fix(cli): implement dynamic CORS origin handling and improve database connection logic

Author: zpg6

cli/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@better-auth-cloudflare/cli",
-    "version": "0.1.18",
+    "version": "0.1.19",
     "description": "CLI to generate Better Auth Cloudflare projects (Hono or OpenNext.js)",
     "author": "Zach Grimaldi",
     "repository": {

cli/src/index.ts

@@ -12,6 +12,7 @@ import {
     extractKvNamespaceId,
     initializeGitRepository,
     parseWranglerToml,
+    replaceDemoCorsOrigin,
     updateD1BlockWithId,
     updateHyperdriveBlockWithId,
     updateKvBlockWithId,
@@ -1502,7 +1503,7 @@ export const verification = {} as any;`;
                     );
                 }
                 if (answers.database === "hyperdrive-mysql") {
-                    return code.replace(/dialect:\s*"sqlite"/g, 'dialect: "mysql2"').replace(
+                    return code.replace(/dialect:\s*"sqlite"/g, 'dialect: "mysql"').replace(
                         /\.\.\.\(process\.env\.NODE_ENV === "production"[\s\S]*?\}\),/g,
                         `...(process.env.NODE_ENV === "production"
         ? {
@@ -1519,6 +1520,12 @@ export const verification = {} as any;`;
                 }
                 return code;
             });
+
+            // Replace the demo CORS origin with a dynamic function that derives
+            // the allowed origin from the request URL (works in dev, prod, and custom domains)
+            const honoEntryPath = join(targetDir, "src/index.ts");
+            debugLog("Replacing demo CORS origin with dynamic origin function");
+            tryUpdateFile(honoEntryPath, replaceDemoCorsOrigin);
         }
 
         if (isNext) {
@@ -1584,7 +1591,7 @@ export const verification = {} as any;`;
                     );
                 }
                 if (answers.database === "hyperdrive-mysql") {
-                    return code.replace(/dialect:\s*"sqlite"/g, 'dialect: "mysql2"').replace(
+                    return code.replace(/dialect:\s*"sqlite"/g, 'dialect: "mysql"').replace(
                         /\.\.\.\(process\.env\.NODE_ENV === "production"[\s\S]*?\}\),/g,
                         `...(process.env.NODE_ENV === "production"
         ? {
@@ -1961,7 +1968,9 @@ export const verification = {} as any;`;
         if (authRes.code === 0) {
             genAuth.succeed("Auth schema updated.");
 
-            // Restore original schema.ts and index.ts after successful auth generation for non-D1 databases
+            // Regenerate schema.ts and db/index.ts after auth generation for non-D1 databases.
+            // The pre-auth-generation temp files used simplified versions to avoid circular deps;
+            // now we write back the correct generated content.
             if (answers.database !== "d1") {
                 const tempSchemaBackupPath = join(targetDir, ".schema-backup.tmp");
                 const tempIndexBackupPath = join(targetDir, ".index-backup.tmp");
@@ -1975,12 +1984,23 @@ export const verification = {} as any;`;
                     rmSync(tempSchemaBackupPath, { force: true });
                 }
 
+                // Regenerate the correct db/index.ts instead of restoring the template default,
+                // since the final generated version (with correct DB driver) was already written
+                // before auth:update overwrote it with the temp version.
                 if (existsSync(tempIndexBackupPath)) {
-                    debugLog(`Restoring original index file: ${indexPath}`);
-                    const originalIndexContent = readFileSync(tempIndexBackupPath, "utf8");
-                    writeFileSync(indexPath, originalIndexContent, "utf8");
                     rmSync(tempIndexBackupPath, { force: true });
                 }
+                const { generateDbIndex } = await import("./lib/db-generator");
+                const postAuthDbConfig = {
+                    template: answers.template as "hono" | "nextjs",
+                    database: answers.database === "hyperdrive-postgres" ? ("postgres" as const) : ("mysql" as const),
+                    bindings: {
+                        d1: answers.d1Binding,
+                        hyperdrive: answers.hdBinding,
+                    },
+                };
+                debugLog(`Regenerating db/index.ts with correct driver: ${indexPath}`);
+                writeFileSync(indexPath, generateDbIndex(postAuthDbConfig));
             }
         } else {
             genAuth.fail("Failed to generate auth schema.");

