fix: redirect middleware shouldn't check baseURL

package.json

@@ -13,7 +13,7 @@
         "lint": "biome check .",
         "lint:fix": "biome check . --apply",
         "release": "turbo --filter \"./packages/*\" build && bumpp && pnpm -r publish --access public --no-git-checks",
-        "release:no-build": "bumpp && pnpm -r publish --access public --no-git-checks",
+        "release:no-build": "bumpp && pnpm -r publish --access public --no-git-checks --tag next",
         "release:beta": "turbo --filter \"./packages/*\" build && bumpp && pnpm -r publish --access public --tag next --no-git-checks",
         "test": "turbo --filter \"./packages/*\" test",
         "typecheck": "turbo --filter \"./packages/*\" typecheck"

packages/better-auth/src/api/middlewares/redirect.ts

@@ -7,15 +7,14 @@ import { logger } from "../../utils/logger";
  * preventing open redirect attacks.
  */
 export const redirectURLMiddleware = createAuthMiddleware(async (ctx) => {
-	const { body, query, headers, context } = ctx;
+	const { body, query, context } = ctx;
 
 	const callbackURL =
 		body?.callbackURL ||
 		query?.callbackURL ||
 		query?.redirectTo ||
 		body?.redirectTo;
-	const currentURL =
+	const currentURL = query?.currentURL;
-		query?.currentURL || headers?.get("referer") || context.baseURL;
 	const trustedOrigins = context.trustedOrigins;
 
 	const validateURL = (url: string | undefined, label: string) => {

packages/better-auth/src/auth.ts

@@ -30,8 +30,8 @@ export const betterAuth = <O extends BetterAuthOptions>(options: O) => {
 					getBaseURL(undefined, basePath) || `${url.origin}${basePath}`;
 				ctx.options.baseURL = baseURL;
 				ctx.baseURL = baseURL;
-				ctx.trustedOrigins = [url.origin];
 			}
+			ctx.trustedOrigins = [url.origin, ...(ctx.options.trustedOrigins || [])];
 			if (!ctx.options.baseURL) {
 				return new Response("Base URL not set", { status: 400 });
 			}