From 980f00255b5790103a5decc4c19e35c62ea45fc6 Mon Sep 17 00:00:00 2001
From: Jason Woltje <jason@diversecanvas.com>
Date: Sun, 15 Mar 2026 11:44:00 -0500
Subject: [PATCH] fix(auth): add trustedOrigins to BetterAuth config

BetterAuth rejects cross-origin requests unless the origin is in
trustedOrigins. The web dashboard at localhost:3000 was getting
"Invalid origin" errors when calling auth endpoints on localhost:4000.

Reads GATEWAY_CORS_ORIGIN env var (comma-separated), defaults to
http://localhost:3000.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 packages/auth/src/auth.ts | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/packages/auth/src/auth.ts b/packages/auth/src/auth.ts
index ea473a9..329039e 100644
--- a/packages/auth/src/auth.ts
+++ b/packages/auth/src/auth.ts
@@ -39,6 +39,9 @@ export function createAuth(config: AuthConfig) {
       ]
     : undefined;
 
+  const corsOrigin = process.env['GATEWAY_CORS_ORIGIN'] ?? 'http://localhost:3000';
+  const trustedOrigins = corsOrigin.split(',').map((o) => o.trim());
+
   return betterAuth({
     database: drizzleAdapter(db, {
       provider: 'pg',
@@ -47,6 +50,7 @@ export function createAuth(config: AuthConfig) {
     baseURL: baseURL ?? process.env['BETTER_AUTH_URL'] ?? 'http://localhost:4000',
     secret: secret ?? process.env['BETTER_AUTH_SECRET'],
     basePath: '/api/auth',
+    trustedOrigins,
     emailAndPassword: {
       enabled: true,
     },