@hubspot/app-connect-sdk 1.0.0-alpha.2 → 1.0.0-alpha.21

package/src/server/hono/hubspot-connect-routes/auth-init-session.test.ts

@@ -1,7 +1,9 @@
 import { Hono } from 'hono';
 import { describe, expect, it, vi } from 'vitest';
 
+import { OAUTH_CALLBACK_PATH } from '../../../shared/constants.ts';
 import {
+  HUBSPOT_APP_ORIGIN_COOKIE_NAME,
   HUBSPOT_APP_SID_COOKIE_NAME,
   TEMP_COOKIE_OAUTH_STATE,
   TEMP_COOKIE_PKCE_VERIFIER,
@@ -21,6 +23,7 @@ const hubspotConnectEnv = {
 } satisfies HubSpotConnectRoutesEnvClientSecret;
 
 const BASE_PATH = '/functions/v1/hubspot-connect';
+const APP_ORIGIN = 'https://app.example.com';
 
 function buildOAuthRouteOptions(): HubSpotConnectOAuthRouteOptions {
   return {
@@ -38,60 +41,109 @@ function buildOAuthRouteOptions(): HubSpotConnectOAuthRouteOptions {
   };
 }
 
+function buildInitSessionRequest(options: {
+  returnPath?: string;
+  origin?: string | null;
+}): Request {
+  const url = new URL('http://localhost/auth/init-session');
+  if (options.returnPath !== undefined) {
+    url.searchParams.set('return_path', options.returnPath);
+  }
+  const headers = new Headers();
+  if (options.origin !== null && options.origin !== undefined) {
+    headers.set('Origin', options.origin);
+  }
+  return new Request(url.toString(), { method: 'GET', headers });
+}
+
 describe('handleAuthInitSession', () => {
   it('returns 400 for an unsafe return_path (open redirect)', async () => {
     const app = new Hono();
     app.get('/auth/init-session', (c) =>
       handleAuthInitSession(c, buildOAuthRouteOptions())
     );
-    const res = await app.request(
-      'http://localhost/auth/init-session?return_path=//evil.example.com',
-      { method: 'GET' }
+    const res = await app.fetch(
+      buildInitSessionRequest({
+        returnPath: '//evil.example.com',
+        origin: APP_ORIGIN,
+      })
     );
     expect(res.status).toBe(400);
     expect(await res.text()).toContain('Invalid return_path');
   });
 
-  it('returns JSON with authorization_url on success', async () => {
+  it('returns 400 when the Origin header is missing', async () => {
+    const app = new Hono();
+    app.get('/auth/init-session', (c) =>
+      handleAuthInitSession(c, buildOAuthRouteOptions())
+    );
+    const res = await app.fetch(
+      buildInitSessionRequest({ returnPath: '/dashboard', origin: null })
+    );
+    expect(res.status).toBe(400);
+    expect(await res.text()).toContain('Origin');
+  });
+
+  it('returns 400 when the Origin header is not an https:// or localhost origin', async () => {
     const app = new Hono();
     app.get('/auth/init-session', (c) =>
       handleAuthInitSession(c, buildOAuthRouteOptions())
     );
-    const res = await app.request(
-      'http://localhost/auth/init-session?return_path=/dashboard',
-      { method: 'GET' }
+    const res = await app.fetch(
+      buildInitSessionRequest({
+        returnPath: '/dashboard',
+        origin: 'http://evil.example.com',
+      })
+    );
+    expect(res.status).toBe(400);
+  });
+
+  it('builds the OAuth redirect_uri from the request Origin and the frontend callback path', async () => {
+    const app = new Hono();
+    app.get('/auth/init-session', (c) =>
+      handleAuthInitSession(c, buildOAuthRouteOptions())
+    );
+    const res = await app.fetch(
+      buildInitSessionRequest({ returnPath: '/dashboard', origin: APP_ORIGIN })
     );
 
