fix stuff based on copilot review

kantord · kantord · commit 898c70b32f8d · 2025-11-14T11:29:47.000+01:00
diff --git a/src/app/dashboard/page.tsx b/src/app/dashboard/page.tsx
@@ -28,7 +28,7 @@ export default async function DashboardPage() {
               User Info:
             </p>
             <p className="text-zinc-600 dark:text-zinc-400">
-              Email: <strong>{session.user.email}</strong>
+              Email: <strong>{session.user.email || "Not provided"}</strong>
             </p>
             <p className="text-zinc-600 dark:text-zinc-400">
               User ID: <strong>{session.user.id}</strong>
diff --git a/src/lib/auth.ts b/src/lib/auth.ts
@@ -2,15 +2,22 @@ import { betterAuth } from "better-auth";
 import { genericOAuth } from "better-auth/plugins";
 
 // Read from environment variables to support any OIDC provider
-const OIDC_ISSUER = process.env.OIDC_ISSUER_URL || "";
-const OIDC_CLIENT_ID = process.env.OIDC_CLIENT_ID || "";
-const OIDC_CLIENT_SECRET = process.env.OIDC_CLIENT_SECRET || "";
-const BETTER_AUTH_SECRET = process.env.BETTER_AUTH_SECRET || "ChangeMePlease";
+const OIDC_ISSUER = process.env.OIDC_ISSUER_URL;
+const OIDC_CLIENT_ID = process.env.OIDC_CLIENT_ID;
+const OIDC_CLIENT_SECRET = process.env.OIDC_CLIENT_SECRET;
+const BETTER_AUTH_SECRET = process.env.BETTER_AUTH_SECRET;
 const BETTER_AUTH_URL = process.env.BETTER_AUTH_URL || "http://localhost:3000";
 
+// Validate required environment variables
+if (!BETTER_AUTH_SECRET) {
+  throw new Error(
+    "[Better Auth] BETTER_AUTH_SECRET is required. Set it in .env.local to a strong, random value.",
+  );
+}
+
 if (!OIDC_ISSUER || !OIDC_CLIENT_ID || !OIDC_CLIENT_SECRET) {
-  console.warn(
-    "[Better Auth] Missing OIDC configuration. Set OIDC_ISSUER_URL, OIDC_CLIENT_ID, and OIDC_CLIENT_SECRET in .env.local",
+  throw new Error(
+    "[Better Auth] OIDC configuration is incomplete. Set OIDC_ISSUER_URL, OIDC_CLIENT_ID, and OIDC_CLIENT_SECRET in .env.local",
   );
 }
 
@@ -22,15 +29,26 @@ console.log("[Better Auth] OIDC Configuration:", {
   callbackURL: `${BETTER_AUTH_URL}/api/auth/oauth2/callback/oidc`,
 });
 
+// Configure trusted origins - defaults to localhost ports for development
+// Set TRUSTED_ORIGINS environment variable for production (comma-separated list)
+const trustedOrigins = process.env.TRUSTED_ORIGINS
+  ? process.env.TRUSTED_ORIGINS.split(",").map((origin) => origin.trim())
+  : [
+      "http://localhost:3000",
+      "http://localhost:3001",
+      "http://localhost:3002",
+      "http://localhost:3003",
+    ];
+
+// Always include BETTER_AUTH_URL if not already present
+if (BETTER_AUTH_URL && !trustedOrigins.includes(BETTER_AUTH_URL)) {
+  trustedOrigins.push(BETTER_AUTH_URL);
+}
+
 export const auth = betterAuth({
   secret: BETTER_AUTH_SECRET,
   baseURL: BETTER_AUTH_URL,
-  trustedOrigins: [
-    "http://localhost:3000",
-    "http://localhost:3001",
-    "http://localhost:3002",
-    "http://localhost:3003",
-  ],
+  trustedOrigins,
   // No database configuration - running in stateless mode
   session: {
     expiresIn: 60 * 60 * 24 * 7, // 7 days
