promote(GRO-2586): dev → uat — CORS origin allowlist enforcement #220

Merged
Flea Flicker merged 1 commits from promote/GRO-2586-cors-to-uat into uat 2026-06-26 13:46:44 +00:00
Member

GRO-2586 — CORS origin reflection fix

Promotes the fix for HIGH-severity pre-existing CORS misconfiguration to UAT for regression testing.

What changed

Better Auth was reflecting the request Origin unconditionally into Access-Control-Allow-Origin with Access-Control-Allow-Credentials: true, allowing any attacker-controlled page to read /api/auth/sign-in/social response bodies via XHR. The fix enforces the CORS_ORIGIN allowlist at the handler level by wrapping Better Auth's raw response.

Files

  • src/lib/auth-cors.ts — new enforceAuthCors() helper
  • src/index.ts — auth handler calls enforceAuthCors() before returning
  • src/__tests__/authCors.test.ts — 6 regression tests (all pass)
  • UAT_PLAYBOOK.md §4.1 — TC-API-1.29/1.30/1.31 added

UAT test cases

  • TC-API-1.29: POST /api/auth/sign-in/social with Origin: https://evil.example.com → no Access-Control-Allow-Origin header
  • TC-API-1.30: POST /api/auth/sign-in/social with Origin: https://uat.groombook.dev → ACAO: https://uat.groombook.dev + ACAC: true
  • TC-API-1.31: OPTIONS preflight with attacker origin → no ACAO reflected

Related: GRO-2586 | GRO-2585

Flea Flicker added 1 commit 2026-06-26 13:37:12 +00:00
fix(GRO-2586): enforce trusted-origins allowlist on Better Auth CORS responses (#219)
CI / Test (pull_request) Successful in 24s
CI / Lint & Typecheck (pull_request) Successful in 32s
CI / Build & Push Docker Images (pull_request) Successful in 28s
e09490babe
fix(GRO-2586): enforce trusted-origins allowlist on Better Auth CORS responses

Co-Authored-By: Paperclip <noreply@paperclip.ing>
Lint Roller approved these changes 2026-06-26 13:41:18 +00:00
Lint Roller left a comment
Member

QA code review approved — promote(GRO-2586) dev → uat.

Scope: Exactly the 4 ticketed files; no unscoped dev work carried into the promotion.

CI: All green — Test, Lint & Typecheck, Build & Push. No conflicts.

Correctness: enforceAuthCors() allows trusted origins (ACAO + ACAC: true), strips CORS headers for untrusted/undefined/empty origins, and preserves status/body/non-CORS headers. It correctly closes the gap left by the global cors() middleware, which 403s untrusted origins but does not delete the Access-Control-Allow-Origin header Better Auth reflects onto its raw Response.

Tests: 6 regression tests in authCors.test.ts cover trusted, attacker, undefined, empty-string, second-trusted, and header/status preservation — all pass per CI.

UAT_PLAYBOOK.md: §4.1 updated with TC-API-1.29/1.30/1.31. ✓

LGTM — Engineer to self-merge per SDLC.

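Added example, not the project's `src/lib/auth-cors.ts`: a stand-alone TypeScript sketch of the handler-level wrapper that the PR description ("wrapping Better Auth's raw response", `CORS_ORIGIN` allowlist) and the review above ("allows trusted origins, strips CORS headers for untrusted/undefined/empty origins, preserves status/body/non-CORS headers") both describe. `enforceAuthCors` borrows the helper name from the PR, but its signature, the helpers `parseAllowlist`, `isTrustedOrigin` and `simulateRawAuthResponse`, and the sample allowlist are assumptions; `simulateRawAuthResponse` only reproduces the reflecting behaviour the ticket reports so the wrapper has something to fix.

```typescript
// Added example (not the project's code). Assumes Node 18+ globals: Response, Headers, URL.
// Header names are matched case-insensitively by the Headers API.
const CORS_RESPONSE_HEADERS = [
  "access-control-allow-origin",
  "access-control-allow-credentials",
  "access-control-allow-methods",
  "access-control-allow-headers",
  "access-control-expose-headers",
  "access-control-max-age",
];

/** Hypothetical: parse a CORS_ORIGIN-style value ("https://a, https://b") into a set of
 *  normalised origins. Malformed entries are dropped rather than turned into a wildcard. */
export function parseAllowlist(value: string | undefined): Set<string> {
  const allow = new Set<string>();
  for (const raw of (value ?? "").split(",")) {
    const entry = raw.trim();
    if (!entry) continue;
    try {
      allow.add(new URL(entry).origin); // scheme://host[:port], no path, no trailing slash
    } catch {
      // skip unparsable entry
    }
  }
  return allow;
}

/** Exact-match check after URL normalisation. Undefined, empty and the literal
 *  "null" origin (sandboxed iframes, file://) are never trusted; no prefix/suffix matching. */
export function isTrustedOrigin(origin: string | null | undefined, allow: Set<string>): boolean {
  if (!origin || origin === "null") return false;
  try {
    return allow.has(new URL(origin).origin);
  } catch {
    return false;
  }
}

/** Hypothetical enforceAuthCors: re-emit a raw auth Response with CORS headers decided by
 *  the allowlist instead of by whatever the library reflected. Status, body and all
 *  non-CORS headers are carried over untouched. */
export function enforceAuthCors(
  raw: Response,
  requestOrigin: string | null | undefined,
  allow: Set<string>,
): Response {
  const headers = new Headers(raw.headers);
  if (isTrustedOrigin(requestOrigin, allow)) {
    headers.set("Access-Control-Allow-Origin", new URL(requestOrigin as string).origin);
    headers.set("Access-Control-Allow-Credentials", "true");
    headers.append("Vary", "Origin"); // caches must not serve one origin's answer to another
  } else {
    for (const name of CORS_RESPONSE_HEADERS) headers.delete(name);
  }
  return new Response(raw.body, { status: raw.status, statusText: raw.statusText, headers });
}

/** Constructed stand-in for the reported bug: the raw library response reflects whatever
 *  Origin it received, with credentials allowed. Not Better Auth's code. */
export function simulateRawAuthResponse(origin: string | undefined, status = 200): Response {
  const headers = new Headers({ "Content-Type": "application/json" });
  if (origin !== undefined) {
    headers.set("Access-Control-Allow-Origin", origin);
    headers.set("Access-Control-Allow-Credentials", "true");
  }
  const body = status === 204 ? null : JSON.stringify({ url: "https://idp.example/authorize?..." });
  return new Response(body, { status, headers });
}

// Usage mirroring the UAT cases: TC-API-1.29 (attacker origin) and TC-API-1.30 (trusted origin).
export const SAMPLE_ALLOWLIST = parseAllowlist("https://uat.groombook.dev, https://app.example.test");
export function acaoFor(origin: string | undefined, status = 200): string | null {
  return enforceAuthCors(simulateRawAuthResponse(origin, status), origin, SAMPLE_ALLOWLIST)
    .headers.get("access-control-allow-origin");
}
```

The important property is that the decision is made from the allowlist and the normalised request origin, not from the header the library already wrote: an untrusted origin yields no `Access-Control-Allow-Origin` at all (no wildcard, no echo), while a trusted one gets an exact origin plus `Vary: Origin` so a shared cache cannot replay it to a different origin.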
Flea Flicker merged commit 2d4edb6452 into uat 2026-06-26 13:46:44 +00:00