cli/src/lib/auth-generator.ts

@@ -39,6 +39,7 @@ function generateHonoAuth(config: AuthConfig): string {
         imports.push(`import { drizzle } from "drizzle-orm/postgres-js";`);
     } else {
         imports.push(`import { drizzle } from "drizzle-orm/mysql2";`);
+        imports.push(`import mysql from "mysql2";`);
     }
 
     imports.push(`import { schema } from "../db";`, `import type { CloudflareBindings } from "../env";`);
@@ -205,47 +206,49 @@ function generateHonoCloudflareConfig(config: AuthConfig): string {
     if (config.resources.r2) {
         parts.push(`
                 // R2 configuration for file storage (${config.bindings.r2 || "R2_BUCKET"} binding from wrangler.toml)
-                r2: {
-                    bucket: env?.${config.bindings.r2 || "R2_BUCKET"},
-                    maxFileSize: 2 * 1024 * 1024, // 2MB
-                    allowedTypes: [".jpg", ".jpeg", ".png", ".gif"],
-                    additionalFields: {
-                        category: { type: "string", required: false },
-                        isPublic: { type: "boolean", required: false },
-                        description: { type: "string", required: false },
-                    },
-                    hooks: {
-                        upload: {
-                            before: async (file, ctx) => {
-                                // Only allow authenticated users to upload files
-                                if (ctx.session === null) {
-                                    return null; // Blocks upload
-                                }
-
-                                // Only allow paid users to upload files (for example)
-                                const isPaidUser = (userId: string) => true; // example
-                                if (isPaidUser(ctx.session.user.id) === false) {
-                                    return null; // Blocks upload
-                                }
-
-                                // Allow upload
-                            },
-                            after: async (file, ctx) => {
-                                // Track your analytics (for example)
-                                console.log("File uploaded:", file);
-                            },
+                ...(env?.${config.bindings.r2 || "R2_BUCKET"} ? {
+                    r2: {
+                        bucket: env.${config.bindings.r2 || "R2_BUCKET"},
+                        maxFileSize: 2 * 1024 * 1024, // 2MB
+                        allowedTypes: [".jpg", ".jpeg", ".png", ".gif"],
+                        additionalFields: {
+                            category: { type: "string", required: false },
+                            isPublic: { type: "boolean", required: false },
+                            description: { type: "string", required: false },
                         },
-                        download: {
-                            before: async (file, ctx) => {
-                                // Only allow user to access their own files (by default all files are public)
-                                if (file.isPublic === false && file.userId !== ctx.session?.user.id) {
-                                    return null; // Blocks download
-                                }
-                                // Allow download
+                        hooks: {
+                            upload: {
+                                before: async (file, ctx) => {
+                                    // Only allow authenticated users to upload files
+                                    if (ctx.session === null) {
+                                        return null; // Blocks upload
+                                    }
+
+                                    // Only allow paid users to upload files (for example)
+                                    const isPaidUser = (userId: string) => true; // example
+                                    if (isPaidUser(ctx.session.user.id) === false) {
+                                        return null; // Blocks upload
+                                    }
+
+                                    // Allow upload
+                                },
+                                after: async (file, ctx) => {
+                                    // Track your analytics (for example)
+                                    console.log("File uploaded:", file);
+                                },
+                            },
+                            download: {
+                                before: async (file, ctx) => {
+                                    // Only allow user to access their own files (by default all files are public)
+                                    if (file.isPublic === false && file.userId !== ctx.session?.user.id) {
+                                        return null; // Blocks download
+                                    }
+                                    // Allow download
+                                },
                             },
                         },
                     },
-                },`);
+                } : {}),`);
     }
 
     return parts.join("");
@@ -351,12 +354,19 @@ const generateHonoSchemaConfig = generateSchemaConfig;
 const generateNextjsSchemaConfig = generateSchemaConfig;
 
