separate auth instances for every origin

Author: Rajat

apps/web/app/actions.ts

@@ -3,14 +3,7 @@ import { headers as headersType } from "next/headers";
 export async function getBackendAddress(
     headers: Headers,
 ): Promise<`${string}://${string}`> {
-    const protocol = headers.get("x-forwarded-proto") || "http";
-    const forwardedHost = headers
-        .get("x-forwarded-host")
-        ?.split(",")[0]
-        ?.trim();
-    const host = forwardedHost || headers.get("host");
-
-    return `${protocol}://${host}`;
+    return `${headers.get("x-forwarded-proto")}://${headers.get("host")}`;
 }
 
 export async function getAddressFromHeaders(headers: typeof headersType) {

apps/web/app/api/auth/[...all]/route.ts

@@ -1,10 +1,11 @@
 import { als } from "@/async-local-storage";
 import { getBackendAddress } from "@/app/actions";
-import { auth } from "@/auth";
+import { getAuth } from "@/auth";
 import { toNextJsHandler } from "better-auth/next-js";
 
-const handlers = toNextJsHandler(auth);
+const getHandlers = (baseURL: string) => toNextJsHandler(getAuth(baseURL));
 
+// This is needed to prevent creating URLs like https://0.0.0.0:3000/api/auth/sign-in/sso
 export const rewriteAuthRequestOrigin = async (req: Request) => {
     const publicOrigin = await getBackendAddress(req.headers);
     const currentUrl = new URL(req.url);
@@ -23,6 +24,7 @@ export const rewriteAuthRequestOrigin = async (req: Request) => {
 
 export const POST = async (req: Request) => {
     const rewrittenReq = await rewriteAuthRequestOrigin(req);
+    const handlers = getHandlers(new URL(rewrittenReq.url).origin);
     const map = new Map();
     map.set("domain", req.headers.get("domain"));
     map.set("domainId", req.headers.get("domainId"));
@@ -31,6 +33,7 @@ export const POST = async (req: Request) => {
 
 export const GET = async (req: Request) => {
     const rewrittenReq = await rewriteAuthRequestOrigin(req);
+    const handlers = getHandlers(new URL(rewrittenReq.url).origin);
     const map = new Map();
     map.set("domain", req.headers.get("domain"));
     map.set("domainId", req.headers.get("domainId"));

apps/web/app/api/auth/__tests__/route.test.ts

@@ -2,6 +2,10 @@
  * @jest-environment node
  */
 
+const mockGetAuth = jest.fn(() => ({}));
+const mockHandlerGet = jest.fn();
+const mockHandlerPost = jest.fn();
+
 jest.mock("@/app/actions", () => ({
     getBackendAddress: jest.fn(),
 }));
@@ -18,17 +22,19 @@ jest.mock(
 
 jest.mock("@/auth", () => ({
     auth: {},
+    getAuth: mockGetAuth,
 }));
 
 jest.mock("better-auth/next-js", () => ({
     toNextJsHandler: () => ({
-        GET: jest.fn(),
-        POST: jest.fn(),
+        GET: mockHandlerGet,
+        POST: mockHandlerPost,
     }),
 }));
 
 import { getBackendAddress } from "@/app/actions";
-import { rewriteAuthRequestOrigin } from "../[...all]/route";
+import { getAuth } from "@/auth";
+import { POST, rewriteAuthRequestOrigin } from "../[...all]/route";
 
 describe("Auth Route Origin Rewrite", () => {
     beforeEach(() => {
@@ -110,4 +116,33 @@ describe("Auth Route Origin Rewrite", () => {
             }),
         );
     });
+
+    it("creates request-scoped auth handlers per rewritten origin", async () => {
+        (getBackendAddress as jest.Mock).mockResolvedValue(
+            "https://domain1.clqa.site",
+        );
+        mockHandlerPost.mockResolvedValue(new Response(null, { status: 200 }));
+
+        const req = new Request("https://0.0.0.0:3000/api/auth/sign-in/sso", {
+            method: "POST",
+            headers: {
+                host: "domain1.clqa.site",
+                domain: "domain1",
+                domainId: "domain-id-1",
+            },
+            body: JSON.stringify({
+                providerId: "google",
+                callbackURL: "/dashboard",
+            }),
+        });
+
+        await POST(req);
+
+        expect(getAuth).toHaveBeenCalledWith("https://domain1.clqa.site");
+        expect(mockHandlerPost).toHaveBeenCalledTimes(1);
+        const rewrittenRequest = mockHandlerPost.mock.calls[0][0] as Request;
+        expect(rewrittenRequest.url).toBe(
+            "https://domain1.clqa.site/api/auth/sign-in/sso",
+        );
+    });
 });

apps/web/auth.ts

@@ -87,9 +87,34 @@ const getSessionUserId = async (
     return (authUser as { userId?: string } | null)?.userId;
 };
 
-const config: any = {
+const getSessionConfig = () => {
+    if (process.env.SESSION_COOKIE_CACHE_MAX_AGE) {
+        const configuredMaxAge = parseInt(
+            process.env.SESSION_COOKIE_CACHE_MAX_AGE,
+        );
+
+        if (configuredMaxAge > 0) {
+            return {
+                cookieCache: {
+                    enabled: true,
+                    maxAge: configuredMaxAge * 60,
+                },
+            };
+        }
+    }
+
+    return {
+        cookieCache: {
+            enabled: true,
+            maxAge: 5 * 60, // 5 minutes
+        },
+    };
+};
+
+const createAuthConfig = (baseURL = ""): any => ({
     appName: "CourseLit",
     secret: process.env.AUTH_SECRET,
+    ...(baseURL ? { baseURL } : {}),
     user: {
         additionalFields: {
             userId: {
@@ -259,24 +284,17 @@ const config: any = {
         }
         return origins;
     },
-};
+    session: getSessionConfig(),
+});
 
-if (process.env.SESSION_COOKIE_CACHE_MAX_AGE) {
-    if (parseInt(process.env.SESSION_COOKIE_CACHE_MAX_AGE) > 0) {
-        config.session = {
-            cookieCache: {
-                enabled: true,
-                maxAge: parseInt(process.env.SESSION_COOKIE_CACHE_MAX_AGE) * 60,
-            },
-        };
+const authInstances = new Map<string, ReturnType<typeof betterAuth>>();
+
+export const getAuth = (baseURL = "") => {
+    if (!authInstances.has(baseURL)) {
+        authInstances.set(baseURL, betterAuth(createAuthConfig(baseURL)));
     }
-} else {
-    config.session = {
-        cookieCache: {
-            enabled: true,
-            maxAge: 5 * 60, // 5 minutes
-        },
-    };
-}
 
-export const auth = betterAuth(config);
+    return authInstances.get(baseURL)!;
+};
+
+export const auth = getAuth();