From ffd9327e3e7869c3d7eab9c4b89cce4f015049ac Mon Sep 17 00:00:00 2001
From: Alexander Schmidt <alexander@schmidt.eco>
Date: Fri, 27 Mar 2026 09:44:11 +0100
Subject: [PATCH] Allow self-hosted origins in API verification

---
 api/_helpers.php | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/api/_helpers.php b/api/_helpers.php
index 8b9e206..14eab5f 100644
--- a/api/_helpers.php
+++ b/api/_helpers.php
@@ -14,13 +14,19 @@ function send_security_headers(): void {
 
 // ── Origin verification ───────────────────────────────────────────────────────
 function verify_origin(): void {
-    $allowed = [
-        'https://xmrpay.link',
-        'http://mc6wfeaqc7oijgdcudrr5zsotmwok3jzk3tu2uezzyjisn7nzzjjizyd.onion',
-    ];
     $origin = $_SERVER['HTTP_ORIGIN'] ?? '';
     // Allow same-origin (no Origin header from direct same-origin requests)
     if ($origin === '') return;
+
+    // Dynamically allow the host this instance runs on
+    $scheme = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https' : 'http';
+    $self_origin = $scheme . '://' . ($_SERVER['HTTP_HOST'] ?? '');
+
+    $allowed = [
+        $self_origin,
+        'https://xmrpay.link',
+        'http://mc6wfeaqc7oijgdcudrr5zsotmwok3jzk3tu2uezzyjisn7nzzjjizyd.onion',
+    ];
     if (!in_array($origin, $allowed, true)) {
         http_response_code(403);
         echo json_encode(['error' => 'Origin not allowed']);