From 617916134fe3c947262b524826dd39680421a266 Mon Sep 17 00:00:00 2001
From: Will Anderson
Date: Mon, 11 May 2026 13:30:22 -0500
Subject: [PATCH] Fix supabase-config CORS: treat absent Origin header as allowed
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

map_get returns null (0) for missing headers. str_eq(null, "") is false because EL_CSTR(0) is NULL != "". Same-origin browser fetches don't send Origin at all, so the missing-origin case was incorrectly being denied. Fix: use str_starts_with(req_origin, "http") to detect a present origin. If no origin header (null first arg → str_starts_with returns false), origin_present is false and the request is allowed unconditionally.
---
 src/main.el | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/main.el b/src/main.el
index 9f64c5e..0287238 100644
--- a/src/main.el
+++ b/src/main.el
@@ -1167,7 +1167,11 @@ fn handle_request_inner(method: String, path: String, headers: Map, body: String
 // would not be able to silently obtain the key to make authenticated calls.
 if str_eq(path, "/api/supabase-config") {
 let req_origin: String = map_get(headers, "origin")
- let origin_ok: Bool = str_eq(req_origin, "")
+ // map_get returns 0 (null) when the header is absent — same-origin
+ // browser fetches don't send Origin at all. str_starts_with(null, "http")
+ // returns false, so !origin_present correctly passes no-origin requests.
+ let origin_present: Bool = str_starts_with(req_origin, "http")
+ let origin_ok: Bool = !origin_present
 || str_eq(req_origin, "https://neurontechnologies.ai")
 || str_eq(req_origin, "https://www.neurontechnologies.ai")
 || str_starts_with(req_origin, "http://localhost:")
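Review bot: `origin_present` is derived from `str_starts_with(req_origin, "http")`, so an Origin header that is present but does not begin with `http` is treated as missing and passes `!origin_present`. That includes the literal `null` browsers send for opaque origins, and any non-http scheme, which widens the allow-list on an endpoint the surrounding comment describes as guarding a key. Presence is better tested directly than by prefix; if the runtime has no null or has-key test, at least keep the serialized-null value on the checked path with `let origin_present: Bool = str_starts_with(req_origin, "http") || str_eq(req_origin, "null")`. The new comment should also say that a missing Origin is allowed by design and that non-browser clients never send one, so this gate only constrains cross-origin browser pages. The rest of the `origin_ok` expression, its use, and the CORS response headers lie outside the hunk, as does the start of `handle_request_inner`.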