fix: cache serverAuth per-host instead of singleton (#125)

onmax · web-flow · commit fa8a758a54ae · 2026-02-13T19:05:38.000+01:00
diff --git a/src/runtime/server/utils/auth.ts b/src/runtime/server/utils/auth.ts
@@ -10,7 +10,7 @@ import { withoutProtocol } from 'ufo'
 
 type AuthInstance = Auth<ReturnType<typeof createServerAuth>>
 
-let _auth: AuthInstance | null = null
+const _authCache = new Map<string, AuthInstance>()
 let _baseURLInferenceLogged = false
 
 function normalizeLoopbackOrigin(origin: string): string {
@@ -144,24 +144,28 @@ function getBaseURL(event?: H3Event): string {
   throw new Error('siteUrl required. Set NUXT_PUBLIC_SITE_URL.')
 }
 
-/** Returns Better Auth instance. Pass event for accurate URL detection on first call. */
+/** Returns Better Auth instance. Caches per resolved host (or single instance when siteUrl is explicit). */
 export function serverAuth(event?: H3Event): AuthInstance {
-  if (_auth)
-    return _auth
-
   const runtimeConfig = useRuntimeConfig()
   const siteUrl = getBaseURL(event)
+  const hasExplicitSiteUrl = runtimeConfig.public.siteUrl && typeof runtimeConfig.public.siteUrl === 'string'
+  const cacheKey = hasExplicitSiteUrl ? '__explicit__' : siteUrl
+
+  const cached = _authCache.get(cacheKey)
+  if (cached)
+    return cached
 
   const database = createDatabase()
   const userConfig = createServerAuth({ runtimeConfig, db })
 
-  _auth = betterAuth({
+  const auth = betterAuth({
     ...userConfig,
     ...(database && { database }),
     secondaryStorage: createSecondaryStorage(),
     secret: runtimeConfig.betterAuthSecret,
     baseURL: siteUrl,
   })
 
-  return _auth
+  _authCache.set(cacheKey, auth)
+  return auth
 }
diff --git a/test/cases/base-url-inference/.nuxtrc b/test/cases/base-url-inference/.nuxtrc
@@ -0,0 +1 @@
+setups.@onmax/nuxt-better-auth="0.0.2-alpha.21"
diff --git a/test/cases/base-url-inference/app/app.vue b/test/cases/base-url-inference/app/app.vue
@@ -0,0 +1,3 @@
+<template>
+  <NuxtPage />
+</template>
diff --git a/test/cases/base-url-inference/app/auth.config.ts b/test/cases/base-url-inference/app/auth.config.ts
@@ -0,0 +1,3 @@
+import { defineClientAuth } from '../../../../src/runtime/config'
+
+export default defineClientAuth({})
diff --git a/test/cases/base-url-inference/nuxt.config.ts b/test/cases/base-url-inference/nuxt.config.ts
@@ -0,0 +1,6 @@
+export default defineNuxtConfig({
+  modules: ['../../../src/module'],
+  runtimeConfig: {
+    betterAuthSecret: 'test-secret-for-testing-only-32chars!',
+  },
+})
diff --git a/test/cases/base-url-inference/server/api/test/base-url.get.ts b/test/cases/base-url-inference/server/api/test/base-url.get.ts
@@ -0,0 +1,4 @@
+export default defineEventHandler((event) => {
+  const auth = serverAuth(event) as { options?: { baseURL?: string } }
+  return { baseURL: auth.options?.baseURL }
+})
diff --git a/test/cases/base-url-inference/server/auth.config.ts b/test/cases/base-url-inference/server/auth.config.ts
@@ -0,0 +1,11 @@
+import { defineServerAuth } from '../../../../src/runtime/config'
+
+export default defineServerAuth(({ runtimeConfig }) => ({
+  appName: 'Base URL inference test app',
+  socialProviders: {
+    github: {
+      clientId: runtimeConfig.github?.clientId || 'test',
+      clientSecret: runtimeConfig.github?.clientSecret || 'test',
+    },
+  },
+}))
diff --git a/test/server-auth-base-url-cache.test.ts b/test/server-auth-base-url-cache.test.ts
@@ -0,0 +1,32 @@
+import { fileURLToPath } from 'node:url'
+import { setup, url } from '@nuxt/test-utils/e2e'
+import { describe, expect, it } from 'vitest'
+
+describe('serverAuth baseURL inference', async () => {
+  await setup({
+    rootDir: fileURLToPath(new URL('./cases/base-url-inference', import.meta.url)),
+  })
+
+  it('derives baseURL from each request host when siteUrl is unset', async () => {
+    const firstResponse = await fetch(url('/api/test/base-url'), {
+      headers: {
+        'x-forwarded-host': 'first.example.com',
+        'x-forwarded-proto': 'https',
+      },
+    })
+    expect(firstResponse.status).toBe(200)
+    const firstBody = await firstResponse.json() as { baseURL: string | undefined }
+
+    const secondResponse = await fetch(url('/api/test/base-url'), {
+      headers: {
+        'x-forwarded-host': 'second.example.com',
+        'x-forwarded-proto': 'https',
+      },
+    })
+    expect(secondResponse.status).toBe(200)
+    const secondBody = await secondResponse.json() as { baseURL: string | undefined }
+
+    expect(firstBody.baseURL).toBe('https://first.example.com')
+    expect(secondBody.baseURL).toBe('https://second.example.com')
+  })
+})

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+setups.@onmax/nuxt-better-auth="0.0.2-alpha.21"`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+<template>`
	`2`	`+ <NuxtPage />`
	`3`	`+</template>`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+import { defineClientAuth } from '../../../../src/runtime/config'`
	`2`	`+`
	`3`	`+export default defineClientAuth({})`