@convex-dev/better-auth 0.11.4 → 0.12.0

package/src/component/_generated/server.ts

@@ -107,11 +107,6 @@ export const internalAction: ActionBuilder<DataModel, "internal"> =
  */
 export const httpAction: HttpActionBuilder = httpActionGeneric;
 
-type GenericCtx =
-  | GenericActionCtx<DataModel>
-  | GenericMutationCtx<DataModel>
-  | GenericQueryCtx<DataModel>;
-
 /**
  * A set of services for use within Convex query functions.
  *

package/src/component/schema.ts

@@ -1,8 +1,9 @@
 /**
  * This file is auto-generated. Do not edit this file manually.
- * To regenerate the schema, run:
- * `npx @better-auth/cli generate --output src/component/schema.ts -y`
- * 
+ * To regenerate the schema, from your project root:
+ *
+ *   npx auth generate --output src/component/schema.ts
+ *
  * To customize the schema, generate to an alternate file and import
  * the table definitions to your schema file. See
  * https://labs.convex.dev/better-auth/features/local-install#adding-custom-indexes.
@@ -76,6 +77,7 @@ export const tables = {
     secret: v.string(),
     backupCodes: v.string(),
     userId: v.string(),
+    verified: v.optional(v.union(v.null(), v.boolean())),
   })
     .index("userId", ["userId"]),
   oauthApplication: defineTable({

package/src/nextjs/index.ts

@@ -46,6 +46,10 @@ const handler = (request: Request, siteUrl: string) => {
   const newRequest = new Request(nextUrl, request);
   newRequest.headers.set("accept-encoding", "application/json");
   newRequest.headers.set("host", new URL(siteUrl).host);
+  newRequest.headers.set("x-forwarded-host", requestUrl.host);
+  newRequest.headers.set("x-forwarded-proto", requestUrl.protocol.replace(/:$/, ""));
+  newRequest.headers.set("x-better-auth-forwarded-host", requestUrl.host);
+  newRequest.headers.set("x-better-auth-forwarded-proto", requestUrl.protocol.replace(/:$/, ""));
   return fetch(newRequest, { method: request.method, redirect: "manual" });
 };
 

package/src/plugins/convex/client.ts

@@ -1,9 +1,11 @@
 import type { BetterAuthClientPlugin } from "better-auth/client";
 import type { convex } from "./index.js";
+import { VERSION } from "../../version.js";
 
 export const convexClient = () => {
   return {
     id: "convex",
+    version: VERSION,
     $InferServerPlugin: {} as ReturnType<typeof convex>,
   } satisfies BetterAuthClientPlugin;
 };

package/src/plugins/convex/index.ts

@@ -11,6 +11,7 @@ import type { JwtOptions, Jwk } from "better-auth/plugins/jwt";
 import { oidcProvider as oidcProviderPlugin } from "better-auth/plugins/oidc-provider";
 import { omit } from "convex-helpers";
 import type { AuthConfig, AuthProvider } from "convex/server";
+import { VERSION } from "../../version.js";
 
 export const JWT_COOKIE_NAME = "convex_jwt";
 
@@ -164,7 +165,7 @@ export const convex = (opts: {
    * Handles error that occurs when existing JWKS key does not match configured
    * algorithm, which will be common for 0.10 upgrades switching from EdDSA to RS256.
    *
-   * @default true
+   * @default false
    */
   jwksRotateOnTokenGenerationError?: boolean;
   /**
@@ -181,6 +182,7 @@ export const convex = (opts: {
       issuer: `${process.env.CONVEX_SITE_URL}`,
       jwks_uri: `${process.env.CONVEX_SITE_URL}${opts.options?.basePath ?? "/api/auth"}/convex/jwks`,
     },
+    __skipDeprecationWarning: true,
   });
   const providerConfig = parseAuthConfig(opts.authConfig, opts);
 
