feat: add BETTER_AUTH_TRUSTED_ORIGINS support for Better Auth CSRF checks and enhance origin resolution logic

Author: JoachimLK

server/utils/auth.ts

@@ -6,6 +6,22 @@ import * as schema from '../database/schema'
 type Auth = ReturnType<typeof betterAuth>
 let _auth: Auth | undefined
 
+function resolveTrustedOrigins(baseUrl: string): string[] {
+  const configuredOrigins = env.BETTER_AUTH_TRUSTED_ORIGINS
+  const baseOrigin = new URL(baseUrl)
+  const isLocalBase = baseOrigin.hostname === 'localhost' || baseOrigin.hostname === '127.0.0.1'
+  const defaultDevOrigins = (import.meta.dev || isLocalBase)
+    ? [
+        'http://localhost:3000',
+        'http://localhost:3001',
+        'http://127.0.0.1:3000',
+        'http://127.0.0.1:3001',
+      ]
+    : []
+
+  return Array.from(new Set([baseOrigin.origin, ...configuredOrigins, ...defaultDevOrigins]))
+}
+
 function resolveBetterAuthUrl(): string {
   const explicitUrl = env.BETTER_AUTH_URL?.trim()
   const railwayDomain = env.RAILWAY_PUBLIC_DOMAIN?.trim()
@@ -53,8 +69,11 @@ function resolveBetterAuthUrl(): string {
  */
 function getAuth(): Auth {
   if (!_auth) {
+    const baseURL = resolveBetterAuthUrl()
+
     _auth = betterAuth({
-      baseURL: resolveBetterAuthUrl(),
+      baseURL,
+      trustedOrigins: resolveTrustedOrigins(baseURL),
       database: drizzleAdapter(db, {
         provider: 'pg',
         schema,

server/utils/env.ts

@@ -39,6 +39,12 @@ const envSchema = z
     DATABASE_URL: z.url(),
     BETTER_AUTH_SECRET: emptyToUndefined.pipe(z.string().min(32, 'BETTER_AUTH_SECRET must be at least 32 characters')),
     BETTER_AUTH_URL: emptyToUndefined.pipe(z.url()).optional(),
+    /** Comma-separated list of additional trusted origins for Better Auth CSRF checks. */
+    BETTER_AUTH_TRUSTED_ORIGINS: emptyToUndefined
+      .pipe(z.string())
+      .transform(value => value.split(',').map(origin => origin.trim()).filter(Boolean))
+      .optional()
+      .default([]),
     /** Railway environment metadata for PR/preview detection. */
     RAILWAY_ENVIRONMENT_NAME: emptyToUndefined.optional(),
     /** PR number provided by Railway for GitHub-triggered deployments. */
@@ -109,7 +115,7 @@ export const env = new Proxy({} as z.infer<typeof envSchema>, {
           `Ensure these variables are set in your Railway service (Settings → Variables).\n` +
           `Required: DATABASE_URL, BETTER_AUTH_SECRET, S3_ENDPOINT, S3_ACCESS_KEY, S3_SECRET_KEY, S3_BUCKET\n` +
           `Required outside Railway PR/preview environments: BETTER_AUTH_URL\n` +
-          `Optional: S3_REGION (default: us-east-1), S3_FORCE_PATH_STYLE (default: true), TRUSTED_PROXY_IP, DEMO_ORG_SLUG\n`,
+          `Optional: BETTER_AUTH_TRUSTED_ORIGINS, S3_REGION (default: us-east-1), S3_FORCE_PATH_STYLE (default: true), TRUSTED_PROXY_IP, DEMO_ORG_SLUG\n`,
         )
         throw result.error
       }