feat: add trusted origins configuration for auth

[adelrodriguez]

Greptile Overview

Greptile Summary

This PR extracts the hardcoded trustedOrigins: ["init://"] into a configurable AUTH_TRUSTED_ORIGINS environment variable with comprehensive regex-based parsing for HTTP/HTTPS origins, wildcard subdomains, and custom URL schemes.

Key changes:

• Removed hardcoded init:// from auth/options.ts
• Added AUTH_TRUSTED_ORIGINS env var with CSV parsing and pattern matching
• Passes env value to createAuth() configuration

Critical issue:

• AUTH_TRUSTED_ORIGINS is required but has no default value. When the environment variable is unset, the app will fail at runtime during env parsing. Since mobile authentication requires the init:// scheme (per AndroidManifest.xml:27), the default should include this value to prevent breaking existing functionality.

Confidence Score: 2/5

• This PR will break mobile authentication and fail at runtime when AUTH_TRUSTED_ORIGINS is unset
• The missing default value for a required environment variable creates a breaking change that will cause immediate runtime failures in environments where AUTH_TRUSTED_ORIGINS is not explicitly configured
• packages/env/src/presets.ts requires a default value to prevent runtime failures

Important Files Changed

Filename	Overview
packages/env/src/presets.ts	Added AUTH_TRUSTED_ORIGINS env var with comprehensive validation but missing .optional() or default value, causing runtime failures when unset
packages/backend/src/functions/shared/auth/index.ts	Added trustedOrigins: env.AUTH_TRUSTED_ORIGINS to auth config, may pass undefined when env var unset

Sequence Diagram

sequenceDiagram
    participant EnvFile as Environment
    participant PresetFn as auth preset function
    participant Backend as Backend env module
    participant AuthSetup as convexAuth function
    
    EnvFile->>PresetFn: Read AUTH_TRUSTED_ORIGINS
    PresetFn->>PresetFn: Transform CSV to array
    PresetFn->>PresetFn: Check regex patterns
    PresetFn->>Backend: Provide processed value
    Backend->>AuthSetup: Pass trustedOrigins config
    AuthSetup->>AuthSetup: Configure CORS checking

Loading

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

• 🔍 Trigger a full review

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat_add_trusted_origins_configuration_for_auth

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[adelrodriguez]

• feat: add trusted origins configuration for auth #84 👈 (View in Graphite)
• refactor: improve logger initialization and configuration #83
• refactor: centralize environment variable handling with @tooling/env #82
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[greptile-apps]

_{3 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

_{3 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

_{3 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

_{2 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}