github-starred/better-auth
2
0
Fork 0
mirror of https://github.com/better-auth/better-auth.git synced 2026-05-23 07:18:56 -05:00
Code Issues 2.5k Packages Projects Releases 112 Wiki Activity

[GH-ISSUE #6798] trustedOrigins disregarded in v1.4.7 #27955

New Issue
Closed
opened 2026-04-17 19:14:37 -05:00 by GiteaMirror · 29 comments
GiteaMirror commented 2026-04-17 19:14:37 -05:00
Owner
Copy Link

Originally created by @giuliog-GR on GitHub (Dec 16, 2025).
Original GitHub issue: https://github.com/better-auth/better-auth/issues/6798

Is this suited for github?

  • Yes, this is suited for github

To Reproduce

  1. Upgrade from v1.4.4 to v1.4.7
  2. Better Auth breaks due to invalid origin
  3. Downgrade to v1.4.4 everything works again

Current vs. Expected behavior

I would expect the system to continue working instead it is currently throwing the following error:

2025-12-16T12:02:08.788Z ERROR [Better Auth]: Invalid origin: http://localhost:5173

I did not have any trustedOrigin specified, I have tried to add a list of trusted origins but that does not seem to have any effect. Authentication is effectively broken.

What version of Better Auth are you using?

1.4.7

System info

{
  "system": {
    "platform": "linux",
    "arch": "x64",
    "version": "#101-Ubuntu SMP Tue Nov 14 13:30:08 UTC 2023",
    "release": "5.15.0-91-generic",
    "cpuCount": 32,
    "cpuModel": "AMD EPYC 73F3 16-Core Processor",
    "totalMemory": "1003.36 GB",
    "freeMemory": "896.62 GB"
  },
  "node": {
    "version": "v22.21.0",
    "env": "development"
  },
  "packageManager": {
    "name": "npm",
    "version": "11.6.2"
  },
  "frameworks": [
    {
      "name": "svelte",
      "version": "^5.45.10"
    },
    {
      "name": "@sveltejs/kit",
      "version": "^2.49.2"
    }
  ],
  "databases": [
    {
      "name": "pg",
      "version": "^8.16.3"
    },
    {
      "name": "postgres",
      "version": "^3.4.7"
    },
    {
      "name": "drizzle",
      "version": "^0.45.1"
    }
  ],
  "betterAuth": {
    "version": "1.4.7",
    "config": {
      "trustedOrigins": [
        "https://REDACTED",
        "https://REDACTED",
        "http://localhost:5173"
      ],
      "session": {
        "expiresIn": 86400
      },
      "user": {
        "additionalFields": {
          "groups": {
            "type": "string[]",
            "required": true,
            "defaultValue": [],
            "input": false
          }
        }
      },
      "plugins": [
        {
          "name": "sveltekit-cookies",
          "config": {
            "id": "sveltekit-cookies",
            "hooks": {
              "after": [
                {}
              ]
            }
          }
        },
        {
          "name": "generic-oauth",
          "config": {
            "id": "generic-oauth",
            "endpoints": {},
            "$ERROR_CODES": {
              "INVALID_OAUTH_CONFIGURATION": "Invalid OAuth configuration",
              "TOKEN_URL_NOT_FOUND": "Invalid OAuth configuration. Token URL not found.",
              "PROVIDER_CONFIG_NOT_FOUND": "No config found for provider",
              "PROVIDER_ID_REQUIRED": "Provider ID is required",
              "INVALID_OAUTH_CONFIG": "Invalid OAuth configuration.",
              "SESSION_REQUIRED": "Session is required"
            }
          }
        }
      ]
    }
  }
}

Which area(s) are affected? (Select all that apply)

Backend, Documentation, Client

Auth config (if applicable)

import { betterAuth } from 'better-auth';
import { genericOAuth } from 'better-auth/plugins';
import { drizzleAdapter } from 'better-auth/adapters/drizzle';
import { db } from '../db';
import { sveltekitCookies } from 'better-auth/svelte-kit';
import { getRequestEvent } from '$app/server';
import { config } from '$lib/utils/config';
import * as schema from '../db/schema/better_auth';

const clientId: string = config.backends['REDACTED'].auth.client_id ?? '';

export const auth = betterAuth({
    database: drizzleAdapter(db, {
        provider: 'pg',
        schema: schema
    }),
    trustedOrigins: [
        'https://REDACTED',
        'https://REDACTED',
        'http://localhost:5173'
    ],
    session: {
        expiresIn: 60 * 60 * 24 // 1 day
    },
    user: {
        additionalFields: {
            groups: {
                type: 'string[]',
                required: true,
                defaultValue: [],
                input: false
            }
        }
    },
    plugins: [
        sveltekitCookies(getRequestEvent),
        genericOAuth({
            config: [
                {
                    providerId: 'signin',
                    clientId: clientId,
                    clientSecret: clientId.split('.')[0],
                    pkce: true,
                    accessType: 'offline',
                    discoveryUrl: 'REDACTED/openid-configuration',
                    scopes: [
                        'email',
                        'groups',
                        'openid',
                        'profile',
                        'offline_access',
                        clientId.split('.')[0]
                    ],
                    overrideUserInfo: true,
                    mapProfileToUser: async (profile) => {
                        return {
                            email: profile.email,
                            name: profile.name,
                            groups: profile.groups || []
                        };
                    }
                }
            ]
        })
    ]
});

Additional context

I have tested 1.4.6 and the issue is still there. Looks like it was introduced at some point after 1.4.4 release. Can't really find anything useful in the docs to solve this issue.

