fix(backend): add CORS middleware and disable CSRF in dev

- Add CORS middleware for /api/auth/* and global routes - Disable better-auth CSRF origin check when NODE_ENV != production Co-authored-by: Ona <no-reply@ona.com>
2026-03-23 18:41:17 +00:00 · 2026-03-23 00:22:36 +00:00
parent 7909211c1b
commit 09ad98990c
2 changed files with 24 additions and 0 deletions
--- a/apps/aelis-backend/src/auth/index.ts
+++ b/apps/aelis-backend/src/auth/index.ts
@@ -16,6 +16,9 @@ export function createAuth(db: Database) {
 			provider: "pg",
 			schema,
 		}),
+		advanced: {
+			disableCSRFCheck: process.env.NODE_ENV !== "production",
+		},
 		emailAndPassword: {
 			enabled: true,
 		},
--- a/apps/aelis-backend/src/server.ts
+++ b/apps/aelis-backend/src/server.ts
@@ -1,4 +1,5 @@
 import { Hono } from "hono"
+import { cors } from "hono/cors"

 import { registerAdminHttpHandlers } from "./admin/http.ts"
 import { createRequireAdmin } from "./auth/admin-middleware.ts"
@@ -50,6 +51,26 @@ function main() {

 	const app = new Hono()

+	app.use(
+		"/api/auth/*",
+		cors({
+			origin: (origin) => origin,
+			allowHeaders: ["Content-Type", "Authorization"],
+			allowMethods: ["POST", "GET", "OPTIONS"],
+			exposeHeaders: ["Content-Length"],
+			maxAge: 600,
+			credentials: true,
+		}),
+	)
+
+	app.use(
+		"*",
+		cors({
+			origin: (origin) => origin,
+			credentials: true,
+		}),
+	)
+
 	app.get("/health", (c) => c.json({ status: "ok" }))

 	const authSessionMiddleware = createRequireSession(auth)