[GH-ISSUE #7657] Cross-Origin Auth Broken in 1.4.x with Hono + Cloudflare Workers + Next.js Proxy #19497

New Issue

GiteaMirror · 2026-04-15T18:40:32-05:00

GiteaMirror commented

2026-04-15 18:40:32 -05:00

Originally created by @samsullivandelgobbo on GitHub (Jan 28, 2026).
Original GitHub issue: https://github.com/better-auth/better-auth/issues/7657

Is this suited for github?

Yes, this is suited for github

To Reproduce

Cross-Origin Auth Broken in 1.4.x with Hono + Cloudflare Workers + Next.js Proxy

Environment

better-auth version: 1.4.17 (broken), 1.3.13 (works)
Framework: Hono on Cloudflare Workers
Client: Next.js 15 on Vercel
Setup: API at api.example.com, Web app at app.example.com
Auth Proxy: Next.js rewrites /api/auth/* → api.example.com/api/auth/*

Description

After upgrading from 1.3.13 to 1.4.17, OAuth social login (Google) completely broke on our cross-origin setup. The same configuration worked perfectly on 1.3.x.

Configuration

// Hono CORS config
cors({
  origin: ["https://app.example.com", "http://localhost:3000"],
  allowHeaders: ["Content-Type", "Authorization", "x-api-key"],
  allowMethods: ["POST", "GET", "OPTIONS", "PUT", "DELETE", "PATCH"],
  credentials: true,
})

// better-auth config
export const authOptions = {
  advanced: {
    defaultCookieAttributes: {
      sameSite: "none",
      secure: true,
    },
  },
  trustedOrigins: [
    "https://app.example.com",
    "http://localhost:3000",
  ],
  // ... plugins, social providers, etc.
}

Issues Encountered

1. Undocumented User-Agent Header Requirement

Related: #6358

1.4.x adds a default User-Agent header to requests. This causes CORS preflight failures because most CORS configs don't explicitly allow User-Agent in allowHeaders.

Symptom: CORS errors in browser, especially Safari.

Workaround: Add "User-Agent" to CORS allowHeaders.

2. Stricter Origin/CSRF Validation Breaking Proxy Setups

Related: #4052, #4720, #6944

The changelog mentions "Separate CSRF and origin checks" - this appears to have made validation stricter. Requests coming through a Next.js rewrite proxy fail origin validation even when the origin is in trustedOrigins.

Symptom: Requests return errors or unexpected responses when proxied, but work when hitting the API directly.

3. baseURL Inference Issues

Related: #6944

Without explicit baseURL, the library doesn't correctly infer the origin from proxied requests. Setting baseURL explicitly to the API domain causes a different problem (Issue 4 below).

The 1.4.8 release notes mention a fix for "Respect trustedOrigins when baseURL is inferred" but this doesn't appear to work correctly with proxy setups.

4. OAuth Callback URL Bypasses Proxy

When baseURL is set to the API domain (or inferred as such), the OAuth callback URL sent to Google points directly to the API:

redirect_uri=https://api.example.com/api/auth/callback/google

This means:

User authenticates with Google
Google redirects to api.example.com/callback (bypasses Next.js proxy)
Cookie is set on api.example.com domain
User is redirected to app.example.com
Cookie is on wrong domain - user not authenticated

This worked in 1.3.x because the baseURL inference correctly used the request's origin (which came through the proxy).

