feat: implement OIDC endpoint origin prefetching for trusted origins resolution

Author: JoachimLK

server/api/sso/providers.post.ts

@@ -1,6 +1,7 @@
 import { z } from 'zod'
 import { eq, and, ne } from 'drizzle-orm'
 import { ssoProvider } from '~~/server/database/schema'
+import { prefetchOidcEndpointOrigins } from '~~/server/utils/auth'
 
 const registerSsoSchema = z.object({
   providerId: z.string().min(1).max(64).regex(/^[a-z0-9-]+$/, 'Only lowercase alphanumeric and hyphens'),
@@ -56,6 +57,11 @@ export default defineEventHandler(async (event) => {
   }
 
   try {
+    // Pre-discover OIDC endpoint origins so better-auth trusts them during
+    // registration. IdPs like Google use separate domains for token/userinfo
+    // endpoints (oauth2.googleapis.com) vs their issuer (accounts.google.com).
+    await prefetchOidcEndpointOrigins(body.issuer)
+
     const result = await (auth.api as any).registerSSOProvider({
       headers: event.headers,
       body: {

server/routes/ingest/[...path].ts

@@ -0,0 +1,19 @@
+/**
+ * Reverse-proxy: /ingest/** → eu.i.posthog.com/**
+ *
+ * Proxies PostHog API calls (event capture, decide, feature flags) through
+ * our domain to bypass ad-blockers. Uses an explicit server route instead
+ * of Nitro routeRules for better error handling and compression compatibility.
+ */
+export default defineEventHandler(async (event) => {
+  const path = getRouterParam(event, 'path') || ''
+  const query = getQuery(event)
+  const qs = new URLSearchParams(query as Record<string, string>).toString()
+  const target = `https://eu.i.posthog.com/${path}${qs ? `?${qs}` : ''}`
+
+  return proxyRequest(event, target, {
+    headers: {
+      'X-Forwarded-For': getRequestIP(event) || '',
+    },
+  })
+})

server/utils/auth.ts

@@ -10,17 +10,60 @@ import * as schema from "../database/schema";
 type Auth = ReturnType<typeof betterAuth>;
 let _auth: Auth | undefined;
 
+/**
+ * Runtime cache of OIDC endpoint origins discovered from IdP discovery documents.
+ *
+ * Populated by `prefetchOidcEndpointOrigins()` before provider registration so
+ * that better-auth's trusted-origins check passes for IdPs whose token/userinfo
+ * endpoints live on a different domain than the issuer (e.g. Google).
+ */
+const discoveredIdpOrigins = new Set<string>();
+
+/**
+ * Fetch an OIDC discovery document and cache every endpoint origin so
+ * better-auth trusts them during provider registration.
+ *
+ * Must be called **before** `auth.api.registerSSOProvider()` so the
+ * origins are available when better-auth validates discovery endpoints.
+ */
+export async function prefetchOidcEndpointOrigins(issuerUrl: string): Promise<void> {
+  const discoveryUrl = issuerUrl.replace(/\/+$/, "") + "/.well-known/openid-configuration";
+  const res = await $fetch<Record<string, unknown>>(discoveryUrl, {
+    timeout: 10_000,
+  });
+
+  // Extract origins from all *_endpoint fields in the discovery document
+  const endpointKeys = [
+    "authorization_endpoint",
+    "token_endpoint",
+    "userinfo_endpoint",
+    "revocation_endpoint",
+    "introspection_endpoint",
+    "end_session_endpoint",
+    "jwks_uri",
+  ];
+  for (const key of endpointKeys) {
+    const value = res[key];
+    if (typeof value === "string") {
+      try {
+        discoveredIdpOrigins.add(new URL(value).origin);
+      } catch {
+        // Skip malformed URLs
+      }
+    }
+  }
+}
+
 /**
  * Resolve trusted origins for CSRF checks and OIDC discovery.
  *
- * better-auth resolves trustedOrigins ONCE at init (without a request),
- * so origins must be available statically. We include:
+ * Combines:
  *  1. App origins (base URL, configured origins, dev defaults)
- *  2. Well-known OIDC identity-provider origins (for SSO discovery)
+ *  2. Origins auto-discovered from OIDC discovery documents
  *  3. Already-registered SSO provider issuers from the database
  *
- * For custom/self-hosted IdPs not in the well-known list, add their
- * origin to the BETTER_AUTH_TRUSTED_ORIGINS environment variable.
+ * For IdPs that cannot be auto-discovered, add their origin to the
+ * BETTER_AUTH_TRUSTED_ORIGINS environment variable.
  */
 function resolveTrustedOrigins(baseUrl: string): (request?: Request) => Promise<string[]> {
   const configuredOrigins = env.BETTER_AUTH_TRUSTED_ORIGINS;
@@ -45,21 +88,8 @@ function resolveTrustedOrigins(baseUrl: string): (request?: Request) => Promise<
     new Set([baseOrigin.origin, ...configuredOrigins, ...defaultDevOrigins]),
   );
 
