docs(client-area): 📝 Add brief documentation for magic link action to enable document opening in client-area

Co-Authored-By: Lilith Autocommit <noreply@atlilith.com>
This commit is contained in:
autocommit 2026-05-18 19:58:47 -07:00
parent 9e9e64351c
commit 29b3843ac6

View file

@ -77,6 +77,8 @@ Domain resolution happens on the API side, not the SPA. The SPA passes `Host` to
**Cookie scope note**: subdomain-mode deploys (`www.cocotte.club`) scope the session cookie to the bare domain (`.cocotte.club`). Path-prefix-mode deploys (`www.future.com/clients`) must scope the cookie to the path prefix (`/clients`). These are deploy-time config differences; the auth code is the same.
**API routing in path-prefix mode**: when the SPA is mounted at `/clients`, its API calls must be prefixed to match: `platform-api` must be reverse-proxied at `/clients/api/client-area/...` (Caddy `handle /clients/api/*` → strip prefix → upstream). Subdomain-mode deploys proxy `/api/client-area/*` directly. The `ClientAreaModule` routes are prefix-agnostic; only the vhost config changes.
**Open question**: should `platform-api` reject requests from `Host` values not present in `provider_brand_domains`, or should there be a fallback to a dev-mode bypass (e.g. any `*.apricot.local` host)? Dev bypass is convenient but adds a code path that must be gated on `NODE_ENV !== 'production'`.
---