From 1bc0ab091be70131a9890a952f7e92dfc6488a85 Mon Sep 17 00:00:00 2001
From: Hammer
Date: Wed, 28 Jan 2026 19:25:20 +0000
Subject: [PATCH] fix: use scrypt hash to update password directly in accounts table instead of auth.api.setPassword
---
 apps/api/src/routes/auth.ts | 27 +++++++++++++++++++--------
 1 file changed, 19 insertions(+), 8 deletions(-)
diff --git a/apps/api/src/routes/auth.ts b/apps/api/src/routes/auth.ts
index f4fda37..17b12b0 100644
--- a/apps/api/src/routes/auth.ts
+++ b/apps/api/src/routes/auth.ts
@@ -1,8 +1,9 @@
 import { Elysia, t } from 'elysia';
 import { db } from '../db';
-import { invites, users, projects, verifications } from '../db/schema';
+import { accounts, invites, users, projects, verifications } from '../db/schema';
 import { eq, and, gt, like } from 'drizzle-orm';
 import { auth } from '../lib/auth';
+import { hashPassword } from 'better-auth/crypto';
 export const authRoutes = new Elysia({ prefix: '/auth' })
 // Validate invite token (public)
@@ -173,14 +174,24 @@ export const authRoutes = new Elysia({ prefix: '/auth' })
 const userId = verification.identifier.replace('password-reset:', '');
 try {
- await auth.api.setPassword({
- body: {
- userId,
- newPassword: body.newPassword,
- },
- });
+ // Hash the new password using BetterAuth's scrypt hasher
+ const hashedPassword = await hashPassword(body.newPassword);
+
+ // Update the credential account's password directly
+ const [updated] = await db
+ .update(accounts)
+ .set({ password: hashedPassword })
+ .where(and(
+ eq(accounts.userId, userId),
+ eq(accounts.providerId, 'credential')
+ ))
+ .returning();
+
+ if (!updated) {
+ throw new Error('No credential account found for user');
+ }
 } catch (error) {
- console.error('Failed to set password:', error);
+ console.error('Failed to reset password:', error);
 set.status = 500;
 throw new Error('Failed to reset password');
 }
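Review bot: The new `db.update(accounts)` in the try block of the second hunk writes the password hash, but nothing visible there invalidates the user's existing sessions or consumes the `password-reset:` verification row. The handler continues outside the hunk, so confirm both happen there, ideally in the same transaction as the password write, so that a reset actually cuts off a previously compromised session and the token cannot be replayed. Calling `hashPassword(body.newPassword)` directly also bypasses any password policy that `auth.api.setPassword` enforced; unless the route's body schema already bounds `newPassword`, add a minimum and maximum length check before hashing. The bare `.returning()` pulls the whole account row, including the fresh hash, back into the handler only to test existence; a narrow projection such as `.returning({ userId: accounts.userId })` is enough. Worth a short comment above the update stating why the library call was replaced and that the `'credential'` provider id and the hash format must stay in step with the auth configuration.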