From 09ad98990cfdb04e5dfe1966fb527f685f98b448 Mon Sep 17 00:00:00 2001
From: kenneth
Date: Mon, 23 Mar 2026 00:22:36 +0000
Subject: [PATCH] fix(backend): add CORS middleware and disable CSRF in dev

- Add CORS middleware for /api/auth/* and global routes
- Disable better-auth CSRF origin check when NODE_ENV != production

Co-authored-by: Ona
---
 apps/aelis-backend/src/auth/index.ts | 3 +++
 apps/aelis-backend/src/server.ts | 21 +++++++++++++++++++++
 2 files changed, 24 insertions(+)

diff --git a/apps/aelis-backend/src/auth/index.ts b/apps/aelis-backend/src/auth/index.ts
index 351a25e..0a9b567 100644
--- a/apps/aelis-backend/src/auth/index.ts
+++ b/apps/aelis-backend/src/auth/index.ts
@@ -16,6 +16,9 @@ export function createAuth(db: Database) {
 provider: "pg",
 schema,
 }),
+ advanced: {
+ disableCSRFCheck: process.env.NODE_ENV !== "production",
+ },
 emailAndPassword: {
 enabled: true,
 },
diff --git a/apps/aelis-backend/src/server.ts b/apps/aelis-backend/src/server.ts
index 22fa66b..9680b04 100644
--- a/apps/aelis-backend/src/server.ts
+++ b/apps/aelis-backend/src/server.ts
@@ -1,4 +1,5 @@
 import { Hono } from "hono"
+import { cors } from "hono/cors"
 import { registerAdminHttpHandlers } from "./admin/http.ts"
 import { createRequireAdmin } from "./auth/admin-middleware.ts"
@@ -50,6 +51,26 @@ function main() {
 const app = new Hono()
+ app.use(
+ "/api/auth/*",
+ cors({
+ origin: (origin) => origin,
+ allowHeaders: ["Content-Type", "Authorization"],
+ allowMethods: ["POST", "GET", "OPTIONS"],
+ exposeHeaders: ["Content-Length"],
+ maxAge: 600,
+ credentials: true,
+ }),
+ )
+
+ app.use(
+ "*",
+ cors({
+ origin: (origin) => origin,
+ credentials: true,
+ }),
+ )
+
 app.get("/health", (c) => c.json({ status: "ok" }))
 const authSessionMiddleware = createRequireSession(auth)
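Review bot: `disableCSRFCheck: process.env.NODE_ENV !== "production"` in the auth/index.ts hunk turns the origin check off in every environment where NODE_ENV is unset or misspelled, not just on a developer machine, so a staging, preview or CI deployment that forgets the variable loses the protection silently; make it an explicit opt-in, `disableCSRFCheck: process.env.NODE_ENV === "development",`, or better, keep the check on and add the dev front-end origin to better-auth's `trustedOrigins` instead. The server.ts hunk relaxes the same boundary from the other side: `origin: (origin) => origin` together with `credentials: true` echoes whatever Origin the browser sends and permits cookies on the response, which is exactly the cross-site request pattern CORS exists to block, and the `"*"` middleware extends that to every route. The origin callback should compare against an allow-list (an env-driven array is enough) and return `undefined` for anything not on it, so unknown origins get no Access-Control-Allow-Origin header. With both relaxations active, any page a developer visits can make authenticated calls to `/api/auth/*` on a non-production instance; the trailing context of the server.ts hunk appears to run past the end of this excerpt.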