updated handling of url's from ENV vars

2025-12-13 23:16:45 +03:00 · 2025-08-28 07:12:13 +05:30
parent 6127a916f4
commit 067b5d8ccd
5 changed files with 262 additions and 98 deletions
--- a/src/lib/auth-multi-url.test.ts
+++ b/src/lib/auth-multi-url.test.ts
@@ -0,0 +1,190 @@
+import { describe, test, expect, beforeEach, afterEach } from "bun:test";
+
+describe("Multiple URL Support in BETTER_AUTH_URL", () => {
+  let originalAuthUrl: string | undefined;
+  let originalTrustedOrigins: string | undefined;
+
+  beforeEach(() => {
+    // Save original environment variables
+    originalAuthUrl = process.env.BETTER_AUTH_URL;
+    originalTrustedOrigins = process.env.BETTER_AUTH_TRUSTED_ORIGINS;
+  });
+
+  afterEach(() => {
+    // Restore original environment variables
+    if (originalAuthUrl !== undefined) {
+      process.env.BETTER_AUTH_URL = originalAuthUrl;
+    } else {
+      delete process.env.BETTER_AUTH_URL;
+    }
+    
+    if (originalTrustedOrigins !== undefined) {
+      process.env.BETTER_AUTH_TRUSTED_ORIGINS = originalTrustedOrigins;
+    } else {
+      delete process.env.BETTER_AUTH_TRUSTED_ORIGINS;
+    }
+  });
+
+  test("should parse single URL correctly", () => {
+    process.env.BETTER_AUTH_URL = "https://gitea-mirror.mydomain.tld";
+    
+    const parseAuthUrls = () => {
+      const urlEnv = process.env.BETTER_AUTH_URL || "http://localhost:4321";
+      const urls = urlEnv.split(',').map(u => u.trim()).filter(Boolean);
+      
+      // Find first valid URL
+      for (const url of urls) {
+        try {
+          new URL(url);
+          return { primary: url, all: urls };
+        } catch {
+          // Skip invalid
+        }
+      }
+      return { primary: "http://localhost:4321", all: [] };
+    };
+
+    const result = parseAuthUrls();
+    expect(result.primary).toBe("https://gitea-mirror.mydomain.tld");
+    expect(result.all).toEqual(["https://gitea-mirror.mydomain.tld"]);
+  });
+
+  test("should parse multiple URLs and use first as primary", () => {
+    process.env.BETTER_AUTH_URL = "http://10.10.20.45:4321,https://gitea-mirror.mydomain.tld";
+    
+    const parseAuthUrls = () => {
+      const urlEnv = process.env.BETTER_AUTH_URL || "http://localhost:4321";
+      const urls = urlEnv.split(',').map(u => u.trim()).filter(Boolean);
+      
+      // Find first valid URL
+      for (const url of urls) {
+        try {
+          new URL(url);
+          return { primary: url, all: urls };
+        } catch {
+          // Skip invalid
+        }
+      }
+      return { primary: "http://localhost:4321", all: [] };
+    };
+
+    const result = parseAuthUrls();
+    expect(result.primary).toBe("http://10.10.20.45:4321");
+    expect(result.all).toEqual([
+      "http://10.10.20.45:4321",
+      "https://gitea-mirror.mydomain.tld"
+    ]);
+  });
+
+  test("should handle invalid URLs gracefully", () => {
+    process.env.BETTER_AUTH_URL = "not-a-url,http://valid.url:4321,also-invalid";
+    
+    const parseAuthUrls = () => {
+      const urlEnv = process.env.BETTER_AUTH_URL || "http://localhost:4321";
+      const urls = urlEnv.split(',').map(u => u.trim()).filter(Boolean);
+      
+      const validUrls: string[] = [];
+      let primaryUrl = "";
+      
+      for (const url of urls) {
+        try {
+          new URL(url);
+          validUrls.push(url);
+          if (!primaryUrl) {
+            primaryUrl = url;
+          }
+        } catch {
+          // Skip invalid URLs
+        }
+      }
+      
+      return { 
+        primary: primaryUrl || "http://localhost:4321", 
+        all: validUrls 
+      };
+    };
+
+    const result = parseAuthUrls();
+    expect(result.primary).toBe("http://valid.url:4321");
+    expect(result.all).toEqual(["http://valid.url:4321"]);
+  });
+
+  test("should include all URLs in trusted origins", () => {
+    process.env.BETTER_AUTH_URL = "http://10.10.20.45:4321,https://gitea-mirror.mydomain.tld";
+    process.env.BETTER_AUTH_TRUSTED_ORIGINS = "https://auth.provider.com";
+    
+    const getTrustedOrigins = () => {
+      const origins = [
+        "http://localhost:4321",
+        "http://localhost:8080",
+      ];
+      
+      // Add all URLs from BETTER_AUTH_URL
+      const urlEnv = process.env.BETTER_AUTH_URL || "";
+      if (urlEnv) {
+        const urls = urlEnv.split(',').map(u => u.trim()).filter(Boolean);
+        urls.forEach(url => {
+          try {
+            new URL(url);
+            origins.push(url);
+          } catch {
+            // Skip invalid
+          }
+        });
+      }
+      
+      // Add additional trusted origins
+      if (process.env.BETTER_AUTH_TRUSTED_ORIGINS) {
+        origins.push(...process.env.BETTER_AUTH_TRUSTED_ORIGINS.split(',').map(o => o.trim()));
+      }
+      
+      // Remove duplicates
+      return [...new Set(origins.filter(Boolean))];
+    };
+
+    const origins = getTrustedOrigins();
+    expect(origins).toContain("http://10.10.20.45:4321");
+    expect(origins).toContain("https://gitea-mirror.mydomain.tld");
+    expect(origins).toContain("https://auth.provider.com");
+    expect(origins).toContain("http://localhost:4321");
+  });
+
+  test("should handle empty BETTER_AUTH_URL", () => {
+    delete process.env.BETTER_AUTH_URL;
+    
+    const parseAuthUrls = () => {
+      const urlEnv = process.env.BETTER_AUTH_URL || "http://localhost:4321";
+      const urls = urlEnv.split(',').map(u => u.trim()).filter(Boolean);
+      
+      for (const url of urls) {
+        try {
+          new URL(url);
+          return { primary: url, all: urls };
+        } catch {
+          // Skip invalid
+        }
+      }
+      return { primary: "http://localhost:4321", all: ["http://localhost:4321"] };
+    };
+
+    const result = parseAuthUrls();
+    expect(result.primary).toBe("http://localhost:4321");
+  });
+
+  test("should handle whitespace in comma-separated URLs", () => {
+    process.env.BETTER_AUTH_URL = " http://10.10.20.45:4321 , https://gitea-mirror.mydomain.tld , http://localhost:3000 ";
+    
+    const parseAuthUrls = () => {
+      const urlEnv = process.env.BETTER_AUTH_URL || "http://localhost:4321";
+      const urls = urlEnv.split(',').map(u => u.trim()).filter(Boolean);
+      return urls;
+    };
+
+    const urls = parseAuthUrls();
+    expect(urls).toEqual([
+      "http://10.10.20.45:4321",
+      "https://gitea-mirror.mydomain.tld",
+      "http://localhost:3000"
+    ]);
+  });
+});
--- a/src/lib/auth.ts
+++ b/src/lib/auth.ts
@@ -17,7 +17,7 @@ export const auth = betterAuth({
  // Secret for signing tokens
  secret: process.env.BETTER_AUTH_SECRET,

