refactor(fe): share the SaaS PAYG experience with desktop via a cloud/ layer (#6649)

Co-authored-by: James Brunton <[email protected]>
This commit is contained in:
ConnorYoh
2026-06-17 11:12:05 +01:00
committed by GitHub
co-authored by James Brunton
parent ef0deef4f2
commit cd7264a76a
122 changed files with 1836 additions and 6365 deletions
@@ -260,7 +260,7 @@ public class SupabaseSecurityConfig {
applicationProperties.getSystem() != null
&& applicationProperties.getSystem().getCorsAllowedOrigins() != null
&& !applicationProperties.getSystem().getCorsAllowedOrigins().isEmpty();
List<String> origins =
List<String> configuredOrigins =
operatorOverride
? applicationProperties.getSystem().getCorsAllowedOrigins()
: List.of(
@@ -270,6 +270,18 @@ public class SupabaseSecurityConfig {
"https://stirling.com",
"https://app.stirling.com",
"https://api.stirling.com");
// Always allow the desktop (Tauri) app's webview origins so the bundled
// desktop client can reach the cloud backend regardless of the operator's
// configured web origins. A browser can never present a tauri:// (or
// tauri.localhost) origin, so these are desktop-app identities — safe to
// allow alongside allowCredentials=true. Mirrors core WebMvcConfig.
List<String> origins = new ArrayList<>(configuredOrigins);
for (String desktopOrigin :
List.of("tauri://localhost", "http://tauri.localhost", "https://tauri.localhost")) {
if (!origins.contains(desktopOrigin)) {
origins.add(desktopOrigin);
}
}
if (origins.stream().anyMatch(o -> o.contains("*"))) {
log.warn(
"CORS origins contain a wildcard paired with allowCredentials=true: {}."