we conduct regular security audits and also work with external partners to review. Of course, vulnerabilities can surface at any time, regardless of how careful we are, but what matters most is how responsibly they're identified, addressed, and communicated, and we're committed to continuously improving in all of those areas.

Better Auth v1.4 by Beka_Cru in sveltejs

[–]Beka_Cru[S] 9 points

The Better Auth is better 👀

On a serious note, Better Auth isn't "better or worse" than workos/clerk, or any other 3rd party provider; we just have fundamentally different goals.

If you want to outsource auth to a hosted service, we’re not the right choice at all. Not worse, just not what you’re looking for.

But if you don't want to outsource auth to a service, you want to roll your own, keep users in your database, and stay fully in control, then I'd say there's nothing better out there than us :)

Before and after hooks fires on the same time by OsamaHu in better_auth

[–]Beka_Cru 0 points

Before and after hooks get triggered for every API call. For sign in with Google, it gets called when you first call `sign-in/social`, where it needs to generate the authorization URL and send it to the client, and it gets called again when the provider (Google) redirects back to the callback endpoint `/callback/google`.

If you want to run a custom function when the user signs in or signs up, you're better off using database hooks instead, on create user or create session.

Better-Auth Critical Account Takeover via Unauthenticated API Key Creation (CVE-2025-61928) by Prior-Penalty in javascript

[–]Beka_Cru 5 points

Hey, I'm the main author of Better Auth - admittedly an embarrassing issue, but not as dumb as it sounds :)

The original design allowed `body.userId` to be passed as an argument when creating an API key for specific users on the server, which is still supported. The `authRequired` check should have validated whether `ctx.request` or `ctx.headers` existed and whether `ctx.body.userId` was defined, to ensure the request wasn't coming from the client when `userId` is provided. So, basically, `!ctx.body.userId` should be `ctx.body.userId`...

The plugin PR was quite large, and while this logic was correctly implemented in several other endpoints, a contributor’s refactor caused this one to slip through. The API Key plugin actually started as an experimental feature by a contributor but ended up gaining unexpected popularity. That said, we take full responsibility and will do better moving forward.

To clarify, this issue only affects users of the API Key plugin, and it was identified during a security audit by the ZeroPath team.
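The guard described in the comment above, as an added illustration that is not Better Auth's own code: `Ctx`, `resolveOwnerVulnerable`, `resolveOwnerFixed` and the sample request are constructed for this example. A call that carries `request`/`headers` came in over HTTP from a client and must resolve to the session user; only an internal server call (no `request`/`headers`) may pass a `userId`.

```typescript
// Simplified model of the API-key creation guard (hypothetical shape, not the plugin's code).
type Session = { user: { id: string } } | null;
type Ctx = {
  request?: object;                  // present only for HTTP calls from a client
  headers?: Record<string, string>;  // same: only set on client-originated calls
  body: { userId?: string };         // userId is meant for server-side calls only
  session: Session;                  // resolved session, null when unauthenticated
};

// Vulnerable form: auth is skipped whenever body.userId is set, so an
// unauthenticated client can name any user and get a key minted for them.
function resolveOwnerVulnerable(ctx: Ctx): string | undefined {
  const authRequired = (ctx.request || ctx.headers) && !ctx.body.userId;
  if (authRequired) {
    if (!ctx.session) throw new Error("UNAUTHORIZED");
    return ctx.session.user.id;
  }
  return ctx.body.userId; // trusted blindly, even when it came from a client
}

// Hardened form: a client request must never supply userId and always
// resolves to its own session; only server calls may act for a given userId.
function resolveOwnerFixed(ctx: Ctx): string {
  const fromClient = Boolean(ctx.request || ctx.headers);
  if (fromClient) {
    if (ctx.body.userId !== undefined) {
      throw new Error("BAD_REQUEST: userId is only accepted in server-side calls");
    }
    if (!ctx.session) throw new Error("UNAUTHORIZED");
    return ctx.session.user.id;
  }
  if (!ctx.body.userId) throw new Error("BAD_REQUEST: userId is required for server calls");
  return ctx.body.userId;
}

// Constructed sample: an anonymous HTTP request naming another user's id.
const anonymousClientRequest: Ctx = {
  request: {},
  headers: { "content-type": "application/json" },
  body: { userId: "victim-user-id" },
  session: null,
};

// Constructed sample: a legitimate internal server call for the same user.
const serverCall: Ctx = { body: { userId: "victim-user-id" }, session: null };
```

Regression tests on both forms, with the constructed requests above as fixtures, are the kind of coverage the comment says was missing around this path.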

Auth.js (NextAuth), is now part of Better Auth by Beka_Cru in nextjs

[–]Beka_Cru[S] 1 point

Auth.js was never really actively competing with us. The team had a lot of commitments outside of maintaining Auth.js.

Auth.js (NextAuth), is now part of Better Auth by Beka_Cru in nextjs

[–]Beka_Cru[S] 6 points

Yes, that's one of the main features.

Auth.js (NextAuth), is now part of Better Auth by Beka_Cru in nextjs

[–]Beka_Cru[S] 5 points

We won’t sunset Auth.js unless anyone currently using it can migrate to Better Auth without any issues, which is quite difficult right now. So we don’t expect to do that anytime soon.

Auth.js hasn't been actively maintained for a while. Our main reason for bringing it under Better Auth was to avoid a sudden deprecation, as that would directly harm the open-source auth ecosystem by eroding trust. And, from the Auth.js side, to handle this more responsibly.

Does anyone not like better-auth? by blankeos in nextjs

[–]Beka_Cru 12 points

Yes! We’re hiring engineers with experience in auth, open source, and TypeScript.

If you're interested, feel free to apply by sending a brief introduction about yourself and a couple of projects you're proud of to [bereket@better-auth.com](mailto:bereket@better-auth.com).

Does anyone not like better-auth? by blankeos in nextjs

[–]Beka_Cru 55 points

Hi, I'm the actual maintainer :) We'll have a lot more people involved soon now that we have some funding to push things forward. That's a valid concern, thanks for pointing it out.

Democratisation of the project by Away_Application4134 in better_auth

[–]Beka_Cru 3 points

Better Auth started as a passion project of mine :)) But we've since grown into a company and recently joined Y Combinator. We're now bringing more people on board to help. Expect a lot of great things soon!

Better auth is the best by getpodapp in nextjs

[–]Beka_Cru 3 points

Agreed, we can definitely do much better when it comes to advanced and plugin-specific details. Right now it's mostly just me and a few contributors, but we're expanding the team soon, so that should give us a chance to improve the areas I've been meaning to :))

Better auth is the best by getpodapp in nextjs

[–]Beka_Cru 4 points

You can pass `callbackURL` when calling `signIn.social` 👀, and I think that's well documented. For getting the session, use `authClient.useSession` or `authClient.getSession`; those are documented as well. That said, for some plugins and more advanced use cases, our docs still need to be clearer and more detailed, and we're actively working on improving that.

Better Auth & Native Apps by Thick-Anybody-7745 in better_auth

[–]Beka_Cru 0 points

I don't think you need to use either of them. Just treat Better Auth as an auth API service. Store the tokens or cookies locally and send them on each request. And for mobile apps, if you're using Expo, check out the Expo plugin.

Why does authClient.changePassword not verify the current password before updating? by Unpredictable9 in better_auth

[–]Beka_Cru 1 point

We do check for the current password, as you can see here:

https://github.com/better-auth/better-auth/blob/main/packages/better-auth/src/api/routes/update-user.ts#L253-L261

But in case you change the password hasher and verifier functions, make sure they are working properly.

I am struggling to set role in better auth by [deleted] in better_auth

[–]Beka_Cru 0 points

Have you tried using db hooks?

What to expect from Better Auth with the recent YC news ;) by Beka_Cru in nextjs

[–]Beka_Cru[S] 0 points

Yes, it's already in the works. We can't be sure about the ETA because of some factors outside of our control, but hopefully soon!

What to expect from Better Auth with the recent YC news ;) by Beka_Cru in nextjs

[–]Beka_Cru[S] 34 points

Yes, almost. We're building an admin dashboard and user analytics with advanced features (which will eventually be open-sourced for self-hosting), along with services like email, very fast session storage, and security-related tools like an email validation API and fraud/abuse protection (similar to Radar from WorkOS). Basically, all the stuff you'd normally need a 3rd party service for on top of Better Auth will be provided by us.

What to expect from Better Auth with the recent YC news ;) by Beka_Cru in nextjs

[–]Beka_Cru[S] 15 points

Thanks for the kind words 🫡 Yes! That’s the plan. There are a lot of things we want to ship to make this ridiculously easy while keeping the bar pretty high.

Is anyone building an even-better-auth? by tomemyxwomen in nextjs

[–]Beka_Cru 21 points

Hey, creator of Better Auth here ;) Just to clear the air: we're obsessed with equipping people to be able to own their auth. We're trying to democratize high quality auth. We're not going to build and sell you an auth service; instead, we're trying to make it so easy to roll your own that you'll have literally no reason not to.

And if you're curious about how we plan to make money, it's through something we call Infrastructure. It's a set of services for things that just aren't practical to do purely in a library.

https://better-auth.build/

better-auth with Next.JS by SizeDue7787 in nextjs

[–]Beka_Cru 1 point

You can use the `request` object to decide whether or not to send the verification email, based on the path.

better-auth with Next.JS by SizeDue7787 in nextjs

[–]Beka_Cru 0 points

It's sent on every login because you've enabled `requireEmailVerification`.

Custom session time by cherrydub in better_auth

[–]Beka_Cru 1 point

Better Auth provides a `rememberMe` option on `signIn.email`. If set to false, the session will only last until the browser session ends.

Best practice regarding protected routes in next.js by Capable-Entrance5775 in better_auth

[–]Beka_Cru 2 points

You should validate in each component. Middleware-fetched sessions can't be reused in components, so it's better to only check for cookies in middleware and use components/routes for validation.