Reproduction Steps

Set up Hono API on one domain with better-auth
Set up Next.js app on different domain with rewrite proxy to API
Configure trustedOrigins to include the web app domain
Upgrade to 1.4.x
Try to sign in with Google OAuth
Observe: either CORS errors, origin validation errors, or cookies set on wrong domain

Workaround

Pin to 1.3.13:

{
  "dependencies": {
    "better-auth": "1.3.13"
  }
}

#6358 - User-Agent header CORS issue (undocumented breaking change)
#4052 - CORS violation even after defining trustedOrigins
#4720 - Next.js App Router OPTIONS Preflight Requests Not Honoring trustedOrigins
#6944 - Better-Auth 1.4.8 broken due to trusted origins
#6613 - Upgrade from 1.3 to 1.4: Error runWithRequestState on Cloudflare Workers
#6545 - Error on Cloudflare switching from 1.3.40 to 1.4.5

Current vs. Expected behavior

Expected Behavior

Cross-origin setups with proxy rewrites should work the same as in 1.3.x:

Origin should be inferred from the incoming request (respecting the proxy)
trustedOrigins should be respected for proxied requests
OAuth callback URLs should use the origin from the request, not a hardcoded baseURL

What version of Better Auth are you using?

1.4

System info

{
    "better-auth": "1.3.13 (pinned, 1.4.17 broken)",
    "framework": "hono",
    "runtime": "cloudflare-workers",
    "client": "next.js 15 (vercel)"
  }

Which area(s) are affected? (Select all that apply)

Backend, Client, Package

Auth config (if applicable)

import { betterAuth } from "better-auth"
export const auth = betterAuth({
  emailAndPassword: {  
    enabled: true
  },
});

Additional context

No response

Adopted as tracking issue: 2026-04-14

Summary

Origin, CORS, and trustedOrigins handling regressed across the 1.3.29 to 1.4.9 range when origin checks were split from CSRF checks. The same request-validation path fails under several adapters, including Next.js server components, Hono on Cloudflare Workers, Electron file://, TanStack Start, and multi-domain deployments. The path also rejects requests that do not send an Origin header and requests that send Origin: null.

Root cause

trustedOrigins(request) does not always receive the Request object under every adapter. The origin-check middleware can reject Origin: null and file:// even when they are trusted, and it can reject server-to-server or API-client requests that have no Origin header. Proxied worker deployments also fail because request-context propagation is incomplete. Earlier point fixes closed specific regressions in 1.4.7, 1.4.8, and 1.4.9, but the adapter-wide request propagation problem remains.

Scope

In: origin-check middleware, trustedOrigins resolution with request context, CORS handling across framework adapters, non-http origins (null, file://), expo-origin header injection on Expo (#7014).

Out: baseURL resolution (tracking: baseURL / env resolution, #4151). OAuth state cookie writes (OAuth state_mismatch cluster).

Resolution criteria

trustedOrigins(request) receives the Request under every first-party adapter.
Clients with no Origin header (Postman, server-to-server) succeed when configured.
file:// and null origins pass the check when trusted.
Cross-domain cookies interoperate with trustedOrigins on multi-domain setups.
Hono on Cloudflare Workers and TanStack Start work without adapter-specific workarounds.

Prior regressions: #6798 (1.4.7), #6944 (1.4.8), #7078 (1.4.9).
Cross-reference: tracking: baseURL / env resolution (#4151) for cases where baseURL vs trustedOrigins semantics overlap (#7502 docs ambiguity).
Adjacent: oauth-provider CORS family (#8503, #7041 closed).

