Skip to content

Mariano/auth#2278

Merged
Marfuen merged 4 commits intomainfrom
mariano/auth
Mar 11, 2026
Merged

Mariano/auth#2278
Marfuen merged 4 commits intomainfrom
mariano/auth

Conversation

@Marfuen
Copy link
Contributor

@Marfuen Marfuen commented Mar 11, 2026

What does this PR do?

  • Fixes #XXXX (GitHub issue number)
  • Fixes COMP-XXXX (Linear issue number - should be visible at the bottom of the GitHub issue description)

Visual Demo (For contributors especially)

A visual demonstration is strongly recommended, for both the original and new change (video / image - any one).

Video Demo (if applicable):

  • Show screen recordings of the issue or feature.
  • Demonstrate how to reproduce the issue, the behavior before and after the change.

Image Demo (if applicable):

  • Add side-by-side screenshots of the original and updated change.
  • Highlight any significant change(s).

Mandatory Tasks (DO NOT REMOVE)

  • I have self-reviewed the code (A decent size PR without self-review might be rejected).
  • I have updated the developer docs in /docs if this PR makes changes that would require a documentation change. If N/A, write N/A here and check the checkbox.
  • I confirm automated tests are in place that prove my fix is effective or that my feature works.

How should this be tested?

  • Are there environment variables that should be set?
  • What are the minimal test data to have?
  • What is expected (happy path) to have (input and output)?
  • Any other important info that could help to test that PR

Checklist

  • I haven't read the contributing guide
  • My code doesn't follow the style guidelines of this project
  • I haven't commented my code, particularly in hard-to-understand areas
  • I haven't checked if my changes generate no new warnings

Marfuen added 4 commits March 10, 2026 19:44
@Marfuen
feat(integration): enhance connection handling with organization vali…
84638ed 
…dation

- Updated ChecksController and ConnectionsController to include organization ID in relevant endpoints, ensuring that connections are validated against the correct organization.
- Introduced getConnectionForOrg method in ConnectionService to streamline organization-specific connection retrieval.
- Enhanced VariablesController and QuestionnaireController to incorporate organization ID handling for connection variables and questionnaire responses.
- Updated tests to cover new organization validation logic across affected controllers and services.
@Marfuen
refactor(auth): standardize BASE_URL usage and remove deprecated auth…
95ffdf4 
… proxy routes

- Updated auth server configuration to consistently use BASE_URL for OAuth callbacks and cookie domain handling.
- Removed references to AUTH_BASE_URL and BETTER_AUTH_URL, simplifying environment variable usage.
- Deleted obsolete auth proxy routes from the app and portal, streamlining the authentication flow.
- Enhanced comments and documentation to clarify the purpose of BASE_URL in relation to security and session management.
@Marfuen
fix(auth): enhance body parsing for authentication routes
b73b57c 
- Implemented custom middleware in main.ts to skip body parsing for /api/auth routes, ensuring better-auth can read the raw request stream for OAuth flows.
- Updated auth.module.ts to disable the module's body parser to prevent conflicts with the custom middleware.
- Configured auth.server.ts to skip the state cookie CSRF check for OAuth flows, improving compatibility with cross-origin setups.
@Marfuen
Merge branch 'main' of https://github.com/trycompai/comp into mariano…
0dbb257 
…/auth
@vercel
Copy link

vercel bot commented Mar 11, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments
Project Deployment Actions Updated (UTC)
app Skipped Skipped Mar 11, 2026 0:27am
portal Skipped Skipped Mar 11, 2026 0:27am

Request Review

@Marfuen Marfuen merged commit 0380e1c into main Mar 11, 2026
7 checks passed
@Marfuen Marfuen deleted the mariano/auth branch March 11, 2026 00:27
claude[bot]
claude bot reviewed Mar 11, 2026
View reviewed changes
Copy link

@claude claude bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This PR disables the OAuth state cookie CSRF check (skipStateCookieCheck: true) and changes body parsing/CORS configuration for auth routes — these are security-sensitive changes that warrant a human security review even though the rationale in the comments is reasonable.

Extended reasoning...

Overview

This PR modifies three files in the API authentication layer: auth.module.ts (adds disableTrustedOriginsCors and disableBodyParser flags to BetterAuthModule), auth.server.ts (adds skipStateCookieCheck: true to the account config), and main.ts (refactors body parsing to skip /api/auth routes so better-auth can read the raw request stream).

