From 9050298c6fb901524dcb149f970e97d06869da4e Mon Sep 17 00:00:00 2001
From: Jeff Emmett
Date: Thu, 19 Feb 2026 01:55:42 +0000
Subject: [PATCH] Fix CORS for dynamic rspace.online subdomains in EncryptID

The allowedOrigins array only listed explicit subdomains (auth, cca, demo, app, dev) so any canvas slug subdomain like create.rspace.online was rejected by CORS. Switch to a function-based origin check that allows all *.rspace.online subdomains dynamically.

Co-Authored-By: Claude Opus 4.6
---
 src/encryptid/server.ts | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/src/encryptid/server.ts b/src/encryptid/server.ts
index a133119..fe03c16 100644
--- a/src/encryptid/server.ts
+++ b/src/encryptid/server.ts
@@ -194,7 +194,17 @@ const app = new Hono();
 // Middleware
 app.use('*', logger());
 app.use('*', cors({
- origin: CONFIG.allowedOrigins,
+ origin: (origin) => {
+ // Allow all *.rspace.online subdomains dynamically (any canvas slug)
+ if (origin === 'https://rspace.online' || origin?.endsWith('.rspace.online')) {
+ return origin;
+ }
+ // Allow explicit r* ecosystem origins
+ if (CONFIG.allowedOrigins.includes(origin)) {
+ return origin;
+ }
+ return undefined;
+ },
 allowMethods: ['GET', 'POST', 'DELETE', 'OPTIONS'],
 allowHeaders: ['Content-Type', 'Authorization'],
 credentials: true,
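Review bot: The suffix test `origin?.endsWith('.rspace.online')` in the new `origin` callback runs on the raw Origin string and never looks at the scheme, so `http://anything.rspace.online` is reflected back while `credentials: true` stays set a few lines below. Requiring HTTPS in the same condition closes that: `if (origin === 'https://rspace.online' || (origin?.startsWith('https://') && origin.endsWith('.rspace.online'))) {`. Because the rule now admits every subdomain rather than a fixed list, the comment should also state that each canvas-slug host becomes a credentialed origin for this API, so the trust placed in content served from those hosts is explicit. The hostname check added to resolveRpId in the second hunk ignores the scheme in the same way.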
@@ -236,15 +246,15 @@ function resolveRpId(c: any): string {
 try {
 const url = new URL(origin);
 const hostname = url.hostname;
- // Check if this origin is in our allowed list
+ // All *.rspace.online subdomains use rspace.online as RP ID
+ if (hostname.endsWith('.rspace.online') || hostname === 'rspace.online') {
+ return 'rspace.online';
+ }
+ // Check if this origin is in our explicit allowed list
 const isAllowed = CONFIG.allowedOrigins.some(o => {
 try { return new URL(o).hostname === hostname; } catch { return false; }
 });
 if (isAllowed && hostname !== 'localhost') {
- // For *.rspace.online subdomains, use rspace.online
- if (hostname.endsWith('.rspace.online') || hostname === 'rspace.online') {
- return 'rspace.online';
- }
 // For other allowed origins, use their domain as RP ID
 return hostname;
 }
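Review bot: The early return in resolveRpId no longer passes through the `CONFIG.allowedOrigins` lookup, and the one-line comment above it does not say what follows from that: every `*.rspace.online` host now resolves to the same RP ID regardless of configuration. I would extend the comment to `// Any *.rspace.online host maps to the rspace.online RP ID, independent of CONFIG.allowedOrigins; credentials scoped to that RP ID are shared by all subdomains`. The same suffix rule now lives both here and in the CORS callback in the first hunk, written in two different forms (parsed hostname here, raw origin string there), so a small shared helper taking a hostname would keep them from drifting apart. The function starts and ends outside this hunk, so how `origin` is obtained and where the resolved RP ID is later verified are not visible here.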