     expect(res.status).toBe(200);
     const body = (await res.json()) as { authorization_url: string };
-    expect(body.authorization_url).toBeDefined();
-
     const authUrl = new URL(body.authorization_url);
-    expect(authUrl.origin).toBe('https://auth.example.test');
-    expect(authUrl.searchParams.get('response_type')).toBe('code');
-    expect(authUrl.searchParams.get('client_id')).toBe('test-client-id');
-    expect(authUrl.searchParams.get('code_challenge_method')).toBe('S256');
-    expect(authUrl.searchParams.get('code_challenge')).toBeTruthy();
-    expect(authUrl.searchParams.get('state')).toBeTruthy();
-    expect(authUrl.searchParams.get('scope')).toContain(
-      'crm.objects.contacts.read'
-    );
-    expect(authUrl.searchParams.get('optional_scope')).toContain(
-      'crm.objects.deals.read'
+    expect(authUrl.searchParams.get('redirect_uri')).toBe(
+      `${APP_ORIGIN}${OAUTH_CALLBACK_PATH}`
     );
   });
 
-  it('sets session, PKCE verifier, and state cookies', async () => {
+  it('pins the request Origin in `__Host-hs_app_origin` with SameSite=None; Partitioned', async () => {
     const app = new Hono();
     app.get('/auth/init-session', (c) =>
       handleAuthInitSession(c, buildOAuthRouteOptions())
     );
-    const res = await app.request(
-      'http://localhost/auth/init-session?return_path=/dashboard',
-      { method: 'GET' }
+    const res = await app.fetch(
+      buildInitSessionRequest({ returnPath: '/dashboard', origin: APP_ORIGIN })
+    );
+    const setCookies = res.headers.getSetCookie();
+    const originCookie = setCookies.find((h) =>
+      h.startsWith(`${HUBSPOT_APP_ORIGIN_COOKIE_NAME}=`)
+    );
+    expect(originCookie).toBeDefined();
+    expect(originCookie).toContain(
+      `${HUBSPOT_APP_ORIGIN_COOKIE_NAME}=${APP_ORIGIN}`
     );
+    expect(originCookie).toContain('SameSite=None');
+    expect(originCookie).toContain('Secure');
+    expect(originCookie).toContain('Partitioned');
+  });
 
-    expect(res.status).toBe(200);
+  it('sets all session cookies with SameSite=None; Partitioned', async () => {
+    const app = new Hono();
+    app.get('/auth/init-session', (c) =>
+      handleAuthInitSession(c, buildOAuthRouteOptions())
+    );
+    const res = await app.fetch(
+      buildInitSessionRequest({ returnPath: '/dashboard', origin: APP_ORIGIN })
+    );
     const setCookies = res.headers.getSetCookie();
 
     const sidCookie = setCookies.find((h) =>
@@ -99,18 +151,50 @@ describe('handleAuthInitSession', () => {
     );
     expect(sidCookie).toBeDefined();
     expect(sidCookie).toContain('HttpOnly');
+    expect(sidCookie).toContain('SameSite=None');
+    expect(sidCookie).toContain('Partitioned');
 
     const pkceCookie = setCookies.find((h) =>
       h.startsWith(`${TEMP_COOKIE_PKCE_VERIFIER}=`)
     );
     expect(pkceCookie).toBeDefined();
-    expect(pkceCookie).toContain('SameSite=Lax');
+    expect(pkceCookie).toContain('SameSite=None');
+    expect(pkceCookie).toContain('Partitioned');
 
