From 7f7e908e455c6c4045eb538455676c90fde3514d Mon Sep 17 00:00:00 2001
From: Flea Flicker
Date: Thu, 18 Jun 2026 00:42:45 +0000
Subject: [PATCH] feat(GRO-2425): split CORS_ORIGIN on commas for multiple trusted auth origins
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Changes trustedOrigins from a single-string wrap to a comma-split array so both demo.groombook.dev and groombook.farh.net can coexist as trusted Better-Auth origins via a single CORS_ORIGIN env value.

Updated UAT_PLAYBOOK.md §4.1 — added TC-API-1.27 and TC-API-1.28 for multi-origin callbackURL coverage.

Co-Authored-By: Paperclip
---
 UAT_PLAYBOOK.md | 2 ++
 src/lib/auth.ts | 6 ++++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/UAT_PLAYBOOK.md b/UAT_PLAYBOOK.md
index 2a85e1d..66ef0d5 100644
--- a/UAT_PLAYBOOK.md
+++ b/UAT_PLAYBOOK.md
@@ -108,6 +108,8 @@ Expected: one row, `role = 'groomer'`. If zero rows return, the request hit the
 | TC-API-1.24 | Complete setup creates super user | POST /api/setup with business name (after TC-API-1.23) | First user becomes super user, setup completes | Setup errors, 403 on admin endpoints |
 | TC-API-1.25 | Super user accesses admin features | After TC-API-1.24, GET /api/staff/me and verify isSuperUser: true | isSuperUser: true, admin endpoints accessible | 403 on admin, isSuperUser: false |
 | TC-API-1.26 | Auto-provision skipped during OOBE | During fresh setup (needsSetup: true), complete OIDC login — verify no duplicate staff record created before setup completes | No duplicate staff, OOBE completes successfully | Duplicate staff record, 403 before setup, auto-provision interferes with OOBE |
+| TC-API-1.27 | Multi-origin CORS — demo host sign-in | `POST /api/auth/sign-in/social` with `callbackURL=https://demo.groombook.dev` | 200 OK, no origin-mismatch error | 400/403 "Origin mismatch" |
+| TC-API-1.28 | Multi-origin CORS — farh.net host sign-in | `POST /api/auth/sign-in/social` with `callbackURL=https://groombook.farh.net` | 200 OK, no origin-mismatch error | 400/403 "Origin mismatch" |
 
 ### 4.2 Client Management
 
diff --git a/src/lib/auth.ts b/src/lib/auth.ts
index ff1e125..b28153d 100644
--- a/src/lib/auth.ts
+++ b/src/lib/auth.ts
@@ -118,7 +118,8 @@ export async function initAuth(): Promise {
 updateAge: 60 * 60 * 24,
 cookieCache: { enabled: false },
 },
- trustedOrigins: [process.env.CORS_ORIGIN ?? "http://localhost:5173"],
+ trustedOrigins: (process.env.CORS_ORIGIN ?? "http://localhost:5173")
+ .split(",").map((s) => s.trim()).filter(Boolean),
 });
 return;
 }
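Review bot: Each comma-separated token reaches trustedOrigins unvalidated, so the new expression at the `trustedOrigins:` line in the auth.ts hunk accepts entries that are not origins at all — a trailing slash (`https://demo.groombook.dev/`), a bare hostname, or a URL with a path — and such an entry would presumably never match, quietly rejecting every callbackURL from that host while TC-API-1.27/1.28 only exercise the two correctly spelled hosts. Because the identical expression is repeated in the second hunk, I'd move the parsing into one helper that canonicalises each entry through `new URL(entry).origin` and throws at startup on anything unparseable or on an empty list, then call it from both betterAuth() calls. If the deployment relies on Better-Auth wildcard entries such as `*.example.com`, the URL parse would reject them and the helper needs an explicit allowance; I cannot confirm from the hunk whether wildcards are in use. The same CORS_ORIGIN variable presumably also feeds a CORS middleware elsewhere in the app, and that consumer now needs the same split or it will emit the raw comma-joined value as an allowed origin. initAuth begins before this hunk and continues after it.
```typescript
/**
 * Parse CORS_ORIGIN ("https://a.example,https://b.example") into canonical
 * origins. Throws on a malformed or empty value so a typo fails at boot
 * instead of silently rejecting every cross-origin sign-in.
 */
function parseTrustedOrigins(raw = process.env.CORS_ORIGIN ?? "http://localhost:5173"): string[] {
  const origins = raw
    .split(",")
    .map((s) => s.trim())
    .filter(Boolean)
    .map((s) => {
      const url = new URL(s); // throws TypeError on a non-URL token such as "*" or a bare host
      if (url.origin === "null") throw new Error(`CORS_ORIGIN entry has no origin: ${s}`);
      return url.origin; // scheme://host[:port] — drops path, query and trailing slash
    });
  if (origins.length === 0) throw new Error("CORS_ORIGIN is set but contains no origins");
  return origins;
}
// … unchanged: session / cookie options …
      trustedOrigins: parseTrustedOrigins(),
```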
@@ -308,7 +309,8 @@ export async function initAuth(): Promise {
 maxAge: 5 * 60, // 5 minutes
 },
 },
- trustedOrigins: [process.env.CORS_ORIGIN ?? "http://localhost:5173"],
+ trustedOrigins: (process.env.CORS_ORIGIN ?? "http://localhost:5173")
+ .split(",").map((s) => s.trim()).filter(Boolean),
 });
 })();
 
-- 
2.52.0
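Review bot: The `trustedOrigins:` expression here is a verbatim copy of the one in the line-118 hunk, and in both places the localhost fallback only fires when CORS_ORIGIN is unset: `CORS_ORIGIN=` (set but empty) skips `??`, and `.filter(Boolean)` then yields `[]`, so every cross-origin callbackURL is rejected with no signal at startup. I'd compute the list once at module level, `const trustedOrigins = (process.env.CORS_ORIGIN ?? "http://localhost:5173").split(",").map((s) => s.trim()).filter(Boolean);` followed by `if (trustedOrigins.length === 0) throw new Error("CORS_ORIGIN is set but contains no origins");`, and pass `trustedOrigins` to both betterAuth() calls so the two branches cannot drift. The enclosing initAuth body, including the apparent IIFE that `})();` closes, starts before this hunk.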