 function generateDbConnection(config: AuthConfig): string {
+    const binding = config.bindings.hyperdrive || "HYPERDRIVE";
     if (config.database === "sqlite") {
         return `drizzle(env.${config.bindings.d1 || "DATABASE"}, { schema, logger: true })`;
     } else if (config.database === "postgres") {
-        return `drizzle(env.${config.bindings.hyperdrive || "HYPERDRIVE"}, { schema, logger: true })`;
+        return `drizzle(env.${binding}, { schema, logger: true })`;
     } else {
-        return `drizzle(env.${config.bindings.hyperdrive || "HYPERDRIVE"}, { schema, logger: true })`;
+        return `drizzle(mysql.createPool({
+        host: env.${binding}.host,
+        user: env.${binding}.user,
+        password: env.${binding}.password,
+        database: env.${binding}.database,
+        port: env.${binding}.port,
+    }), { schema, mode: "default", logger: true })`;
     }
 }
 

cli/src/lib/helpers.ts

@@ -4,6 +4,23 @@ export interface JSONObject {
 }
 export interface JSONArray extends Array<JSONValue> {}
 
+const DYNAMIC_CORS_ORIGIN = `origin: (requestOrigin: string, c) => {
+            const self = new URL(c.req.url).origin;
+            return requestOrigin === self ? requestOrigin : "";
+        },`;
+
+/**
+ * Replace a hardcoded/wildcard CORS origin in the Hono template with a dynamic
+ * origin function that derives the allowed origin from the request URL.
+ * Handles both the demo URL and the wildcard `"*"` placeholder.
+ * Returns the input unchanged if neither pattern is present.
+ */
+export function replaceDemoCorsOrigin(code: string): string {
+    return code
+        .replace(`origin: "https://better-auth-cloudflare-hono.zpg6.workers.dev",`, DYNAMIC_CORS_ORIGIN)
+        .replace(/origin: "\*",.*/, DYNAMIC_CORS_ORIGIN);
+}
+
 export function validateBindingName(name: string): string | undefined {
     if (!name || name.trim().length === 0) return "Please enter a binding name";
     if (!/^[A-Z0-9_]+$/.test(name)) return "Use ONLY A-Z, 0-9, and underscores";

cli/tests/auth-generator.test.ts

@@ -80,7 +80,7 @@ describe("Auth Generator", () => {
 
             const result = generateAuthFile(config);
 
-            expect(result).toContain("bucket: env?.MY_BUCKET");
+            expect(result).toContain("bucket: env.MY_BUCKET");
             expect(result).toContain("maxFileSize: 2 * 1024 * 1024");
             expect(result).toContain('allowedTypes: [".jpg", ".jpeg", ".png", ".gif"]');
             expect(result).toContain("hooks: {");
@@ -98,7 +98,7 @@ describe("Auth Generator", () => {
 
             expect(result).toContain("d1: env");
             expect(result).toContain("kv: env?.KV");
-            expect(result).toContain("bucket: env?.R2_BUCKET");
+            expect(result).toContain("bucket: env.R2_BUCKET");
         });
     });
 
@@ -247,7 +247,7 @@ describe("Auth Generator", () => {
 
             // Should use default binding names
             expect(result).toContain("kv: env?.KV");
-            expect(result).toContain("bucket: env?.R2_BUCKET");
+            expect(result).toContain("bucket: env.R2_BUCKET");
         });
 
