@openhi/constructs 0.0.141 → 0.0.143

package/lib/index.d.mts

@@ -1688,14 +1688,20 @@ declare class OpenHiAuthService extends OpenHiService {
      * - `https://admin{,-<childZonePrefix>}.<zone>/oauth/{callback,logout}`
      * - `https://www{,-<childZonePrefix>}.<zone>/oauth/{callback,logout}`
      *
-     * Both deployed-host pairs are auto-injected on every stage. On non-prod
-     * stages the localhost dev URLs from {@link LOCALHOST_OAUTH_CALLBACK_URLS}
-     * / {@link LOCALHOST_OAUTH_LOGOUT_URLS} join the merge; on prod they are
+     * Both deployed-host pairs are auto-injected on every stage. The stage's
+     * `additionalTrustedClientOrigins` entries (e.g. on-site customer SPA
+     * hosts) are filtered to `https://`-prefix values and contribute
+     * `/oauth/callback` + `/oauth/logout` URLs to the merge — Cognito rejects
+     * non-localhost http callbacks, so `http://` entries are silently dropped.
+     * On non-prod stages the localhost dev URLs from
+     * {@link LOCALHOST_OAUTH_CALLBACK_URLS} /
+     * {@link LOCALHOST_OAUTH_LOGOUT_URLS} join the merge; on prod they are
      * deliberately excluded.
      *
      * If `zoneName` is absent (no-DNS test configurations), the deployed-host
-     * pairs are skipped — only the localhost set survives, and only on
-     * non-prod. Override to customize.
+     * pairs are skipped — only the localhost set and any configured
+     * additional `https://` origins survive (the latter on every stage).
+     * Override to customize.
      */
     protected resolveOAuthRedirectUrls(): {
         callbackUrls: Array<string>;
@@ -2028,6 +2034,11 @@ declare class OpenHiRestApiService extends OpenHiService {
      * the website service will see at synth time. Both hostnames are
      * `https://`-only — they always resolve to real DNS records.
      *
+     * The stage's `additionalTrustedClientOrigins` config entries (e.g. on-site
+     * customer SPA hosts) are appended verbatim — both `http://` and `https://`
+     * entries flow into CORS. Scheme filtering is OAuth-specific and happens
+     * in `OpenHiAuthService.resolveOAuthRedirectUrls`.
+     *
      * Auto-injected on every stage (no `isNonProd` gate) so the admin SPA can
      * call the API cross-origin without the caller having to predict the
      * per-deploy hostname. Override to customize the auto-injected set.

