From 292d5923cfdbdb220ce8b5c62d37cf80410ba43d Mon Sep 17 00:00:00 2001
From: Deivid Soto
Date: Sun, 31 May 2026 14:20:49 +0200
Subject: [PATCH] fix(stream): allow unarr.app origins for /stream + /hls CORS
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The daemon's baked-in CORS allowlist had the torrentclaw.com family but not unarr.app — so on the unarr brand the browser dropped every /hls + /stream response (no Access-Control-Allow-Origin) and the player reported "can't connect to your agent" even though the agent was reachable. Add unarr.app + www.unarr.app. (Dev over Tailscale uses cors_extra_origins for the raw IP origin.) Found while testing the web player from an iPhone over Tailscale.
---
 internal/engine/validate.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/internal/engine/validate.go b/internal/engine/validate.go
index 0efd4de..a89371c 100644
--- a/internal/engine/validate.go
+++ b/internal/engine/validate.go
@@ -36,6 +36,11 @@ var defaultCORSAllowedOrigins = []string{
 "https://staging.torrentclaw.com",
 "https://torrentclaw.to",
 "https://www.torrentclaw.to",
+ // unarr brand (separate deployment). The web player + agent endpoints run
+ // under unarr.app; without these the browser drops every /hls + /stream
+ // response (no Access-Control-Allow-Origin) and playback fails on unarr.
+ "https://unarr.app",
+ "https://www.unarr.app",
 // Tor mirror — Tor Browser sends `Origin: http://.onion` (plain
 // http, no port). Mirror address is the BUILT_IN_ONION constant from
 // torrentclaw-web/src/lib/mirrors-config.ts; rotates rarely, kept in
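Review bot: The comment added above `"https://unarr.app"` and `"https://www.unarr.app"` records the symptom that prompted the change but not what the entries grant. Every origin in `defaultCORSAllowedOrigins` ships in every daemon build, and page script served from it can presumably read the agent's /stream and /hls responses cross-origin. Since the comment itself calls unarr.app a separate deployment, I would state that trust decision next to the entries, e.g. `// Trusted first-party origin: script served from unarr.app may read /stream and /hls responses from the user's agent.` How the list is compared with the request's `Origin` header is not visible in this hunk, and the slice literal starts and ends outside it. If the comparison is anything other than an exact scheme-and-host match, that should be confirmed, ideally with a table test that accepts both new origins and rejects `http://unarr.app` and a constructed look-alike such as `https://unarr.app.example`.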