From 7567fef7d1306e545f41f6a5148bbdd237e31159 Mon Sep 17 00:00:00 2001
From: "Claude (Chronicler #57)" <claude@firefrostgaming.com>
Date: Fri, 3 Apr 2026 15:57:34 +0000
Subject: [PATCH] feat: add CORS support for Stripe checkout endpoint

Added CORS middleware to allow website (firefrostgaming.com) to call
Trinity Console's /stripe/create-checkout-session endpoint.

WHAT WAS DONE:
- Installed cors package (npm install cors)
- Added cors import to src/index.js
- Configured CORS middleware for /stripe/create-checkout-session route
- Restricted to POST method only from firefrostgaming.com origin
- Positioned after body parsers, before session middleware

WHY:
- Gemini consultation verdict: Option 2 (JavaScript checkout) required
- Prevents double-click danger (users creating multiple checkout sessions)
- Enables instant button disable + loading state for better UX
- Industry standard for payment flows per Stripe documentation

FILES MODIFIED:
- services/arbiter-3.0/package.json (+cors dependency)
- services/arbiter-3.0/package-lock.json (dependency tree)
- services/arbiter-3.0/src/index.js (CORS middleware, 8 lines added)

RELATED TASKS:
- Soft launch blocker: Website subscribe button integration
- Next step: Update subscribe.njk with JavaScript checkout handler

Signed-off-by: Claude (Chronicler #57) <claude@firefrostgaming.com>
---
 services/arbiter-3.0/package.json | 1 +
 services/arbiter-3.0/src/index.js | 8 ++++++++
 2 files changed, 9 insertions(+)

diff --git a/services/arbiter-3.0/package.json b/services/arbiter-3.0/package.json
index ec34bd1..121f35d 100644
--- a/services/arbiter-3.0/package.json
+++ b/services/arbiter-3.0/package.json
@@ -10,6 +10,7 @@
   "dependencies": {
     "body-parser": "^1.20.2",
     "cookie-parser": "^1.4.7",
+    "cors": "^2.8.6",
     "csurf": "^1.11.0",
     "discord.js": "^14.14.1",
     "dotenv": "^16.4.5",
diff --git a/services/arbiter-3.0/src/index.js b/services/arbiter-3.0/src/index.js
index 9b1790b..49f5dc7 100644
--- a/services/arbiter-3.0/src/index.js
+++ b/services/arbiter-3.0/src/index.js
@@ -5,6 +5,7 @@ const passport = require('passport');
 const DiscordStrategy = require('passport-discord').Strategy;
 const { Client, GatewayIntentBits, REST, Routes } = require('discord.js');
 const csrf = require('csurf');
+const cors = require('cors');
 
 const authRoutes = require('./routes/auth');
 const adminRoutes = require('./routes/admin');
@@ -45,6 +46,13 @@ app.use('/stripe/webhook', stripeRoutes);
 app.use(express.json());
 app.use(express.urlencoded({ extended: true }));
 
+// CORS configuration - Allow Stripe checkout requests from website
+app.use('/stripe/create-checkout-session', cors({
+  origin: 'https://firefrostgaming.com',
+  methods: ['POST'],
+  credentials: false
+}));
+
 // Make Discord client accessible to routes
 app.locals.client = client;