From 2dffdfff4aa02d5c4df128035d0bfce2fd309ebd Mon Sep 17 00:00:00 2001
From: Luke Parker <10430890+Hona@users.noreply.github.com>
Date: Thu, 7 May 2026 08:55:09 +1000
Subject: [PATCH] fix(server): apply cors before legacy auth (#26092)

---
 packages/opencode/src/server/server.ts | 6 +++---
 packages/opencode/test/server/httpapi-cors.test.ts | 13 +++++++++++++
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/packages/opencode/src/server/server.ts b/packages/opencode/src/server/server.ts
index ca86599955..bc09667c29 100644
--- a/packages/opencode/src/server/server.ts
+++ b/packages/opencode/src/server/server.ts
@@ -107,10 +107,10 @@ function createHono(opts: CorsOptions, selection: ServerBackend.Selection = Serv
 const backendAttributes = ServerBackend.attributes(selection)
 const app = new Hono()
 .onError(ErrorMiddleware)
- .use(AuthMiddleware)
- .use(LoggerMiddleware(backendAttributes))
- .use(CompressionMiddleware)
 .use(CorsMiddleware(opts))
+ .use(LoggerMiddleware(backendAttributes))
+ .use(AuthMiddleware)
+ .use(CompressionMiddleware)
 .route("/global", GlobalRoutes())
 
 const runtime = adapter.create(app)
diff --git a/packages/opencode/test/server/httpapi-cors.test.ts b/packages/opencode/test/server/httpapi-cors.test.ts
index 72265ad9bd..8d7e95dfbf 100644
--- a/packages/opencode/test/server/httpapi-cors.test.ts
+++ b/packages/opencode/test/server/httpapi-cors.test.ts
@@ -63,6 +63,19 @@ describe("HttpApi CORS", () => {
 }),
 )
 
+ it.live("adds CORS headers to legacy unauthorized responses", () =>
+ Effect.gen(function* () {
+ const response = yield* Effect.promise(async () =>
+ Server.Legacy().app.request("/global/config", {
+ headers: { origin: "https://app.opencode.ai" },
+ }),
+ )
+
+ expect(response.status).toBe(401)
+ expect(response.headers.get("access-control-allow-origin")).toBe("https://app.opencode.ai")
+ }),
+ )
+
 it.live("uses custom CORS origins passed to the server", () =>
 Effect.gen(function* () {
 const listener = yield* Effect.acquireRelease(
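Review bot: The order of the `.use()` chain in `createHono` is now security-relevant, but nothing in the code records why, so a later reshuffle could move a route or handler ahead of `AuthMiddleware` without anyone noticing. I would add a comment above `.use(CorsMiddleware(opts))` along the lines of `// Order matters: CORS first so preflight and 401 responses carry CORS headers; AuthMiddleware must stay ahead of every route.` `LoggerMiddleware` also moves ahead of `AuthMiddleware` here, so it now sees requests that will be rejected; its body is not visible in this hunk, so it is worth confirming that it does not record credential headers and that log volume from unauthenticated traffic is bounded. `createHono` starts and ends outside the hunk.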
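Review bot: The added test in `httpapi-cors.test.ts` covers only the allowed-origin case, so it would still pass if the reordered `CorsMiddleware` echoed any `Origin` back on a 401. A sibling case that sends an origin outside the allowlist, for example `headers: { origin: "https://untrusted.example" }` (a constructed sample value), and asserts `expect(response.headers.get("access-control-allow-origin")).toBeNull()` would pin the negative side. This assumes the default allowlist used by `Server.Legacy()` does not include that origin, which is not visible here. The enclosing `describe` block starts and ends outside the hunk.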