mosaicstack/stack
1
0
Fork 0
Code Issues 13 Pull Requests Actions Packages Projects Releases 11 Wiki Activity

fix(auth): add CORS headers to BetterAuth raw HTTP handler (#112)
Some checks failed
ci/woodpecker/push/ci Pipeline failed
Details

Browse Source 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
This commit was merged in pull request #112.
This commit is contained in:
Jason Woltje
2026-03-15 16:47:27 +00:00
committed by jason.woltje
parent 014ebdacda
commit 049bb719e8
1 changed files with 26 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
apps/gateway/src/auth/auth.controller.ts
View File

@@ -7,16 +7,17 @@ import { AUTH } from './auth.tokens.js';
export function mountAuthHandler(app: NestFastifyApplication): void { export function mountAuthHandler(app: NestFastifyApplication): void {
const auth = app.get<Auth>(AUTH); const auth = app.get<Auth>(AUTH);
const nodeHandler = toNodeHandler(auth); const nodeHandler = toNodeHandler(auth);
const corsOrigin = process.env['GATEWAY_CORS_ORIGIN'] ?? 'http://localhost:3000';
const fastify = app.getHttpAdapter().getInstance(); const fastify = app.getHttpAdapter().getInstance();
// Use Fastify's addHook to intercept auth requests at the raw HTTP level, // BetterAuth is mounted at the raw HTTP level via Fastify's onRequest hook,
// before Fastify's body parser runs. This avoids conflicts with NestJS's // bypassing NestJS middleware (including CORS). We must set CORS headers
// custom content-type parser. // manually on the raw response before handing off to BetterAuth.
fastify.addHook( fastify.addHook(
'onRequest', 'onRequest',
( (
req: { raw: IncomingMessage; url: string }, req: { raw: IncomingMessage; url: string; method: string },
reply: { raw: ServerResponse; hijack: () => void }, reply: { raw: ServerResponse; hijack: () => void },
done: () => void, done: () => void,
) => { ) => {
@@ -25,6 +26,27 @@ export function mountAuthHandler(app: NestFastifyApplication): void {
return; return;
} }
const origin = req.raw.headers.origin;
const allowed = corsOrigin.split(',').map((o) => o.trim());
if (origin && allowed.includes(origin)) {
reply.raw.setHeader('Access-Control-Allow-Origin', origin);
reply.raw.setHeader('Access-Control-Allow-Credentials', 'true');
reply.raw.setHeader(
'Access-Control-Allow-Methods',
'GET, POST, PUT, PATCH, DELETE, OPTIONS',
);
reply.raw.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization, Cookie');
}
// Handle preflight
if (req.method === 'OPTIONS') {
reply.hijack();
reply.raw.writeHead(204);
reply.raw.end();
return;
}
reply.hijack(); reply.hijack();
nodeHandler(req.raw as IncomingMessage, reply.raw as ServerResponse) nodeHandler(req.raw as IncomingMessage, reply.raw as ServerResponse)
.then(() => { .then(() => {