package/lib/index.d.ts

@@ -95,14 +95,43 @@ interface OpenHiConfig {
         [OPEN_HI_STAGE.DEV]?: {
             [OPEN_HI_DEPLOYMENT_TARGET_ROLE.PRIMARY]?: OpenHiEnvironmentConfig;
             [OPEN_HI_DEPLOYMENT_TARGET_ROLE.SECONDARY]?: Array<OpenHiEnvironmentConfig>;
+            /**
+             * Additional client origins trusted by this stage beyond the
+             * stage-owned admin/website hosts that auto-injection derives from
+             * branch context. Each entry is a full `<scheme>://<host>` string
+             * with no path and no trailing slash (e.g.
+             * `https://main.onsitedev.codedrifters.com`). Consumed by both the
+             * REST API CORS allow-list and the Auth OAuth callback list at the
+             * service layer.
+             */
+            additionalTrustedClientOrigins?: ReadonlyArray<string>;
         };
         [OPEN_HI_STAGE.STAGE]?: {
             [OPEN_HI_DEPLOYMENT_TARGET_ROLE.PRIMARY]?: OpenHiEnvironmentConfig;
             [OPEN_HI_DEPLOYMENT_TARGET_ROLE.SECONDARY]?: Array<OpenHiEnvironmentConfig>;
+            /**
+             * Additional client origins trusted by this stage beyond the
+             * stage-owned admin/website hosts that auto-injection derives from
+             * branch context. Each entry is a full `<scheme>://<host>` string
+             * with no path and no trailing slash (e.g.
+             * `https://main.onsitestage.codedrifters.com`). Consumed by both
+             * the REST API CORS allow-list and the Auth OAuth callback list
+             * at the service layer.
+             */
+            additionalTrustedClientOrigins?: ReadonlyArray<string>;
         };
         [OPEN_HI_STAGE.PROD]?: {
             [OPEN_HI_DEPLOYMENT_TARGET_ROLE.PRIMARY]?: OpenHiEnvironmentConfig;
             [OPEN_HI_DEPLOYMENT_TARGET_ROLE.SECONDARY]?: Array<OpenHiEnvironmentConfig>;
+            /**
+             * Additional client origins trusted by this stage beyond the
+             * stage-owned admin/website hosts that auto-injection derives from
+             * branch context. Each entry is a full `<scheme>://<host>` string
+             * with no path and no trailing slash. Consumed by both the REST
+             * API CORS allow-list and the Auth OAuth callback list at the
+             * service layer.
+             */
+            additionalTrustedClientOrigins?: ReadonlyArray<string>;
         };
     };
 }
@@ -2325,14 +2354,20 @@ declare class OpenHiAuthService extends OpenHiService {
      * - `https://admin{,-<childZonePrefix>}.<zone>/oauth/{callback,logout}`
      * - `https://www{,-<childZonePrefix>}.<zone>/oauth/{callback,logout}`
      *
-     * Both deployed-host pairs are auto-injected on every stage. On non-prod
-     * stages the localhost dev URLs from {@link LOCALHOST_OAUTH_CALLBACK_URLS}
-     * / {@link LOCALHOST_OAUTH_LOGOUT_URLS} join the merge; on prod they are
+     * Both deployed-host pairs are auto-injected on every stage. The stage's
+     * `additionalTrustedClientOrigins` entries (e.g. on-site customer SPA
+     * hosts) are filtered to `https://`-prefix values and contribute
+     * `/oauth/callback` + `/oauth/logout` URLs to the merge — Cognito rejects
+     * non-localhost http callbacks, so `http://` entries are silently dropped.
+     * On non-prod stages the localhost dev URLs from
+     * {@link LOCALHOST_OAUTH_CALLBACK_URLS} /
+     * {@link LOCALHOST_OAUTH_LOGOUT_URLS} join the merge; on prod they are
      * deliberately excluded.
      *
      * If `zoneName` is absent (no-DNS test configurations), the deployed-host
-     * pairs are skipped — only the localhost set survives, and only on
-     * non-prod. Override to customize.
+     * pairs are skipped — only the localhost set and any configured
+     * additional `https://` origins survive (the latter on every stage).
+     * Override to customize.
      */
     protected resolveOAuthRedirectUrls(): {
         callbackUrls: Array<string>;
@@ -2665,6 +2700,11 @@ declare class OpenHiRestApiService extends OpenHiService {
      * the website service will see at synth time. Both hostnames are
      * `https://`-only — they always resolve to real DNS records.
      *
+     * The stage's `additionalTrustedClientOrigins` config entries (e.g. on-site
+     * customer SPA hosts) are appended verbatim — both `http://` and `https://`
+     * entries flow into CORS. Scheme filtering is OAuth-specific and happens
+     * in `OpenHiAuthService.resolveOAuthRedirectUrls`.
+     *
      * Auto-injected on every stage (no `isNonProd` gate) so the admin SPA can
      * call the API cross-origin without the caller having to predict the
      * per-deploy hostname. Override to customize the auto-injected set.

