fix(cors): normalize self-hosted origins for CORS and auth

Normalize CLIENT_URL and CHECKOUT_BASE_URL to URL origins so path/trailing slash values still match browser Origin headers, reuse the same helper for Better Auth trustedOrigins, and add focused tests for path and invalid URL cases.

Author: ramadanomar

server/src/utils/auth.ts

@@ -21,6 +21,7 @@ import sendOTPEmail from "@/internal/emails/sendOTPEmail.js";
 import { afterOrgCreated } from "./authUtils/afterOrgCreated.js";
 import { beforeSessionCreated } from "./authUtils/beforeSessionCreated.js";
 import { ADMIN_USER_IDs } from "./constants.js";
+import { getSelfHostedOrigins } from "./corsOrigins.js";
 
 export const auth = betterAuth({
 	baseURL: process.env.BETTER_AUTH_URL,
@@ -68,13 +69,7 @@ export const auth = betterAuth({
 			"https://*.useautumn.com",
 		];
 
-		// Always trust CLIENT_URL and CHECKOUT_BASE_URL (required for self-hosted deployments)
-		if (process.env.CLIENT_URL) {
-			origins.push(process.env.CLIENT_URL);
-		}
-		if (process.env.CHECKOUT_BASE_URL) {
-			origins.push(process.env.CHECKOUT_BASE_URL);
-		}
+		origins.push(...getSelfHostedOrigins());
 
 		// Better Auth validates origins independently from app-level CORS.
 		// Allow local multi-port setups for any non-production runtime.

server/src/utils/corsOrigins.ts

@@ -16,19 +16,30 @@ export const ALLOWED_ORIGINS = [
 	"https://localhost:8080",
 ];
 
+const toOrigin = ({ url }: { url?: string }): string | undefined => {
+	if (!url) return undefined;
+
+	try {
+		return new URL(url).origin;
+	} catch {
+		return undefined;
+	}
+};
+
+export const getSelfHostedOrigins = (): string[] => {
+	const origins = [
+		toOrigin({ url: process.env.CLIENT_URL }),
+		toOrigin({ url: process.env.CHECKOUT_BASE_URL }),
+	];
+
+	return origins.filter((origin): origin is string => Boolean(origin));
+};
+
 /** Allow any localhost origin in dev for multi-worktree support */
 export const isAllowedOrigin = (origin: string): string | undefined => {
 	if (ALLOWED_ORIGINS.includes(origin)) return origin;
-
-	// Allow CLIENT_URL and CHECKOUT_BASE_URL for self-hosted deployments
-	if (process.env.CLIENT_URL && origin === process.env.CLIENT_URL) {
-		return origin;
-	}
-	if (
-		process.env.CHECKOUT_BASE_URL &&
-		origin === process.env.CHECKOUT_BASE_URL
-	) {
-		return origin;
+	for (const selfHostedOrigin of getSelfHostedOrigins()) {
+		if (origin === selfHostedOrigin) return origin;
 	}
 
 	if (

server/tests/unit/corsOrigins.test.ts

@@ -78,6 +78,15 @@ describe("isAllowedOrigin", () => {
 			).toBe("https://autumn-dashboard-production.up.railway.app");
 		});
 
+		test("allows CLIENT_URL origin when URL has path and trailing slash", () => {
+			process.env.NODE_ENV = "production";
+			process.env.CLIENT_URL =
+				"https://autumn-dashboard-production.up.railway.app/app/";
+			expect(
+				isAllowedOrigin("https://autumn-dashboard-production.up.railway.app"),
+			).toBe("https://autumn-dashboard-production.up.railway.app");
+		});
+
 		test("allows CHECKOUT_BASE_URL in production", () => {
 			process.env.NODE_ENV = "production";
 			process.env.CHECKOUT_BASE_URL =
@@ -87,6 +96,15 @@ describe("isAllowedOrigin", () => {
 			).toBe("https://autumn-checkout-production.up.railway.app");
 		});
 
+		test("allows CHECKOUT_BASE_URL origin when URL has path", () => {
+			process.env.NODE_ENV = "production";
+			process.env.CHECKOUT_BASE_URL =
+				"https://autumn-checkout-production.up.railway.app/c";
+			expect(
+				isAllowedOrigin("https://autumn-checkout-production.up.railway.app"),
+			).toBe("https://autumn-checkout-production.up.railway.app");
+		});
+
 		test("allows both CLIENT_URL and CHECKOUT_BASE_URL simultaneously", () => {
 			process.env.NODE_ENV = "production";
 			process.env.CLIENT_URL = "https://dashboard.mycompany.com";
@@ -109,6 +127,16 @@ describe("isAllowedOrigin", () => {
 			).toBeUndefined();
 		});
 
+		test("ignores invalid self-hosted URL env values", () => {
+			process.env.NODE_ENV = "production";
+			process.env.CLIENT_URL = "autumn-dashboard-production.up.railway.app";
+			process.env.CHECKOUT_BASE_URL = "not-a-url";
+
+			expect(
+				isAllowedOrigin("https://autumn-dashboard-production.up.railway.app"),
+			).toBeUndefined();
+		});
+
 		test("rejects custom domains when env URLs are unset", () => {
 			process.env.NODE_ENV = "production";
 			delete process.env.CLIENT_URL;