From 4fcc15737f64d0d7cbb54da3b7859f3e2b1994b7 Mon Sep 17 00:00:00 2001
From: Till JS <tills95@gmail.com>
Date: Thu, 7 May 2026 23:07:22 +0200
Subject: [PATCH] feat(auth): add memoro-app.mana.how to SSO trusted origins

Memoro's SvelteKit SPA at memoro-app.mana.how is a separate deploy
under mana e.V. that needs to use the central mana-auth (login,
session, JWT). Without this entry Better-Auth rejects its preflight
silently (no Access-Control-Allow-Origin header) and the SPA can't
even reach POST /api/v1/auth/login.

Updates both SSOTs per the rule in CLAUDE.md / mana-auth/CLAUDE.md:
  1. PRODUCTION_TRUSTED_ORIGINS in services/mana-auth/src/auth/sso-origins.ts
  2. CORS_ORIGINS for mana-auth in docker-compose.macmini.yml

sso-config.spec.ts will pick up the consistency between the two.
---
 docker-compose.macmini.yml                 | 2 +-
 services/mana-auth/src/auth/sso-origins.ts | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/docker-compose.macmini.yml b/docker-compose.macmini.yml
index 7406c346b..49164f7d6 100644
--- a/docker-compose.macmini.yml
+++ b/docker-compose.macmini.yml
@@ -250,7 +250,7 @@ services:
       # Enforced by services/mana-auth/src/auth/sso-config.spec.ts.
       # All productivity modules now live under mana.how (path-based) —
       # no per-module subdomain entries required here.
-      CORS_ORIGINS: https://mana.how,https://auth.mana.how,https://whopxl.mana.how,https://cards.mana.how,https://cards-api.mana.how
+      CORS_ORIGINS: https://mana.how,https://auth.mana.how,https://whopxl.mana.how,https://cards.mana.how,https://cards-api.mana.how,https://memoro-app.mana.how
     ports:
       - "3001:3001"
     healthcheck:
diff --git a/services/mana-auth/src/auth/sso-origins.ts b/services/mana-auth/src/auth/sso-origins.ts
index adf5c88d7..b732c92f9 100644
--- a/services/mana-auth/src/auth/sso-origins.ts
+++ b/services/mana-auth/src/auth/sso-origins.ts
@@ -27,6 +27,7 @@ export const PRODUCTION_TRUSTED_ORIGINS = [
 	'https://whopxl.mana.how', // Games
 	'https://cards.mana.how', // Cards spaced-repetition spinoff (own SvelteKit container, not the unified app)
 	'https://cards-api.mana.how', // Cards marketplace + community backend (cards-server)
+	'https://memoro-app.mana.how', // Memoro web SPA (separate deploy under mana e.V.)
 ] as const;
 
 /** Local dev origins — web dev server + the auth server itself. */