Originally created by @samsullivandelgobbo on GitHub (Jan 28, 2026). Original GitHub issue: https://github.com/better-auth/better-auth/issues/7657 ### Is this suited for github? - [x] Yes, this is suited for github ### To Reproduce # Cross-Origin Auth Broken in 1.4.x with Hono + Cloudflare Workers + Next.js Proxy ## Environment - **better-auth version**: 1.4.17 (broken), 1.3.13 (works) - **Framework**: Hono on Cloudflare Workers - **Client**: Next.js 15 on Vercel - **Setup**: API at `api.example.com`, Web app at `app.example.com` - **Auth Proxy**: Next.js rewrites `/api/auth/*` → `api.example.com/api/auth/*` ## Description After upgrading from `1.3.13` to `1.4.17`, OAuth social login (Google) completely broke on our cross-origin setup. The same configuration worked perfectly on 1.3.x. ## Configuration ```typescript // Hono CORS config cors({ origin: ["https://app.example.com", "http://localhost:3000"], allowHeaders: ["Content-Type", "Authorization", "x-api-key"], allowMethods: ["POST", "GET", "OPTIONS", "PUT", "DELETE", "PATCH"], credentials: true, }) // better-auth config export const authOptions = { advanced: { defaultCookieAttributes: { sameSite: "none", secure: true, }, }, trustedOrigins: [ "https://app.example.com", "http://localhost:3000", ], // ... plugins, social providers, etc. } ``` ## Issues Encountered ### 1. Undocumented User-Agent Header Requirement Related: #6358 1.4.x adds a default `User-Agent` header to requests. This causes CORS preflight failures because most CORS configs don't explicitly allow `User-Agent` in `allowHeaders`. **Symptom**: CORS errors in browser, especially Safari. **Workaround**: Add `"User-Agent"` to CORS `allowHeaders`. ### 2. Stricter Origin/CSRF Validation Breaking Proxy Setups Related: #4052, #4720, #6944 The changelog mentions "Separate CSRF and origin checks" - this appears to have made validation stricter. Requests coming through a Next.js rewrite proxy fail origin validation even when the origin is in `trustedOrigins`. **Symptom**: Requests return errors or unexpected responses when proxied, but work when hitting the API directly. ### 3. baseURL Inference Issues Related: #6944 Without explicit `baseURL`, the library doesn't correctly infer the origin from proxied requests. Setting `baseURL` explicitly to the API domain causes a different problem (Issue 4 below). The 1.4.8 release notes mention a fix for "Respect trustedOrigins when baseURL is inferred" but this doesn't appear to work correctly with proxy setups. ### 4. OAuth Callback URL Bypasses Proxy When `baseURL` is set to the API domain (or inferred as such), the OAuth callback URL sent to Google points directly to the API: ``` redirect_uri=https://api.example.com/api/auth/callback/google ``` This means: 1. User authenticates with Google 2. Google redirects to `api.example.com/callback` (bypasses Next.js proxy) 3. Cookie is set on `api.example.com` domain 4. User is redirected to `app.example.com` 5. **Cookie is on wrong domain - user not authenticated** This worked in 1.3.x because the baseURL inference correctly used the request's origin (which came through the proxy). ## Reproduction Steps 1. Set up Hono API on one domain with better-auth 2. Set up Next.js app on different domain with rewrite proxy to API 3. Configure `trustedOrigins` to include the web app domain 4. Upgrade to 1.4.x 5. Try to sign in with Google OAuth 6. Observe: either CORS errors, origin validation errors, or cookies set on wrong domain ## Workaround Pin to `1.3.13`: ```json { "dependencies": { "better-auth": "1.3.13" } } ``` ## Related Issues - #6358 - User-Agent header CORS issue (undocumented breaking change) - #4052 - CORS violation even after defining trustedOrigins - #4720 - Next.js App Router OPTIONS Preflight Requests Not Honoring trustedOrigins - #6944 - Better-Auth 1.4.8 broken due to trusted origins - #6613 - Upgrade from 1.3 to 1.4: Error runWithRequestState on Cloudflare Workers - #6545 - Error on Cloudflare switching from 1.3.40 to 1.4.5 ### Current vs. Expected behavior ## Expected Behavior Cross-origin setups with proxy rewrites should work the same as in 1.3.x: - Origin should be inferred from the incoming request (respecting the proxy) - `trustedOrigins` should be respected for proxied requests - OAuth callback URLs should use the origin from the request, not a hardcoded baseURL ### What version of Better Auth are you using? 1.4 ### System info ```bash { "better-auth": "1.3.13 (pinned, 1.4.17 broken)", "framework": "hono", "runtime": "cloudflare-workers", "client": "next.js 15 (vercel)" } ``` ### Which area(s) are affected? (Select all that apply) Backend, Client, Package ### Auth config (if applicable) ```typescript import { betterAuth } from "better-auth" export const auth = betterAuth({ emailAndPassword: { enabled: true }, }); ``` ### Additional context _No response_ --- ## Adopted as tracking issue: 2026-04-14 ## Summary Origin, CORS, and `trustedOrigins` handling regressed across the 1.3.29 to 1.4.9 range when origin checks were split from CSRF checks. The same request-validation path fails under several adapters, including Next.js server components, Hono on Cloudflare Workers, Electron `file://`, TanStack Start, and multi-domain deployments. The path also rejects requests that do not send an `Origin` header and requests that send `Origin: null`. ## Root cause `trustedOrigins(request)` does not always receive the `Request` object under every adapter. The origin-check middleware can reject `Origin: null` and `file://` even when they are trusted, and it can reject server-to-server or API-client requests that have no `Origin` header. Proxied worker deployments also fail because request-context propagation is incomplete. Earlier point fixes closed specific regressions in 1.4.7, 1.4.8, and 1.4.9, but the adapter-wide request propagation problem remains. ## Scope **In:** origin-check middleware, `trustedOrigins` resolution with request context, CORS handling across framework adapters, non-http origins (`null`, `file://`), expo-origin header injection on Expo (#7014). **Out:** baseURL resolution (`tracking: baseURL / env resolution`, #4151). OAuth state cookie writes (OAuth state_mismatch cluster). ## Resolution criteria - `trustedOrigins(request)` receives the `Request` under every first-party adapter. - Clients with no `Origin` header (Postman, server-to-server) succeed when configured. - `file://` and `null` origins pass the check when trusted. - Cross-domain cookies interoperate with `trustedOrigins` on multi-domain setups. - Hono on Cloudflare Workers and TanStack Start work without adapter-specific workarounds. ## Related - Prior regressions: #6798 (1.4.7), #6944 (1.4.8), #7078 (1.4.9). - Cross-reference: `tracking: baseURL / env resolution` (#4151) for cases where `baseURL` vs `trustedOrigins` semantics overlap (#7502 docs ambiguity). - Adjacent: oauth-provider CORS family (#8503, #7041 closed).

