From 01a6cab984cf5733e2ddffc440f2be05eb3f29e1 Mon Sep 17 00:00:00 2001
From: Tiago Yamamoto <japa@rede5.com.br>
Date: Mon, 23 Feb 2026 11:51:31 -0600
Subject: [PATCH] fix: allow all gohorsejobs.com subdomains in CORS for
 backoffice

---
 backoffice/src/main.ts | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/backoffice/src/main.ts b/backoffice/src/main.ts
index 8d535d9..aff6288 100644
--- a/backoffice/src/main.ts
+++ b/backoffice/src/main.ts
@@ -51,7 +51,10 @@ async function bootstrap() {
         ...envOrigins,
       ].filter(Boolean);
 
-      if (!origin || allowedOrigins.includes(origin)) {
+      // Allow all *.gohorsejobs.com subdomains (http and https)
+      const gohorsePattern = /^https?:\/\/([a-z0-9-]+\.)*gohorsejobs\.com$/;
+
+      if (!origin || allowedOrigins.includes(origin) || gohorsePattern.test(origin)) {
         callback(null, true);
       } else {
         callback(new Error('Not allowed by CORS'), false);