Desktop handoff returns wrong denBaseUrl when deployed to Cloud Run — missing /api/den path

[joelstucki-taulia]

Summary

When den-api is deployed to Google Cloud Run, the desktop handoff deep link is generated with an incorrect denBaseUrl — it omits the required /api/den path suffix. The desktop client then tries to call /v1/auth/desktop-handoff/exchange directly on the web frontend, which doesn't exist there, resulting in a 404.

Root Cause

In ee/apps/den-api/src/routes/auth/desktop-handoff.ts, resolveDesktopDenBaseUrl() calls isWebAppHost() to determine whether to append /api/den via withDenProxyPath(). isWebAppHost() only allows a hardcoded set of hostnames (app.openworklabs.com, app.openwork.software, app.*) and private IPs.

Cloud Run hostnames (e.g. den-web-1078079989666.us-central1.run.app) are not in this allowlist, so the function returns the bare origin without /api/den.

Steps to Reproduce

1. Deploy den-api and den-web to Google Cloud Run
2. Sign in via the web dashboard
3. Click "Sign in with OpenWork Cloud" to generate a desktop handoff link
4. The generated deep link contains denBaseUrl=https://your-den-web.run.app (no /api/den)
5. The desktop app hits https://your-den-web.run.app/v1/auth/desktop-handoff/exchange → 404

Fix

Add .run.app to the isWebAppHost() allowlist in desktop-handoff.ts:

return normalized === "app.openworklabs.com"
  || normalized === "app.openwork.software"
  || normalized.startsWith("app.")
  || normalized.endsWith(".run.app")  // add this

Or better, make the allowlist configurable via an environment variable so self-hosted deployments can specify their own hostname.

Environment

• Google Cloud Run
• Any custom domain deployment would hit the same issue