GiteaMirror added the tracking platform core bug labels 2026-04-15 18:40:32 -05:00

GiteaMirror commented

2026-04-15 18:40:37 -05:00

@better-auth-agent[bot] commented on GitHub (Jan 28, 2026):

It looks like you're experiencing issues with cross-origin authentication using Better Auth version 1.4.x with Hono, Cloudflare Workers, and a Next.js proxy setup. Based on the reported behavior and configuration details, here are some troubleshooting steps and potential solutions to address the various issues:

CORS Configuration: Ensure that the User-Agent header is included in your CORS configuration. It appears that the introduction of the User-Agent header in version 1.4.x is causing CORS failures, especially on browsers like Safari. You can add "User-Agent" to your allowHeaders in the CORS setup to resolve this issue.
```
cors({
    origin: ["https://app.example.com", "http://localhost:3000"],
    allowHeaders: ["Content-Type", "Authorization", "x-api-key", "User-Agent"],
    allowMethods: ["POST", "GET", "OPTIONS", "PUT", "DELETE", "PATCH"],
    credentials: true,
});
```
Trusted Origins and CSRF Validation: The stricter validations for CSRF and origin checks introduced in 1.4.x may cause issues with requests routed through the Next.js proxy. Ensure that your trustedOrigins are configured correctly and include both web app and API domains.
OAuth Callback URL: The OAuth callback URL needs to respect the original request's headers or proxy settings. Setting the baseURL explicitly to the API domain might lead to issues where the callback bypasses the proxy. Consider reviewing how the callback URL is constructed in your authentication flow.
Reverting to a Stable Version: If these issues persist and you need a quick fix, it might be worthwhile to revert back to version 1.3.13, which is working for your setup.

{
  "dependencies": {
    "better-auth": "1.3.13"
  }
}

Given these suggestions, how are you currently configuring your CORS settings? Feel free to share your current setup, and I can provide more tailored advice!

