fix: Update TARGET_HOST to use dynamic origin for CMS compatibility

ots-signs/layoutauth.html

@@ -101,7 +101,9 @@
 
   <script>
     (function () {
-      var TARGET_HOST = "https://app.ots-signs.com";
+      // Use the current host so this page works on any CMS deployment
+      // (demo.ots-signs.com, app.ots-signs.com/slug, etc.) without hardcoding.
+      var TARGET_HOST = window.location.origin;
 
       /**
        * Validate that `to` is a safe relative path:
@@ -123,14 +125,17 @@
       }
 
       /**
-       * Extract the customer slug from the CMS base path.
-       * The CMS always runs at /{customerslug}/cms/…
-       * so pathname.split('/')[1] gives the slug.
+       * Derive the CMS root URL from the layoutauth.html page URL itself.
+       * The file always lives at <cmsBase>/theme/custom/…/layoutauth.html,
+       * so everything before "/theme/custom/" is the CMS base path.
+       *
+       * Examples:
+       *   https://demo.ots-signs.com/theme/custom/…  → cmsBase = ""
+       *   https://app.ots-signs.com/acme/cms/theme/… → cmsBase = "/acme/cms"
        */
-      function getSlug() {
-        var parts = window.location.pathname.split("/");
-        // parts[0] = "" (before leading /), parts[1] = customerslug
-        return parts[1] || "";
+      function getCmsBase() {
+        var parts = window.location.pathname.split("/theme/custom/");
+        return parts[0] || "";
       }
 
       function getQueryParam(name) {
@@ -146,11 +151,11 @@
       }
 
       var to = getQueryParam("to");
-      var slug = getSlug();
+      var cmsBase = getCmsBase();
 
       var destination = isValidPath(to)
         ? TARGET_HOST + to
-        : TARGET_HOST + (slug ? "/" + slug : "");
+        : TARGET_HOST + cmsBase + "/";
 
       // Update the visible fallback link
       var link = document.getElementById("fallback-link");
@@ -161,12 +166,9 @@
       var message   = document.getElementById("message");
 
       // Check CMS web session auth by fetching the CMS root and following redirects.
-      // The CMS always runs at /{slug}/cms/:
-      //   - Unauthenticated: 302 → /cms/login    (final response.url contains "/login")
-      //   - Authenticated:   302 → /cms/dashboard (final response.url does NOT contain "/login")
-      // Both cases produce an opaqueredirect with redirect:'manual', so we instead let
-      // the browser follow redirects and inspect where it ultimately lands.
-      var cmsRootUrl = window.location.origin + "/" + slug + "/cms/";
+      //   - Unauthenticated: 302 → /login  (final response.url contains "/login")
+      //   - Authenticated:   302 → /dashboard (final response.url does NOT contain "/login")
+      var cmsRootUrl = window.location.origin + cmsBase + "/";
 
       fetch(cmsRootUrl, {
         method: "GET",