Fix CORS for dynamic rspace.online subdomains in EncryptID

The allowedOrigins array only listed explicit subdomains (auth, cca, demo,
app, dev) so any canvas slug subdomain like create.rspace.online was
rejected by CORS. Switch to a function-based origin check that allows all
*.rspace.online subdomains dynamically.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

src/encryptid/server.ts

@@ -194,7 +194,17 @@ const app = new Hono();
 // Middleware
 app.use('*', logger());
 app.use('*', cors({
-  origin: CONFIG.allowedOrigins,
+  origin: (origin) => {
+    // Allow all *.rspace.online subdomains dynamically (any canvas slug)
+    if (origin === 'https://rspace.online' || origin?.endsWith('.rspace.online')) {
+      return origin;
+    }
+    // Allow explicit r* ecosystem origins
+    if (CONFIG.allowedOrigins.includes(origin)) {
+      return origin;
+    }
+    return undefined;
+  },
   allowMethods: ['GET', 'POST', 'DELETE', 'OPTIONS'],
   allowHeaders: ['Content-Type', 'Authorization'],
   credentials: true,
@@ -236,15 +246,15 @@ function resolveRpId(c: any): string {
   try {
     const url = new URL(origin);
     const hostname = url.hostname;
-    // Check if this origin is in our allowed list
+    // All *.rspace.online subdomains use rspace.online as RP ID
+    if (hostname.endsWith('.rspace.online') || hostname === 'rspace.online') {
+      return 'rspace.online';
+    }
+    // Check if this origin is in our explicit allowed list
     const isAllowed = CONFIG.allowedOrigins.some(o => {
       try { return new URL(o).hostname === hostname; } catch { return false; }
     });
     if (isAllowed && hostname !== 'localhost') {
-      // For *.rspace.online subdomains, use rspace.online
-      if (hostname.endsWith('.rspace.online') || hostname === 'rspace.online') {
-        return 'rspace.online';
-      }
       // For other allowed origins, use their domain as RP ID
       return hostname;
     }