@dubeyvishal/orbital-cli 1.5.9 → 1.6.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/package.json +1 -1
  2. package/server/src/config/api.js +1 -1
  3. package/server/src/index.js +21 -11
  4. package/server/src/lib/auth.js +2 -2
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@dubeyvishal/orbital-cli",
3
- "version": "1.5.9",
3
+ "version": "1.6.10",
4
4
  "description": "A fullstack CLI-based AI platform with chat mode, multi-tool agents, and agentic AI workflows. Includes GitHub login with device authorization, secure authentication, and modular client–server architecture for building intelligent automation tools.",
5
5
  "author": "Vishal Dubey",
6
6
  "license": "MIT",
package/server/src/config/api.js CHANGED
@@ -18,5 +18,5 @@ export const FRONTEND_URL = stripTrailingSlash(
18
18
  );
19
19
 
20
20
  export const AUTH_BASE_URL = stripTrailingSlash(
21
- process.env.BETTER_AUTH_BASE_URL || API_BASE
21
+ process.env.BETTER_AUTH_BASE_URL || FRONTEND_URL || API_BASE
22
22
  );
package/server/src/index.js CHANGED
@@ -16,19 +16,29 @@ const CLIENT_ORIGIN = FRONTEND_URL;
16
16
 
17
17
  app.use(express.json());
18
18
 
19
- // Skip Express cors for /api/auth/* routes better-auth handles its own CORS.
20
- const corsMiddleware = cors({
21
- origin: CLIENT_ORIGIN,
22
- methods: ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
23
- credentials: true,
24
- });
25
- app.use((req, res, next) => {
26
- if (req.path.startsWith("/api/auth/")) return next();
27
- corsMiddleware(req, res, next);
19
+ // ── CORS: single source of truth for every route ──────────────────────
20
+ app.use(
21
+ cors({
22
+ origin: CLIENT_ORIGIN,
23
+ methods: ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
24
+ credentials: true,
25
+ })
26
+ );
27
+
28
+ // Wrap the better-auth handler so it can never override the origin with "*".
29
+ const authHandler = toNodeHandler(auth);
30
+ app.all("/api/auth/*splat", (req, res) => {
31
+ const _setHeader = res.setHeader.bind(res);
32
+ res.setHeader = function (name, value) {
33
+ // Force the correct origin for any CORS header better-auth sets.
34
+ if (name.toLowerCase() === "access-control-allow-origin") {
35
+ return _setHeader(name, CLIENT_ORIGIN);
36
+ }
37
+ return _setHeader(name, value);
38
+ };
39
+ authHandler(req, res);
28
40
  });
29
41
 
30
- app.all("/api/auth/*splat", toNodeHandler(auth));
31
-
32
42
  app.use("/auth", authRoutes);
33
43
 
34
44
  app.get("/api/me" , async (req, res)=>{
package/server/src/lib/auth.js CHANGED
@@ -3,7 +3,7 @@ import { betterAuth } from "better-auth";
3
3
  import { prismaAdapter } from "better-auth/adapters/prisma";
4
4
  import { deviceAuthorization } from "better-auth/plugins";
5
5
  import prisma from "./db.js";
6
- import { API_BASE, FRONTEND_URL } from "../config/api.js";
6
+ import { AUTH_BASE_URL, FRONTEND_URL } from "../config/api.js";
7
7
 
8
8
  const CLIENT_ORIGIN =
9
9
  process.env.CLIENT_ORIGIN ||
@@ -15,7 +15,7 @@ export const auth = betterAuth({
15
15
  provider: "postgresql",
16
16
  }),
17
17
 
18
- baseURL: API_BASE,
18
+ baseURL: AUTH_BASE_URL,
19
19
  basePath: "/api/auth",
20
20
 
21
21
  trustedOrigins: [CLIENT_ORIGIN],