@@ -189,9 +191,9 @@ export const convex = (opts: {
       issuer: `${process.env.CONVEX_SITE_URL}`,
       audience: "convex",
       expirationTime: `${jwtExpirationSeconds}s`,
-      definePayload: ({ user, session }) => ({
+      definePayload: async ({ user, session }) => ({
         ...(opts.jwt?.definePayload
-          ? opts.jwt.definePayload({ user, session })
+          ? await opts.jwt.definePayload({ user, session })
           : omit(user, ["id", "image"])),
         sessionId: session.id,
         iat: Math.floor(new Date().getTime() / 1000),
@@ -253,6 +255,7 @@ export const convex = (opts: {
 
   return {
     id: "convex",
+    version: VERSION,
     init: (ctx) => {
       const { options, logger: _logger } = ctx;
       if (options.basePath !== "/api/auth" && !opts.options?.basePath) {
@@ -337,6 +340,7 @@ export const convex = (opts: {
                 ...ctx,
                 headers: {},
                 method: "GET",
+                asResponse: false,
                 returnHeaders: false,
                 returnStatus: false,
               });
@@ -382,6 +386,7 @@ export const convex = (opts: {
         async (ctx) => {
           const response = await oidcProvider.endpoints.getOpenIdConfig({
             ...ctx,
+            asResponse: false,
             returnHeaders: false,
             returnStatus: false,
           });
@@ -478,6 +483,7 @@ export const convex = (opts: {
         async (ctx) => {
           const response = await jwt.endpoints.getJwks({
             ...ctx,
+            asResponse: false,
             returnHeaders: false,
             returnStatus: false,
           });
@@ -504,6 +510,9 @@ export const convex = (opts: {
           await jwtPlugin(jwtOptions).endpoints.getJwks({
             ...ctx,
             method: "GET",
+            asResponse: false,
+            returnHeaders: false,
+            returnStatus: false,
           });
           const jwks: any[] = await ctx.context.adapter.findMany({
             model: "jwks",
@@ -542,6 +551,9 @@ export const convex = (opts: {
           await jwtPlugin(jwtOptions).endpoints.getJwks({
             ...ctx,
             method: "GET",
+            asResponse: false,
+            returnHeaders: false,
+            returnStatus: false,
           });
           const jwks: any[] = await ctx.context.adapter.findMany({
             model: "jwks",
@@ -588,6 +600,7 @@ export const convex = (opts: {
           const runEndpoint = async () => {
             const response = await jwt.endpoints.getToken({
               ...ctx,
+              asResponse: false,
               returnHeaders: false,
               returnStatus: false,
             });

package/src/plugins/cross-domain/client.test.ts

@@ -1,29 +1,23 @@
-import { describe, it, expect, beforeEach, vi } from "vitest";
-import { getCookie, getSetCookie, parseSetCookieHeader, crossDomainClient } from "./client.js";
-
-describe("parseSetCookieHeader", () => {
-  it("parses a simple cookie", () => {
-    const header = "session_token=abc123";
-    const map = parseSetCookieHeader(header);
-    expect(map.get("session_token")?.value).toBe("abc123");
-  });
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import { crossDomainClient, getCookie, getSetCookie } from "./client.js";
 
-  it("parses cookie with attributes", () => {
-    const header = "session_token=abc123; Path=/; Secure; HttpOnly";
-    const map = parseSetCookieHeader(header);
-    const cookie = map.get("session_token");
-    expect(cookie?.value).toBe("abc123");
-  });
+describe("getSetCookie", () => {
+  it("stores cookies from RFC-1123 Expires headers without splitting the date", () => {
+    const header =
+      "session_token=abc; Path=/; Expires=Wed, 21 Oct 2030 07:28:00 GMT, other_cookie=xyz; Path=/";
 
-  it("parses multiple cookies", () => {
-    const header = "a=1, b=2";
-    const map = parseSetCookieHeader(header);
-    expect(map.get("a")?.value).toBe("1");
-    expect(map.get("b")?.value).toBe("2");
+    const result = JSON.parse(getSetCookie(header));
+
+    expect(result.session_token).toEqual({
+      value: "abc",
+      expires: "2030-10-21T07:28:00.000Z",
+    });
+    expect(result.other_cookie).toEqual({
+      value: "xyz",
+      expires: null,
+    });
   });
-});
 
