fix(auth): resolve CORS errors for self-hosted deployments behind reverse proxies

- auth client now uses browser origin first, falling back to NEXT_PUBLIC_APP_URL
- socket client falls back to page origin when served from non-localhost (assumes /socket.io is proxied)
- add TRUSTED_ORIGINS env var to extend Better Auth trustedOrigins (apex+www, alias hostnames)
- warn at startup when NEXT_PUBLIC_APP_URL is localhost in production
- preprocess empty NEXT_PUBLIC_SOCKET_URL so docker-compose ${VAR:-} works
- migrate remaining uuid/nanoid/randomUUID usages to @sim/utils generateId/generateShortId
- extend generateShortId with optional alphabet param (rejection sampling)
- document TRUSTED_ORIGINS in .env.example, docker-compose.prod.yml, and helm values.yaml

Fixes #1243

Author: waleedlatif1

apps/sim/.env.example

@@ -11,6 +11,7 @@ BETTER_AUTH_URL=http://localhost:3000
 # NextJS (Required)
 NEXT_PUBLIC_APP_URL=http://localhost:3000
 # INTERNAL_API_BASE_URL=http://sim-app.default.svc.cluster.local:3000  # Optional: internal URL for server-side /api self-calls; defaults to NEXT_PUBLIC_APP_URL
+# TRUSTED_ORIGINS=https://www.example.com,https://app.example.com  # Optional: comma-separated additional public origins to trust for auth (apex+www, alias domains). Merged into Better Auth trustedOrigins.
 
 # Security (Required)
 ENCRYPTION_KEY=your_encryption_key  # Use `openssl rand -hex 32` to generate, used to encrypt environment variables

apps/sim/lib/auth/auth-client.ts

@@ -12,16 +12,11 @@ import { createAuthClient } from 'better-auth/react'
 import type { auth } from '@/lib/auth'
 import { env } from '@/lib/core/config/env'
 import { isBillingEnabled, isOrganizationsEnabled } from '@/lib/core/config/feature-flags'
-import { getBaseUrl } from '@/lib/core/utils/urls'
+import { getBaseUrl, getBrowserOrigin } from '@/lib/core/utils/urls'
 import { SessionContext, type SessionHookResult } from '@/app/_shell/providers/session-provider'
 
 function getAuthBaseUrl(): string {
-  try {
-    return getBaseUrl()
-  } catch (e) {
-    if (typeof window !== 'undefined') return window.location.origin
-    throw e
-  }
+  return getBrowserOrigin() ?? getBaseUrl()
 }
 
 export const client = createAuthClient({

apps/sim/lib/auth/auth.ts

@@ -79,7 +79,7 @@ import {
   isSignupEmailValidationEnabled,
 } from '@/lib/core/config/feature-flags'
 import { PlatformEvents } from '@/lib/core/telemetry'
-import { getBaseUrl } from '@/lib/core/utils/urls'
+import { getBaseUrl, isLocalhostUrl, parseOriginList } from '@/lib/core/utils/urls'
 import { processCredentialDraft } from '@/lib/credentials/draft-processor'
 import { sendEmail } from '@/lib/messaging/email/mailer'
 import { getFromEmailAddress, getPersonalEmailFrom } from '@/lib/messaging/email/utils'
@@ -145,6 +145,17 @@ const blockedSignupDomains = env.BLOCKED_SIGNUP_DOMAINS
   ? new Set(env.BLOCKED_SIGNUP_DOMAINS.split(',').map((d) => d.trim().toLowerCase()))
   : null
 
+const additionalTrustedOrigins = parseOriginList(env.TRUSTED_ORIGINS, (value) =>
+  logger.warn('Ignoring invalid entry in TRUSTED_ORIGINS', { value })
+)
+
+if (env.NODE_ENV === 'production' && isLocalhostUrl(getBaseUrl())) {
+  logger.warn(
+    'NEXT_PUBLIC_APP_URL points to localhost in production. Self-hosted deployments must set NEXT_PUBLIC_APP_URL to the public URL users access (e.g. https://sim.example.com), otherwise auth POST requests from any non-localhost origin will be rejected by trustedOrigins. Set TRUSTED_ORIGINS to allow additional public origins.',
+    { baseUrl: getBaseUrl() }
+  )
+}
+
 const validStripeKey = env.STRIPE_SECRET_KEY
 
