@openhi/constructs 0.0.141 → 0.0.142

package/lib/index.mjs

@@ -2992,6 +2992,11 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
    * the website service will see at synth time. Both hostnames are
    * `https://`-only — they always resolve to real DNS records.
    *
+   * The stage's `additionalTrustedClientOrigins` config entries (e.g. on-site
+   * customer SPA hosts) are appended verbatim — both `http://` and `https://`
+   * entries flow into CORS. Scheme filtering is OAuth-specific and happens
+   * in `OpenHiAuthService.resolveOAuthRedirectUrls`.
+   *
    * Auto-injected on every stage (no `isNonProd` gate) so the admin SPA can
    * call the API cross-origin without the caller having to predict the
    * per-deploy hostname. Override to customize the auto-injected set.
@@ -3011,7 +3016,9 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
       childZonePrefix: this.childZonePrefix,
       zoneName
     });
-    return [`https://${adminHost}`, `https://${websiteHost}`];
+    const stageType = this.ohEnv.ohStage.stageType;
+    const additional = this.ohEnv.ohStage.ohApp.config.deploymentTargets?.[stageType]?.additionalTrustedClientOrigins ?? [];
+    return [`https://${adminHost}`, `https://${websiteHost}`, ...additional];
   }
   /**
    * Builds the full `CorsPreflightOptions` from a merged origins array,
@@ -3712,14 +3719,20 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
    * - `https://admin{,-<childZonePrefix>}.<zone>/oauth/{callback,logout}`
    * - `https://www{,-<childZonePrefix>}.<zone>/oauth/{callback,logout}`
    *
-   * Both deployed-host pairs are auto-injected on every stage. On non-prod
-   * stages the localhost dev URLs from {@link LOCALHOST_OAUTH_CALLBACK_URLS}
-   * / {@link LOCALHOST_OAUTH_LOGOUT_URLS} join the merge; on prod they are
+   * Both deployed-host pairs are auto-injected on every stage. The stage's
+   * `additionalTrustedClientOrigins` entries (e.g. on-site customer SPA
+   * hosts) are filtered to `https://`-prefix values and contribute
+   * `/oauth/callback` + `/oauth/logout` URLs to the merge — Cognito rejects
+   * non-localhost http callbacks, so `http://` entries are silently dropped.
+   * On non-prod stages the localhost dev URLs from
+   * {@link LOCALHOST_OAUTH_CALLBACK_URLS} /
+   * {@link LOCALHOST_OAUTH_LOGOUT_URLS} join the merge; on prod they are
    * deliberately excluded.
    *
    * If `zoneName` is absent (no-DNS test configurations), the deployed-host
-   * pairs are skipped — only the localhost set survives, and only on
-   * non-prod. Override to customize.
+   * pairs are skipped — only the localhost set and any configured
+   * additional `https://` origins survive (the latter on every stage).
+   * Override to customize.
    */
   resolveOAuthRedirectUrls() {
     const isNonProd = this.ohEnv.ohStage.stageType !== import_config7.OPEN_HI_STAGE.PROD;
@@ -3741,15 +3754,21 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
       });
       deployedOrigins.push(`https://${adminHost}`, `https://${websiteHost}`);
     }
+    const stageType = this.ohEnv.ohStage.stageType;
+    const additionalHttpsOrigins = this.ohEnv.ohStage.ohApp.config.deploymentTargets?.[stageType]?.additionalTrustedClientOrigins?.filter(
+      (o) => o.startsWith("https://")
+    ) ?? [];
     const localhostCallbacks = isNonProd ? LOCALHOST_OAUTH_CALLBACK_URLS : [];
     const localhostLogouts = isNonProd ? LOCALHOST_OAUTH_LOGOUT_URLS : [];
     return {
       callbackUrls: [
         ...deployedOrigins.map((o) => `${o}/oauth/callback`),
+        ...additionalHttpsOrigins.map((o) => `${o}/oauth/callback`),
         ...localhostCallbacks
       ],
       logoutUrls: [
         ...deployedOrigins.map((o) => `${o}/oauth/logout`),
+        ...additionalHttpsOrigins.map((o) => `${o}/oauth/logout`),
         ...localhostLogouts
       ]
     };