fix(app): stabilize auth bootstrap and direct backend integration

Backend/index.ts

@@ -30,6 +30,10 @@ const openApiDocument = buildOpenApiDocument();
 const trustedOrigins = process.env.BETTER_AUTH_TRUSTED_ORIGINS
   ? process.env.BETTER_AUTH_TRUSTED_ORIGINS.split(',').map((origin) => origin.trim()).filter(Boolean)
   : [];
+const corsMiddleware = cors({
+  origin: trustedOrigins.length > 0 ? trustedOrigins : true,
+  credentials: true,
+});
 
 const buildMinioConnectOrigin = (): string | null => {
   const endpoint = process.env.MINIO_ENDPOINT?.trim();
@@ -71,8 +75,6 @@ app.get('/openapi.json', (_req, res) => {
 
 app.use('/docs', swaggerUi.serve, swaggerUi.setup(openApiDocument));
 
-app.all('/api/auth/*splat', toNodeHandler(auth));
-
 app.use(
   helmet({
     contentSecurityPolicy: {
@@ -88,12 +90,8 @@ app.use(
     },
   }),
 );
-app.use(
-  cors({
-    origin: trustedOrigins.length > 0 ? trustedOrigins : true,
-    credentials: true,
-  }),
-);
+app.use(corsMiddleware);
+app.all('/api/auth/*splat', corsMiddleware, toNodeHandler(auth));
 app.use(rateLimit({ keyPrefix: 'global', windowMs: 60_000, max: 400 }));
 app.use(requestContext);
 app.use(express.json());