-describe("getSetCookie", () => {
   it("stores expires as ISO string", () => {
     const header = "session_token=abc; Max-Age=3600";
     const result = JSON.parse(getSetCookie(header));
@@ -66,7 +60,10 @@ describe("getSetCookie", () => {
 describe("getCookie", () => {
   it("returns cookie string for valid cookies", () => {
     const stored = JSON.stringify({
-      session: { value: "abc", expires: new Date(Date.now() + 60000).toISOString() },
+      session: {
+        value: "abc",
+        expires: new Date(Date.now() + 60000).toISOString(),
+      },
     });
     const result = getCookie(stored);
     expect(result).toContain("session=abc");
@@ -74,8 +71,14 @@ describe("getCookie", () => {
 
   it("filters out expired cookies", () => {
     const stored = JSON.stringify({
-      expired: { value: "old", expires: new Date(Date.now() - 60000).toISOString() },
-      valid: { value: "new", expires: new Date(Date.now() + 60000).toISOString() },
+      expired: {
+        value: "old",
+        expires: new Date(Date.now() - 60000).toISOString(),
+      },
+      valid: {
+        value: "new",
+        expires: new Date(Date.now() + 60000).toISOString(),
+      },
     });
     const result = getCookie(stored);
     expect(result).not.toContain("expired=old");
@@ -112,7 +115,10 @@ describe("getCookie", () => {
 
 describe("crossDomainClient", () => {
   let storage: Map<string, string>;
-  let mockStorage: { getItem: (key: string) => string | null; setItem: (key: string, value: string) => void };
+  let mockStorage: {
+    getItem: (key: string) => string | null;
+    setItem: (key: string, value: string) => void;
+  };
   const cookieName = "better-auth_cookie";
   const localCacheName = "better-auth_session_data";
 
@@ -120,7 +126,9 @@ describe("crossDomainClient", () => {
     storage = new Map<string, string>();
     mockStorage = {
       getItem: (key) => storage.get(key) ?? null,
-      setItem: (key, value) => { storage.set(key, value); },
+      setItem: (key, value) => {
+        storage.set(key, value);
+      },
     };
   });
 
@@ -184,9 +192,12 @@ describe("crossDomainClient", () => {
 
   describe("onSuccess handler", () => {
     it("clears cookies when get-session returns null", async () => {
-      storage.set(cookieName, JSON.stringify({
-        "better-auth.session_token": { value: "stale", expires: null },
-      }));
+      storage.set(
+        cookieName,
+        JSON.stringify({
+          "better-auth.session_token": { value: "stale", expires: null },
+        })
+      );
 
       const onSuccess = getOnSuccessHook();
       await onSuccess({

package/src/plugins/cross-domain/client.ts

@@ -1,39 +1,8 @@
 import type { BetterAuthClientPlugin, ClientStore } from "better-auth";
+import { parseSetCookieHeader } from "better-auth/cookies";
 import type { BetterFetchOption } from "@better-fetch/fetch";
 import type { crossDomain } from "./index.js";
-
-interface CookieAttributes {
-  value: string;
-  expires?: Date;
-  "max-age"?: number;
-  domain?: string;
-  path?: string;
-  secure?: boolean;
-  httpOnly?: boolean;
-  sameSite?: "Strict" | "Lax" | "None";
-}
-
-export function parseSetCookieHeader(
-  header: string
-): Map<string, CookieAttributes> {
-  const cookieMap = new Map<string, CookieAttributes>();
-  const cookies = header.split(", ");
-  cookies.forEach((cookie) => {
-    const [nameValue, ...attributes] = cookie.split("; ");
-    const [name, value] = nameValue.split("=");
-
-    const cookieObj: CookieAttributes = { value };
-
-    attributes.forEach((attr) => {
-      const [attrName, attrValue] = attr.split("=");
-      cookieObj[attrName.toLowerCase() as "value"] = attrValue;
-    });
-
-    cookieMap.set(name, cookieObj);
-  });
-
-  return cookieMap;
-}
+import { VERSION } from "../../version.js";
 
 interface StoredCookie {
   value: string;
@@ -77,13 +46,10 @@ export function getCookie(cookie: string) {
   } catch {
     // noop
   }
-  const toSend = Object.entries(parsed).reduce((acc, [key, value]) => {
-    if (value.expires && new Date(value.expires) < new Date()) {
-      return acc;
-    }
-    return `${acc}; ${key}=${value.value}`;
-  }, "");
-  return toSend;
+  return Object.entries(parsed)
+    .filter(([, value]) => !value.expires || new Date(value.expires) >= new Date())
+    .map(([key, value]) => `${key}=${value.value}`)
+    .join("; ");
 }
 
 export const crossDomainClient = (
@@ -104,6 +70,7 @@ export const crossDomainClient = (
 