     const stateCookie = setCookies.find((h) =>
       h.startsWith(`${TEMP_COOKIE_OAUTH_STATE}=`)
     );
     expect(stateCookie).toBeDefined();
-    expect(stateCookie).toContain('SameSite=Lax');
+    expect(stateCookie).toContain('SameSite=None');
+    expect(stateCookie).toContain('Partitioned');
+  });
+
+  it('returns JSON with authorization_url on success', async () => {
+    const app = new Hono();
+    app.get('/auth/init-session', (c) =>
+      handleAuthInitSession(c, buildOAuthRouteOptions())
+    );
+    const res = await app.fetch(
+      buildInitSessionRequest({ returnPath: '/dashboard', origin: APP_ORIGIN })
+    );
+
+    expect(res.status).toBe(200);
+    const body = (await res.json()) as { authorization_url: string };
+    expect(body.authorization_url).toBeDefined();
+
+    const authUrl = new URL(body.authorization_url);
+    expect(authUrl.origin).toBe('https://auth.example.test');
+    expect(authUrl.searchParams.get('response_type')).toBe('code');
+    expect(authUrl.searchParams.get('client_id')).toBe('test-client-id');
+    expect(authUrl.searchParams.get('code_challenge_method')).toBe('S256');
+    expect(authUrl.searchParams.get('code_challenge')).toBeTruthy();
+    expect(authUrl.searchParams.get('state')).toBeTruthy();
+    expect(authUrl.searchParams.get('scope')).toContain(
+      'crm.objects.contacts.read'
+    );
+    expect(authUrl.searchParams.get('optional_scope')).toContain(
+      'crm.objects.deals.read'
+    );
   });
 
   it('defaults return_path to / when param is absent', async () => {
@@ -118,9 +202,9 @@ describe('handleAuthInitSession', () => {
     app.get('/auth/init-session', (c) =>
       handleAuthInitSession(c, buildOAuthRouteOptions())
     );
-    const res = await app.request('http://localhost/auth/init-session', {
-      method: 'GET',
-    });
+    const res = await app.fetch(
+      buildInitSessionRequest({ origin: APP_ORIGIN })
+    );
     expect(res.status).toBe(200);
     const body = (await res.json()) as { authorization_url: string };
     const state =

package/src/server/hono/hubspot-connect-routes/auth-init-session.ts

@@ -1,6 +1,7 @@
 import type { Context } from 'hono';
 
 import {
+  HUBSPOT_APP_ORIGIN_COOKIE_NAME,
   HUBSPOT_APP_SID_COOKIE_NAME,
   TEMP_COOKIE_OAUTH_STATE,
   TEMP_COOKIE_PKCE_VERIFIER,
@@ -13,8 +14,9 @@ import { deriveHubSpotAuthorizeScopesFromClientMetadata } from './fetch-hubspot-
 import type { HubSpotConnectOAuthRouteOptions } from './types.ts';
 import {
   buildCimdClientIdUrlFromRequest,
-  buildOAuthRedirectUriFromRequest,
+  buildFrontendOAuthRedirectUri,
   isSafeReturnPath,
+  parseAppOriginHeader,
 } from './utils.ts';
 
 export async function handleAuthInitSession(
@@ -31,6 +33,18 @@ export async function handleAuthInitSession(
     return c.text('Invalid return_path', 400);
   }
 
+  // The app origin pins the OAuth `redirect_uri` (which lands on the
+  // frontend, not on this edge function) and, via the persisted
+  // `__Host-hs_app_origin` cookie, drives credentialed
+  // `Access-Control-Allow-Origin` on every subsequent SDK response.
+  const appOrigin = parseAppOriginHeader(c.req.header('Origin'));
+  if (!appOrigin) {
+    return c.text(
+      'Missing or invalid Origin header; init-session must be called from a browser',
+      400
+    );
+  }
+
   const sessionIdBytes = new Uint8Array(32);
   crypto.getRandomValues(sessionIdBytes);
   const sessionId = base64url(sessionIdBytes);
@@ -57,16 +71,12 @@ export async function handleAuthInitSession(
         xForwardedProto,
         xForwardedHost,
         requestHostHeader,
+        appOrigin,
       })
     : hubspotConnectEnv.hubspotClientId;
 
-  const redirectUri = buildOAuthRedirectUriFromRequest({
-    requestUrl: c.req.url,
-    basePath: options.basePath,
-    xForwardedProto,
-    xForwardedHost,
-    requestHostHeader,
-  });
+  console.log('clientId', clientId);
+  const redirectUri = buildFrontendOAuthRedirectUri(appOrigin);
 
   const authorizeUrl = new URL(hubspotConnectEnv.hubspotAuthorizationEndpoint);
   authorizeUrl.searchParams.set('response_type', 'code');
@@ -92,12 +102,25 @@ export async function handleAuthInitSession(
     }
   }
 
