From 63d7aaa8c29a55583793f6580e70738ca15f752c Mon Sep 17 00:00:00 2001
From: Flea Flicker <flea@groombook.dev>
Date: Thu, 18 Jun 2026 01:30:43 +0000
Subject: [PATCH] =?UTF-8?q?chore:=20promote=20dev=20=E2=86=92=20uat=20(GRO?=
 =?UTF-8?q?-2425=20comma-split=20CORS=5FORIGIN)=20(#217)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

chore: promote dev → uat (GRO-2425 comma-split CORS_ORIGIN)

Co-authored-by: Flea Flicker <flea@groombook.dev>
Co-committed-by: Flea Flicker <flea@groombook.dev>
---
 UAT_PLAYBOOK.md | 2 ++
 src/lib/auth.ts | 6 ++++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/UAT_PLAYBOOK.md b/UAT_PLAYBOOK.md
index 2a85e1d..66ef0d5 100644
--- a/UAT_PLAYBOOK.md
+++ b/UAT_PLAYBOOK.md
@@ -108,6 +108,8 @@ Expected: one row, `role = 'groomer'`. If zero rows return, the request hit the
 | TC-API-1.24 | Complete setup creates super user | POST /api/setup with business name (after TC-API-1.23) | First user becomes super user, setup completes | Setup errors, 403 on admin endpoints |
 | TC-API-1.25 | Super user accesses admin features | After TC-API-1.24, GET /api/staff/me and verify isSuperUser: true | isSuperUser: true, admin endpoints accessible | 403 on admin, isSuperUser: false |
 | TC-API-1.26 | Auto-provision skipped during OOBE | During fresh setup (needsSetup: true), complete OIDC login — verify no duplicate staff record created before setup completes | No duplicate staff, OOBE completes successfully | Duplicate staff record, 403 before setup, auto-provision interferes with OOBE |
+| TC-API-1.27 | Multi-origin CORS — demo host sign-in | `POST /api/auth/sign-in/social` with `callbackURL=https://demo.groombook.dev` | 200 OK, no origin-mismatch error | 400/403 "Origin mismatch" |
+| TC-API-1.28 | Multi-origin CORS — farh.net host sign-in | `POST /api/auth/sign-in/social` with `callbackURL=https://groombook.farh.net` | 200 OK, no origin-mismatch error | 400/403 "Origin mismatch" |
 
 ### 4.2 Client Management
 
diff --git a/src/lib/auth.ts b/src/lib/auth.ts
index ff1e125..b28153d 100644
--- a/src/lib/auth.ts
+++ b/src/lib/auth.ts
@@ -118,7 +118,8 @@ export async function initAuth(): Promise<void> {
           updateAge: 60 * 60 * 24,
           cookieCache: { enabled: false },
         },
-        trustedOrigins: [process.env.CORS_ORIGIN ?? "http://localhost:5173"],
+        trustedOrigins: (process.env.CORS_ORIGIN ?? "http://localhost:5173")
+          .split(",").map((s) => s.trim()).filter(Boolean),
       });
       return;
     }
@@ -308,7 +309,8 @@ export async function initAuth(): Promise<void> {
           maxAge: 5 * 60, // 5 minutes
         },
       },
-      trustedOrigins: [process.env.CORS_ORIGIN ?? "http://localhost:5173"],
+      trustedOrigins: (process.env.CORS_ORIGIN ?? "http://localhost:5173")
+        .split(",").map((s) => s.trim()).filter(Boolean),
     });
   })();