fix: cookie size limit shouldn't throw error (#5031)

Co-authored-by: Alex Yang <himself65@outlook.com>

Author: Bekacru

packages/better-auth/src/api/routes/sign-up.ts

@@ -195,99 +195,119 @@ export const signUpEmail = <O extends BetterAuthOptions>() =>
 });
 }
 
-const maxPasswordLength = ctx.context.password.config.maxPasswordLength;
-if (password.length > maxPasswordLength) {
-ctx.context.logger.error("Password is too long");
-throw new APIError("BAD_REQUEST", {
-message: BASE_ERROR_CODES.PASSWORD_TOO_LONG,
-});
-}
-const dbUser = await ctx.context.internalAdapter.findUserByEmail(email);
-if (dbUser?.user) {
-ctx.context.logger.info(`Sign-up attempt for existing email: ${email}`);
-throw new APIError("UNPROCESSABLE_ENTITY", {
-message: BASE_ERROR_CODES.USER_ALREADY_EXISTS_USE_ANOTHER_EMAIL,
-});
-}
-
-const additionalData = parseUserInput(
-ctx.context.options,
-additionalFields as any,
-);
-/**
- * Hash the password
- *
- * This is done prior to creating the user
- * to ensure that any plugin that
- * may break the hashing should break
- * before the user is created.
- */
-const hash = await ctx.context.password.hash(password);
-let createdUser: User;
-try {
-createdUser = await ctx.context.internalAdapter.createUser(
-{
-email: email.toLowerCase(),
-name,
-image,
-...additionalData,
-emailVerified: false,
-},
-ctx,
-);
-if (!createdUser) {
+const maxPasswordLength = ctx.context.password.config.maxPasswordLength;
+if (password.length > maxPasswordLength) {
+ctx.context.logger.error("Password is too long");
 throw new APIError("BAD_REQUEST", {
-message: BASE_ERROR_CODES.FAILED_TO_CREATE_USER,
+message: BASE_ERROR_CODES.PASSWORD_TOO_LONG,
 });
 }
-} catch (e) {
-if (isDevelopment) {
-ctx.context.logger.error("Failed to create user", e);
+const dbUser = await ctx.context.internalAdapter.findUserByEmail(email);
+if (dbUser?.user) {
+ctx.context.logger.info(
+`Sign-up attempt for existing email: ${email}`,
+);
+throw new APIError("UNPROCESSABLE_ENTITY", {
+message: BASE_ERROR_CODES.USER_ALREADY_EXISTS_USE_ANOTHER_EMAIL,
+});
 }
-if (e instanceof APIError) {
-throw e;
+
+ const additionalData = parseUserInput(
+ ctx.context.options,
+ additionalFields as any,
+ );
+/**
+ * Hash the password
+ *
+ * This is done prior to creating the user
+ * to ensure that any plugin that
+ * may break the hashing should break
+ * before the user is created.
+ */
+const hash = await ctx.context.password.hash(password);
+let createdUser: User;
+try {
+createdUser = await ctx.context.internalAdapter.createUser(
+{
+email: email.toLowerCase(),
+name,
+image,
+ ...additionalData,
+emailVerified: false,
+},
+ctx,
+);
+if (!createdUser) {
+throw new APIError("BAD_REQUEST", {
+message: BASE_ERROR_CODES.FAILED_TO_CREATE_USER,
+});
+}
+} catch (e) {
+if (isDevelopment) {
+ctx.context.logger.error("Failed to create user", e);
+}
+if (e instanceof APIError) {
+throw e;
+}
+ctx.context.logger?.error("Failed to create user", e);
+throw new APIError("UNPROCESSABLE_ENTITY", {
+message: BASE_ERROR_CODES.FAILED_TO_CREATE_USER,
+details: e,
+});
 }
-throw new APIError("UNPROCESSABLE_ENTITY", {
-message: BASE_ERROR_CODES.FAILED_TO_CREATE_USER,
-details: e,
-});
-}
-if (!createdUser) {
-throw new APIError("UNPROCESSABLE_ENTITY", {
-message: BASE_ERROR_CODES.FAILED_TO_CREATE_USER,
-});
-}
-await ctx.context.internalAdapter.linkAccount(
-{
-userId: createdUser.id,
-providerId: "credential",
-accountId: createdUser.id,
-password: hash,
-},
-ctx,
-);
-if (
-ctx.context.options.emailVerification?.sendOnSignUp ||
-ctx.context.options.emailAndPassword.requireEmailVerification
-) {
-const token = await createEmailVerificationToken(
-ctx.context.secret,
-createdUser.email,
-undefined,
-ctx.context.options.emailVerification?.expiresIn,
-);
-const url = `${
-ctx.context.baseURL
-}/verify-email?token=${token}&callbackURL=${body.callbackURL || "/"}`;
-await ctx.context.options.emailVerification?.sendVerificationEmail?.(
+if (!createdUser) {
+throw new APIError("UNPROCESSABLE_ENTITY", {
+message: BASE_ERROR_CODES.FAILED_TO_CREATE_USER,
+});
+}
+await ctx.context.internalAdapter.linkAccount(
 {
-user: createdUser,
-url,
-token,
+userId: createdUser.id,
+providerId: "credential",
+accountId: createdUser.id,
+password: hash,
 },
-ctx.request,
+ctx,
 );
-}
+if (
+ctx.context.options.emailVerification?.sendOnSignUp ||
+ctx.context.options.emailAndPassword.requireEmailVerification
+) {
+const token = await createEmailVerificationToken(
+ctx.context.secret,
+createdUser.email,
+undefined,
+ctx.context.options.emailVerification?.expiresIn,
+);
+const url = `${
+ctx.context.baseURL
+}/verify-email?token=${token}&callbackURL=${body.callbackURL || "/"}`;
+
+const args: Parameters<
+Required<
+Required<BetterAuthOptions>["emailVerification"]
+>["sendVerificationEmail"]
+> = ctx.request
+? [
+{
+user: createdUser,
+url,
+token,
+},
+ctx.request,
+]
+: [
+{
+user: createdUser,
+url,
+token,
+},
+];
+
+await ctx.context.options.emailVerification?.sendVerificationEmail?.(
+...args,
+);
+}
 
