add www variant to Better Auth trustedOrigins

prazgaitis · claude · prazgaitis · commit c626b660f31b · 2026-02-08T19:18:34.000-06:00
SITE_URL is https://march.fit but users access https://www.march.fit, causing CSRF origin check to fail with 403. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
diff --git a/packages/backend/auth.ts b/packages/backend/auth.ts
@@ -31,6 +31,10 @@ export const createAuth = (ctx: GenericCtx<DataModel>) => {
       "http://localhost:3000",
       "http://localhost:3001",
       process.env.SITE_URL || "",
+      // Also trust www variant of the site URL
+      ...(process.env.SITE_URL
+        ? [process.env.SITE_URL.replace("://", "://www.")]
+        : []),
     ].filter(Boolean),
     emailAndPassword: {
       enabled: true,
