From 29b3843ac6e10bdce6d3e9c58df1d815da2bbdbd Mon Sep 17 00:00:00 2001 From: autocommit Date: Mon, 18 May 2026 19:58:47 -0700 Subject: [PATCH] =?UTF-8?q?docs(client-area):=20=F0=9F=93=9D=20Add=20brief?= =?UTF-8?q?=20documentation=20for=20magic=20link=20action=20to=20enable=20?= =?UTF-8?q?document=20opening=20in=20client-area?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-Authored-By: Lilith Autocommit --- .../codebase/@features/client-area/docs/client-area.brief.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/@platform/codebase/@features/client-area/docs/client-area.brief.md b/@platform/codebase/@features/client-area/docs/client-area.brief.md index 5b3a134..f86e16e 100644 --- a/@platform/codebase/@features/client-area/docs/client-area.brief.md +++ b/@platform/codebase/@features/client-area/docs/client-area.brief.md @@ -77,6 +77,8 @@ Domain resolution happens on the API side, not the SPA. The SPA passes `Host` to **Cookie scope note**: subdomain-mode deploys (`www.cocotte.club`) scope the session cookie to the bare domain (`.cocotte.club`). Path-prefix-mode deploys (`www.future.com/clients`) must scope the cookie to the path prefix (`/clients`). These are deploy-time config differences; the auth code is the same. +**API routing in path-prefix mode**: when the SPA is mounted at `/clients`, its API calls must be prefixed to match: `platform-api` must be reverse-proxied at `/clients/api/client-area/...` (Caddy `handle /clients/api/*` → strip prefix → upstream). Subdomain-mode deploys proxy `/api/client-area/*` directly. The `ClientAreaModule` routes are prefix-agnostic; only the vhost config changes. + **Open question**: should `platform-api` reject requests from `Host` values not present in `provider_brand_domains`, or should there be a fallback to a dev-mode bypass (e.g. any `*.apricot.local` host)? Dev bypass is convenient but adds a code path that must be gated on `NODE_ENV !== 'production'`. ---
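Review bot: In the added "API routing in path-prefix mode" paragraph, "strip prefix" does not say which prefix is removed, and the two readings give different upstream paths. If only `/clients` is stripped, the upstream sees `/api/client-area/...`, which matches the subdomain-mode path and the statement that the `ClientAreaModule` routes are prefix-agnostic. If the whole matched `/clients/api` is stripped (which is what Caddy's `handle_path /clients/api/*` would do), the upstream sees `/client-area/...` and the routes will not match. Suggest spelling it out, for example `handle /clients/api/*` with `uri strip_prefix /clients`, and stating the resulting upstream path. Two related points are worth a sentence in the same paragraph. First, the proxy must forward the original `Host` unchanged, since the surrounding text has `platform-api` resolving the domain from `Host`. Second, `/clients/api/...` falls inside the `/clients` cookie path from the cookie scope note, which is what lets the session cookie accompany API calls in this mode.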