Describe the bug
Basically, when a form has use:enhance, it does not update form.message when running into a CSRF error when the ORIGIN variable is empty, during production build where ORIGIN is not specifically set.
The fact that the ORIGIN variable is empty is not the thing that I report here.
It is the fact that form.message does not update, whilst the console's network tab DOES show in the response that there is a message key saying the CSRF error (see logs section).
Reproduction
To reproduce, you must start a new project using npx sv create with betterauth demo installed (since that gives a basic form with use:enhance) and the adapter-node.
Then build the project, using npm run build
Then run the build by going into the build folder and running node . (without adding any ORIGIN env variables)
Then open the link in your browser and go to /demos/better-auth/login (http://localhost:3000/demo/better-auth/login) and then just enter like test@test.com and test as password and then just click "Login"
In the browser console it should say 401 with the CSRF error, but on the frontend the form?.message does not update.
(It does update when the ORIGIN variable is set and then the database itself is not existing and then it does show "Unexpected error" in the form?.message.)
Logs
xqEx-9sN.js:1 POST http://localhost:3000/demo/better-auth/login?/signInEmail 403 (Forbidden)
{
"message": "Cross-site POST form submissions are forbidden"
}
System Info
System:
OS: openbsd
CPU: (1) x64 Intel(R) Xeon(R) CPU E5-2620 0 @ 2.00GHz
Memory: 601.54 MB / 1.98 GB
Binaries:
Node: 22.15.1 - /usr/local/bin/node
Yarn: 1.22.19 - /usr/local/bin/yarn
npm: 10.9.2 - /usr/local/bin/npm
pnpm: 10.33.0 - /usr/local/bin/pnpm
npmPackages:
@sveltejs/adapter-node: ^5.5.4 => 5.5.4
@sveltejs/kit: ^2.57.1 => 2.57.1
@sveltejs/vite-plugin-svelte: ^6.2.4 => 6.2.4
svelte: ^5.55.4 => 5.55.4
vite: ^7.3.2 => 7.3.2
Severity
annoying, but I can work around it
Additional Information
If you do need a full example: https://github.com/miniontoby/vastrobustmediastorageplatform/tree/dev
and if you do need a zip of a minimum reproducible example instead of following the steps I provided, then I am fine with making that.
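
The log in this report shows a 403 whose body is a bare `{"message": ...}` object. As an added example (not part of the issue and not SvelteKit's source), this simplified model shows an origin check that yields that response and a client-side classifier that separates it from a form-action result. The function names, the list of action result types and the sample origins are assumptions.

```javascript
// Added illustration: a simplified model, not SvelteKit source code.
const FORM_TYPES = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];
// Assumption: result types a form action can produce.
const ACTION_RESULT_TYPES = ['success', 'failure', 'redirect', 'error'];

// Server side (hypothetical helper): reject state-changing form submissions
// whose Origin header differs from the origin the server believes it has.
function checkFormOrigin({ method, contentType, originHeader }, serverOrigin) {
  const type = (contentType || '').split(';')[0].trim().toLowerCase();
  const isForm = FORM_TYPES.includes(type);
  const isWrite = ['POST', 'PUT', 'PATCH', 'DELETE'].includes(method);
  if (isForm && isWrite && originHeader !== new URL(serverOrigin).origin) {
    const message = `Cross-site ${method} form submissions are forbidden`;
    return { status: 403, body: JSON.stringify({ message }) };
  }
  return null; // check passed; the form action may run
}

// Client side (hypothetical helper): decide whether a response body is an
// action result or a rejection that never reached the action.
function classifyResponse(status, bodyText) {
  let parsed;
  try {
    parsed = JSON.parse(bodyText);
  } catch {
    return { kind: 'unparseable', status, message: bodyText };
  }
  if (parsed && ACTION_RESULT_TYPES.includes(parsed.type)) {
    return { kind: 'action-result', status, type: parsed.type };
  }
  // No `type` key: surface the message explicitly instead of dropping it.
  const message = parsed && typeof parsed.message === 'string' ? parsed.message : `HTTP ${status}`;
  return { kind: 'rejected-before-action', status, message };
}

// Constructed sample: the browser sends an http Origin header while the server
// assumes a different origin for itself (scheme mismatch chosen for illustration).
const sampleRequest = {
  method: 'POST',
  contentType: 'application/x-www-form-urlencoded',
  originHeader: 'http://localhost:3000',
};
const blocked = checkFormOrigin(sampleRequest, 'https://localhost:3000');
console.log(classifyResponse(blocked.status, blocked.body));
```
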