I am using the latest Bun as my node runtime

Originally created by @giuliog-GR on GitHub (Dec 16, 2025). Original GitHub issue: https://github.com/better-auth/better-auth/issues/6798 ### Is this suited for github? - [x] Yes, this is suited for github ### To Reproduce 1. Upgrade from v1.4.4 to v1.4.7 2. Better Auth breaks due to invalid origin 3. Downgrade to v1.4.4 everything works again ### Current vs. Expected behavior I would expect the system to continue working instead it is currently throwing the following error: `2025-12-16T12:02:08.788Z ERROR [Better Auth]: Invalid origin: http://localhost:5173` I did not have any trustedOrigin specified, I have tried to add a list of trusted origins but that does not seem to have any effect. Authentication is effectively broken. ### What version of Better Auth are you using? 1.4.7 ### System info ```bash { "system": { "platform": "linux", "arch": "x64", "version": "#101-Ubuntu SMP Tue Nov 14 13:30:08 UTC 2023", "release": "5.15.0-91-generic", "cpuCount": 32, "cpuModel": "AMD EPYC 73F3 16-Core Processor", "totalMemory": "1003.36 GB", "freeMemory": "896.62 GB" }, "node": { "version": "v22.21.0", "env": "development" }, "packageManager": { "name": "npm", "version": "11.6.2" }, "frameworks": [ { "name": "svelte", "version": "^5.45.10" }, { "name": "@sveltejs/kit", "version": "^2.49.2" } ], "databases": [ { "name": "pg", "version": "^8.16.3" }, { "name": "postgres", "version": "^3.4.7" }, { "name": "drizzle", "version": "^0.45.1" } ], "betterAuth": { "version": "1.4.7", "config": { "trustedOrigins": [ "https://REDACTED", "https://REDACTED", "http://localhost:5173" ], "session": { "expiresIn": 86400 }, "user": { "additionalFields": { "groups": { "type": "string[]", "required": true, "defaultValue": [], "input": false } } }, "plugins": [ { "name": "sveltekit-cookies", "config": { "id": "sveltekit-cookies", "hooks": { "after": [ {} ] } } }, { "name": "generic-oauth", "config": { "id": "generic-oauth", "endpoints": {}, "$ERROR_CODES": { "INVALID_OAUTH_CONFIGURATION": "Invalid OAuth configuration", "TOKEN_URL_NOT_FOUND": "Invalid OAuth configuration. Token URL not found.", "PROVIDER_CONFIG_NOT_FOUND": "No config found for provider", "PROVIDER_ID_REQUIRED": "Provider ID is required", "INVALID_OAUTH_CONFIG": "Invalid OAuth configuration.", "SESSION_REQUIRED": "Session is required" } } } ] } } } ``` ### Which area(s) are affected? (Select all that apply) Backend, Documentation, Client ### Auth config (if applicable) ```typescript import { betterAuth } from 'better-auth'; import { genericOAuth } from 'better-auth/plugins'; import { drizzleAdapter } from 'better-auth/adapters/drizzle'; import { db } from '../db'; import { sveltekitCookies } from 'better-auth/svelte-kit'; import { getRequestEvent } from '$app/server'; import { config } from '$lib/utils/config'; import * as schema from '../db/schema/better_auth'; const clientId: string = config.backends['REDACTED'].auth.client_id ?? ''; export const auth = betterAuth({ database: drizzleAdapter(db, { provider: 'pg', schema: schema }), trustedOrigins: [ 'https://REDACTED', 'https://REDACTED', 'http://localhost:5173' ], session: { expiresIn: 60 * 60 * 24 // 1 day }, user: { additionalFields: { groups: { type: 'string[]', required: true, defaultValue: [], input: false } } }, plugins: [ sveltekitCookies(getRequestEvent), genericOAuth({ config: [ { providerId: 'signin', clientId: clientId, clientSecret: clientId.split('.')[0], pkce: true, accessType: 'offline', discoveryUrl: 'REDACTED/openid-configuration', scopes: [ 'email', 'groups', 'openid', 'profile', 'offline_access', clientId.split('.')[0] ], overrideUserInfo: true, mapProfileToUser: async (profile) => { return { email: profile.email, name: profile.name, groups: profile.groups || [] }; } } ] }) ] }); ``` ### Additional context I have tested 1.4.6 and the issue is still there. Looks like it was introduced at some point after 1.4.4 release. Can't really find anything useful in the docs to solve this issue. I am using the latest Bun as my node runtime
GiteaMirror added the lockedbug labels 2026-04-17 19:14:38 -05:00
GiteaMirror commented 2026-04-17 19:14:39 -05:00
Author
Owner
Copy Link

@better-auth-agent[bot] commented on GitHub (Dec 16, 2025):

Hi there, thanks for reporting this. It looks like the stricter origin validation introduced in v1.4.7 might be the culprit here. As a first step, please double‑check that the trustedOrigins list exactly matches the origin of your incoming requests (including protocol and port), ensuring there are no extra spaces or trailing slashes [1]. Also, since you mentioned that downgrading to v1.4.4 makes things work again, this suggests that a regression may have been introduced. It might also be worth testing under Node instead of Bun to see if the runtime plays a role with how origins are handled [2]. Could you try these troubleshooting steps and let us know if the issue persists? Tag @better-auth-agent if you would like an answer from the Agent. What changes have you noticed in your runtime headers since the upgrade?

If you need more help, tag @better-auth-agent in a comment so I can respond.

