Fix postMessage origin check to use current window origin

The popup sends its message after the backend redirects it back to our
app's domain, so event.origin is window.location.origin, not the
Base44 server's origin.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: roymiloh

src/modules/auth.ts

@@ -151,11 +151,7 @@ export function createAuthModule(
       // use a popup to avoid OAuth providers blocking iframe navigation.
       if (isPopupAuthDomain()) {
         const popupLoginUrl = `${loginUrl}&popup_origin=${encodeURIComponent(window.location.origin)}`;
-        return loginViaPopup(
-          popupLoginUrl,
-          redirectUrl,
-          new URL(options.appBaseUrl).origin
-        );
+        return loginViaPopup(popupLoginUrl, redirectUrl, window.location.origin);
       }
 
       // Default: full-page redirect