fix(GRO-2586): enforce trusted-origins allowlist on Better Auth CORS responses (#219)

fix(GRO-2586): enforce trusted-origins allowlist on Better Auth CORS responses

Co-Authored-By: Paperclip <noreply@paperclip.ing>
This commit was merged in pull request #219.
2026-06-26 13:35:59 +00:00
parent c01e4acf0a
commit dace2c4e66
4 changed files with 89 additions and 2 deletions
+4 -2
@@ -3,6 +3,7 @@ import { Hono } from "hono";
import { logger } from "hono/logger";
import { cors } from "hono/cors";
import { getAuth, initAuth, getActiveProviders } from "./lib/auth.js";
import { enforceAuthCors } from "./lib/auth-cors.js";
import { clientsRouter } from "./routes/clients.js";
import { petsRouter } from "./routes/pets.js";
import { servicesRouter } from "./routes/services.js";
@@ -200,9 +201,10 @@ api.use("*", resolveStaffMiddleware);
// Better-Auth handler — mounted as sub-app to handle all /api/auth/* routes
// authMiddleware and resolveStaffMiddleware both skip /api/auth/ paths
const authRouter = new Hono();
authRouter.all("/*", (c) => {
authRouter.all("/*", async (c) => {
try {
return getAuth().handler(c.req.raw);
const res = await getAuth().handler(c.req.raw);
return enforceAuthCors(c.req.header("origin"), TRUSTED_ORIGINS, res);
} catch {
return c.json({ error: "Authentication not configured" }, 503);
}
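Review bot: The new `await` on `const res = await getAuth().handler(c.req.raw);` pulls every rejection from the Better Auth handler, and any throw from `enforceAuthCors`, into the bare `catch`, which answers all of them with `{ error: "Authentication not configured" }` and 503; before this change the un-awaited promise rejected past the `try` and reached Hono's error handling. A database or provider failure is now reported as a configuration problem and the error is dropped without being logged, which will hide the real cause in incident triage. Keep the catch scoped to the `getAuth()` lookup and let handler failures propagate, as below; the arrow function's closing `});` lies outside the hunk, and `TRUSTED_ORIGINS` and `enforceAuthCors` are defined elsewhere, so I cannot confirm from here how a missing or non-matching Origin is treated.
```javascript
authRouter.all("/*", async (c) => {
  let auth;
  try {
    auth = getAuth();
  } catch {
    return c.json({ error: "Authentication not configured" }, 503);
  }
  // Handler or CORS-enforcement failures propagate to the app error handler
  // instead of being reported as a missing configuration.
  const res = await auth.handler(c.req.raw);
  return enforceAuthCors(c.req.header("origin"), TRUSTED_ORIGINS, res);
```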