DiagramDiscordGitHub

Diagram Join Star

<!-- gh-comment-id:3660244001 --> @better-auth-agent[bot] commented on GitHub (Dec 16, 2025): Hi there, thanks for reporting this. It looks like the stricter origin validation introduced in v1.4.7 might be the culprit here. As a first step, please double‑check that the trustedOrigins list exactly matches the origin of your incoming requests (including protocol and port), ensuring there are no extra spaces or trailing slashes [[1]](https://github.com/better-auth/better-auth/issues/1183). Also, since you mentioned that downgrading to v1.4.4 makes things work again, this suggests that a regression may have been introduced. It might also be worth testing under Node instead of Bun to see if the runtime plays a role with how origins are handled [[2]](https://github.com/better-auth/better-auth/issues/4250). Could you try these troubleshooting steps and let us know if the issue persists? Tag @better-auth-agent if you would like an answer from the Agent. What changes have you noticed in your runtime headers since the upgrade? _If you need more help, tag @better-auth-agent in a comment so I can respond._ <!-- bot:webhook reply v1 --> [Diagram](https://repodiagrams.s3.eu-north-1.amazonaws.com/skyvern_ultra_detailed_interactive.html) • [Discord](https://discord.gg/fG2XXEuQX3) • [GitHub](https://github.com/Skyvern-AI/Skyvern) [![Diagram](https://img.shields.io/badge/Diagram-2b3137?style=flat-square)](https://repodiagrams.s3.eu-north-1.amazonaws.com/skyvern_ultra_detailed_interactive.html) [![Join](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&style=flat-square)](https://discord.gg/fG2XXEuQX3) [![Star](https://img.shields.io/badge/star-181717?logo=github&logoColor=white&style=flat-square)](https://github.com/Skyvern-AI/Skyvern)
GiteaMirror commented 2026-04-17 19:14:39 -05:00
Author
Owner
Copy Link

@dosubot[bot] commented on GitHub (Dec 16, 2025):

Hi @giuliog-GR! I'm Dosu and I’m helping the better-auth team.

This is a regression introduced after v1.4.4: in v1.4.7, the way Better Auth builds the trustedOrigins list changed. Now, trustedOrigins is rebuilt on every request using only the config array and the derived baseURL, dropping any origins set via environment variables or other sources. This can cause valid origins (like http://localhost:5173) to be ignored, resulting in "Invalid origin" errors even when your config looks correct. This change was introduced to support new features like per-request and async trustedOrigins, but it also broke some previous behaviors (source).

To work around this, make sure:

  • All frontend origins (including protocol and port) are explicitly listed in your trustedOrigins config.
  • If you previously relied on environment variables (like BETTER_AUTH_TRUSTED_ORIGINS), add those origins directly to your config.
  • Explicitly set baseURL in your config if it's not being derived correctly.
  • If you need dynamic or per-request origins, use the new async function form for trustedOrigins (docs).

If you want to debug further, log the computed trustedOrigins and the incoming Origin header on each request to see what is actually being checked (source). If these steps don't resolve the issue, this is likely a bug/regression and may need a patch.

To reply, just mention @dosu.

