Skip to content

fix: incorrect operationId in password reset callback endpoint#9072

Merged
ping-maxwell merged 4 commits intobetter-auth:mainfrom
ramonclaudio:chore/rename-forget-to-forgot
Apr 9, 2026
Merged

fix: incorrect operationId in password reset callback endpoint#9072
ping-maxwell merged 4 commits intobetter-auth:mainfrom
ramonclaudio:chore/rename-forget-to-forgot

Conversation

@ramonclaudio
Copy link
Copy Markdown
Contributor

@ramonclaudio ramonclaudio commented Apr 9, 2026
edited
Loading

Fixes an incorrect top-level operationId on requestPasswordResetCallback. The top-level field feeds the OpenTelemetry span attribute ATTR_OPERATION_ID (via getOperationId in api/to-auth-endpoints.ts), while the OpenAPI generator reads metadata.openapi.operationId. On this route they were out of sync: OpenAPI said resetPasswordCallback but OTel was tagged forgetPasswordCallback, a leftover from the old /forget-password route name. Every other endpoint that sets both fields (e.g. email-verification.ts:82+96, oauth-proxy/index.ts:138+143) keeps them matching; this route was the only outlier.

Bundled a forget to forgot cleanup pass on places unrelated to the deprecated /forget-password/email-otp flow:

  • packages/better-auth/src/api/routes/password.ts:156: top-level operationId to resetPasswordCallback
  • packages/better-auth/src/api/routes/password.test.ts:6: describe("forget password") to describe("forgot password")
  • demo/nextjs: (auth)/forget-password/ directory, forget-password-form.tsx, Forget* identifiers, sign-in-form.tsx href
  • demo/expo: forget-password.tsx file, index.tsx route push and button text. Also fixes a broken authClient.forgetPassword(...) call (method does not exist on the current client) by switching to authClient.requestPasswordReset(...)

Untouched on purpose: the deprecated /forget-password/email-otp endpoint, its "forget-password" OTP type literal, the forget-password-otp- identifier prefix, the forgetPasswordEmailOTP export, the rate-limiter matcher, the email-otp docs that describe those literals, and the 1-4.mdx / 1-5.mdx blog history. Renaming any of those would invalidate stored OTPs and break consumers still on the deprecated path.

@ramonclaudio ramonclaudio requested review from a team as code owners April 9, 2026 17:25
@ramonclaudio ramonclaudio requested review from bytaesu and removed request for a team April 9, 2026 17:25
@better-release better-release bot added core Core infra, API routes, session, cookies, client SDK docs Documentation, demos labels Apr 9, 2026
@pkg-pr-new
Copy link
Copy Markdown

pkg-pr-new bot commented Apr 9, 2026
edited
Loading

Open in StackBlitz

@better-auth/api-key

npm i https://pkg.pr.new/@better-auth/api-key@9072

better-auth

npm i https://pkg.pr.new/better-auth@9072

auth

npm i https://pkg.pr.new/auth@9072

@better-auth/core

npm i https://pkg.pr.new/@better-auth/core@9072

@better-auth/drizzle-adapter

npm i https://pkg.pr.new/@better-auth/drizzle-adapter@9072

@better-auth/electron

npm i https://pkg.pr.new/@better-auth/electron@9072

@better-auth/expo

npm i https://pkg.pr.new/@better-auth/expo@9072

@better-auth/i18n

npm i https://pkg.pr.new/@better-auth/i18n@9072

@better-auth/kysely-adapter

npm i https://pkg.pr.new/@better-auth/kysely-adapter@9072

@better-auth/memory-adapter

npm i https://pkg.pr.new/@better-auth/memory-adapter@9072

@better-auth/mongo-adapter

npm i https://pkg.pr.new/@better-auth/mongo-adapter@9072

@better-auth/oauth-provider

npm i https://pkg.pr.new/@better-auth/oauth-provider@9072

@better-auth/passkey

npm i https://pkg.pr.new/@better-auth/passkey@9072

@better-auth/prisma-adapter

npm i https://pkg.pr.new/@better-auth/prisma-adapter@9072

@better-auth/redis-storage

npm i https://pkg.pr.new/@better-auth/redis-storage@9072

@better-auth/scim

npm i https://pkg.pr.new/@better-auth/scim@9072

@better-auth/sso

npm i https://pkg.pr.new/@better-auth/sso@9072

@better-auth/stripe

npm i https://pkg.pr.new/@better-auth/stripe@9072

@better-auth/telemetry

npm i https://pkg.pr.new/@better-auth/telemetry@9072

@better-auth/test-utils

npm i https://pkg.pr.new/@better-auth/test-utils@9072

commit: af34a1c

cubic-dev-ai[bot]
cubic-dev-ai bot reviewed Apr 9, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 8 files

@ramonclaudio ramonclaudio force-pushed the chore/rename-forget-to-forgot branch from 09eb044 to 0d1c7e0 Compare April 9, 2026 17:34
@ramonclaudio ramonclaudio changed the title chore: rename leftover forget to forgot in non-deprecated paths fix(api): align password reset callback operation id with openapi Apr 9, 2026
ping-maxwell
ping-maxwell requested changes Apr 9, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@ping-maxwell ping-maxwell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just the changeset should be updated, the rest looks good

Comment thread .changeset/fix-password-reset-callback-operation-id.md Outdated
@ping-maxwell ping-maxwell changed the title fix(api): align password reset callback operation id with openapi fix: incorrect operationId in password reset callback endpoint Apr 9, 2026
@ramonclaudio
fix(api): align password reset callback operation id with openapi
03f6379
@ramonclaudio
chore(demo): rename forget-password to forgot-password
a4c8382 
fixes broken authClient.forgetPassword() call in expo demo (method does not exist on client) by switching to authClient.requestPasswordReset()
@ramonclaudio ramonclaudio force-pushed the chore/rename-forget-to-forgot branch from 0d1c7e0 to a4c8382 Compare April 9, 2026 18:01
@ping-maxwell ping-maxwell enabled auto-merge April 9, 2026 20:07
@ping-maxwell ping-maxwell added this pull request to the merge queue Apr 9, 2026
Merged via the queue into better-auth:main with commit 6ce30cf Apr 9, 2026
27 of 28 checks passed
@better-release better-release bot mentioned this pull request Apr 9, 2026
Merged
@ramonclaudio ramonclaudio deleted the chore/rename-forget-to-forgot branch April 10, 2026 15:48
@better-release better-release bot mentioned this pull request Apr 10, 2026
Merged
@better-release
Copy link
Copy Markdown
Contributor

better-release bot commented Apr 18, 2026

This issue has been locked as it was closed more than 7 days ago. If you're experiencing a similar problem or you have additional context, please open a new issue and reference this one.

@better-release better-release bot added the locked Locked conversations after being closed for 7 days label Apr 18, 2026
@better-release better-release bot locked as resolved and limited conversation to collaborators Apr 18, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

@ping-maxwell ping-maxwell ping-maxwell approved these changes

@bytaesu bytaesu Awaiting requested review from bytaesu bytaesu is a code owner automatically assigned from better-auth/docs

Assignees

No one assigned

Labels

core Core infra, API routes, session, cookies, client SDK docs Documentation, demos locked Locked conversations after being closed for 7 days

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ramonclaudio @ping-maxwell