Matt
3ae86f2854
The /set-password page is the landing target for two unrelated email
flows:
1. CRM admin invite → `crm_user_invites` row, consumed via
`consumeCrmInvite` (creates the better-auth user + profile).
2. Forgot-password → better-auth verification row, consumed via
`auth.api.resetPassword` (rotates the password on an existing
user).
The endpoint previously only handled (1). A user clicking a
reset-password link landed on the same page but hit a token-not-found
error because their token isn't in the invite table.
Try the invite path first (the historical behaviour); on NotFoundError
fall through to better-auth's resetPassword. Both stores rejecting
returns a single unified `INVITE_OR_RESET_INVALID` error matching the
page's existing error-rendering shape.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>