@@ -18,10 +18,19 @@ const authSecret =
1818 process . env . BETTER_AUTH_SECRET ?? process . env . NEXT_PUBLIC_BETTER_AUTH_SECRET ;
1919if ( ! authSecret ) throw new Error ( "BETTER_AUTH_SECRET is not set" ) ;
2020
21+ const authBaseURL =
22+ process . env . BETTER_AUTH_URL ??
23+ process . env . NEXT_PUBLIC_BASE_URL ??
24+ "https://www.peterplate.com" ;
25+
26+ const trustedOrigins = Array . from (
27+ new Set ( [ "https://www.peterplate.com" , authBaseURL ] ) ,
28+ ) ;
29+
2130export const auth = betterAuth ( {
2231 debug : process . env . NODE_ENV !== "production" ,
2332 secret : authSecret ,
24- baseURL : process . env . NEXT_PUBLIC_BASE_URL ?? "https://www.peterplate.com" ,
33+ baseURL : authBaseURL ,
2534 // The iOS PWA shell (WKWebView) always sends Origin: https://www.peterplate.com
2635 // because Settings.swift hardcodes rootUrl to that domain. Better Auth builds
2736 // its trusted-origins list from baseURL alone, so if NEXT_PUBLIC_BASE_URL is
@@ -30,12 +39,7 @@ export const auth = betterAuth({
3039 // WKWebView is every request, because Swift injects the app-platform cookie
3140 // via WKHTTPCookieStore. Listing the production origin explicitly makes the
3241 // iOS auth flow immune to baseURL misconfiguration.
33- trustedOrigins : [
34- "https://www.peterplate.com" ,
35- ...( process . env . NEXT_PUBLIC_BASE_URL
36- ? [ process . env . NEXT_PUBLIC_BASE_URL ]
37- : [ ] ) ,
38- ] ,
42+ trustedOrigins,
3943 user : {
4044 additionalFields : {
4145 hasOnboarded : {
@@ -77,7 +81,7 @@ export const auth = betterAuth({
7781 // (b) causes Swift's ASWebAuthenticationSession.start() to silently
7882 // return false because "localhost" doesn't match the Associated
7983 // Domains entitlement (applinks:www.peterplate.com).
80- redirectURI : `${ process . env . NEXT_PUBLIC_BASE_URL ?? "https://www.peterplate.com" } /auth/native` ,
84+ redirectURI : `${ authBaseURL ?? "https://www.peterplate.com" } /auth/native` ,
8185 scopes,
8286 pkce : true ,
8387 mapProfileToUser,
0 commit comments