   return {
     id: "cross-domain",
+    version: VERSION,
     $InferServerPlugin: {} as ReturnType<typeof crossDomain>,
     getActions(_, $store) {
       store = $store;
@@ -154,7 +121,13 @@ export const crossDomainClient = (
           if (!sessionData) return null;
           try {
             const parsed = JSON.parse(sessionData);
-            if (parsed && typeof parsed === "object" && Object.keys(parsed).length === 0) return null;
+            if (
+              parsed &&
+              typeof parsed === "object" &&
+              Object.keys(parsed).length === 0
+            ) {
+              return null;
+            }
             return parsed;
           } catch {
             return null;
@@ -164,8 +137,8 @@ export const crossDomainClient = (
     },
     fetchPlugins: [
       {
-        id: "convex",
-        name: "Convex",
+        id: "cross-domain",
+        name: "Cross Domain",
         hooks: {
           async onSuccess(context) {
             if (!storage) {
@@ -239,7 +212,7 @@ export const crossDomainClient = (
               error: null,
               isPending: false,
             });
-            storage.setItem(localCacheName, "{}");
+            await storage.setItem(localCacheName, "{}");
           }
           return {
             url,

package/src/plugins/cross-domain/index.test.ts

@@ -1,67 +1,145 @@
 import { describe, expect, it } from "vitest";
+import { betterAuth } from "better-auth/minimal";
+import { memoryAdapter } from "better-auth/adapters/memory";
+import type { MemoryDB } from "better-auth/adapters/memory";
+import { genericOAuth } from "better-auth/plugins";
+import { magicLink } from "better-auth/plugins/magic-link";
 import { crossDomain } from "./index.js";
 
-const getPostRewriteMatcher = () => {
-  const plugin = crossDomain({ siteUrl: "https://example.com" });
-  const matcher = plugin.hooks?.before?.[2]?.matcher;
-  if (!matcher) {
-    throw new Error("expected cross-domain POST rewrite matcher");
-  }
-  return matcher;
-};
+const SITE_URL = "https://myapp.example.com";
+const AUTH_BASE_URL = "http://localhost:3000";
+const BASE_PATH = "/api/auth";
 
-describe("crossDomain POST rewrite matcher", () => {
-  it("matches POST requests regardless of route", () => {
-    const matcher = getPostRewriteMatcher();
-    type MatcherContext = Parameters<typeof matcher>[0];
+describe("crossDomain plugin", async () => {
+  let capturedMagicLinkUrl = "";
 
-    const knownPathCtx = {
-      method: "POST",
-      path: "/sign-in/email",
-      headers: new Headers(),
-    } satisfies Partial<MatcherContext>;
-    const unknownPathCtx = {
-      method: "POST",
-      path: "/custom-endpoint",
-      headers: new Headers(),
-    } satisfies Partial<MatcherContext>;
+  const db: MemoryDB = {
+    user: [],
+    session: [],
+    account: [],
+    verification: [],
+  };
 
-    expect(matcher(knownPathCtx as MatcherContext)).toBe(true);
-    expect(matcher(unknownPathCtx as MatcherContext)).toBe(true);
+  const auth = betterAuth({
+    baseURL: AUTH_BASE_URL,
+    basePath: BASE_PATH,
+    secret: "test-secret-at-least-thirty-two-characters-long",
+    database: memoryAdapter(db),
+    emailAndPassword: {
+      enabled: true,
+      requireEmailVerification: false,
+    },
+    plugins: [
+      magicLink({
+        sendMagicLink: async ({ url }) => {
+          capturedMagicLinkUrl = url;
+        },
+      }),
+      genericOAuth({
+        config: [
+          {
+            providerId: "example-oauth",
+            clientId: "test-client-id",
+            clientSecret: "test-client-secret",
+            authorizationUrl: "https://provider.example.com/oauth/authorize",
+            tokenUrl: "https://provider.example.com/oauth/token",
+          },
+        ],
+      }),
+      crossDomain({ siteUrl: SITE_URL }),
+    ],
   });
 
-  it("rejects non-POST methods", () => {
-    const matcher = getPostRewriteMatcher();
-    type MatcherContext = Parameters<typeof matcher>[0];
+  const post = (
+    path: string,
+    body: Record<string, unknown>,
+    extraHeaders?: Record<string, string>
+  ) =>
+    auth.handler(
+      new Request(`${AUTH_BASE_URL}${BASE_PATH}${path}`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json", ...extraHeaders },
+        body: JSON.stringify(body),
+      })
+    );
 