If you need more help, tag @better-auth-agent in a comment so I can respond.

Diagram • Discord • GitHub

@better-auth-agent[bot] commented on GitHub (Jan 28, 2026): It looks like you're experiencing issues with cross-origin authentication using Better Auth version 1.4.x with Hono, Cloudflare Workers, and a Next.js proxy setup. Based on the reported behavior and configuration details, here are some troubleshooting steps and potential solutions to address the various issues: 1. **CORS Configuration**: Ensure that the `User-Agent` header is included in your CORS configuration. It appears that the introduction of the User-Agent header in version 1.4.x is causing CORS failures, especially on browsers like Safari. You can add `"User-Agent"` to your `allowHeaders` in the CORS setup to resolve this issue. ```typescript cors({ origin: ["https://app.example.com", "http://localhost:3000"], allowHeaders: ["Content-Type", "Authorization", "x-api-key", "User-Agent"], allowMethods: ["POST", "GET", "OPTIONS", "PUT", "DELETE", "PATCH"], credentials: true, }); ``` 2. **Trusted Origins and CSRF Validation**: The stricter validations for CSRF and origin checks introduced in 1.4.x may cause issues with requests routed through the Next.js proxy. Ensure that your `trustedOrigins` are configured correctly and include both web app and API domains. 3. **OAuth Callback URL**: The OAuth callback URL needs to respect the original request's headers or proxy settings. Setting the `baseURL` explicitly to the API domain might lead to issues where the callback bypasses the proxy. Consider reviewing how the callback URL is constructed in your authentication flow. 4. **Reverting to a Stable Version**: If these issues persist and you need a quick fix, it might be worthwhile to revert back to version 1.3.13, which is working for your setup. ```json { "dependencies": { "better-auth": "1.3.13" } } ``` Given these suggestions, how are you currently configuring your CORS settings? Feel free to share your current setup, and I can provide more tailored advice! _If you need more help, tag @better-auth-agent in a comment so I can respond._  [Diagram](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) • [Discord](https://discord.gg/better-auth) • [GitHub](https://github.com/better-auth/better-auth) [![Diagram](https://img.shields.io/badge/Diagram-2b3137?style=flat-square)](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) [![Join](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&style=flat-square)](https://discord.gg/better-auth) [![Star](https://img.shields.io/badge/star-181717?logo=github&logoColor=white&style=flat-square)](https://github.com/better-auth/better-auth)

GiteaMirror commented

2026-04-15 18:40:38 -05:00

@VesperQuartz commented on GitHub (Mar 1, 2026):

has this been fixed?

@VesperQuartz commented on GitHub (Mar 1, 2026): has this been fixed?

GiteaMirror commented

2026-04-15 18:40:39 -05:00

@samsullivandelgobbo commented on GitHub (Mar 2, 2026):

@VesperQuartz No - have been pinned to 1.3.x for who knows how long now. The auth proxy is through a nextjs route to external api which resolves the CORS stuff enough for prod

@samsullivandelgobbo commented on GitHub (Mar 2, 2026): @VesperQuartz No - have been pinned to 1.3.x for who knows how long now. The auth proxy is through a nextjs route to external api which resolves the CORS stuff enough for prod

GiteaMirror commented

2026-04-15 18:40:40 -05:00

@hafizjavaid commented on GitHub (Mar 7, 2026):

I'm getting the same error, but within the Nuxt application. "better-auth": "^1.4.7", has anyone found the solution for this?

@hafizjavaid commented on GitHub (Mar 7, 2026): I'm getting the same error, but within the Nuxt application. "better-auth": "^1.4.7", has anyone found the solution for this?

Sign in to join this conversation.