         test("handles empty resources", () => {

cli/tests/cors-origin-replacement.test.ts

@@ -0,0 +1,94 @@
+import { describe, test, expect } from "bun:test";
+import { readFileSync } from "fs";
+import { join } from "path";
+import { replaceDemoCorsOrigin } from "../src/lib/helpers";
+
+const HONO_TEMPLATE_SRC = readFileSync(join(__dirname, "../../examples/hono/src/index.ts"), "utf8");
+
+const DEMO_URL = "better-auth-cloudflare-hono.zpg6.workers.dev";
+
+const WILDCARD_VARIANT = HONO_TEMPLATE_SRC.replace(
+    `origin: "https://${DEMO_URL}",`,
+    'origin: "*", // In production, replace with your actual domain'
+);
+
+describe("replaceDemoCorsOrigin", () => {
+    describe("demo URL variant", () => {
+        test("removes the hardcoded demo URL", () => {
+            const result = replaceDemoCorsOrigin(HONO_TEMPLATE_SRC);
+            expect(result).not.toContain(DEMO_URL);
+        });
+
+        test("inserts dynamic origin callback", () => {
+            const result = replaceDemoCorsOrigin(HONO_TEMPLATE_SRC);
+            expect(result).toContain("origin: (requestOrigin: string, c) =>");
+            expect(result).toContain("new URL(c.req.url).origin");
+        });
+
+        test("produces syntactically valid CORS block", () => {
+            const result = replaceDemoCorsOrigin(HONO_TEMPLATE_SRC);
+            const corsBlockMatch = result.match(/cors\(\{([\s\S]*?)\}\)/);
+            expect(corsBlockMatch).not.toBeNull();
+            const corsBody = corsBlockMatch![1];
+            expect(corsBody).toContain("origin:");
+            expect(corsBody).toContain("allowHeaders:");
+            expect(corsBody).toContain("credentials:");
+        });
+    });
+
+    describe('wildcard variant (origin: "*")', () => {
+        test("removes the wildcard origin", () => {
+            const result = replaceDemoCorsOrigin(WILDCARD_VARIANT);
+            expect(result).not.toContain('origin: "*"');
+        });
+
+        test("inserts dynamic origin callback", () => {
+            const result = replaceDemoCorsOrigin(WILDCARD_VARIANT);
+            expect(result).toContain("origin: (requestOrigin: string, c) =>");
+            expect(result).toContain("new URL(c.req.url).origin");
+        });
+
+        test("produces syntactically valid CORS block", () => {
+            const result = replaceDemoCorsOrigin(WILDCARD_VARIANT);
+            const corsBlockMatch = result.match(/cors\(\{([\s\S]*?)\}\)/);
+            expect(corsBlockMatch).not.toBeNull();
+            const corsBody = corsBlockMatch![1];
+            expect(corsBody).toContain("origin:");
+            expect(corsBody).toContain("allowHeaders:");
+            expect(corsBody).toContain("credentials:");
+        });
+    });
+
+    test("does NOT run on NextJS template content (no-op for unrelated files)", () => {
+        const nextjsContent = `
+import { NextResponse } from "next/server";
+export async function middleware(request) {
+    return NextResponse.next();
+}
+`;
+        const result = replaceDemoCorsOrigin(nextjsContent);
+        expect(result).toBe(nextjsContent);
+    });
+
+    test("is idempotent — second call is a no-op", () => {
+        const first = replaceDemoCorsOrigin(HONO_TEMPLATE_SRC);
+        const second = replaceDemoCorsOrigin(first);
+        expect(second).toBe(first);
+    });
+
+    test("is idempotent for wildcard variant", () => {
+        const first = replaceDemoCorsOrigin(WILDCARD_VARIANT);
+        const second = replaceDemoCorsOrigin(first);
+        expect(second).toBe(first);
+    });
+
+    test("does not corrupt the file when neither pattern is present", () => {
+        const alreadyEdited = HONO_TEMPLATE_SRC.replace(
+            `origin: "https://${DEMO_URL}",`,
+            'origin: "https://my-custom-domain.com",'
+        );
+        const result = replaceDemoCorsOrigin(alreadyEdited);
+        expect(result).toBe(alreadyEdited);
+        expect(result).toContain('origin: "https://my-custom-domain.com"');
+    });
+});

cli/tests/integration/validators.ts

@@ -350,6 +350,9 @@ export class FileValidator {
                 if (!index.includes("/api/auth/*")) {
                     errors.push("Missing auth routes in Hono app");
                 }
+                if (index.includes('origin: "*"') || index.includes("better-auth-cloudflare-hono.zpg6.workers.dev")) {
+                    errors.push("CORS origin should be replaced with dynamic origin function");
+                }
             } catch (error) {
                 errors.push(`Failed to read index.ts: ${error}`);
             }

examples/opennextjs/src/app/dashboard/SignOutButton.tsx

@@ -48,10 +48,9 @@ export default function SignOutButton() {
                     },
                 },
             });
-        } catch (e: any) {
-            // Catch any unexpected errors during the signOut call itself
+        } catch (e) {
             console.error("Unexpected sign out error:", e);
-            setError(e.message || "An unexpected error occurred. Please try again.");
+            setError(e instanceof Error ? e.message : "An unexpected error occurred. Please try again.");
             // router.replace("/"); // Fallback redirect
         } finally {
             setIsLoading(false);