+  setResponseCookie({
+    c,
+    value: serializeCookie({
+      name: HUBSPOT_APP_ORIGIN_COOKIE_NAME,
+      value: appOrigin,
+      path: '/',
+      sameSite: 'None',
+      partitioned: true,
+      maxAge: SESSION_MAX_AGE_SEC,
+    }),
+  });
   setResponseCookie({
     c,
     value: serializeCookie({
       name: HUBSPOT_APP_SID_COOKIE_NAME,
       value: sessionId,
       path: '/',
+      sameSite: 'None',
+      partitioned: true,
       maxAge: SESSION_MAX_AGE_SEC,
     }),
   });
@@ -107,7 +130,8 @@ export async function handleAuthInitSession(
       name: TEMP_COOKIE_PKCE_VERIFIER,
       value: encodeURIComponent(codeVerifier),
       path: '/',
-      sameSite: 'Lax',
+      sameSite: 'None',
+      partitioned: true,
       maxAge: OAUTH_TEMP_MAX_AGE_SEC,
     }),
   });
@@ -117,7 +141,8 @@ export async function handleAuthInitSession(
       name: TEMP_COOKIE_OAUTH_STATE,
       value: encodeURIComponent(stateValue),
       path: '/',
-      sameSite: 'Lax',
+      sameSite: 'None',
+      partitioned: true,
       maxAge: OAUTH_TEMP_MAX_AGE_SEC,
     }),
   });

package/src/server/hono/hubspot-connect-routes/auth-logout.test.ts

@@ -4,6 +4,7 @@ import { afterEach, describe, expect, it, vi } from 'vitest';
 import type { Logger } from '../../../shared/logger.ts';
 import {
   HUBSPOT_ACCESS_TOKEN_COOKIE_NAME,
+  HUBSPOT_APP_ORIGIN_COOKIE_NAME,
   HUBSPOT_APP_SID_COOKIE_NAME,
 } from '../../constants.ts';
 import { handleAuthLogout } from './auth-logout.ts';
@@ -76,12 +77,24 @@ describe('handleAuthLogout', () => {
     );
     expect(accessCookie).toBeDefined();
     expect(accessCookie).toContain('Max-Age=0');
+    expect(accessCookie).toContain('SameSite=None');
+    expect(accessCookie).toContain('Partitioned');
 
     const sidCookie = setCookies.find((header) =>
       header.startsWith(`${HUBSPOT_APP_SID_COOKIE_NAME}=`)
     );
     expect(sidCookie).toBeDefined();
     expect(sidCookie).toContain('Max-Age=0');
+    expect(sidCookie).toContain('SameSite=None');
+    expect(sidCookie).toContain('Partitioned');
+
+    const originCookie = setCookies.find((header) =>
+      header.startsWith(`${HUBSPOT_APP_ORIGIN_COOKIE_NAME}=`)
+    );
+    expect(originCookie).toBeDefined();
+    expect(originCookie).toContain('Max-Age=0');
+    expect(originCookie).toContain('SameSite=None');
+    expect(originCookie).toContain('Partitioned');
   });
 
   it('clears cookies and logs a warning when revoke returns non-OK HTTP', async () => {

package/src/server/hono/hubspot-connect-routes/auth-logout.ts

@@ -3,6 +3,7 @@ import type { Context } from 'hono';
 import type { Logger } from '../../../shared/logger.ts';
 import {
   HUBSPOT_ACCESS_TOKEN_COOKIE_NAME,
+  HUBSPOT_APP_ORIGIN_COOKIE_NAME,
   HUBSPOT_APP_SID_COOKIE_NAME,
   HUBSPOT_REFRESH_COOKIE_PREFIX,
 } from '../../constants.ts';
@@ -10,7 +11,10 @@ import { parseCookies } from '../../utils/cookie-utils.ts';
 import { serializeCookie, setResponseCookie } from '../utils/cookie-utils.ts';
 import { buildClientAssertion } from './oauth-client.ts';
 import type { HubSpotConnectOAuthRouteOptions } from './types.ts';
-import { buildCimdClientIdUrlFromRequest } from './utils.ts';
+import {
+  buildCimdClientIdUrlFromRequest,
+  parseAppOriginHeader,
+} from './utils.ts';
 
 async function revokeToken(options: {
   revokeEndpointUrl: string;
@@ -46,15 +50,23 @@ export async function handleAuthLogout(
   const cookies = parseCookies(c.req.header('Cookie'));
   const accessToken = cookies[HUBSPOT_ACCESS_TOKEN_COOKIE_NAME];
 