Branches Tags

2026-05-22/chore/adopt-agents-md

2026-05-22/refactor/string-case-utils

dependabot/npm_and_yarn/uuid-14.0.0

dependabot/npm_and_yarn/turbo-2.9.14

changeset-release/main

main

2026-05-14/fix/passkey-verify-error-and-claim

dependabot/npm_and_yarn/samlify-2.13.0

dependabot/npm_and_yarn/ws-8.20.1

changeset-release/next

dependabot/npm_and_yarn/demo/electron/demo-minor-patch-519ef7475f

dependabot/github_actions/github-actions-98f3470200

client-assertions-main

2026-05-15/ci/fix-sqlite-abi-mismatch

2026-05-15/fix/organization-team-add-cascade

2026-05-15/fix/parse-set-cookie-value-validation

2026-05-13/feat/captcha-wildcard-endpoints

2026-05-13/ci/stabilize-docker-startup

fix/i18n-before-hook-translation

fix/disable-migration-generate

2026-05-07/fix/admin-set-password-upsert

2026-05-10/fix/cookie-drain-order

2026-05-10/feat/hooks-finally

2026-05-09/fix/cookie-drain-order

2026-05-09/feat/hooks-finally

2026-05-08/feat/register-before-send

fix/stripe/subscription-data-merge

2026-05-01/chore/pnpm-v11-harden

chore/pnpm-v11

2026-04-29/feat/google-include-granted-scopes

2026-04-29/fix/oauth-account-scope-semantics

2026-04-27/fix/nextcookies-idempotent-writes

2026-04-26/fix/harden-proxy-host-validation

2026-04-26/refactor/stripe-callback-signature-cleanup

2026-04-26/fix/stripe-subscription-callback-timing

2026-04-11/fix/sveltekit-app-modules

feat/open-api-zod-contract

feat/oauth-provider-backchannel-logout-next

feat/oauth-idp-initiated-bounce

refactor/sign-in-challenges

2026-04-21/fix/oauth-rfc-input-validation

fix/release-notes-new-packages

fix/two-factor-identity-guard

fix/resource

feat/emailpassword-authorize

2026-04-12/security/dynamic-baseurl-proxy-trust-default

feat/oauth-provider-at-hash-v2

fix/release-grep-fallback

claude/address-review-comments-JhFLr

claude/slack-update-stripe-docs-consistency-8Sc0w

feat/async-auth

fix/two-factor-totp-verified-enrollment

feat/plugin-ui

codex/blog-1-6-release-post

2026-04-06/fix/type-any-guards

2026-04-05/chore/downgrade-better-call

2026-04-04/ci/skip-vercel-fork-prs

2026-03-28/ci/add-autofix-ci

chore/release-preview-script

himself65/2026/02/19/role

2026-03-24/fix/update-user-info-on-link

2026-03-20/docs/improve-website

2026-03-20/fix/anonymous-onlinkaccount-expo

2026-02-17/fix/anonymous-link-state

fix/8607-saml-inresponseto

fix/8549-scim-patch-noop

v1.4.x

refactor/migration-snapshot-tests

worktree-magic-link-additional-data

chore/migrate-build-to-rollup

worktree-fix-dynamic-baseurl-8447

2026-03-06/chore/public-api-check

fix/close-8156-regression-test

fix/secondary-storage-json-error-handling

himself65/verification-namespace

cursor/issue-8307-validation-79a3

himself65/2026/01/30/error-mdx

v1.4.x-staging

fix/email-otp-user

fix/restrict-full-organization-access-roles

himself65/2026/02/12/count

himself65/2026/02/04/define-plugin

2026-02-04/feat/add-pluralize

cursor/better-auth-js-integration-ec21

cursor/expo-state-mismatch-394c

2026-02-01/fix/org-update-role-sync-members

cursor/issue-7607-investigation-e146

cursor/email-generation-helper-0ff6

himself65/2026/01/21/avoid-spread-operator

himself65/2026/01/14/cli

claude/slack-add-docs-pr-NMvgO

claude/slack-add-advanced-useplural-WHKYL

feat/hooks-pos

feat/2fa-phone

feat/2fa

fix/rotation

fix/username-check

v1.3.x

refactor/organization

feat/multiple-client-ids-social-providers

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/better-auth#19497