chore(better-auth): fix inferred trusted origins on cloned context (better-auth#7007)

Author: jonathansamines

packages/better-auth/src/api/middlewares/origin-check.test.ts

@@ -501,6 +501,7 @@ describe("origin check middleware", async (it) => {
 describe("trusted origins with baseURL inferred from request", async (it) => {
 	it("should respect trustedOrigins array when baseURL is NOT in config", async () => {
 		const { customFetchImpl, testUser } = await getTestInstance({
+			baseURL: undefined,
 			trustedOrigins: ["http://my-frontend.com"],
 			emailAndPassword: {
 				enabled: true,
@@ -533,6 +534,7 @@ describe("trusted origins with baseURL inferred from request", async (it) => {
 
 	it("should reject untrusted origins even when baseURL is inferred", async () => {
 		const { customFetchImpl, testUser } = await getTestInstance({
+			baseURL: undefined,
 			trustedOrigins: ["http://my-frontend.com"],
 			emailAndPassword: {
 				enabled: true,
@@ -567,6 +569,7 @@ describe("trusted origins with baseURL inferred from request", async (it) => {
 
 		try {
 			const { customFetchImpl, testUser } = await getTestInstance({
+				baseURL: undefined,
 				emailAndPassword: {
 					enabled: true,
 				},
@@ -601,6 +604,7 @@ describe("trusted origins with baseURL inferred from request", async (it) => {
 
 	it("should allow requests from inferred baseURL origin", async () => {
 		const { customFetchImpl, testUser } = await getTestInstance({
+			baseURL: undefined,
 			emailAndPassword: {
 				enabled: true,
 			},
@@ -635,6 +639,7 @@ describe("trusted origins with baseURL inferred from request", async (it) => {
 
 		try {
 			const { customFetchImpl, testUser } = await getTestInstance({
+				baseURL: undefined,
 				trustedOrigins: ["http://config-origin.com"],
 				emailAndPassword: {
 					enabled: true,

packages/better-auth/src/auth/trusted-origins.test.ts

@@ -35,8 +35,8 @@ async function createAuthTestInstance(overrides?: Partial<BetterAuthOptions>) {
 
 	const { auth, client } = await getTestInstance(
 		{
-			plugins: [testServerPlugin],
 			...overrides,
+			plugins: [testServerPlugin, ...(overrides?.plugins || [])],
 		},
 		{ clientOptions: { plugins: [testClientPlugin] } },
 	);
@@ -73,6 +73,44 @@ describe("trusted origins", () => {
 			).resolves.toBe(true);
 		});
 
+		it("should always allow the app's origin (inferred from baseURL)", async () => {
+			const { isTrustedOrigin } = await createAuthTestInstance({
+				baseURL: undefined,
+			});
+
+			await expect(isTrustedOrigin("http://localhost:3000")).resolves.toBe(
+				true,
+			);
+
+			await expect(
+				isTrustedOrigin("http://localhost:3000/some/path"),
+			).resolves.toBe(true);
+		});
+
+		it("should always allow the app's origin (even if context is updated)", async () => {
+			const { isTrustedOrigin } = await createAuthTestInstance({
+				baseURL: undefined,
+				plugins: [
+					{
+						id: "test-init-plugin",
+						init() {
+							return {
+								context: {},
+							};
+						},
+					},
+				],
+			});
+
+			await expect(isTrustedOrigin("http://localhost:3000")).resolves.toBe(
+				true,
+			);
+
+			await expect(
+				isTrustedOrigin("http://localhost:3000/some/path"),
+			).resolves.toBe(true);
+		});
+
 		it("should reject origins that start with a trusted origin", async () => {
 			const { isTrustedOrigin } = await createAuthTestInstance({
 				trustedOrigins: ["https://trusted.com"],

packages/better-auth/src/context/create-context.ts

@@ -189,7 +189,7 @@ export async function createAuthContext(
 				allowRelativePaths: boolean;
 			},
 		) {
-			return ctx.trustedOrigins.some((origin) =>
+			return this.trustedOrigins.some((origin) =>
 				matchesOriginPattern(url, origin, settings),
 			);
 		},

packages/sso/src/routes/sso.ts

@@ -735,7 +735,7 @@ export const registerSSOProvider = <O extends SSOOptions>(options: O) => {
 							tokenEndpointAuthentication:
 								body.oidcConfig.tokenEndpointAuthentication,
 						},
-						isTrustedOrigin: ctx.context.isTrustedOrigin,
+						isTrustedOrigin: (url: string) => ctx.context.isTrustedOrigin(url),
 					});
 				} catch (error) {
 					if (error instanceof DiscoveryError) {