groombook/api
13
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
20a0c7eb926b1c7870a0a3c55504bb5f897fb388
api/src
T
History
Flea Flicker 20a0c7eb92
CI / Test (pull_request) Successful in 28s
Details
CI / Lint & Typecheck (pull_request) Successful in 33s
Details
CI / Build & Push Docker Images (pull_request) Successful in 1m29s
Details
fix(GRO-2586): enforce trusted-origins allowlist on Better Auth CORS responses 
Better Auth reflects the request Origin into Access-Control-Allow-Origin
unconditionally, bypassing the trustedOrigins config. An attacker-origin
page could XHR /api/auth/sign-in/social with credentials and read the OIDC
authorize URL + state from the response body.

- Add src/lib/auth-cors.ts: enforceAuthCors() wraps any Better Auth Response,
  stripping ACAO/ACAC for untrusted origins and enforcing the allowlist for
  trusted ones
- Wire enforceAuthCors() into the /api/auth/* handler in src/index.ts
- Add src/__tests__/authCors.test.ts: 6 regression tests covering trusted,
  untrusted, undefined, and empty-string origins
- Update UAT_PLAYBOOK.md §4.1 with TC-API-1.29/1.30/1.31 CORS test cases

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-06-26 13:29:56 +00:00
..
__tests__
fix(GRO-2586): enforce trusted-origins allowlist on Better Auth CORS responses
2026-06-26 13:29:56 +00:00
lib
fix(GRO-2586): enforce trusted-origins allowlist on Better Auth CORS responses
2026-06-26 13:29:56 +00:00
middleware
fix(GRO-2234): bounded sliding expiration for SSO portal sessions (#183)
2026-06-08 18:55:43 +00:00
routes
feat(GRO-2359): add POST /api/portal/clients-from-auth for OOBE (web)
2026-06-11 16:17:16 +00:00
services
feat(GRO-2157): navigation export endpoints (Phase 2.3) (#190)
2026-06-09 00:16:42 +00:00
types
Extract groombook/api from monorepo with CI workflow
2026-05-11 01:26:56 +00:00
index.ts
fix(GRO-2586): enforce trusted-origins allowlist on Better Auth CORS responses
2026-06-26 13:29:56 +00:00