-  // Well-known OIDC identity-provider origins trusted for SSO discovery.
-  // These are reputable IdPs whose origins are safe to allow; an attacker
-  // cannot serve pages from these domains, so CSRF risk is negligible.
-  const wellKnownIdpOrigins = [
-    "https://accounts.google.com",
-    "https://login.microsoftonline.com",
-    "https://*.okta.com",
-    "https://*.auth0.com",
-    "https://*.onelogin.com",
-    "https://*.duendesoftware.com",
-    "https://*.pingidentity.com",
-  ];
-
   return async () => {
-    const allOrigins = [...staticOrigins, ...wellKnownIdpOrigins];
+    const allOrigins = [...staticOrigins, ...discoveredIdpOrigins];
 
     // Load already-registered SSO provider issuers from the database
     try {

tests/unit/sso-trusted-origins.test.ts

@@ -5,9 +5,97 @@ import { describe, it, expect } from 'vitest'
  *
  * The resolveTrustedOrigins function in auth.ts dynamically adds IdP origins
  * for SSO callback flows. These tests verify the URL parsing and filtering
- * logic that would be applied to registered SSO provider issuers.
+ * logic that would be applied to registered SSO provider issuers and
+ * OIDC discovery documents.
  */
 
+describe('SSO trusted origins — OIDC discovery endpoint extraction', () => {
+  /**
+   * Simulates the endpoint origin extraction from prefetchOidcEndpointOrigins.
+   * This mirrors the logic in server/utils/auth.ts without network calls.
+   */
+  function extractEndpointOrigins(discoveryDoc: Record<string, unknown>): string[] {
+    const endpointKeys = [
+      'authorization_endpoint',
+      'token_endpoint',
+      'userinfo_endpoint',
+      'revocation_endpoint',
+      'introspection_endpoint',
+      'end_session_endpoint',
+      'jwks_uri',
+    ]
+    const origins = new Set<string>()
+    for (const key of endpointKeys) {
+      const value = discoveryDoc[key]
+      if (typeof value === 'string') {
+        try { origins.add(new URL(value).origin) } catch {}
+      }
+    }
+    return [...origins]
+  }
+
+  it('extracts origins from Google discovery doc (multi-domain)', () => {
+    // Google uses different domains for issuer vs endpoints
+    const googleDiscovery = {
+      issuer: 'https://accounts.google.com',
+      authorization_endpoint: 'https://accounts.google.com/o/oauth2/v2/auth',
+      token_endpoint: 'https://oauth2.googleapis.com/token',
+      userinfo_endpoint: 'https://openidconnect.googleapis.com/v1/userinfo',
+      jwks_uri: 'https://www.googleapis.com/oauth2/v3/certs',
+      revocation_endpoint: 'https://oauth2.googleapis.com/revoke',
+    }
+    const origins = extractEndpointOrigins(googleDiscovery)
+    expect(origins).toContain('https://accounts.google.com')
+    expect(origins).toContain('https://oauth2.googleapis.com')
+    expect(origins).toContain('https://openidconnect.googleapis.com')
+    expect(origins).toContain('https://www.googleapis.com')
+  })
+
+  it('extracts origins from Azure AD discovery doc', () => {
+    const azureDiscovery = {
+      authorization_endpoint: 'https://login.microsoftonline.com/tenant/oauth2/v2.0/authorize',
+      token_endpoint: 'https://login.microsoftonline.com/tenant/oauth2/v2.0/token',
+      userinfo_endpoint: 'https://graph.microsoft.com/oidc/userinfo',
+      jwks_uri: 'https://login.microsoftonline.com/tenant/discovery/v2.0/keys',
+      end_session_endpoint: 'https://login.microsoftonline.com/tenant/oauth2/v2.0/logout',
+    }
+    const origins = extractEndpointOrigins(azureDiscovery)
+    expect(origins).toContain('https://login.microsoftonline.com')
+    expect(origins).toContain('https://graph.microsoft.com')
+  })
+
+  it('deduplicates origins from same-domain endpoints', () => {
+    const keycloakDiscovery = {
+      authorization_endpoint: 'https://kc.corp.com/realms/prod/protocol/openid-connect/auth',
+      token_endpoint: 'https://kc.corp.com/realms/prod/protocol/openid-connect/token',
+      userinfo_endpoint: 'https://kc.corp.com/realms/prod/protocol/openid-connect/userinfo',
+      jwks_uri: 'https://kc.corp.com/realms/prod/protocol/openid-connect/certs',
+    }
+    const origins = extractEndpointOrigins(keycloakDiscovery)
+    expect(origins).toEqual(['https://kc.corp.com'])
+  })
+
+  it('skips non-string and missing endpoint values', () => {
+    const partialDoc = {
+      authorization_endpoint: 'https://auth.example.com/authorize',
+      token_endpoint: null,
+      userinfo_endpoint: 12345,
+      jwks_uri: undefined,
+    }
+    const origins = extractEndpointOrigins(partialDoc)
+    expect(origins).toEqual(['https://auth.example.com'])
+  })
+
+  it('skips malformed URLs gracefully', () => {
+    const badDoc = {
+      authorization_endpoint: 'not-a-url',
+      token_endpoint: 'https://valid.example.com/token',
+    }
+    const origins = extractEndpointOrigins(badDoc)
+    expect(origins).toEqual(['https://valid.example.com'])
+  })
+})
+
 describe('SSO trusted origins — issuer URL parsing', () => {
   /**
    * Simulates the issuer → origin extraction from resolveTrustedOrigins.