Sensitive Actions
Certain actions in your application, like deleting an account, changing a password, or updating billing information, are highly sensitive. To protect these actions from session hijacking or an unattended terminal, you should require users to re-authenticate or verify their identity.
Implementing Step-Up Authentication
Better Auth provides mechanisms to handle sensitive actions securely.
- Re-Authentication: Before allowing a sensitive action, redirect the user to a specific verification route or open a modal that requires them to enter their password or a TOTP code.
- Session Flags: Once verified, you can temporarily flag the user's session as "recently verified" or create a short-lived token specifically for executing the sensitive action.
- Backend Validation: In your Convex mutations (e.g., in users.ts or billing.ts), explicitly check that this elevated authorization state is present before proceeding with the operation.
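The three pieces above fit together as a single backend guard. The following is an added, framework-agnostic illustration (not Better Auth's or Convex's own code): the session field name recentlyVerifiedAt, the five-minute window and the in-memory store are assumptions made for the example.

```typescript
// Shape of the session as seen by a sensitive mutation (assumed for this example).
interface Session {
  userId: string;
  // Set by the re-authentication route once the user has entered their
  // password or TOTP code; absent until they do.
  recentlyVerifiedAt?: number; // Unix time in ms
}

// How long a successful re-authentication stays valid for sensitive actions
// (assumed value; tune to your risk appetite).
const STEP_UP_WINDOW_MS = 5 * 60 * 1000;

class StepUpRequiredError extends Error {
  constructor(reason: string) {
    super(`step-up authentication required: ${reason}`);
    this.name = "StepUpRequiredError";
  }
}

// True only if the session carries a verification flag that is fresh and
// not from the future (a clock-skewed or forged timestamp is never trusted).
function isRecentlyVerified(session: Session, now: number, windowMs = STEP_UP_WINDOW_MS): boolean {
  const at = session.recentlyVerifiedAt;
  if (at === undefined) return false;
  if (at > now) return false;
  return now - at <= windowMs;
}

// Guard to call at the top of a sensitive mutation (e.g. in users.ts).
function assertRecentlyVerified(session: Session, now: number): void {
  if (session.recentlyVerifiedAt === undefined) {
    throw new StepUpRequiredError("session has not been re-verified");
  }
  if (!isRecentlyVerified(session, now)) {
    throw new StepUpRequiredError("verification is stale or invalid");
  }
}

// Example sensitive operation: delete the caller's own record. The store
// stands in for the users table; it is only touched after the guard passes.
function deleteAccount(store: Map<string, unknown>, session: Session, now: number): boolean {
  assertRecentlyVerified(session, now);
  return store.delete(session.userId);
}
```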
Example: Account Deletion
Account deletion is enabled by default in Better Auth:
```ts
user: {
  deleteUser: {
    enabled: true,
  },
},
```
When a user initiates this action, ensure your UI prompts them to confirm their intent, often by typing a phrase like "DELETE" or entering their current password, before executing the deletion API call. The Convex backend uses the onDelete trigger to automatically clean up the associated record in the users table.
Two-Factor Authentication Scope
When implementing Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA), it's important to understand the scope and how it affects the user session.
Removing Authentication Providers
You might decide to simplify your login experience by removing unused authentication providers. Since Better Auth is configured declaratively, removing a provider is straightforward.