-    const getSignInCtx = {
-      method: "GET",
-      path: "/sign-in/email",
-      headers: new Headers(),
-    } satisfies Partial<MatcherContext>;
-    const optionsLinkSocialCtx = {
-      method: "OPTIONS",
-      path: "/link-social",
-      headers: new Headers(),
-    } satisfies Partial<MatcherContext>;
-
-    expect(matcher(getSignInCtx as MatcherContext)).toBe(false);
-    expect(matcher(optionsLinkSocialCtx as MatcherContext)).toBe(false);
+  await post("/sign-up/email", {
+    email: "test@example.com",
+    password: "testpassword123",
+    name: "Test User",
   });
 
-  it("rejects expo-native requests", () => {
-    const matcher = getPostRewriteMatcher();
-    type MatcherContext = Parameters<typeof matcher>[0];
+  describe("callbackURL defaulting for magic-link", () => {
+    it("injects siteUrl when callbackURL is absent", async () => {
+      capturedMagicLinkUrl = "";
+      await post("/sign-in/magic-link", { email: "test@example.com" });
+      const url = new URL(capturedMagicLinkUrl);
+      expect(url.searchParams.get("callbackURL")).toBe(SITE_URL);
+    });
+
+    it("rewrites relative callbackURL to absolute using siteUrl", async () => {
+      capturedMagicLinkUrl = "";
+      await post("/sign-in/magic-link", {
+        email: "test@example.com",
+        callbackURL: "/dashboard",
+      });
+      const url = new URL(capturedMagicLinkUrl);
+      expect(url.searchParams.get("callbackURL")).toBe(`${SITE_URL}/dashboard`);
+    });
 
-    const headers = new Headers();
-    headers.set("expo-origin", "expo");
+    it("preserves absolute callbackURL", async () => {
+      capturedMagicLinkUrl = "";
+      await post("/sign-in/magic-link", {
+        email: "test@example.com",
+        callbackURL: "https://other.example.com/callback",
+      });
+      const url = new URL(capturedMagicLinkUrl);
+      expect(url.searchParams.get("callbackURL")).toBe(
+        "https://other.example.com/callback"
+      );
+    });
+  });
 
-    const expoCtx = {
-      method: "POST",
-      path: "/sign-in/social",
-      headers,
-    } satisfies Partial<MatcherContext>;
+  describe("callbackURL defaulting for oauth2", () => {
+    it("injects siteUrl when callbackURL is absent", async () => {
+      const response = await post("/sign-in/oauth2", {
+        providerId: "example-oauth",
+        disableRedirect: true,
+      });
+      const { url } = (await response.json()) as { url: string };
+      const state = new URL(url).searchParams.get("state");
+      const verification = db.verification.find(
+        (entry) => entry.identifier === state
+      );
+      expect(verification).toBeDefined();
+      expect(JSON.parse(verification!.value).callbackURL).toBe(SITE_URL);
+    });
+
+    it("rewrites relative callbackURL to absolute using siteUrl", async () => {
+      const response = await post("/sign-in/oauth2", {
+        providerId: "example-oauth",
+        callbackURL: "/dashboard",
+        disableRedirect: true,
+      });
+      const { url } = (await response.json()) as { url: string };
+      const state = new URL(url).searchParams.get("state");
+      const verification = db.verification.find(
+        (entry) => entry.identifier === state
+      );
+      expect(verification).toBeDefined();
+      expect(JSON.parse(verification!.value).callbackURL).toBe(
+        `${SITE_URL}/dashboard`
+      );
+    });
+  });
 
-    expect(matcher(expoCtx as MatcherContext)).toBe(false);
+  describe("no callbackURL injection for email sign-in", () => {
+    it("does not redirect when callbackURL is absent", async () => {
+      const response = await post("/sign-in/email", {
+        email: "test@example.com",
+        password: "testpassword123",
+      });
+      expect(response.status).not.toBe(302);
+    });
   });
 });

package/src/plugins/cross-domain/index.ts

@@ -4,6 +4,7 @@ import { generateRandomString } from "better-auth/crypto";
 import { createAuthEndpoint, createAuthMiddleware } from "better-auth/api";
 import { oneTimeToken as oneTimeTokenPlugin } from "better-auth/plugins/one-time-token";
 import { z } from "zod";
+import { VERSION } from "../../version.js";
 