package/lib/index.js

@@ -7196,6 +7196,11 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
    * the website service will see at synth time. Both hostnames are
    * `https://`-only — they always resolve to real DNS records.
    *
+   * The stage's `additionalTrustedClientOrigins` config entries (e.g. on-site
+   * customer SPA hosts) are appended verbatim — both `http://` and `https://`
+   * entries flow into CORS. Scheme filtering is OAuth-specific and happens
+   * in `OpenHiAuthService.resolveOAuthRedirectUrls`.
+   *
    * Auto-injected on every stage (no `isNonProd` gate) so the admin SPA can
    * call the API cross-origin without the caller having to predict the
    * per-deploy hostname. Override to customize the auto-injected set.
@@ -7215,7 +7220,9 @@ var _OpenHiRestApiService = class _OpenHiRestApiService extends OpenHiService {
       childZonePrefix: this.childZonePrefix,
       zoneName
     });
-    return [`https://${adminHost}`, `https://${websiteHost}`];
+    const stageType = this.ohEnv.ohStage.stageType;
+    const additional = this.ohEnv.ohStage.ohApp.config.deploymentTargets?.[stageType]?.additionalTrustedClientOrigins ?? [];
+    return [`https://${adminHost}`, `https://${websiteHost}`, ...additional];
   }
   /**
    * Builds the full `CorsPreflightOptions` from a merged origins array,
@@ -7941,14 +7948,20 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
    * - `https://admin{,-<childZonePrefix>}.<zone>/oauth/{callback,logout}`
    * - `https://www{,-<childZonePrefix>}.<zone>/oauth/{callback,logout}`
    *
-   * Both deployed-host pairs are auto-injected on every stage. On non-prod
-   * stages the localhost dev URLs from {@link LOCALHOST_OAUTH_CALLBACK_URLS}
-   * / {@link LOCALHOST_OAUTH_LOGOUT_URLS} join the merge; on prod they are
+   * Both deployed-host pairs are auto-injected on every stage. The stage's
+   * `additionalTrustedClientOrigins` entries (e.g. on-site customer SPA
+   * hosts) are filtered to `https://`-prefix values and contribute
+   * `/oauth/callback` + `/oauth/logout` URLs to the merge — Cognito rejects
+   * non-localhost http callbacks, so `http://` entries are silently dropped.
+   * On non-prod stages the localhost dev URLs from
+   * {@link LOCALHOST_OAUTH_CALLBACK_URLS} /
+   * {@link LOCALHOST_OAUTH_LOGOUT_URLS} join the merge; on prod they are
    * deliberately excluded.
    *
    * If `zoneName` is absent (no-DNS test configurations), the deployed-host
-   * pairs are skipped — only the localhost set survives, and only on
-   * non-prod. Override to customize.
+   * pairs are skipped — only the localhost set and any configured
+   * additional `https://` origins survive (the latter on every stage).
+   * Override to customize.
    */
   resolveOAuthRedirectUrls() {
     const isNonProd = this.ohEnv.ohStage.stageType !== import_config7.OPEN_HI_STAGE.PROD;
@@ -7970,15 +7983,21 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
       });
       deployedOrigins.push(`https://${adminHost}`, `https://${websiteHost}`);
     }
+    const stageType = this.ohEnv.ohStage.stageType;
+    const additionalHttpsOrigins = this.ohEnv.ohStage.ohApp.config.deploymentTargets?.[stageType]?.additionalTrustedClientOrigins?.filter(
+      (o) => o.startsWith("https://")
+    ) ?? [];
     const localhostCallbacks = isNonProd ? LOCALHOST_OAUTH_CALLBACK_URLS : [];
     const localhostLogouts = isNonProd ? LOCALHOST_OAUTH_LOGOUT_URLS : [];
     return {
       callbackUrls: [
         ...deployedOrigins.map((o) => `${o}/oauth/callback`),
+        ...additionalHttpsOrigins.map((o) => `${o}/oauth/callback`),
         ...localhostCallbacks
       ],
       logoutUrls: [
         ...deployedOrigins.map((o) => `${o}/oauth/logout`),
+        ...additionalHttpsOrigins.map((o) => `${o}/oauth/logout`),
         ...localhostLogouts
       ]
     };