chore(auth): upgrade better-auth 1.3.12 → 1.6.11 (#4766)

* chore(auth): upgrade better-auth 1.3.12 → 1.6.11

* chore(auth): address Greptile review — broaden change-email type + migration newline

* fix(auth): correct oneTimeToken expiresIn unit (minutes, not seconds)

Better-auth's oneTimeToken expiresIn is in minutes (multiplied by 60_000ms
internally). Sim's existing 24*60*60 evaluated to ~60 days of token
lifetime instead of the intended 24 hours. Tokens are one-time-use and
typically consumed within seconds of generation (Socket.IO handshake),
so this tightens an unused security window without affecting UX.

Author: waleedlatif1

apps/sim/app/api/auth/forget-password/route.test.ts

@@ -6,7 +6,7 @@
 import { createMockRequest } from '@sim/testing'
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
 
-const { mockForgetPassword, mockLogger } = vi.hoisted(() => {
+const { mockRequestPasswordReset, mockLogger } = vi.hoisted(() => {
   const logger = {
     info: vi.fn(),
     warn: vi.fn(),
@@ -17,7 +17,7 @@ const { mockForgetPassword, mockLogger } = vi.hoisted(() => {
     child: vi.fn(),
   }
   return {
-    mockForgetPassword: vi.fn(),
+    mockRequestPasswordReset: vi.fn(),
     mockLogger: logger,
   }
 })
@@ -28,7 +28,7 @@ vi.mock('@/lib/core/utils/urls', () => ({
 vi.mock('@/lib/auth', () => ({
   auth: {
     api: {
-      forgetPassword: mockForgetPassword,
+      requestPasswordReset: mockRequestPasswordReset,
     },
   },
 }))
@@ -43,7 +43,7 @@ import { POST } from '@/app/api/auth/forget-password/route'
 describe('Forget Password API Route', () => {
   beforeEach(() => {
     vi.clearAllMocks()
-    mockForgetPassword.mockResolvedValue(undefined)
+    mockRequestPasswordReset.mockResolvedValue(undefined)
   })
 
   afterEach(() => {
@@ -62,7 +62,7 @@ describe('Forget Password API Route', () => {
     expect(response.status).toBe(200)
     expect(data.success).toBe(true)
 
-    expect(mockForgetPassword).toHaveBeenCalledWith({
+    expect(mockRequestPasswordReset).toHaveBeenCalledWith({
       body: {
         email: 'test@example.com',
         redirectTo: 'https://app.example.com/reset',
@@ -83,7 +83,7 @@ describe('Forget Password API Route', () => {
     expect(response.status).toBe(400)
     expect(data.message).toBe('Redirect URL must be a valid same-origin URL')
 
-    expect(mockForgetPassword).not.toHaveBeenCalled()
+    expect(mockRequestPasswordReset).not.toHaveBeenCalled()
   })
 
   it('should send password reset email without redirectTo', async () => {
@@ -97,7 +97,7 @@ describe('Forget Password API Route', () => {
     expect(response.status).toBe(200)
     expect(data.success).toBe(true)
 
-    expect(mockForgetPassword).toHaveBeenCalledWith({
+    expect(mockRequestPasswordReset).toHaveBeenCalledWith({
       body: {
         email: 'test@example.com',
         redirectTo: undefined,
@@ -115,7 +115,7 @@ describe('Forget Password API Route', () => {
     expect(response.status).toBe(400)
     expect(data.message).toBe('Email is required')
 
-    expect(mockForgetPassword).not.toHaveBeenCalled()
+    expect(mockRequestPasswordReset).not.toHaveBeenCalled()
   })
 
   it('should handle empty email', async () => {
@@ -129,13 +129,13 @@ describe('Forget Password API Route', () => {
     expect(response.status).toBe(400)
     expect(data.message).toBe('Please provide a valid email address')
 
-    expect(mockForgetPassword).not.toHaveBeenCalled()
+    expect(mockRequestPasswordReset).not.toHaveBeenCalled()
   })
 
   it('should handle auth service error with message', async () => {
     const errorMessage = 'User not found'
 
-    mockForgetPassword.mockRejectedValue(new Error(errorMessage))
+    mockRequestPasswordReset.mockRejectedValue(new Error(errorMessage))
 
     const req = createMockRequest('POST', {
       email: 'nonexistent@example.com',
@@ -153,7 +153,7 @@ describe('Forget Password API Route', () => {
   })
 
   it('should handle unknown error', async () => {
-    mockForgetPassword.mockRejectedValue('Unknown error')
+    mockRequestPasswordReset.mockRejectedValue('Unknown error')
 
     const req = createMockRequest('POST', {
       email: 'test@example.com',

apps/sim/app/api/auth/forget-password/route.ts

@@ -33,7 +33,7 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
 
     const { email, redirectTo } = parsed.data.body
 
-    await auth.api.forgetPassword({
+    await auth.api.requestPasswordReset({
       body: {
         email,
         redirectTo,

apps/sim/components/emails/auth/otp-verification-email.tsx

@@ -6,7 +6,7 @@ import { getBrandConfig } from '@/ee/whitelabeling'
 interface OTPVerificationEmailProps {
   otp: string
   email?: string
-  type?: 'sign-in' | 'email-verification' | 'forget-password' | 'chat-access'
+  type?: 'sign-in' | 'email-verification' | 'change-email' | 'forget-password' | 'chat-access'
   chatTitle?: string
 }
 
@@ -16,6 +16,8 @@ const getSubjectByType = (type: string, brandName: string, chatTitle?: string) =
       return `Sign in to ${brandName}`
     case 'email-verification':
       return `Verify your email for ${brandName}`
+    case 'change-email':
+      return `Verify your new email for ${brandName}`
     case 'forget-password':
       return `Reset your ${brandName} password`
     case 'chat-access':

apps/sim/components/emails/render.ts

@@ -39,7 +39,11 @@ interface WorkspaceInvitation {
 export async function renderOTPEmail(
   otp: string,
   email: string,
-  type: 'sign-in' | 'email-verification' | 'forget-password' = 'email-verification',
+  type:
+    | 'sign-in'
+    | 'email-verification'
+    | 'change-email'
+    | 'forget-password' = 'email-verification',
   chatTitle?: string
 ): Promise<string> {
   return await render(OTPVerificationEmail({ otp, email, type, chatTitle }))

apps/sim/components/emails/subjects.ts

@@ -4,6 +4,7 @@ import { getBrandConfig } from '@/ee/whitelabeling'
 export type EmailSubjectType =
   | 'sign-in'
   | 'email-verification'
+  | 'change-email'
   | 'forget-password'
   | 'reset-password'
   | 'invitation'
@@ -34,6 +35,8 @@ export function getEmailSubject(type: EmailSubjectType): string {
       return `Sign in to ${brandName}`
     case 'email-verification':
       return `Verify your email for ${brandName}`
+    case 'change-email':
+      return `Verify your new email for ${brandName}`
     case 'forget-password':
       return `Reset your ${brandName} password`
     case 'reset-password':