Generalize popup auth to trigger inside any iframe, not just specific domains

Replace domain regex check with iframe detection (window !== window.parent)
so popup-based OAuth works in any embedded context.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: roymiloh

src/modules/auth.ts

@@ -7,12 +7,9 @@ import {
   ResetPasswordParams,
 } from "./auth.types";
 
-const POPUP_AUTH_DOMAIN_REGEX =
-  /^(preview-sandbox--|preview--|checkpoint--)[^.]+\./;
-
-function isPopupAuthDomain(): boolean {
+function isInsideIframe(): boolean {
   if (typeof window === "undefined") return false;
-  return POPUP_AUTH_DOMAIN_REGEX.test(window.location.hostname);
+  return window !== window.parent;
 }
 
 /**
@@ -147,9 +144,9 @@ export function createAuthModule(
 
       const loginUrl = `${options.appBaseUrl}/api${authPath}?${queryParams}`;
 
-      // On preview/sandbox/checkpoint domains the app runs inside an iframe —
-      // use a popup to avoid OAuth providers blocking iframe navigation.
-      if (isPopupAuthDomain()) {
+      // When running inside an iframe, use a popup to avoid OAuth providers
+      // blocking iframe navigation.
+      if (isInsideIframe()) {
         const popupLoginUrl = `${loginUrl}&popup_origin=${encodeURIComponent(window.location.origin)}`;
         return loginViaPopup(popupLoginUrl, redirectUrl, window.location.origin);
       }