 let stripeClient = null
@@ -159,6 +170,7 @@ export const auth = betterAuth({
   trustedOrigins: [
     getBaseUrl(),
     ...(env.NEXT_PUBLIC_SOCKET_URL ? [env.NEXT_PUBLIC_SOCKET_URL] : []),
+    ...additionalTrustedOrigins,
     'https://claude.ai',
     'https://claude.com',
   ].filter(Boolean),

apps/sim/lib/core/config/env.ts

@@ -25,6 +25,7 @@ export const env = createEnv({
     ALLOWED_LOGIN_EMAILS:                  z.string().optional(),                  // Comma-separated list of allowed email addresses for login
     ALLOWED_LOGIN_DOMAINS:                 z.string().optional(),                  // Comma-separated list of allowed email domains for login
     BLOCKED_SIGNUP_DOMAINS:                z.string().optional(),                  // Comma-separated list of email domains blocked from signing up (e.g., "gmail.com,yahoo.com")
+    TRUSTED_ORIGINS:                       z.string().optional(),                  // Comma-separated additional origins to trust for auth (e.g., "https://app.example.com,https://www.example.com"). Merged into Better Auth trustedOrigins.
     TURNSTILE_SECRET_KEY:                  z.string().min(1).optional(),           // Cloudflare Turnstile secret key for captcha verification
     SIGNUP_EMAIL_VALIDATION_ENABLED:       z.boolean().optional(),                 // Enable disposable email blocking via better-auth-harmony (55K+ domains)
     ENCRYPTION_KEY:                        z.string().min(32),                     // Key for encrypting sensitive data
@@ -400,7 +401,7 @@ export const env = createEnv({
     NEXT_PUBLIC_APP_URL:                   z.string().url(),                       // Base URL of the application (e.g., https://www.sim.ai)
 
     // Client-side Services
-    NEXT_PUBLIC_SOCKET_URL:                z.string().url().optional(),            // WebSocket server URL for real-time features
+    NEXT_PUBLIC_SOCKET_URL:                z.preprocess((v) => (v === '' ? undefined : v), z.string().url().optional()), // WebSocket server URL for real-time features (empty string treated as unset)
 
     // Billing
     NEXT_PUBLIC_BILLING_ENABLED:           z.boolean().optional(),                 // Enable billing enforcement and usage tracking (client-side)