How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other

Chat with Dosu Open in Cursor Join Discord Share on X

<!-- gh-comment-id:3660263788 --> @dosubot[bot] commented on GitHub (Dec 16, 2025): <!-- Greeting --> Hi @giuliog-GR! I'm [Dosu](https://go.dosu.dev/dosubot) and I’m helping the better-auth team. <!-- Answer --> This is a regression introduced after v1.4.4: in v1.4.7, the way Better Auth builds the trustedOrigins list changed. Now, trustedOrigins is rebuilt on every request using only the config array and the derived baseURL, dropping any origins set via environment variables or other sources. This can cause valid origins (like http://localhost:5173) to be ignored, resulting in "Invalid origin" errors even when your config looks correct. This change was introduced to support new features like per-request and async trustedOrigins, but it also broke some previous behaviors ([source](https://github.com/better-auth/better-auth/blob/1c671650504b31626c7e12082b73b8e7832b7a5d/packages/better-auth/src/auth/base.ts#L29-L54)). To work around this, make sure: - All frontend origins (including protocol and port) are explicitly listed in your trustedOrigins config. - If you previously relied on environment variables (like BETTER_AUTH_TRUSTED_ORIGINS), add those origins directly to your config. - Explicitly set baseURL in your config if it's not being derived correctly. - If you need dynamic or per-request origins, use the new async function form for trustedOrigins ([docs](https://github.com/better-auth/better-auth/pull/3857)). If you want to debug further, log the computed trustedOrigins and the incoming Origin header on each request to see what is actually being checked ([source](https://github.com/better-auth/better-auth/issues/3743)). If these steps don't resolve the issue, this is likely a bug/regression and may need a patch. <!-- Dosu Comment Footer --> *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/03cc2366-c73a-4185-8448-40ef825e3582?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/03cc2366-c73a-4185-8448-40ef825e3582?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/03cc2366-c73a-4185-8448-40ef825e3582?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/03cc2366-c73a-4185-8448-40ef825e3582?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/03cc2366-c73a-4185-8448-40ef825e3582?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/03cc2366-c73a-4185-8448-40ef825e3582?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/03cc2366-c73a-4185-8448-40ef825e3582?feedback_type=other)</sup> [![Chat with Dosu](https://dosu.dev/dosu-chat-badge.svg)](https://app.dosu.dev/cdda13d9-dd27-4d31-b09a-5d8bec92de21/ask?utm_source=github)&nbsp;[![Open in Cursor](https://dosu.dev/dosu-in-cursor.svg)](https://cursor.com/link/prompt?text=This%20is%20a%20regression%20introduced%20after%20v1.4.4%3A%20in%20v1.4.7%2C%20the%20way%20Better%20Auth%20builds%20the%20trustedOrigins%20list%20changed.%20Now%2C%20trustedOrigins%20is%20rebuilt%20on%20every%20request%20using%20only%20the%20config%20array%20and%20the%20derived%20baseURL%2C%20dropping%20any%20origins%20set%20via%20environment%20variables%20or%20other%20sources.%20This%20can%20cause%20valid%20origins%20%28like%20http%3A//localhost%3A5173%29%20to%20be%20ignored%2C%20resulting%20in%20%22Invalid%20origin%22%20errors%20even%20when%20your%20config%20looks%20correct.%20This%20change%20was%20introduced%20to%20support%20new%20features%20like%20per-request%20and%20async%20trustedOrigins%2C%20but%20it%20also%20broke%20some%20previous%20behaviors%C2%A0%28%5Bsource%5D%28https%3A//github.com/better-auth/better-auth/blob/1c671650504b31626c7e12082b73b8e7832b7a5d/packages/better-auth/src/auth/base.ts%23L29-L54%29%29.%0A%0ATo%20work%20around%20this%2C%20make%20sure%3A%0A-%20All%20frontend%20origins%20%28including%20protocol%20and%20port%29%20are%20explicitly%20listed%20in%20your%20trustedOrigins%20config.%0A-%20If%20you%20previously%20relied%20on%20environment%20variables%20%28like%20BETTER_AUTH_TRUSTED_ORIGINS%29%2C%20add%20those%20origins%20directly%20to%20your%20config.%0A-%20Explicitly%20set%20baseURL%20in%20your%20config%20if%20it%27s%20not%20being%20derived%20correctly.%0A-%20If%20you%20need%20dynamic%20or%20per-request%20origins%2C%20use%20the%20new%20async%20function%20form%20for%20trustedOrigins%20%28%5Bdocs%5D%28https%3A//github.com/better-auth/better-auth/pull/3857%29%29.%0A%0AIf%20you%20want%20to%20debug%20further%2C%20log%20the%20computed%20trustedOrigins%20and%20the%20incoming%20Origin%20header%20on%20each%20request%20to%20see%20what%20is%20actually%20being%20checked%20%28%5Bsource%5D%28https%3A//github.com/better-auth/better-auth/issues/3743%29%29.%20If%20these%20steps%20don%27t%20resolve%20the%20issue%2C%20this%20is%20likely%20a%20bug/regression%20and%20may%20need%20a%20patch.)&nbsp;[![Join Discord](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&label=)](https://go.dosu.dev/discord-bot)&nbsp;[![Share on X](https://img.shields.io/badge/X-share-black)](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/better-auth/better-auth/issues/6798)
GiteaMirror commented 2026-04-17 19:14:39 -05:00
Author
Owner
Copy Link

@AdamAtRocketly commented on GitHub (Dec 16, 2025):

We are also experiencing this issue. I've stepped through the latest versions, and it is working up to 1.4.5. It appears to be related to the isTrustedOrigin functionality added in this commit in 1.4.6, though we haven't figured out why exactly.

Image

The trusted origins we've set in the options are being reflected in the context when it is logged out but are seemingly ignored. Additionally, if you add the option to disable the CSRF checking altogether, there is now an error indicating an invalid callback URL.

Possibly related: https://github.com/better-auth/better-auth/issues/6326

<!-- gh-comment-id:3660955151 --> @AdamAtRocketly commented on GitHub (Dec 16, 2025): We are also experiencing this issue. I've stepped through the latest versions, and it is working up to 1.4.5. It appears to be related to the isTrustedOrigin functionality added in [this commit](https://github.com/better-auth/better-auth/commit/197e88dd0de87def3f8ef637847cfae1de742c1a) in 1.4.6, though we haven't figured out why exactly. <img width="674" height="316" alt="Image" src="https://github.com/user-attachments/assets/16641dc5-a73e-4d2f-9ef9-c1f7170f4b2a" /> The trusted origins we've set in the options are being reflected in the context when it is logged out but are seemingly ignored. Additionally, if you add the option to disable the CSRF checking altogether, there is now an error indicating an invalid callback URL. Possibly related: https://github.com/better-auth/better-auth/issues/6326
GiteaMirror commented 2026-04-17 19:14:40 -05:00
Author
Owner
Copy Link

@KyawIT commented on GitHub (Dec 16, 2025):

Expo / Better Auth – Invalid Origin Problem (Root Cause)

Problem:
In an Expo project using Expo Go, authentication fails with:

Invalid origin: exp://<local-ip>:8081

Why this happens:

  • Expo Go does not use the app scheme (frontend:// / recipe://) during development.
  • Instead, it sends requests from a temporary development origin like:
    exp://10.0.0.17:8081
  • In better-auth v1.3.x, configuring
    trustedOrigins: ["exp://"]
    was sufficient because origin matching was permissive.
  • In better-auth v1.4.x, origin validation became stricter, and
    "exp://" no longer matches exp://<ip>:<port>, causing requests to be rejected.

Result:
The same configuration works on older versions but fails on newer versions with an Invalid origin error.

