feat(auth): Add *.cannabrands.app to trusted origins whitelist

Adds pattern-based origin matching to support wildcard subdomains.
All *.cannabrands.app origins now bypass API key authentication.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

backend/src/auth/middleware.ts

@@ -29,6 +29,11 @@ const TRUSTED_ORIGINS = [
   'http://localhost:5173',
 ];
 
+// Pattern-based trusted origins (wildcards)
+const TRUSTED_ORIGIN_PATTERNS = [
+  /^https:\/\/.*\.cannabrands\.app$/,  // *.cannabrands.app
+];
+
 // Trusted IPs for internal pod-to-pod communication
 const TRUSTED_IPS = [
   '127.0.0.1',
@@ -42,9 +47,17 @@ const TRUSTED_IPS = [
 function isTrustedRequest(req: Request): boolean {
   // Check origin header
   const origin = req.headers.origin;
-  if (origin && TRUSTED_ORIGINS.includes(origin)) {
+  if (origin) {
+    if (TRUSTED_ORIGINS.includes(origin)) {
       return true;
     }
+    // Check pattern-based origins (wildcards like *.cannabrands.app)
+    for (const pattern of TRUSTED_ORIGIN_PATTERNS) {
+      if (pattern.test(origin)) {
+        return true;
+      }
+    }
+  }
 
   // Check referer header (for same-origin requests without CORS)
   const referer = req.headers.referer;
@@ -54,6 +67,18 @@ function isTrustedRequest(req: Request): boolean {
         return true;
       }
     }
+    // Check pattern-based referers
+    try {
+      const refererUrl = new URL(referer);
+      const refererOrigin = refererUrl.origin;
+      for (const pattern of TRUSTED_ORIGIN_PATTERNS) {
+        if (pattern.test(refererOrigin)) {
+          return true;
+        }
+      }
+    } catch {
+      // Invalid referer URL, skip
+    }
   }
 
   // Check IP for internal requests (pod-to-pod, localhost)