fix: use Better Auth internal API for invite user creation

2026-01-28 22:03:59 +00:00
parent 3e63a4be8d
commit ead71ae0a7
1 changed files with 18 additions and 27 deletions
--- a/src/routes/invite.ts
+++ b/src/routes/invite.ts
@@ -1,7 +1,8 @@
 import { Elysia, t } from 'elysia';
 import { db } from '../db';
-import { invites, users, accounts } from '../db/schema';
+import { invites, users } from '../db/schema';
 import { eq, and } from 'drizzle-orm';
+import { auth } from '../lib/auth';

 export const inviteRoutes = new Elysia({ prefix: '/auth/invite' })
  // Validate invite token (public - no auth required)
@@ -36,7 +37,7 @@ export const inviteRoutes = new Elysia({ prefix: '/auth/invite' })
  })

  // Accept invite (public - no auth required)
-  // Creates user directly in DB, bypassing Better Auth's blocked signup endpoint
+  // Uses Better Auth's internal API to create the user properly
  .post('/:token/accept', async ({ params, body, set }: {
    params: { token: string };
    body: { password: string; name?: string };
@@ -72,32 +73,21 @@ export const inviteRoutes = new Elysia({ prefix: '/auth/invite' })
    }

    try {
-      const now = new Date();
-      const userId = crypto.randomUUID();
-      const accountId = crypto.randomUUID();
-      const hashedPassword = await Bun.password.hash(body.password, { algorithm: 'bcrypt', cost: 10 });
-
-      // Create user record
-      await db.insert(users).values({
-        id: userId,
-        email: invite.email,
-        name: body.name || invite.name,
-        role: invite.role,
-        emailVerified: false,
-        createdAt: now,
-        updatedAt: now,
+      // Use Better Auth's internal API to create the user properly
+      const result = await auth.api.signUpEmail({
+        body: {
+          email: invite.email,
+          password: body.password,
+          name: body.name || invite.name,
+        },
      });

-      // Create credential account record (how Better Auth stores email/password)
-      await db.insert(accounts).values({
-        id: accountId,
-        userId,
-        accountId: userId,
-        providerId: 'credential',
-        password: hashedPassword,
-        createdAt: now,
-        updatedAt: now,
-      });
+      // Set the role from the invite
+      if (invite.role && invite.role !== 'user') {
+        await db.update(users)
+          .set({ role: invite.role })
+          .where(eq(users.email, invite.email));
+      }

      // Mark invite as accepted
      await db.update(invites)
@@ -107,13 +97,14 @@ export const inviteRoutes = new Elysia({ prefix: '/auth/invite' })
      return {
        success: true,
        user: {
-          id: userId,
+          id: result.user?.id,
          email: invite.email,
          name: body.name || invite.name,
          role: invite.role,
        },
      };
    } catch (error: any) {
+      console.error('Invite accept error:', error);
      set.status = 400;
      throw new Error(error.message || 'Failed to create account');
    }