<!-- gh-comment-id:3662482162 --> @KyawIT commented on GitHub (Dec 16, 2025): ### Expo / Better Auth – Invalid Origin Problem (Root Cause) **Problem:** In an Expo project using Expo Go, authentication fails with: ```bash Invalid origin: exp://<local-ip>:8081 ``` **Why this happens:** - Expo Go does **not** use the app scheme (`frontend://` / `recipe://`) during development. - Instead, it sends requests from a temporary development origin like: `exp://10.0.0.17:8081` - In `better-auth` **v1.3.x**, configuring `trustedOrigins: ["exp://"]` was sufficient because origin matching was permissive. - In `better-auth` **v1.4.x**, origin validation became stricter, and `"exp://"` no longer matches `exp://<ip>:<port>`, causing requests to be rejected. **Result:** The same configuration works on older versions but fails on newer versions with an `Invalid origin` error.
GiteaMirror commented 2026-04-17 19:14:41 -05:00
Author
Owner
Copy Link

@TrawenCZ commented on GitHub (Dec 16, 2025):

+1

Just migrated today from next-auth to better auth and have been struggling with this issue for hours. Is this expected? If so, the error as showed by @AdamAtRocketly is extremely confusing.

<!-- gh-comment-id:3662636880 --> @TrawenCZ commented on GitHub (Dec 16, 2025): +1 Just migrated today from `next-auth` to better auth and have been struggling with this issue for hours. Is this expected? If so, the error as showed by @AdamAtRocketly is extremely confusing.
GiteaMirror commented 2026-04-17 19:14:42 -05:00
Author
Owner
Copy Link

@Bekacru commented on GitHub (Dec 19, 2025):

does 1.4.8-beta.1 addressed this issue?

<!-- gh-comment-id:3673573745 --> @Bekacru commented on GitHub (Dec 19, 2025): does 1.4.8-beta.1 addressed this issue?
GiteaMirror commented 2026-04-17 19:14:43 -05:00
Author
Owner
Copy Link

@ansh commented on GitHub (Dec 19, 2025):

Doesn't seem like it is fixed @Bekacru

<!-- gh-comment-id:3673748831 --> @ansh commented on GitHub (Dec 19, 2025): Doesn't seem like it is fixed @Bekacru
GiteaMirror commented 2026-04-17 19:14:45 -05:00
Author
Owner
Copy Link

@AdamAtRocketly commented on GitHub (Dec 19, 2025):

This issue shouldn't be closed. This issue isn't related to either the env variable or anything expo specific.

<!-- gh-comment-id:3675187123 --> @AdamAtRocketly commented on GitHub (Dec 19, 2025): This issue shouldn't be closed. This issue isn't related to either the env variable or anything expo specific.
GiteaMirror commented 2026-04-17 19:14:46 -05:00
Author
Owner
Copy Link

@Bekacru commented on GitHub (Dec 19, 2025):

@AdamAtRocketly can you check if 1.4.8-beta.3 address your issue? thank you

<!-- gh-comment-id:3675865106 --> @Bekacru commented on GitHub (Dec 19, 2025): @AdamAtRocketly can you check if `1.4.8-beta.3` address your issue? thank you
GiteaMirror commented 2026-04-17 19:14:47 -05:00
Author
Owner
Copy Link

@alexaka1 commented on GitHub (Dec 20, 2025):

@AdamAtRocketly can you check if 1.4.8-beta.3 address your issue? thank you

1.4.8-beta.4 does not address it either :(

<!-- gh-comment-id:3677886694 --> @alexaka1 commented on GitHub (Dec 20, 2025): > [@AdamAtRocketly](https://github.com/AdamAtRocketly) can you check if `1.4.8-beta.3` address your issue? thank you `1.4.8-beta.4` does not address it either :(
GiteaMirror commented 2026-04-17 19:14:48 -05:00
Author
Owner
Copy Link

@Bekacru commented on GitHub (Dec 20, 2025):

1.4.8-beta.4 does not address it either :( can you tell me what exactly is the issue for you?

you're provided origins are just not recognized?

also please check if you're providing baseURL or not @alexaka1

<!-- gh-comment-id:3677900706 --> @Bekacru commented on GitHub (Dec 20, 2025): `1.4.8-beta.4 does not address it either :(` can you tell me what exactly is the issue for you? you're provided origins are just not recognized? also please check if you're providing `baseURL` or not @alexaka1
GiteaMirror commented 2026-04-17 19:14:48 -05:00
Author
Owner
Copy Link

@alexaka1 commented on GitHub (Dec 20, 2025):

1.4.8-beta.4 does not address it either :( can you tell me what exactly is the issue for you?

you're provided origins are just not recognized?

also please check if you're providing baseURL or not @alexaka1

I am not providing either. 1.4.4 and before worked with this configuration. With the loosest interpertation of semver, I assume this configuration should still work on 1.4.x versions.

<!-- gh-comment-id:3677903814 --> @alexaka1 commented on GitHub (Dec 20, 2025): > `1.4.8-beta.4 does not address it either :(` can you tell me what exactly is the issue for you? > > you're provided origins are just not recognized? > > also please check if you're providing `baseURL` or not [@alexaka1](https://github.com/alexaka1) I am not providing either. `1.4.4` and before worked with this configuration. With the loosest interpertation of semver, I assume this configuration should still work on 1.4.x versions.
GiteaMirror commented 2026-04-17 19:14:49 -05:00
Author
Owner
Copy Link

@AdamAtRocketly commented on GitHub (Dec 22, 2025):

Looks like beta branches are coming out at a rapid pace. Back from the weekend now, which branch should we be testing with?

To sum up the issue, trustOrigins are ignored, whether passed directly as an array or used from an env variable, if baseUrl is inferred. baseUrl needs to remain inferred in our case as we run a multi-tenant setup and would require a significant refactor to try an accommodate which tenancy a user is on at auth time.

Our current setup works up to 1.4.4.

