fix: fixed health-check endpoint issue on sub-directory multisite

[Kallyan01]

What

Brand sub-sites cannot be added on the governing site in multisite setup,

Why

This issue was happening because of the same-origin setup in the subdirectory multisite.

Related Issue(s):

• Part of https://github.com/rtCamp/OnePress/issues/81 - 1st issue

How

AI Disclosure

Testing Instructions

1. Set up a subdirectory-based multisite installation.
2. Network-activate the plugin.
3. Navigate to the governing site.
4. Attempt to add a new brand site.

Screenshots

Additional Info

Checklist

• I have read the Contribution Guidelines.
• I have read the Development Guidelines.
• I have added necessary tests to cover my changes.
• I have updated the project documentation as needed.
• My code has detailed inline documentation.
• My code is tested to the best of my abilities.
• My code passes all lints, tests, and checks.

[codecov-commenter]

Codecov Report

❌ Patch coverage is 53.12500% with 15 lines in your changes missing coverage. Please review.
✅ Project coverage is 86.04%. Comparing base (a669ef9) to head (5d4b3fb).

Files with missing lines	Patch %	Lines
inc/Modules/Rest/Abstract_REST_Controller.php	50.00%	15 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##               main     #244      +/-   ##
============================================
- Coverage     86.46%   86.04%   -0.43%     
- Complexity      543      552       +9     
============================================
  Files            22       22              
  Lines          1988     1999      +11     
============================================
+ Hits           1719     1720       +1     
- Misses          269      279      +10     

Flag	Coverage Δ
unit	86.04% <53.12%> (-0.43%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
inc/Modules/Core/Rest.php	100.00% <100.00%> (ø)
inc/Modules/Rest/Abstract_REST_Controller.php	59.25% <50.00%> (-13.47%)	⬇️

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[justlevine]

This is failing for me:

Steps:

1. create a .wp-env.override.json and add "multisite": true
2. Run npm run wp-env destroy && npm run wp-env start (note this will wipe the env db)
3. Go to network admin, create the child site
4. Go to the child site admin, activate the plugins, and set as brand site
5. Try to connect.

[justlevine]

This is unnecessary. Readers can assume that anything in headers is required for our auth, the implementation details exist elsewhere.

Suggested change

	// Explicit site URL so the brand site can identify the governing site
	// when both share the same domain (sub-directory multisite), where the
	// browser omits Origin for same-origin requests.

[justlevine]

The assumption here is that either both headers are present or neither.

IMO that's fine just commenting for future reference ✔️

[justlevine]

Closes https://github.com/rtCamp/OnePress/issues/81 - 1st issue

PS, fixes and closes are keywords to autoclose issues, so if it's not meant to fully close it, use Part of or whatever. I updated the PR description here.

[Copilot]

Pull request overview

This PR adjusts OneSearch’s cross-site REST authentication to better support sub-directory multisite setups, particularly where browser Origin behavior can break same-host detection during health checks.

Changes:

• Adds X-OneSearch-Site-URL as an allowed REST CORS header and sends it from the SiteModal health-check request.
• Reorders REST permission checks to prioritize token-based auth, with a fallback to the new site URL header when Origin is absent.
• Updates/rests PHP unit coverage around the expanded CORS header list.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File	Description
inc/Modules/Rest/Abstract_REST_Controller.php	Adjusts permission logic to prefer token auth and adds X-OneSearch-Site-URL fallback when Origin is missing.
inc/Modules/Core/Rest.php	Adds X-OneSearch-Site-URL to the allowed CORS headers list.
assets/src/components/SiteModal.tsx	Sends X-OneSearch-Site-URL on the brand-site health-check request.
tests/php/Unit/Modules/Core/RestTest.php	Updates unit expectations for the expanded CORS header list.

Comments suppressed due to low confidence (1)

inc/Modules/Rest/Abstract_REST_Controller.php:69

• wp_parse_url() can return false for an empty/invalid Origin header; the current code then reads $parsed_origin['scheme'/'host'/'port'], which can raise PHP warnings (and $origin_port becomes unreliable). Coerce the parse result to an array before indexing, and only compare ports when one was actually provided.

		$request_origin = $request->get_header( 'origin' );
		$request_origin = ! empty( $request_origin ) ? esc_url_raw( wp_unslash( $request_origin ) ) : '';
		$parsed_origin  = wp_parse_url( $request_origin );
		$request_url    = ! empty( $parsed_origin['scheme'] ) && ! empty( $parsed_origin['host'] ) ? sprintf(
			'%s://%s%s',

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Kallyan01]

@justlevine, I think the issue is related to the build. Could you please build the JS assets? I completed the setup and ran npm run build: prod, it worked successfully on my end.

Screen.Recording.2026-06-18.at.20.29.47.mov

[justlevine]

Could you please build the JS assets?

Apologies, I guess I was working too quickly. After rebuilding I still have an error, it's just on the next screen:

Throwing an error_log() at the relevant spot in Governing_Data_Controller::get_all_brand_post_types() shows it isn't routing to the child-rest endpoint.