-  const clientId = hubspotConnectEnv.isCimdEnabled
-    ? buildCimdClientIdUrlFromRequest({
-        requestUrl: c.req.url,
-        basePath,
-        xForwardedProto,
-        xForwardedHost,
-        requestHostHeader,
-      })
-    : hubspotConnectEnv.hubspotClientId;
+  let clientId: string;
+  if (hubspotConnectEnv.isCimdEnabled) {
+    const appOrigin = parseAppOriginHeader(c.req.header('Origin'));
+    if (!appOrigin) {
+      return c.json({ error: 'Missing or invalid Origin header' }, 400);
+    }
+    clientId = buildCimdClientIdUrlFromRequest({
+      requestUrl: c.req.url,
+      basePath,
+      xForwardedProto,
+      xForwardedHost,
+      requestHostHeader,
+      appOrigin,
+    });
+  } else {
+    clientId = hubspotConnectEnv.hubspotClientId;
+  }
 
   const revokeEndpointUrl = new URL(
     '/oauth/v1/revoke',
@@ -109,6 +121,8 @@ export async function handleAuthLogout(
       name: HUBSPOT_ACCESS_TOKEN_COOKIE_NAME,
       value: '',
       path: '/',
+      sameSite: 'None',
+      partitioned: true,
       maxAge: 0,
     }),
   });
@@ -118,6 +132,19 @@ export async function handleAuthLogout(
       name: HUBSPOT_APP_SID_COOKIE_NAME,
       value: '',
       path: '/',
+      sameSite: 'None',
+      partitioned: true,
+      maxAge: 0,
+    }),
+  });
+  setResponseCookie({
+    c,
+    value: serializeCookie({
+      name: HUBSPOT_APP_ORIGIN_COOKIE_NAME,
+      value: '',
+      path: '/',
+      sameSite: 'None',
+      partitioned: true,
       maxAge: 0,
     }),
   });
@@ -130,6 +157,8 @@ export async function handleAuthLogout(
           name: cookieName,
           value: '',
           path: refreshCookiePath,
+          sameSite: 'None',
+          partitioned: true,
           maxAge: 0,
         }),
       });

package/src/server/hono/hubspot-connect-routes/auth-refresh.test.ts

@@ -175,11 +175,15 @@ describe('handleAuthRefresh', () => {
       h.startsWith(`${HUBSPOT_ACCESS_TOKEN_COOKIE_NAME}=`)
     );
     expect(accessCookie).toContain('new-access-token');
+    expect(accessCookie).toContain('SameSite=None');
+    expect(accessCookie).toContain('Partitioned');
 
     const refreshCookie = setCookies.find((h) =>
       h.startsWith(`${refreshCookieName}=`)
     );
     expect(refreshCookie).toContain('new-refresh-token');
+    expect(refreshCookie).toContain('SameSite=None');
+    expect(refreshCookie).toContain('Partitioned');
   });
 
   it('clears stale refresh cookies on success', async () => {
@@ -220,5 +224,7 @@ describe('handleAuthRefresh', () => {
       h.startsWith(`${staleCookieName}=`)
     );
     expect(staleCleared).toContain('Max-Age=0');
+    expect(staleCleared).toContain('SameSite=None');
+    expect(staleCleared).toContain('Partitioned');
   });
 });

package/src/server/hono/hubspot-connect-routes/auth-refresh.ts

@@ -20,6 +20,7 @@ import type { HubSpotConnectOAuthRouteOptions } from './types.ts';
 import {
   buildCimdClientIdUrlFromRequest,
   isPositiveFiniteNumber,
+  parseAppOriginHeader,
 } from './utils.ts';
 
 export async function handleAuthRefresh(
@@ -53,15 +54,23 @@ export async function handleAuthRefresh(
     return c.json({ error: 'Missing refresh token' }, 401);
   }
 