Please let me know if there is any specific information I can provide to help with the issue.

<!-- gh-comment-id:3682902655 --> @AdamAtRocketly commented on GitHub (Dec 22, 2025): Looks like beta branches are coming out at a rapid pace. Back from the weekend now, which branch should we be testing with? To sum up the issue, `trustOrigins` are ignored, whether passed directly as an array or used from an `env` variable, if `baseUrl` is inferred. `baseUrl` needs to remain inferred in our case as we run a multi-tenant setup and would require a significant refactor to try an accommodate which tenancy a user is on at auth time. Our current setup works up to 1.4.4. Please let me know if there is any specific information I can provide to help with the issue.
GiteaMirror commented 2026-04-17 19:14:50 -05:00
Author
Owner
Copy Link

@Bekacru commented on GitHub (Dec 22, 2025):

have you tried the latest beta better-auth@beta? @AdamAtRocketly @alexaka1

We're looking into this and hopefully we'll have a fix and release today!

<!-- gh-comment-id:3683195819 --> @Bekacru commented on GitHub (Dec 22, 2025): have you tried the latest beta `better-auth@beta`? @AdamAtRocketly @alexaka1 We're looking into this and hopefully we'll have a fix and release today!
GiteaMirror commented 2026-04-17 19:14:50 -05:00
Author
Owner
Copy Link

@alexaka1 commented on GitHub (Dec 23, 2025):

have you tried the latest beta better-auth@beta? @AdamAtRocketly @alexaka1

We're looking into this and hopefully we'll have a fix and release today!

Just tried out 1.4.8-beta.7 and I still have the same issues.

2025-12-23T11:58:42.292Z ERROR [Better Auth]: Invalid origin: http://localhost:3000
2025-12-23T11:58:42.293Z INFO [Better Auth]: If it's a valid URL, please add http://localhost:3000 to trustedOrigins in your auth config
 Current list of trustedOrigins: http://localhost:3000
2025-12-23T11:58:42.296Z ERROR [Better Auth]: Invalid origin
 POST /api/auth/sign-in/social 403 in 44ms (compile: 21ms, render: 23ms)
2025-12-23T11:58:44.688Z WARN [Better Auth]: [better-auth] Base URL could not be determined. Please set a valid base URL using the baseURL config option or the BETTER_AUTH_BASE_URL environment variable. Without this, callbacks and redirects may not work correctly.

my setup

<!-- gh-comment-id:3686397406 --> @alexaka1 commented on GitHub (Dec 23, 2025): > have you tried the latest beta `better-auth@beta`? [@AdamAtRocketly](https://github.com/AdamAtRocketly) [@alexaka1](https://github.com/alexaka1) > > We're looking into this and hopefully we'll have a fix and release today! Just tried out `1.4.8-beta.7` and I still have the same issues. ```console 2025-12-23T11:58:42.292Z ERROR [Better Auth]: Invalid origin: http://localhost:3000 2025-12-23T11:58:42.293Z INFO [Better Auth]: If it's a valid URL, please add http://localhost:3000 to trustedOrigins in your auth config Current list of trustedOrigins: http://localhost:3000 2025-12-23T11:58:42.296Z ERROR [Better Auth]: Invalid origin POST /api/auth/sign-in/social 403 in 44ms (compile: 21ms, render: 23ms) 2025-12-23T11:58:44.688Z WARN [Better Auth]: [better-auth] Base URL could not be determined. Please set a valid base URL using the baseURL config option or the BETTER_AUTH_BASE_URL environment variable. Without this, callbacks and redirects may not work correctly. ``` [my setup](https://github.com/alexaka1/mhu-nextjs-sport/blob/e734bc81a32d791ff75f18d7cdd40d9c4a570887/src/auth.ts)
GiteaMirror commented 2026-04-17 19:14:51 -05:00
Author
Owner
Copy Link

@JE4GLE commented on GitHub (Dec 23, 2025):

@alexaka1 Check out #6944 and this comment

<!-- gh-comment-id:3686411815 --> @JE4GLE commented on GitHub (Dec 23, 2025): @alexaka1 Check out #6944 and [this comment](https://github.com/better-auth/better-auth/issues/6944#issuecomment-3686298358)
GiteaMirror commented 2026-04-17 19:14:52 -05:00
Author
Owner
Copy Link

@Bekacru commented on GitHub (Dec 23, 2025):

this should be fixed on 1.4.9

<!-- gh-comment-id:3687894111 --> @Bekacru commented on GitHub (Dec 23, 2025): this should be fixed on 1.4.9
GiteaMirror commented 2026-04-17 19:14:52 -05:00
Author
Owner
Copy Link

@subvertallchris commented on GitHub (Dec 23, 2025):

Possibly related to this, I'm trying to upgrade from an older 1.2.x version and when I go past 1.4.4, my local dev sessions are treated as logged out. 1.4.4, they work fine -- I'm able to swap version numbers, install, restart server, and my session picks up where it left off.

We have trustedOrigins set and I tried with and without baseUrl. We use a special test domain over http (not https) on port 3000. Tried 1.4.9 and it still happens. If we log back in it works correctly and seems stable but I'm concerned that pushing this to prod will log out 100% of our users. We're going to explore in a test environment after the holidays but wanted to flag this here now. The symptoms seem slightly different from others but the version numbers match perfectly.