apps/sim/lib/core/utils/urls.test.ts

@@ -0,0 +1,135 @@
+/**
+ * @vitest-environment jsdom
+ */
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
+
+const { mockGetEnv } = vi.hoisted(() => ({
+  mockGetEnv: vi.fn<(key: string) => string | undefined>(),
+}))
+
+vi.mock('@/lib/core/config/env', () => ({
+  env: {},
+  getEnv: mockGetEnv,
+}))
+
+vi.mock('@/lib/core/config/feature-flags', () => ({
+  isProd: false,
+}))
+
+import {
+  getBrowserOrigin,
+  getSocketUrl,
+  isLocalhostUrl,
+  parseOriginList,
+} from '@/lib/core/utils/urls'
+
+function setLocation(url: string) {
+  Object.defineProperty(window, 'location', {
+    value: new URL(url),
+    writable: true,
+    configurable: true,
+  })
+}
+
+describe('getBrowserOrigin', () => {
+  it('returns the page origin in the browser', () => {
+    setLocation('https://example.com/some/path')
+    expect(getBrowserOrigin()).toBe('https://example.com')
+  })
+})
+
+describe('getSocketUrl', () => {
+  beforeEach(() => {
+    mockGetEnv.mockReset()
+    mockGetEnv.mockReturnValue(undefined)
+  })
+
+  afterEach(() => {
+    vi.restoreAllMocks()
+  })
+
+  it('uses NEXT_PUBLIC_SOCKET_URL when explicitly set', () => {
+    mockGetEnv.mockImplementation((key) =>
+      key === 'NEXT_PUBLIC_SOCKET_URL' ? 'https://socket.example.com' : undefined
+    )
+    setLocation('https://app.example.com/')
+    expect(getSocketUrl()).toBe('https://socket.example.com')
+  })
+
+  it('returns the page origin when served from a non-localhost host', () => {
+    setLocation('https://10.0.3.36/signup')
+    expect(getSocketUrl()).toBe('https://10.0.3.36')
+  })
+
+  it('falls back to localhost:3002 when served from localhost', () => {
+    setLocation('http://localhost:3000/')
+    expect(getSocketUrl()).toBe('http://localhost:3002')
+  })
+
+  it('falls back to localhost:3002 when served from 127.0.0.1', () => {
+    setLocation('http://127.0.0.1:3000/')
+    expect(getSocketUrl()).toBe('http://localhost:3002')
+  })
+
+  it('explicit env var wins over the localhost fallback', () => {
+    mockGetEnv.mockImplementation((key) =>
+      key === 'NEXT_PUBLIC_SOCKET_URL' ? 'http://realtime.local:3002' : undefined
+    )
+    setLocation('http://localhost:3000/')
+    expect(getSocketUrl()).toBe('http://realtime.local:3002')
+  })
+
+  it('treats whitespace-only env var as unset', () => {
+    mockGetEnv.mockImplementation((key) => (key === 'NEXT_PUBLIC_SOCKET_URL' ? '   ' : undefined))
+    setLocation('https://app.example.com/')
+    expect(getSocketUrl()).toBe('https://app.example.com')
+  })
+})
+
+describe('parseOriginList', () => {
+  it('returns an empty array for undefined, null, or empty input', () => {
+    expect(parseOriginList(undefined)).toEqual([])
+    expect(parseOriginList(null)).toEqual([])
+    expect(parseOriginList('')).toEqual([])
+    expect(parseOriginList('   ')).toEqual([])
+  })
+
+  it('parses comma-separated origins and normalizes them', () => {
+    expect(parseOriginList('https://a.example.com, https://b.example.com/path')).toEqual([
+      'https://a.example.com',
+      'https://b.example.com',
+    ])
+  })
+
+  it('dedupes equal origins after normalization', () => {
+    expect(
+      parseOriginList('https://a.example.com,https://a.example.com/foo,https://a.example.com')
+    ).toEqual(['https://a.example.com'])
+  })
+
+  it('drops invalid entries and reports them via the callback', () => {
+    const invalid: string[] = []
+    const result = parseOriginList('https://ok.example.com, not-a-url, ', (v) => invalid.push(v))
+    expect(result).toEqual(['https://ok.example.com'])
+    expect(invalid).toEqual(['not-a-url'])
+  })
+
+  it('preserves non-default ports in the origin', () => {
+    expect(parseOriginList('http://10.0.3.36:8080')).toEqual(['http://10.0.3.36:8080'])
+  })
+})
+
+describe('isLocalhostUrl', () => {
+  it('matches localhost variants', () => {
+    expect(isLocalhostUrl('http://localhost:3000')).toBe(true)
+    expect(isLocalhostUrl('http://127.0.0.1')).toBe(true)
+    expect(isLocalhostUrl('https://localhost')).toBe(true)
+  })
+
+  it('does not match public hostnames or invalid URLs', () => {
+    expect(isLocalhostUrl('https://10.0.3.36')).toBe(false)
+    expect(isLocalhostUrl('https://app.example.com')).toBe(false)
+    expect(isLocalhostUrl('not-a-url')).toBe(false)
+    expect(isLocalhostUrl('')).toBe(false)
+  })
+})

apps/sim/lib/core/utils/urls.ts

@@ -103,6 +103,62 @@ export function getEmailDomain(): string {
 
 const DEFAULT_SOCKET_URL = 'http://localhost:3002'
 const DEFAULT_OLLAMA_URL = 'http://localhost:11434'
+const LOCALHOST_HOSTNAMES = new Set(['localhost', '127.0.0.1', '[::1]', '::1'])
+
+/**
+ * Parses a comma-separated list of origins (e.g. from a `TRUSTED_ORIGINS` env
+ * var) into a deduped array of normalized origins. Invalid entries are dropped.
+ *
+ * @param raw - Comma-separated origin list, or undefined/empty
+ * @param onInvalid - Optional callback invoked once per invalid entry
+ */
+export function parseOriginList(
+  raw: string | undefined | null,
+  onInvalid?: (value: string) => void
+): string[] {
+  if (!raw) return []
+  const seen = new Set<string>()
+  const origins: string[] = []
+  for (const candidate of raw.split(',')) {
+    const trimmed = candidate.trim()
+    if (!trimmed) continue
+    try {
+      const { origin } = new URL(trimmed)
+      if (!seen.has(origin)) {
+        seen.add(origin)
+        origins.push(origin)
+      }
+    } catch {
+      onInvalid?.(trimmed)
+    }
+  }
+  return origins
+}
+
+/**
+ * Returns true when the given URL points at a localhost loopback host.
+ * Used to detect misconfigured deployments where `NEXT_PUBLIC_APP_URL` is left
+ * at its development default in production.
+ */
+export function isLocalhostUrl(url: string): boolean {
+  try {
+    const { hostname } = new URL(url)
+    return LOCALHOST_HOSTNAMES.has(hostname)
+  } catch {
+    return false
+  }
+}
+
+/**
+ * Returns the current browser origin, or `null` when called server-side.
+ *
+ * Use this when an absolute URL is needed for a same-origin resource (auth API,
+ * reverse-proxied socket, etc.) so a misconfigured `NEXT_PUBLIC_*` env var
+ * baked into the client bundle at build time can't pin requests to the wrong host.
+ */
+export function getBrowserOrigin(): string | null {
+  return typeof window !== 'undefined' ? window.location.origin : null
+}
 
