vrr/opencode
2
0
Fork 0
mirror of https://github.com/anomalyco/opencode.git synced 2026-05-10 20:40:36 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 19

fix(server): apply cors before legacy auth (#26092)

Browse source
This commit is contained in:
Luke Parker 2026-05-07 08:55:09 +10:00 committed by GitHub
parent a4ab1408eb
commit 2dffdfff4a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 16 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

6
packages/opencode/src/server/server.ts
View file

@ -107,10 +107,10 @@ function createHono(opts: CorsOptions, selection: ServerBackend.Selection = Serv
const backendAttributes = ServerBackend.attributes(selection)
const app = new Hono()
.onError(ErrorMiddleware)
.use(AuthMiddleware)
.use(LoggerMiddleware(backendAttributes))
.use(CompressionMiddleware)
.use(CorsMiddleware(opts))
.use(LoggerMiddleware(backendAttributes))
.use(AuthMiddleware)
.use(CompressionMiddleware)
.route("/global", GlobalRoutes())
const runtime = adapter.create(app)

13
packages/opencode/test/server/httpapi-cors.test.ts
View file

@ -63,6 +63,19 @@ describe("HttpApi CORS", () => {
}),
)
it.live("adds CORS headers to legacy unauthorized responses", () =>
Effect.gen(function* () {
const response = yield* Effect.promise(async () =>
Server.Legacy().app.request("/global/config", {
headers: { origin: "https://app.opencode.ai" },
}),
)
expect(response.status).toBe(401)
expect(response.headers.get("access-control-allow-origin")).toBe("https://app.opencode.ai")
}),
)
it.live("uses custom CORS origins passed to the server", () =>
Effect.gen(function* () {
const listener = yield* Effect.acquireRelease(