-  const clientId = hubspotConnectEnv.isCimdEnabled
-    ? buildCimdClientIdUrlFromRequest({
-        requestUrl: c.req.url,
-        basePath,
-        xForwardedProto,
-        xForwardedHost,
-        requestHostHeader,
-      })
-    : hubspotConnectEnv.hubspotClientId;
+  let clientId: string;
+  if (hubspotConnectEnv.isCimdEnabled) {
+    const appOrigin = parseAppOriginHeader(c.req.header('Origin'));
+    if (!appOrigin) {
+      return c.json({ error: 'Missing or invalid Origin header' }, 400);
+    }
+    clientId = buildCimdClientIdUrlFromRequest({
+      requestUrl: c.req.url,
+      basePath,
+      xForwardedProto,
+      xForwardedHost,
+      requestHostHeader,
+      appOrigin,
+    });
+  } else {
+    clientId = hubspotConnectEnv.hubspotClientId;
+  }
 
   const tokenEndpointUrl = new URL(
     '/oauth/v1/token',
@@ -135,6 +144,8 @@ export async function handleAuthRefresh(
       name: HUBSPOT_ACCESS_TOKEN_COOKIE_NAME,
       value: newAccessToken,
       path: '/',
+      sameSite: 'None',
+      partitioned: true,
       maxAge: expires_in,
     }),
   });
@@ -144,6 +155,8 @@ export async function handleAuthRefresh(
       name: refreshCookieName,
       value: newRefreshToken,
       path: refreshCookiePath,
+      sameSite: 'None',
+      partitioned: true,
       maxAge: REFRESH_COOKIE_MAX_AGE_SEC,
     }),
   });
@@ -161,6 +174,8 @@ export async function handleAuthRefresh(
           name: cookieName,
           value: '',
           path: refreshCookiePath,
+          sameSite: 'None',
+          partitioned: true,
           maxAge: 0,
         }),
       });

package/src/server/hono/hubspot-connect-routes/cimd-public-routes.test.ts

@@ -1,6 +1,7 @@
 import { Hono } from 'hono';
 import { describe, expect, it, vi } from 'vitest';
 
+import { OAUTH_CALLBACK_PATH } from '../../../shared/constants.ts';
 import { createTestAppKeys } from '../../utils/test-fixtures.ts';
 import {
   handleCimdAppJwks,
@@ -13,6 +14,7 @@ import type {
 import type { HubSpotConnectOAuthRouteOptions } from './types.ts';
 
 const BASE_PATH = '/functions/v1/hubspot-connect';
+const APP_ORIGIN = 'https://app.example.com';
 
 function buildOptions(
   hubspotConnectEnv: HubSpotConnectOAuthRouteOptions['hubspotConnectEnv'],
@@ -57,10 +59,11 @@ describe('handleCimdClientJson', () => {
     app.get(`${BASE_PATH}/client.json`, (c) =>
       handleCimdClientJson(c, buildOptions(clientSecretEnv))
     );
-    const res = await app.request(
-      `http://app.example.test${BASE_PATH}/client.json`,
-      { method: 'GET' }
+    const clientJsonUrl = new URL(
+      `http://app.example.test${BASE_PATH}/client.json`
     );
+    clientJsonUrl.searchParams.set('app_origin', APP_ORIGIN);
+    const res = await app.request(clientJsonUrl.toString(), { method: 'GET' });
 
     expect(res.status).toBe(200);
     expect(res.headers.get('Content-Type')).toContain('application/json');
@@ -71,9 +74,7 @@ describe('handleCimdClientJson', () => {
       scope: { required: string[]; optional?: string[] };
     };
 
