From 0c0fc9d3c55a3f90fd0b660987ed721aecd1484c Mon Sep 17 00:00:00 2001
From: James Morton <james.morton@quackback.io>
Date: Tue, 30 Jun 2026 00:09:28 +0100
Subject: [PATCH] fix(auth): drop ignored magicLink allowedAttempts option

better-auth consumes magic-link tokens atomically on the first
verification call, so allowedAttempts has no effect for any value
other than 1 (GHSA-hc7v-rggr-4hvx). Remove the option to silence
the startup warning.
---
 apps/web/src/lib/server/auth/index.ts | 2 --
 1 file changed, 2 deletions(-)

diff --git a/apps/web/src/lib/server/auth/index.ts b/apps/web/src/lib/server/auth/index.ts
index 0c6d7bd02..f04f64a87 100644
--- a/apps/web/src/lib/server/auth/index.ts
+++ b/apps/web/src/lib/server/auth/index.ts
@@ -377,8 +377,6 @@ async function createAuth() {
         // pushes their verification row out to 7 days post-mint.
         expiresIn: 60 * 10,
         disableSignUp: false,
-        // Outlook Safe Links / Slack unfurl can consume tokens before the user clicks.
-        allowedAttempts: 3,
       }),
 
       emailOTP({