Security risks

The most security-sensitive change is skipStateCookieCheck: true in auth.server.ts. This disables the state cookie CSRF validation for OAuth flows. The comment explains the justification — in a cross-origin setup, the state cookie may not survive the OAuth redirect, and the DB-stored OAuth state parameter already provides CSRF protection. While this reasoning appears sound and mirrors better-auth's own oAuthProxy plugin approach, disabling a CSRF defense layer is inherently risky and should be verified by someone with deep knowledge of the OAuth flow and deployment architecture.

Additionally, disableTrustedOriginsCors: true delegates CORS entirely to the main.ts configuration (origin: true which allows all origins). A human should verify this is the intended CORS policy.

Level of scrutiny

This PR touches authentication and security middleware configuration — production-critical code paths that handle OAuth, CSRF protection, CORS, and request body parsing for the auth system. The changes are small in line count but high in security impact. This warrants careful human review, particularly from someone familiar with the OAuth flow and cross-origin cookie behavior in the deployment environment.

Other factors

The PR template is not filled out (no issue linked, all mandatory checkboxes unchecked, negative checklist items). There are no tests added. The body parsing refactor in main.ts is well-commented and logically sound, but the interaction between Express-level middleware and NestJS module middleware for auth routes is subtle enough to benefit from manual testing verification.

apps/api/src/auth/auth.module.ts
Comment on lines +22 to 26
// own SkipBodyParsingMiddleware to avoid conflicts.
disableBodyParser: true,
}),
],
controllers: [AuthController],
Copy link

@claude claude bot Mar 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟡 Stale comment at main.ts:17: "The library will re-add body parsers after handling auth routes" is now incorrect. This PR adds disableBodyParser: true in auth.module.ts, which explicitly prevents the library from re-adding body parsers. Body parsing for non-auth routes is instead handled by the custom middleware in STEP 3. The comment should be updated to reflect the new approach.

Extended reasoning...

What the bug is

The comment at main.ts lines 16-17 reads:

// Disable body parser - required for better-auth NestJS integration
// The library will re-add body parsers after handling auth routes

This second line is now factually incorrect given the changes in this PR.

How this PR changes the behavior

This PR adds disableBodyParser: true to the BetterAuthModule.forRoot() configuration in auth.module.ts (line 25). The accompanying comment in that file correctly explains the intent: "Body parsing for non-auth routes is handled in main.ts with a custom middleware that skips /api/auth paths. Disable the module's own SkipBodyParsingMiddleware to avoid conflicts."

The disableBodyParser: true option explicitly tells the @thallesp/nestjs-better-auth module not to re-add body parsers. This directly contradicts the comment at main.ts:17 which claims "The library will re-add body parsers after handling auth routes."

Step-by-step proof

  1. main.ts:19 creates the NestJS app with bodyParser: false, disabling Express's default body parsing.
  2. main.ts:17 claims the library (BetterAuthModule) will re-add body parsers after auth routes.
  3. However, auth.module.ts:25 sets disableBodyParser: true in the BetterAuthModule config, which prevents the module from adding any body parsing middleware.
  4. Instead, main.ts lines 53-63 (STEP 3) add a custom Express middleware that applies express.json() and express.urlencoded() to all routes except those starting with /api/auth.
  5. So the actual flow is: body parsing is disabled globally, the library does NOT re-add it (contradicting the comment), and a custom middleware selectively applies body parsing to non-auth routes.

Impact

This is a documentation/comment issue only — no functional impact. The code itself works correctly. However, a developer reading the comment at main.ts:17 would get a false understanding of how body parsing works in the application, potentially leading to confusion when debugging body-parsing issues or making future changes.

How to fix

Update the comment at main.ts:16-17 to accurately describe the current approach, e.g.:

// Disable body parser - required for better-auth NestJS integration
// Custom middleware in STEP 3 applies body parsing selectively, skipping /api/auth routes

@claudfuen
Copy link
Contributor

claudfuen commented Mar 11, 2026

🎉 This PR is included in version 3.1.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@claude claude[bot] claude[bot] left review comments

Assignees

No one assigned

Labels

released

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Marfuen @claudfuen