-  // Base URL configuration - ensure it's a valid URL
+  // Base URL configuration - use the primary URL (Better Auth only supports single baseURL)
  baseURL: (() => {
    const url = process.env.BETTER_AUTH_URL || "http://localhost:4321";
    try {
@@ -31,20 +31,30 @@ export const auth = betterAuth({
  })(),
  basePath: "/api/auth", // Specify the base path for auth endpoints
  
-  // Trusted origins for OAuth flows - parse from environment if set
+  // Trusted origins - this is how we support multiple access URLs
  trustedOrigins: (() => {
    const origins = [
      "http://localhost:4321",
      "http://localhost:8080", // Keycloak
-      process.env.BETTER_AUTH_URL || "http://localhost:4321"
    ];
    
-    // Add trusted origins from environment if set
+    // Add the primary URL from BETTER_AUTH_URL
+    const primaryUrl = process.env.BETTER_AUTH_URL || "http://localhost:4321";
+    try {
+      new URL(primaryUrl);
+      origins.push(primaryUrl);
+    } catch {
+      // Skip if invalid
+    }
+    
+    // Add additional trusted origins from environment
+    // This is where users can specify multiple access URLs
    if (process.env.BETTER_AUTH_TRUSTED_ORIGINS) {
      origins.push(...process.env.BETTER_AUTH_TRUSTED_ORIGINS.split(',').map(o => o.trim()));
    }
    
-    return origins.filter(Boolean);
+    // Remove duplicates and return
+    return [...new Set(origins.filter(Boolean))];
  })(),

  // Authentication methods