From 99841f2197ac01d75414c73a6159797f341b8c03 Mon Sep 17 00:00:00 2001
From: "Claude (Chronicler #57)" <claude@firefrostgaming.com>
Date: Fri, 3 Apr 2026 16:04:43 +0000
Subject: [PATCH] fix: CORS configuration for Stripe checkout endpoint

Fixed CORS to properly handle both www and non-www origins plus OPTIONS preflight.

ISSUE:
- Subscribe button click from website showed error alert
- No request logged in Trinity Console (request blocked by CORS)
- Original config only allowed https://firefrostgaming.com (no www)
- Missing OPTIONS method for preflight requests

FIX:
- Added both origins: firefrostgaming.com and www.firefrostgaming.com
- Added OPTIONS method for CORS preflight handling
- Added optionsSuccessStatus: 200 for legacy browser support

FILES MODIFIED:
- services/arbiter-3.0/src/index.js (CORS config, 3 lines changed)

TESTING:
- Deploy to Command Center
- Test subscribe button from firefrostgaming.com
- Should now successfully create Stripe checkout session

Signed-off-by: Claude (Chronicler #57) <claude@firefrostgaming.com>
---
 services/arbiter-3.0/src/index.js | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/services/arbiter-3.0/src/index.js b/services/arbiter-3.0/src/index.js
index 49f5dc7..e0c1b43 100644
--- a/services/arbiter-3.0/src/index.js
+++ b/services/arbiter-3.0/src/index.js
@@ -48,9 +48,10 @@ app.use(express.urlencoded({ extended: true }));
 
 // CORS configuration - Allow Stripe checkout requests from website
 app.use('/stripe/create-checkout-session', cors({
-  origin: 'https://firefrostgaming.com',
-  methods: ['POST'],
-  credentials: false
+  origin: ['https://firefrostgaming.com', 'https://www.firefrostgaming.com'],
+  methods: ['POST', 'OPTIONS'],
+  credentials: false,
+  optionsSuccessStatus: 200
 }));
 
 // Make Discord client accessible to routes