-    expect(body.redirect_uri).toBe(
-      `http://app.example.test${BASE_PATH}/auth/callback`
-    );
+    expect(body.redirect_uri).toBe(`${APP_ORIGIN}${OAUTH_CALLBACK_PATH}`);
     expect(body.jwks_uri).toBe(`http://app.example.test${BASE_PATH}/jwks.json`);
     expect(body.scope.required).toContain('crm.objects.contacts.read');
     expect(body.scope.optional).toContain('crm.objects.deals.read');

package/src/server/hono/hubspot-connect-routes/cimd-public-routes.ts

@@ -22,13 +22,17 @@ export async function handleCimdClientJson(
   const xForwardedProto = c.req.header('x-forwarded-proto') ?? undefined;
   const xForwardedHost = c.req.header('x-forwarded-host') ?? undefined;
   const requestHostHeader = c.req.header('host') ?? undefined;
-
+  const appOrigin = c.req.query('app_origin');
+  if (!appOrigin) {
+    return c.text('Missing app origin', 400);
+  }
   const forwarded: BuildOAuthRedirectUriFromRequestOptions = {
     requestUrl: c.req.url,
     basePath,
     xForwardedProto,
     xForwardedHost,
     requestHostHeader,
+    appOrigin,
   };
 
   const body: HubSpotConnectCimdClientDocument = {

package/src/server/hono/hubspot-connect-routes/hubspot-connect-routes.ts

@@ -2,7 +2,8 @@ import type { Hono } from 'hono';
 
 import { noopLogger, type Logger } from '../../../shared/logger.ts';
 import type { AppKeys } from '../../types.ts';
-import { handleAuthCallback } from './auth-callback.ts';
+import { corsMiddleware } from '../utils/cors-middleware.ts';
+import { handleAuthComplete } from './auth-complete.ts';
 import { handleAuthInitSession } from './auth-init-session.ts';
 import { handleAuthLogout } from './auth-logout.ts';
 import { handleAuthRefresh } from './auth-refresh.ts';
@@ -13,6 +14,7 @@ import {
   handleCimdClientJson,
 } from './cimd-public-routes.ts';
 import type { HubSpotConnectRoutesEnv } from './load-hubspot-connect-routes-env.ts';
+import type { HubSpotConnectOAuthRouteOptions } from './types.ts';
 
 /**
  * Options accepted by {@link registerHubSpotConnectRoutes}.
@@ -72,7 +74,7 @@ export function registerHubSpotConnectRoutes(
   assertHubSpotConnectCimdClientMetadata(cimdClientMetadata);
 
   const refreshCookiePath = `${basePath}/auth`;
-  const oauthRouteOptions = {
+  const oauthRouteOptions: HubSpotConnectOAuthRouteOptions = {
     appKeys,
     refreshCookiePath,
     logger,
@@ -81,6 +83,12 @@ export function registerHubSpotConnectRoutes(
     cimdClientMetadata,
   };
 
+  // Credentialed CORS for the cross-origin Lovable / Supabase shape.
+  // Echoes the request `Origin` (or the pinned `__Host-hs_app_origin`
+  // cookie value once init-session has run) and short-circuits OPTIONS
+  // preflights with a 204 before any route handler runs.
+  app.use('*', corsMiddleware());
+
   app.get('/client.json', (c) => handleCimdClientJson(c, oauthRouteOptions));
   if (hubspotConnectEnv.isCimdEnabled) {
     app.get('/jwks.json', (c) => handleCimdAppJwks(c, oauthRouteOptions));
@@ -89,7 +97,7 @@ export function registerHubSpotConnectRoutes(
   app.get('/auth/init-session', (c) =>
     handleAuthInitSession(c, oauthRouteOptions)
   );
-  app.get('/auth/callback', (c) => handleAuthCallback(c, oauthRouteOptions));
+  app.post('/auth/complete', (c) => handleAuthComplete(c, oauthRouteOptions));
   app.post('/auth/refresh', (c) => handleAuthRefresh(c, oauthRouteOptions));
   app.post('/auth/logout', (c) => handleAuthLogout(c, oauthRouteOptions));
 }