
better-auth-harmony
A better-auth plugin for email & phone normalization and additional validation, blocking over 55,000 temporary email domains.
Email normalization: foo+temp@gmail.com -> foo@gmail.com
Phone normalization: +1 (555) 123-1234 -> +15551231234
Validation: throwaway@mailinator.com -> Blocked
```bash
npm i better-auth-harmony
```

```ts
// auth.ts
import { betterAuth } from 'better-auth';
import { emailHarmony } from 'better-auth-harmony';

export const auth = betterAuth({
  // ... other config options
  plugins: [emailHarmony()]
});
```
```bash
npx @better-auth/cli migrate
```

or

```bash
npx @better-auth/cli generate
```
See the Schema section to add the fields manually.
The validator.js package lacks proper ESM support. Please open an issue in this repo if the following workarounds don't help.
`Error [ERR_MODULE_NOT_FOUND]: Cannot find module`

- Add better-auth-harmony to transpilePackages in next.config
- Add better-auth-harmony to ssr.noExternal in vite.config

`Cannot use import statement outside a module`

Set NODE_OPTIONS=--experimental-detect-module for Node >= 20.10, either as an environment variable, or via:

```bash
npx --node-options=--experimental-detect-module @better-auth/cli generate
```

or as a local script in package.json:

```json
{
  "scripts": {
    "auth-generate": "NODE_OPTIONS=--experimental-detect-module cli generate"
  }
}
```

If none of the above works, consider yarn patch or npm patch-package to add "type": "module" to validator's package.json.
- `allowNormalizedSignin` (default=false) - Allow logging in with any version of the unnormalized email address. For example, a user who signed up with the email johndoe@googlemail.com may also log in with john.doe@gmail.com. Makes 1 extra database query for every login attempt.
- `validator` - Custom function to validate email. By default uses validator.js and Mailchecker.
- `normalizer` - Custom function to normalize the email address. By default uses validator.js/normalizeEmail().
- `matchers` - Customize when to run input email validation and normalization. Normalization always runs on user creation and update regardless of this setting.

The emailHarmony plugin requires an additional field in the user table:
| Field Name | Type | Optional | Unique | Description |
|---|---|---|---|---|
| normalizedEmail | string | True | True | User's email address after normalization |
The normalizedEmail field being unique prevents users from signing up with throwaway variations of
the same email address.
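How the unique `normalizedEmail` field and `allowNormalizedSignin` interact, as an added example that is not code from better-auth-harmony. `normalizeEmail` here is a simplified stand-in for validator.js that models only the Gmail rules shown above, and `UserTable` and `BLOCKED_DOMAINS` are hypothetical names with constructed sample data.

```javascript
// Constructed sample; the plugin's real blocklist comes from Mailchecker.
const BLOCKED_DOMAINS = new Set(['mailinator.com']);

// Simplified stand-in for validator.js normalizeEmail(): Gmail rules only.
function normalizeEmail(email) {
  const at = email.lastIndexOf('@');
  if (at < 1 || at === email.length - 1) throw new Error('invalid email');
  let local = email.slice(0, at).toLowerCase();
  let domain = email.slice(at + 1).toLowerCase();
  if (domain === 'googlemail.com') domain = 'gmail.com';
  if (domain === 'gmail.com') {
    // Drop the "+tag" suffix and the dots, which Gmail ignores.
    local = local.split('+')[0].replace(/\./g, '');
  }
  if (!local) throw new Error('invalid email');
  return `${local}@${domain}`;
}

// Hypothetical in-memory user table with a unique index on normalizedEmail.
class UserTable {
  constructor() {
    this.byNormalized = new Map();
  }

  signUp(email) {
    const normalizedEmail = normalizeEmail(email);
    const domain = normalizedEmail.split('@')[1];
    if (BLOCKED_DOMAINS.has(domain)) return { ok: false, reason: 'blocked-domain' };
    // The unique constraint: one account per normalized address.
    if (this.byNormalized.has(normalizedEmail)) return { ok: false, reason: 'duplicate' };
    const user = { email, normalizedEmail }; // the email itself is stored as entered
    this.byNormalized.set(normalizedEmail, user);
    return { ok: true, user };
  }

  // With allowNormalizedSignin=false only the stored email matches.
  // With true, a second lookup by normalizedEmail is made (the extra query).
  findForSignIn(email, allowNormalizedSignin) {
    for (const u of this.byNormalized.values()) if (u.email === email) return u;
    if (!allowNormalizedSignin) return null;
    return this.byNormalized.get(normalizeEmail(email)) ?? null;
  }
}
```
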
[!NOTE] Unlike emailHarmony, phone number normalization intercepts and modifies the user's phoneNumber, permitting only normalized numbers in the backend.
```bash
npm i better-auth-harmony
```

```ts
// auth.ts
import { betterAuth } from 'better-auth';
import { phoneNumber } from 'better-auth/plugins';
import { phoneHarmony } from 'better-auth-harmony';

export const auth = betterAuth({
  // ... other config options
  plugins: [phoneNumber(), phoneHarmony()]
});
```
See the better-auth phoneNumber plugin documentation for information on configuring phoneNumber(), including validation.
- `defaultCountry` - Default country for numbers written in non-international form (without a + sign).
- `defaultCallingCode` - Default calling code for numbers written in non-international form (without a + sign). Useful for parsing non-geographic codes such as +800 numbers.
- `extract` (default=true) - Defines the "strictness" of parsing a phone number. By default, it will attempt to extract the phone number from any input string, such as "My phone number is (213) 373-4253".
- `acceptRawInputOnError` (default=false) - If the normalizer throws, for example because it is unable to parse the phone number, use the original input. For example, the phone number "+12" will be saved as-is to the database.
- `normalizer` - Custom function to normalize phone number. Default uses parsePhoneNumberWithError from libphonenumber-js/max. Can be used to infer the country through the Request object, for example using IP address geolocation.
- `matchers` - Customize when to run input phoneNumber validation.

FAQs
Validation and normalization for better-auth
The npm package better-auth-harmony receives a total of 23,083 weekly downloads. As such, better-auth-harmony popularity was classified as popular.
We found that better-auth-harmony demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.