 /**
  * Returns the socket server URL for server-side internal API calls.
@@ -114,10 +170,25 @@ export function getSocketServerUrl(): string {
 
 /**
  * Returns the socket server URL for client-side Socket.IO connections.
- * Reads from NEXT_PUBLIC_SOCKET_URL with a localhost fallback for development.
+ *
+ * Resolution order:
+ * 1. `NEXT_PUBLIC_SOCKET_URL` if explicitly set (subdomain, separate host:port)
+ * 2. In the browser when the page is served from a non-localhost origin, the
+ *    page's own origin — assumes the reverse proxy routes `/socket.io` to the
+ *    realtime service. This avoids shipping a hardcoded `localhost:3002` to
+ *    self-hosters behind nginx/Cloudflare.
+ * 3. `http://localhost:3002` for local development and SSR.
  */
 export function getSocketUrl(): string {
-  return getEnv('NEXT_PUBLIC_SOCKET_URL') || DEFAULT_SOCKET_URL
+  const explicit = getEnv('NEXT_PUBLIC_SOCKET_URL')?.trim()
+  if (explicit) return explicit
+
+  const browserOrigin = getBrowserOrigin()
+  if (browserOrigin && !LOCALHOST_HOSTNAMES.has(window.location.hostname)) {
+    return browserOrigin
+  }
+
+  return DEFAULT_SOCKET_URL
 }
 
 /**

bun.lock

@@ -13,6 +13,10 @@ services:
       - DATABASE_URL=postgresql://${POSTGRES_USER:-postgres}:${POSTGRES_PASSWORD:-postgres}@db:5432/${POSTGRES_DB:-simstudio}
       - BETTER_AUTH_URL=${NEXT_PUBLIC_APP_URL:-http://localhost:3000}
       - NEXT_PUBLIC_APP_URL=${NEXT_PUBLIC_APP_URL:-http://localhost:3000}
+      # TRUSTED_ORIGINS: comma-separated public origins to trust for auth in
+      # addition to NEXT_PUBLIC_APP_URL. Use when serving from multiple domains
+      # (apex + www, alias hostnames, reverse-proxy IPs). Empty by default.
+      - TRUSTED_ORIGINS=${TRUSTED_ORIGINS:-}
       - BETTER_AUTH_SECRET=${BETTER_AUTH_SECRET}
       - ENCRYPTION_KEY=${ENCRYPTION_KEY}
       - API_ENCRYPTION_KEY=${API_ENCRYPTION_KEY:-}
@@ -22,7 +26,11 @@ services:
       - SIM_AGENT_API_URL=${SIM_AGENT_API_URL}
       - OLLAMA_URL=${OLLAMA_URL:-http://localhost:11434}
       - SOCKET_SERVER_URL=${SOCKET_SERVER_URL:-http://realtime:3002}
-      - NEXT_PUBLIC_SOCKET_URL=${NEXT_PUBLIC_SOCKET_URL:-http://localhost:3002}
+      # NEXT_PUBLIC_SOCKET_URL is read by the browser. Leaving it unset lets the
+      # client default to the page's own origin (assumes the reverse proxy routes
+      # /socket.io). Set it explicitly only when the realtime service is on a
+      # different host:port from the app (e.g. wss://socket.example.com).
+      - NEXT_PUBLIC_SOCKET_URL=${NEXT_PUBLIC_SOCKET_URL:-}
       - ADMISSION_GATE_MAX_INFLIGHT=${ADMISSION_GATE_MAX_INFLIGHT:-500}
     depends_on:
       db: