Generate media proxy origin config on deploy

deploy/README.md

@@ -110,11 +110,9 @@ ProxyPassReverse /listen/8000/  http://127.0.0.1:8000/
 
 `deploy/php/media_proxy.php` is copied into your publish directory by `deploy_client.sh`.
 
-The proxy also requires the same `CHGRID_HOST_ORIGIN` value in the PHP/Apache environment so only your own site origin can read from it. For Apache, one simple option is:
+When `server/.env` contains `CHGRID_HOST_ORIGIN`, `deploy_client.sh` also generates `media_proxy.config.php` in the publish directory so the proxy can enforce the same origin without extra Apache-specific config.
 
-```apache
-SetEnv CHGRID_HOST_ORIGIN https://example.com
-```
+If you deploy the PHP proxy some other way, you can still provide `CHGRID_HOST_ORIGIN` directly through your PHP/web-server environment.
 
 Use:
 

deploy/php/media_proxy.php

@@ -147,6 +147,24 @@ function normalize_origin($value)
     return $scheme . '://' . $host . $port;
 }
 
+function load_proxy_host_origin()
+{
+    $fromEnv = normalize_origin(getenv('CHGRID_HOST_ORIGIN'));
+    if ($fromEnv !== '') {
+        return $fromEnv;
+    }
+
+    $configPath = __DIR__ . '/media_proxy.config.php';
+    if (!is_file($configPath)) {
+        return '';
+    }
+    $config = require $configPath;
+    if (!is_array($config) || !isset($config['host_origin'])) {
+        return '';
+    }
+    return normalize_origin($config['host_origin']);
+}
+
 function host_matches_suffix($host, $suffix)
 {
     if ($suffix === '') {
@@ -412,7 +430,7 @@ function resolve_safe_redirect_chain($initialUrl, $allowlistSuffixes, $requestHe
 // Optional allowlist env var: CHGRID_MEDIA_PROXY_ALLOWLIST=dropbox.com,example.com
 $allowlistEnv = getenv('CHGRID_MEDIA_PROXY_ALLOWLIST');
 $allowlistSuffixes = parse_allowlist_suffixes($allowlistEnv);
-$allowedOrigin = normalize_origin(getenv('CHGRID_HOST_ORIGIN'));
+$allowedOrigin = load_proxy_host_origin();
 if ($allowedOrigin === '') {
     send_text(500, 'CHGRID_HOST_ORIGIN is required');
 }

deploy/scripts/deploy_client.sh

@@ -7,6 +7,7 @@ PUBLISH_DIR="${2:-$REPO_ROOT/deploy/publish/chgrid}"
 BASE_PATH="${3:-/chgrid/}"
 CLIENT_DIR="$REPO_ROOT/client"
 PHP_PROXY_DIR="$REPO_ROOT/deploy/php"
+SERVER_ENV_FILE="$REPO_ROOT/server/.env"
 PUBLIC_HTACCESS_SRC="$REPO_ROOT/deploy/apache/chgrid-public-htaccess"
 
 if [[ ! -d "$CLIENT_DIR" ]]; then
@@ -30,6 +31,26 @@ if [[ -d "$PHP_PROXY_DIR" ]]; then
   rsync -a "$PHP_PROXY_DIR/" "$PUBLISH_DIR/"
 fi
 
+if [[ -f "$SERVER_ENV_FILE" ]]; then
+  set -a
+  # shellcheck disable=SC1090
+  source "$SERVER_ENV_FILE"
+  set +a
+fi
+
+if [[ -n "${CHGRID_HOST_ORIGIN:-}" ]]; then
+  escaped_host_origin=${CHGRID_HOST_ORIGIN//\\/\\\\}
+  escaped_host_origin=${escaped_host_origin//\'/\\\'}
+  cat > "$PUBLISH_DIR/media_proxy.config.php" <<EOF
+<?php
+return array(
+    'host_origin' => '$escaped_host_origin',
+);
+EOF
+else
+  rm -f "$PUBLISH_DIR/media_proxy.config.php"
+fi
+
 if [[ -f "$PUBLIC_HTACCESS_SRC" ]]; then
   cp "$PUBLIC_HTACCESS_SRC" "$PUBLISH_DIR/.htaccess"
 fi