 export const crossDomain = ({ siteUrl }: { siteUrl: string }) => {
   const oneTimeToken = oneTimeTokenPlugin();
@@ -24,6 +25,7 @@ export const crossDomain = ({ siteUrl }: { siteUrl: string }) => {
 
   return {
     id: "cross-domain",
+    version: VERSION,
     // TODO: remove this in the next minor release, it doesn't
     // actually affect ctx.trustedOrigins. cors allowedOrigins
     // is using it, via options.trustedOrigins, though, so it's
@@ -55,8 +57,7 @@ export const crossDomain = ({ siteUrl }: { siteUrl: string }) => {
               Boolean(
                 ctx.request?.headers.has("better-auth-cookie") ||
                   ctx.headers?.has("better-auth-cookie")
-              ) &&
-              !isExpoNative(ctx)
+              ) && !isExpoNative(ctx)
             );
           },
           handler: createAuthMiddleware(async (ctx) => {
@@ -85,8 +86,8 @@ export const crossDomain = ({ siteUrl }: { siteUrl: string }) => {
           matcher: (ctx) => {
             return Boolean(
               ctx.method === "GET" &&
-              ctx.path?.startsWith("/verify-email") &&
-              !isExpoNative(ctx)
+                ctx.path?.startsWith("/verify-email") &&
+                !isExpoNative(ctx)
             );
           },
           handler: createAuthMiddleware(async (ctx) => {
@@ -101,6 +102,18 @@ export const crossDomain = ({ siteUrl }: { siteUrl: string }) => {
             return Boolean(ctx.method === "POST" && !isExpoNative(ctx));
           },
           handler: createAuthMiddleware(async (ctx) => {
+            // Set callbackURL to siteUrl for redirect-triggering paths with
+            // no callbackURL defined.
+            if (
+              ctx.body &&
+              !ctx.body.callbackURL &&
+              (ctx.path?.startsWith("/sign-in/social") ||
+                ctx.path?.startsWith("/sign-in/oauth2") ||
+                ctx.path?.startsWith("/sign-in/magic-link") ||
+                ctx.path?.startsWith("/send-verification-email"))
+            ) {
+              ctx.body.callbackURL = siteUrl;
+            }
             if (ctx.body?.callbackURL) {
               ctx.body.callbackURL = rewriteCallbackURL(ctx.body.callbackURL);
             }
@@ -125,8 +138,7 @@ export const crossDomain = ({ siteUrl }: { siteUrl: string }) => {
               Boolean(
                 ctx.request?.headers.has("better-auth-cookie") ||
                   ctx.headers?.has("better-auth-cookie")
-              ) &&
-              !isExpoNative(ctx)
+              ) && !isExpoNative(ctx)
             );
           },
           handler: createAuthMiddleware(async (ctx) => {
@@ -144,7 +156,7 @@ export const crossDomain = ({ siteUrl }: { siteUrl: string }) => {
               (ctx.path?.startsWith("/callback") ||
                 ctx.path?.startsWith("/oauth2/callback") ||
                 ctx.path?.startsWith("/magic-link/verify")) &&
-              !isExpoNative(ctx)
+                !isExpoNative(ctx)
             );
           },
           handler: createAuthMiddleware(async (ctx) => {
@@ -185,6 +197,7 @@ export const crossDomain = ({ siteUrl }: { siteUrl: string }) => {
         async (ctx) => {
           const response = await oneTimeToken.endpoints.verifyOneTimeToken({
             ...ctx,
+            asResponse: false,
             returnHeaders: false,
             returnStatus: false,
           });

package/src/react-start/index.ts

@@ -65,6 +65,10 @@ const handler = (request: Request, opts: { convexSiteUrl: string }) => {
   const headers = new Headers(request.headers);
   headers.set("accept-encoding", "application/json");
   headers.set("host", new URL(opts.convexSiteUrl).host);
+  headers.set("x-forwarded-host", requestUrl.host);
+  headers.set("x-forwarded-proto", requestUrl.protocol.replace(/:$/, ""));
+  headers.set("x-better-auth-forwarded-host", requestUrl.host);
+  headers.set("x-better-auth-forwarded-proto", requestUrl.protocol.replace(/:$/, ""));
   return fetch(nextUrl, {
     method: request.method,
     headers,