
fix(web): portless dev auth redirects and session cookies#981

Merged: graphite-app[bot] merged 1 commit into main from MaheshtheDev/fix-portless-web-auth-dev on May 20, 2026

Conversation

@MaheshtheDev (Member) commented May 20, 2026

Middleware now reconstructs public URLs from portless forwarded headers and recognizes better-auth-dev session cookies so OAuth sign-in works with local API + worktree dev URLs.

cloudflare-workers-and-pages Bot commented May 20, 2026

Deploying with Cloudflare Workers

Status: ✅ Deployment successful | Name: supermemory-app | Latest Commit: 53ae4af | Updated (UTC): May 20 2026, 11:40 PM

cloudflare-workers-and-pages Bot commented May 20, 2026

Deploying with Cloudflare Workers

Status: ✅ Deployment successful | Name: supermemory-mcp | Latest Commit: 53ae4af | Updated (UTC): May 20 2026, 11:39 PM

How to use the Graphite Merge Queue

Add the label Main to this PR to add it to the merge queue.

You must have a Graphite account in order to use the merge queue. Sign up using this link.

An organization admin has enabled the Graphite Merge Queue in this repository.

Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.

This stack of pull requests is managed by Graphite. Learn more about stacking.

claude Bot commented May 20, 2026

Claude finished @MaheshtheDev's task in 1m 1s.


Re-reviewing PR after updates

  • Get the latest PR diff
  • Check if vorflux's review issues were addressed
  • Submit review

All three issues from vorflux's previous review have been addressed:

  1. Empty string handling: getPublicRequestUrl now uses || instead of ?? for the protocol fallback
  2. IPv6 loopback: PROXY_LOCAL_HOSTS now includes ::1
  3. Open redirect fix: resolveAuthRedirectUrl validates the target origin before returning

Submitted a clean review (10/10). This is ready to ship.

@claude claude Bot left a comment

Overview: This PR fixes OAuth authentication in portless/worktree dev environments by reconstructing public URLs from forwarded headers and supporting dev-prefixed session cookies.

Issues found: None — this looks good to ship.

The implementation is clean:

  • getPublicRequestUrl correctly handles x-forwarded-host and x-forwarded-proto headers with sensible fallbacks to PORTLESS_URL env var
  • resolveAuthRedirectUrl properly remaps localhost redirect URLs (from the API) back to the actual public origin, which is the right fix for dev proxy environments
  • The middleware now checks both production and dev session cookies via getAuthSessionCookie, and constructs redirect URLs using the public-facing URL rather than the internal request URL
  • Variable shadowing bug in the original middleware (reusing url for the login redirect) is fixed with proper naming (loginUrl)

Score: 10/10

@vorflux vorflux Bot (Contributor) left a comment

Overall clean approach and the middleware variable-shadowing fix is a good catch. Three issues below.

Comment threads (3): apps/web/lib/url-helpers.ts
@claude claude Bot left a comment

Overview: This PR fixes OAuth authentication in portless/worktree dev environments by reconstructing public URLs from forwarded headers and supporting dev-prefixed session cookies.

Issues found: None — all issues from the previous review have been addressed:

  1. getPublicRequestUrl now uses || instead of ?? for the protocol fallback, properly handling empty x-forwarded-proto headers
  2. PROXY_LOCAL_HOSTS now includes ::1 (IPv6 loopback)
  3. resolveAuthRedirectUrl validates the target origin before returning, preventing open redirects — non-localhost URLs must match the current origin or fall back to the origin root

The implementation is clean and secure.

Score: 10/10
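
The three helpers that vorflux's and claude's reviews above discuss (getPublicRequestUrl, resolveAuthRedirectUrl and getAuthSessionCookie) modelled end to end, as an added TypeScript example that is not code from the supermemory repository. The function bodies, the header map shape, the PORTLESS_URL fallback argument and the cookie names better-auth.session_token / better-auth-dev.session_token are assumptions made here; only the helper names and the three review points (`||` instead of `??` for the protocol fallback, `::1` in PROXY_LOCAL_HOSTS, origin validation of the redirect target) come from the PR discussion.

```typescript
// Added example, not the project's code. Models the PR's three helpers with
// assumed bodies; runs on Node 18+ with nothing beyond the global URL class.

type HeaderMap = Record<string, string | undefined>; // lowercase header names

// Hosts the local API may put in a redirect. URL.hostname renders the IPv6
// loopback as "[::1]", so both spellings are listed (assumed set contents).
const PROXY_LOCAL_HOSTS = new Set(["localhost", "127.0.0.1", "::1", "[::1]"]);

// Assumed cookie names: production first, then the dev-prefixed variant.
const SESSION_COOKIE_NAMES = ["better-auth.session_token", "better-auth-dev.session_token"];

// First value of a possibly comma-joined forwarded header ("a, b" = two proxies).
function firstHeaderValue(headers: HeaderMap, name: string): string {
  return (headers[name] ?? "").split(",")[0].trim();
}

// Rebuild the browser-facing URL from x-forwarded-host / x-forwarded-proto.
// `||` rather than `??` is deliberate: a present-but-empty header must fall
// back, otherwise the result would begin with "://". Only honour these headers
// when the request is known to come from your own proxy (here: a dev proxy).
function getPublicRequestUrl(requestUrl: string, headers: HeaderMap, portlessUrl?: string): URL {
  const internal = new URL(requestUrl);
  const fallback = portlessUrl ? new URL(portlessUrl) : internal;
  const host = firstHeaderValue(headers, "x-forwarded-host") || fallback.host;
  const proto = firstHeaderValue(headers, "x-forwarded-proto") || fallback.protocol.slice(0, -1);
  return new URL(`${proto}://${host}${internal.pathname}${internal.search}`);
}

// Map a redirect target produced by the local API onto the public origin and
// refuse anything else that is cross-origin: the open-redirect guard.
function resolveAuthRedirectUrl(target: string, publicOrigin: string): URL {
  const origin = new URL(publicOrigin);
  const root = new URL("/", origin);
  let candidate: URL;
  try {
    candidate = new URL(target, origin); // relative targets resolve against the public origin
  } catch {
    return root; // unparseable target
  }
  if (candidate.protocol !== "http:" && candidate.protocol !== "https:") {
    return root; // javascript:, data:, ... are never followed
  }
  if (PROXY_LOCAL_HOSTS.has(candidate.hostname)) {
    // API answered with its own loopback address: keep path/query, swap in the public origin.
    return new URL(candidate.pathname + candidate.search + candidate.hash, origin);
  }
  if (candidate.origin !== origin.origin) {
    return root; // "//evil.example/x" and absolute foreign URLs land here
  }
  return candidate;
}

// Parse the Cookie header and return the first recognised session cookie, or null.
function getAuthSessionCookie(cookieHeader: string | undefined): { name: string; value: string } | null {
  if (!cookieHeader) return null;
  const jar = new Map<string, string>();
  for (const part of cookieHeader.split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0) jar.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  for (const name of SESSION_COOKIE_NAMES) {
    const value = jar.get(name);
    if (value) return { name, value };
  }
  return null;
}

// Middleware outcome: pass the request, or send the browser to /login on the
// public origin (not the internal localhost:3000 URL the dev server sees).
function middlewareDecision(
  requestUrl: string,
  headers: HeaderMap,
  portlessUrl?: string,
): { action: "next" } | { action: "redirect"; location: string } {
  const publicUrl = getPublicRequestUrl(requestUrl, headers, portlessUrl);
  if (getAuthSessionCookie(headers["cookie"])) return { action: "next" };
  const loginUrl = new URL("/login", publicUrl.origin); // distinct name, no shadowing of publicUrl
  loginUrl.searchParams.set("redirect", publicUrl.pathname + publicUrl.search);
  return { action: "redirect", location: loginUrl.toString() };
}

// Constructed sample request as a Next.js dev server would see it behind a portless proxy.
const sampleHeaders: HeaderMap = { "x-forwarded-host": "app.worktree.localhost", "x-forwarded-proto": "https" };
console.log(JSON.stringify(middlewareDecision("http://localhost:3000/dashboard?x=1", sampleHeaders)));
console.log(resolveAuthRedirectUrl("http://localhost:8787/callback?code=abc", "https://app.worktree.localhost").href);
console.log(resolveAuthRedirectUrl("https://evil.example/phish", "https://app.worktree.localhost").href);
```

The order of checks in resolveAuthRedirectUrl matters: the scheme check comes first so that a `javascript:` target can never be remapped, the loopback remap only applies after that, and everything else must match the public origin exactly (protocol-relative `//host/path` resolves to a foreign origin and is therefore rejected). Trusting x-forwarded-* headers is appropriate only behind a proxy you control; a production edge must strip or overwrite them before they reach the application.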

graphite-app Bot commented May 20, 2026

Merge activity

Middleware now reconstructs public URLs from portless forwarded headers and recognizes better-auth-dev session cookies so OAuth sign-in works with local API + worktree dev URLs.
graphite-app Bot force-pushed the MaheshtheDev/fix-portless-web-auth-dev branch from 46a9498 to 53ae4af on May 20, 2026 at 23:38
@graphite-app graphite-app Bot merged commit 53ae4af into main May 20, 2026
5 of 7 checks passed
2 participants