<!-- gh-comment-id:3687987837 --> @subvertallchris commented on GitHub (Dec 23, 2025): Possibly related to this, I'm trying to upgrade from an older 1.2.x version and when I go past 1.4.4, my local dev sessions are treated as logged out. 1.4.4, they work fine -- I'm able to swap version numbers, install, restart server, and my session picks up where it left off. We have `trustedOrigins` set and I tried with and without `baseUrl`. We use a special test domain over http (not https) on port 3000. Tried 1.4.9 and it still happens. If we log back in it works correctly and seems stable but I'm concerned that pushing this to prod will log out 100% of our users. We're going to explore in a test environment after the holidays but wanted to flag this here now. The symptoms seem slightly different from others but the version numbers match perfectly.
GiteaMirror commented 2026-04-17 19:14:53 -05:00
Author
Owner
Copy Link

@Bekacru commented on GitHub (Dec 23, 2025):

Most likely, cause of the default secret change. The default dev secret now have a better entropy. Do you have BETTER_AUTH_SECRET set in your env vars? @subvertallchris

<!-- gh-comment-id:3688020536 --> @Bekacru commented on GitHub (Dec 23, 2025): Most likely, cause of the default secret change. The default dev secret now have a better entropy. Do you have `BETTER_AUTH_SECRET` set in your env vars? @subvertallchris
GiteaMirror commented 2026-04-17 19:14:53 -05:00
Author
Owner
Copy Link

@subvertallchris commented on GitHub (Dec 23, 2025):

That sounds plausible! We do not set that in dev but we do in prod. I'll test that locally, thank you and sorry to add something seemingly unrelated to this Issue.

<!-- gh-comment-id:3688036047 --> @subvertallchris commented on GitHub (Dec 23, 2025): That sounds plausible! We do not set that in dev but we do in prod. I'll test that locally, thank you and sorry to add something seemingly unrelated to this Issue.
GiteaMirror commented 2026-04-17 19:14:54 -05:00
Author
Owner
Copy Link

@alexaka1 commented on GitHub (Dec 24, 2025):

this should be fixed on 1.4.9

Unfortunately I am still on Santa's naughty list.

2025-12-24T09:15:00.268Z WARN [Better Auth]: [better-auth] Base URL could not be determined. Please set a valid base URL using the baseURL config option or the BETTER_AUTH_BASE_URL environment variable. Without this, callbacks and redirects may not work correctly.
2025-12-24T09:15:00.924Z ERROR [Better Auth]: Invalid origin: http://localhost:3000
2025-12-24T09:15:00.925Z INFO [Better Auth]: If it's a valid URL, please add http://localhost:3000 to trustedOrigins in your auth config
 Current list of trustedOrigins: http://localhost:3000
2025-12-24T09:15:00.928Z ERROR [Better Auth]: Invalid origin
 POST /api/auth/sign-in/social 403 in 36ms (compile: 16ms, render: 20ms)

On 1.4.9, same on 1.4.10-beta.1 and 1.5.0-beta.1.

<!-- gh-comment-id:3689212244 --> @alexaka1 commented on GitHub (Dec 24, 2025): > this should be fixed on 1.4.9 Unfortunately I am still on Santa's naughty list. ``` 2025-12-24T09:15:00.268Z WARN [Better Auth]: [better-auth] Base URL could not be determined. Please set a valid base URL using the baseURL config option or the BETTER_AUTH_BASE_URL environment variable. Without this, callbacks and redirects may not work correctly. 2025-12-24T09:15:00.924Z ERROR [Better Auth]: Invalid origin: http://localhost:3000 2025-12-24T09:15:00.925Z INFO [Better Auth]: If it's a valid URL, please add http://localhost:3000 to trustedOrigins in your auth config Current list of trustedOrigins: http://localhost:3000 2025-12-24T09:15:00.928Z ERROR [Better Auth]: Invalid origin POST /api/auth/sign-in/social 403 in 36ms (compile: 16ms, render: 20ms) ``` On `1.4.9`, same on `1.4.10-beta.1` and `1.5.0-beta.1`.
GiteaMirror commented 2026-04-17 19:14:54 -05:00
Author
Owner
Copy Link

@ricardo17coelho commented on GitHub (Dec 26, 2025):

I'm also facing this issue, when i try to "sign-out".
I get an 403 error
{"code":"INVALID_ORIGIN","message":"Invalid origin"}

<!-- gh-comment-id:3693115568 --> @ricardo17coelho commented on GitHub (Dec 26, 2025): I'm also facing this issue, when i try to "sign-out". I get an 403 error `{"code":"INVALID_ORIGIN","message":"Invalid origin"}`
GiteaMirror commented 2026-04-17 19:14:55 -05:00
Author
Owner
Copy Link

@jonathansamines commented on GitHub (Dec 26, 2025):

@alexaka1 @ricardo17coelho I am no longer able to reproduce this as of latest beta. Could you please provide a smaller reproduction example with your issue? Please make sure you are using the latest beta, otherwise you might be testing a version that does not contain the fix. Thanks!

Small edit: I am not able to reproduce even on latest stable (1.4.9)

<!-- gh-comment-id:3693141830 --> @jonathansamines commented on GitHub (Dec 26, 2025): @alexaka1 @ricardo17coelho I am no longer able to reproduce this as of latest beta. Could you please provide a smaller reproduction example with your issue? Please make sure you are using the latest beta, otherwise you might be testing a version that does not contain the fix. Thanks! **Small edit**: I am not able to reproduce even on latest stable (1.4.9)
GiteaMirror commented 2026-04-17 19:14:56 -05:00
Author
Owner
Copy Link

@alexaka1 commented on GitHub (Dec 26, 2025):

@jonathansamines I have investigated further, and removing the genericOAuth plugin fixes it. https://github.com/alexaka1/repro-better-auth-6798

I have ran

pnpx @better-auth/cli migrate

And used a github app that is setup to accept localhost:3000 as the origin for login. I have made sure to NOT define BETTER_AUTH_URL or _SECRET in my .env.

