fix: use scrypt hash to update password directly in accounts table instead of auth.api.setPassword

apps/api/src/routes/auth.ts

@@ -1,8 +1,9 @@
 import { Elysia, t } from 'elysia';
 import { db } from '../db';
-import { invites, users, projects, verifications } from '../db/schema';
+import { accounts, invites, users, projects, verifications } from '../db/schema';
 import { eq, and, gt, like } from 'drizzle-orm';
 import { auth } from '../lib/auth';
+import { hashPassword } from 'better-auth/crypto';
 
 export const authRoutes = new Elysia({ prefix: '/auth' })
   // Validate invite token (public)
@@ -173,14 +174,24 @@ export const authRoutes = new Elysia({ prefix: '/auth' })
     const userId = verification.identifier.replace('password-reset:', '');
     
     try {
-      await auth.api.setPassword({
-        body: {
-          userId,
-          newPassword: body.newPassword,
-        },
-      });
+      // Hash the new password using BetterAuth's scrypt hasher
+      const hashedPassword = await hashPassword(body.newPassword);
+      
+      // Update the credential account's password directly
+      const [updated] = await db
+        .update(accounts)
+        .set({ password: hashedPassword })
+        .where(and(
+          eq(accounts.userId, userId),
+          eq(accounts.providerId, 'credential')
+        ))
+        .returning();
+      
+      if (!updated) {
+        throw new Error('No credential account found for user');
+      }
     } catch (error) {
-      console.error('Failed to set password:', error);
+      console.error('Failed to reset password:', error);
       set.status = 500;
       throw new Error('Failed to reset password');
     }