 if (
 ctx.context.options.emailAndPassword.autoSignIn === false ||

packages/better-auth/src/cookies/cookies.test.ts

@@ -368,4 +368,68 @@ describe("getSessionCookie", async () => {
 });
 await expect(getCookieCache(request)).rejects.toThrow();
 });
+
+it("should log error and skip setting cookie when data exceeds size limit", async () => {
+const loggerErrors: string[] = [];
+const mockLogger = {
+log: (level: string, message: string) => {
+if (level === "error") {
+loggerErrors.push(message);
+}
+},
+};
+
+const { auth } = await getTestInstance({
+secret: "better-auth.secret",
+user: {
+additionalFields: {
+customField1: {
+type: "string",
+defaultValue: "",
+},
+customField2: {
+type: "string",
+defaultValue: "",
+},
+customField3: {
+type: "string",
+defaultValue: "",
+},
+},
+},
+session: {
+cookieCache: {
+enabled: true,
+},
+},
+logger: mockLogger,
+});
+
+// Create a very large string that will exceed the cookie size limit when combined with session data
+// The limit is 4093 bytes, so we create data that will definitely exceed it
+const largeString = "x".repeat(2000);
+
+// Sign up with large user data using the server API
+const result = await auth.api.signUpEmail({
+body: {
+name: "Test User",
+email: "large-data-test@example.com",
+password: "password123",
+customField1: largeString,
+customField2: largeString,
+customField3: largeString,
+},
+});
+
+// Check that logger recorded an error about exceeding size limit
+const sizeError = loggerErrors.find((msg) =>
+msg.includes("Session data exceeds cookie size limit"),
+);
+expect(sizeError).toBeDefined();
+expect(sizeError).toContain("4093 bytes");
+
+// The sign up should still succeed
+expect(result).toBeDefined();
+expect(result?.user).toBeDefined();
+});
 });

packages/better-auth/src/cookies/index.ts

@@ -145,9 +145,10 @@ export async function setCookieCache(
 },
 );
 if (data.length > 4093) {
-throw new BetterAuthError(
-"Session data is too large to store in the cookie. Please disable session cookie caching or reduce the size of the session data",
+ctx.context?.logger?.error(
+`Session data exceeds cookie size limit (${data.length} bytes > 4093 bytes). Consider reducing session data size or disabling cookie cache. Session will not be cached in cookie.`,
 );
+return;
 }
 ctx.setCookie(ctx.context.authCookies.sessionData.name, data, options);
 }