The repo as is, repros my issue. If you remove the genericOAuth plugin from lib/auth.ts the issue goes away.

<!-- gh-comment-id:3693387039 --> @alexaka1 commented on GitHub (Dec 26, 2025): @jonathansamines I have investigated further, and removing the `genericOAuth` plugin fixes it. https://github.com/alexaka1/repro-better-auth-6798 I have ran ```shell pnpx @better-auth/cli migrate ``` And used a github app that is setup to accept localhost:3000 as the origin for login. I have made sure to **NOT** define BETTER_AUTH_URL or _SECRET in my `.env`. The repo as is, repros my issue. If you remove the `genericOAuth` plugin from `lib/auth.ts` the issue goes away.
GiteaMirror commented 2026-04-17 19:14:57 -05:00
Author
Owner
Copy Link

@jonathansamines commented on GitHub (Dec 26, 2025):

@jonathansamines I have investigated further, and removing the genericOAuth plugin fixes it. https://github.com/alexaka1/repro-better-auth-6798

I have ran

pnpx @better-auth/cli migrate
And used a github app that is setup to accept localhost:3000 as the origin for login. I have made sure to NOT define BETTER_AUTH_URL or _SECRET in my .env.

The repo as is, repros my issue. If you remove the genericOAuth plugin from lib/auth.ts the issue goes away.

Awesome, let me take a look!

<!-- gh-comment-id:3693439092 --> @jonathansamines commented on GitHub (Dec 26, 2025): > [@jonathansamines](https://github.com/jonathansamines) I have investigated further, and removing the `genericOAuth` plugin fixes it. https://github.com/alexaka1/repro-better-auth-6798 > > I have ran > > pnpx @better-auth/cli migrate > And used a github app that is setup to accept localhost:3000 as the origin for login. I have made sure to **NOT** define BETTER_AUTH_URL or _SECRET in my `.env`. > > The repo as is, repros my issue. If you remove the `genericOAuth` plugin from `lib/auth.ts` the issue goes away. Awesome, let me take a look!
GiteaMirror commented 2026-04-17 19:14:58 -05:00
Author
Owner
Copy Link

@jonathansamines commented on GitHub (Dec 26, 2025):

@jonathansamines I have investigated further, and removing the genericOAuth plugin fixes it. https://github.com/alexaka1/repro-better-auth-6798

I have ran

pnpx @better-auth/cli migrate
And used a github app that is setup to accept localhost:3000 as the origin for login. I have made sure to NOT define BETTER_AUTH_URL or _SECRET in my .env.

The repo as is, repros my issue. If you remove the genericOAuth plugin from lib/auth.ts the issue goes away.

Good news is we have found the issue and have a fix pending to merge. See https://github.com/better-auth/better-auth/pull/7007

<!-- gh-comment-id:3693490937 --> @jonathansamines commented on GitHub (Dec 26, 2025): > [@jonathansamines](https://github.com/jonathansamines) I have investigated further, and removing the `genericOAuth` plugin fixes it. https://github.com/alexaka1/repro-better-auth-6798 > > I have ran > > pnpx @better-auth/cli migrate > And used a github app that is setup to accept localhost:3000 as the origin for login. I have made sure to **NOT** define BETTER_AUTH_URL or _SECRET in my `.env`. > > The repo as is, repros my issue. If you remove the `genericOAuth` plugin from `lib/auth.ts` the issue goes away. Good news is we have found the issue and have a fix pending to merge. See https://github.com/better-auth/better-auth/pull/7007
GiteaMirror commented 2026-04-17 19:14:59 -05:00
Author
Owner
Copy Link

@alexaka1 commented on GitHub (Jan 1, 2026):

Which version should I try it out with?

<!-- gh-comment-id:3703994624 --> @alexaka1 commented on GitHub (Jan 1, 2026): Which version should I try it out with?
GiteaMirror commented 2026-04-17 19:14:59 -05:00
Author
Owner
Copy Link

@ricardo17coelho commented on GitHub (Jan 1, 2026):

Which version should I try it out with?

For me > 1.4.10 works ( signOut )

<!-- gh-comment-id:3704044849 --> @ricardo17coelho commented on GitHub (Jan 1, 2026): > Which version should I try it out with? For me > 1.4.10 works ( signOut )
GiteaMirror commented 2026-04-17 19:15:00 -05:00
Author
Owner
Copy Link

@alexaka1 commented on GitHub (Jan 2, 2026):

Which version should I try it out with?

I can confirm 1.4.10 works! Thx.

<!-- gh-comment-id:3705017951 --> @alexaka1 commented on GitHub (Jan 2, 2026): > Which version should I try it out with? I can confirm `1.4.10` works! Thx.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
adapter
astro
awaiting external contributor
blocked
breaking
breaking change
bug
c-devops
core
credentials
database
dependencies
devops
devtools
docs
documentation
duplicate
elysia
enhancement
enterprise
expo
express
fastify
good first issue
help wanted
hono
identity
infra
integration
invalid
javascript
locked
maintenance
need-more-information
needs: info
needs: repro
nextjs
nuxt
oauth
organization
P0
payments
perf
platform
plugin
pull-request
Mirrored from GitHub Pull Request
 question
ready
regression
remix
security
social-provider
solid
stale
svelte
tanstack-start
tracking
version-bump
vue
wontfix
No Label bug locked
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/better-auth#27955
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?