push

innungsapp/apps/admin/lib/auth.ts

@@ -4,6 +4,8 @@ import { magicLink } from 'better-auth/plugins'
 import { admin as adminPlugin } from 'better-auth/plugins'
 import { prisma } from '@innungsapp/shared'
 import { sendMagicLinkEmail } from './email'
+import { headers } from 'next/headers'
+
 
 export const auth = betterAuth({
   database: prismaAdapter(prisma, {
@@ -17,10 +19,25 @@ export const auth = betterAuth({
   trustedOrigins: [
     process.env.NEXT_PUBLIC_APP_URL ?? 'http://localhost:3032',
     process.env.EXPO_PUBLIC_API_URL ?? 'http://localhost:3032',
-    'http://192.168.178.115:3032',
-    'http://localhost:8081', // Expo dev client
-    'http://192.168.178.115:8081',
+    'http://localhost:3000',
+    'http://localhost:3001',
+    'http://localhost:3032',
+    'http://localhost:8081',
+    'http://*.localhost:3032',
+    'http://*.localhost:3000',
+    'https://*.innungsapp.de',
+    'https://*.innungsapp.com',
+    // Additional origins from env (comma-separated)
+    ...(process.env.BETTER_AUTH_TRUSTED_ORIGINS ?? '').split(',').map((o) => o.trim()).filter(Boolean),
   ],
+  user: {
+    additionalFields: {
+      mustChangePassword: {
+        type: 'boolean',
+        defaultValue: false,
+      },
+    },
+  },
   plugins: [
     magicLink({
       sendMagicLink: async ({ email, url }) => {
@@ -38,3 +55,19 @@ export const auth = betterAuth({
 })
 
 export type Auth = typeof auth
+
+export async function getSanitizedHeaders() {
+  const allHeaders = await headers()
+  const sanitizedHeaders = new Headers(allHeaders)
+  
+  // Avoid ENOTFOUND by forcing host to localhost for internal better-auth fetches
+  // We use the host defined in BETTER_AUTH_URL
+  try {
+    const betterAuthUrl = new URL(process.env.BETTER_AUTH_URL || 'http://localhost:3032')
+    sanitizedHeaders.set('host', betterAuthUrl.host)
+  } catch (e) {
+    sanitizedHeaders.set('host', 'localhost:3032')
+  }
+  
+  return sanitizedHeaders
+}