
plugin-auth: always register better-auth bearer() for cross-origin / mobile token auth#1173

Merged
xuyushun441-sys merged 1 commit into main from copilot/fix-issue-1172 on Apr 17, 2026

Conversation

Contributor

Copilot AI commented Apr 17, 2026

Session cookies are blocked third-party, so cross-origin SPAs (e.g. localhost:5173 → demo.objectstack.ai) and native mobile clients lose sessions on reload. better-auth's bearer() plugin solves this by accepting Authorization: ****** and emitting rotated tokens via the `set-auth-token` response header — but it requires both server-plugin registration and CORS header plumbing.

Changes

  • @objectstack/plugin-auth — AuthManager.buildPluginList() unconditionally prepends bearer(). Additive to cookie auth; no config surface change. AuthConfig.trustedOrigins was already wired through.
  • @objectstack/plugin-hono-server — CORS middleware always exposes set-auth-token so the client SDK can capture rotated tokens. HonoCorsOptions gains allowHeaders / exposeHeaders; user-supplied exposeHeaders are merged (deduped) with the default rather than overriding it, so adding an app header can't accidentally break bearer auth.
```ts
// Import assumed from the package named above; HonoServerPlugin is the class this PR configures.
import { HonoServerPlugin } from '@objectstack/plugin-hono-server';

// Default behavior — no config needed
new HonoServerPlugin({ cors: { origins: 'https://app.example.com', credentials: true } });
// → Access-Control-Expose-Headers: set-auth-token
// → Access-Control-Allow-Headers:   Content-Type, Authorization, X-Requested-With

// Extend without losing the bearer default
new HonoServerPlugin({
  cors: {
    exposeHeaders: ['X-Request-Id'],          // merged → [set-auth-token, X-Request-Id]
    allowHeaders:  ['Content-Type', 'Authorization', 'X-Tenant-Id'],
  },
});
```

Tests

  • auth-manager.test.ts — new case asserting bearer is registered with no plugin config; existing plugin-count assertions updated (+1).
  • hono-plugin.test.ts — new mock of hono/cors captures config; 3 cases covering the default expose, expose-header merging, and custom allow-headers.

… CORS

Agent-Logs-Url: https://github.com/objectstack-ai/framework/sessions/49ce74a1-c7c1-489e-960a-cbf3144fbce4

Co-authored-by: xuyushun441-sys <255036401+xuyushun441-sys@users.noreply.github.com>
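The mechanism the PR description relies on, as an added example that is not code from objectstack-ai/framework or from better-auth: a server-side merge of user `exposeHeaders` with the `set-auth-token` default (deduped case-insensitively, matching the behaviour described above), a model of the browser rule that cross-origin script can only read CORS-safelisted response headers plus those listed in `Access-Control-Expose-Headers`, and a constructed bearer client and server that show what goes wrong when the header is not exposed. Every name here (`mergeExposeHeaders`, `visibleToScript`, `BearerClient`, `fakeServer`, `runScenario`) is this example's own, and rotating the token on every authenticated request is an assumption of the fake server, not a statement about better-auth's rotation policy.

```typescript
// Added example, not project code. Models: expose-header merging, the browser's
// CORS header-visibility rule, and a bearer client that must see `set-auth-token`
// to keep up with token rotation. All names and the rotate-every-request policy
// of the fake server are this example's assumptions.

const DEFAULT_EXPOSE_HEADERS: string[] = ['set-auth-token'];

// CORS-safelisted response header names (Fetch spec): readable by cross-origin
// script even when Access-Control-Expose-Headers is absent.
const SAFELISTED = new Set<string>([
  'cache-control', 'content-language', 'content-length',
  'content-type', 'expires', 'last-modified', 'pragma',
]);

// Merge user-supplied exposeHeaders into the default, deduping case-insensitively,
// so `set-auth-token` survives whatever headers the application adds.
function mergeExposeHeaders(userSupplied: string[] = []): string[] {
  const seen = new Set<string>();
  const out: string[] = [];
  for (const h of DEFAULT_EXPOSE_HEADERS.concat(userSupplied)) {
    const key = h.trim().toLowerCase();
    if (!key || seen.has(key)) continue;
    seen.add(key);
    out.push(h.trim());
  }
  return out;
}

type HeaderMap = Record<string, string>;

// The subset of a cross-origin response's headers that page script may read:
// safelisted names plus those named in Access-Control-Expose-Headers.
function visibleToScript(headers: HeaderMap): HeaderMap {
  const lower: HeaderMap = {};
  for (const name of Object.keys(headers)) lower[name.toLowerCase()] = headers[name];
  const exposed = new Set<string>(
    (lower['access-control-expose-headers'] ?? '')
      .split(',').map((s) => s.trim().toLowerCase()).filter(Boolean),
  );
  const out: HeaderMap = {};
  for (const k of Object.keys(lower)) {
    if (SAFELISTED.has(k) || exposed.has(k)) out[k] = lower[k];
  }
  return out;
}

interface Reply { status: number; headers: HeaderMap; }
type Transport = (reqHeaders: HeaderMap) => Reply;

// Client half: replay the stored token as a bearer and adopt any rotated token
// the browser lets the page see in `set-auth-token`.
class BearerClient {
  constructor(private transport: Transport, public token: string | null = null) {}
  request(): Reply {
    const req: HeaderMap = {};
    if (this.token) req['authorization'] = `Bearer ${this.token}`;
    const res = this.transport(req);
    const rotated = visibleToScript(res.headers)['set-auth-token'];
    if (rotated) this.token = rotated; // only reachable when the server exposed the header
    return res;
  }
}

// Constructed server: accepts the current bearer, issues a rotated token on each
// success, and emits Access-Control-Expose-Headers from its configured list (null = none).
function fakeServer(exposeHeaders: string[] | null): Transport {
  let valid = 'tok-1';
  let counter = 1;
  return (req: HeaderMap): Reply => {
    const m = /^Bearer (.+)$/.exec(req['authorization'] ?? '');
    if (!m || m[1] !== valid) {
      return { status: 401, headers: { 'content-type': 'application/json' } };
    }
    valid = `tok-${++counter}`;
    const headers: HeaderMap = { 'content-type': 'application/json', 'set-auth-token': valid };
    if (exposeHeaders) headers['access-control-expose-headers'] = exposeHeaders.join(', ');
    return { status: 200, headers };
  };
}

// Three consecutive authenticated calls, returning their status codes. With
// `set-auth-token` exposed the client follows rotation; without it the client is
// stuck on the first token and every later call is rejected.
function runScenario(exposeHeaders: string[] | null): number[] {
  const client = new BearerClient(fakeServer(exposeHeaders), 'tok-1');
  return [client.request().status, client.request().status, client.request().status];
}
```

Running `runScenario(mergeExposeHeaders(['X-Request-Id']))` keeps the session alive across all three calls, while `runScenario(['X-Request-Id'])` (an app header that replaced the default instead of merging with it) succeeds once and then fails, which is the regression the dedup-merge in this PR is meant to rule out.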

vercel bot commented Apr 17, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| objectstack-demo | Ready | Preview, Comment | Apr 17, 2026 4:18am |
| spec | Building | Preview, Comment | Apr 17, 2026 4:18am |


@xuyushun441-sys xuyushun441-sys marked this pull request as ready for review April 17, 2026 04:18
@xuyushun441-sys xuyushun441-sys merged commit f27779c into main Apr 17, 2026
2 of 3 checks passed