From 55bb3012eaa926fdd73d5ccd3386128fbd958a92 Mon Sep 17 00:00:00 2001
From: zvictor <zvictor@users.noreply.github.com>
Date: Fri, 6 Mar 2026 15:38:33 -0300
Subject: [PATCH] fix(auth): apply effective trusted origins and honor allowed
 hostnames in public mode

---
 server/src/auth/better-auth.ts | 8 ++++----
 server/src/index.ts            | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/server/src/auth/better-auth.ts b/server/src/auth/better-auth.ts
index c234cb49..5c80fad7 100644
--- a/server/src/auth/better-auth.ts
+++ b/server/src/auth/better-auth.ts
@@ -53,7 +53,7 @@ export function deriveAuthTrustedOrigins(config: Config): string[] {
       // Better Auth will surface invalid base URL separately.
     }
   }
-  if (config.deploymentMode === "authenticated" && config.deploymentExposure === "private") {
+  if (config.deploymentMode === "authenticated") {
     for (const hostname of config.allowedHostnames) {
       const trimmed = hostname.trim().toLowerCase();
       if (!trimmed) continue;
@@ -65,15 +65,15 @@ export function deriveAuthTrustedOrigins(config: Config): string[] {
   return Array.from(trustedOrigins);
 }
 
-export function createBetterAuthInstance(db: Db, config: Config): BetterAuthInstance {
+export function createBetterAuthInstance(db: Db, config: Config, trustedOrigins?: string[]): BetterAuthInstance {
   const baseUrl = config.authBaseUrlMode === "explicit" ? config.authPublicBaseUrl : undefined;
   const secret = process.env.BETTER_AUTH_SECRET ?? process.env.PAPERCLIP_AGENT_JWT_SECRET ?? "paperclip-dev-secret";
-  const trustedOrigins = deriveAuthTrustedOrigins(config);
+  const effectiveTrustedOrigins = trustedOrigins ?? deriveAuthTrustedOrigins(config);
 
   const authConfig = {
     baseURL: baseUrl,
     secret,
-    trustedOrigins,
+    trustedOrigins: effectiveTrustedOrigins,
     database: drizzleAdapter(db, {
       provider: "pg",
       schema: {
diff --git a/server/src/index.ts b/server/src/index.ts
index 6604bb54..e78a6479 100644
--- a/server/src/index.ts
+++ b/server/src/index.ts
@@ -441,7 +441,7 @@ if (config.deploymentMode === "authenticated") {
     },
     "Authenticated mode auth origin configuration",
   );
-  const auth = createBetterAuthInstance(db as any, config);
+  const auth = createBetterAuthInstance(db as any, config, effectiveTrustedOrigins);
   betterAuthHandler = createBetterAuthHandler(auth);
   resolveSession = (req) => resolveBetterAuthSession(auth, req);
   resolveSessionFromHeaders = (headers) => resolveBetterAuthSessionFromHeaders(auth, headers);