mirror of
https://github.com/anomalyco/opencode.git
synced 2026-05-24 05:35:15 +00:00
da5e29b320
HttpApi auth middleware was reading ServerAuth.Config via Effect's generated
defaultLayer, which resolves Config.string('OPENCODE_SERVER_PASSWORD') once
and is memoized by Layer identity. Subsequent runtime mutation of process.env
(or Flag.OPENCODE_SERVER_PASSWORD) was never observed, so the middleware kept
serving 401 even when auth was disabled at runtime.
Hono's AuthMiddleware reads Flag.OPENCODE_SERVER_PASSWORD per request, so it
picks up mutations immediately. With Hono still the production default and
HttpApi gated by OPENCODE_EXPERIMENTAL_HTTPAPI, the gap was masked by tests
that flipped the flag back to Hono for no-auth scenarios.
Override ServerAuth.Config.defaultLayer to read Flag.* via Layer.sync at
layer-build time. Each fresh listener (memoMap) picks up current Flag values.
This matches Hono behavior across listeners; per-request mutation within a
single listener is not preserved (would require reading Flag in the middleware
itself, which is a separate concern).
Tests:
- httpapi-listen: parameterize 'tickets optional when auth disabled' across
both backends to lock in parity.
- httpapi-raw-route-auth + httpapi-ui: switch from ConfigProvider injection
(which is now a no-op since defaultLayer is Flag-backed, not Config-backed)
to ServerAuth.Config.layer({...}) for explicit overrides, or Flag mutation
for tests that exercise the production read path.
46/46 auth + PTY tests pass.
|
||
|---|---|---|
| .. | ||
| bin | ||
| migration | ||
| script | ||
| scripts | ||
| specs | ||
| src | ||
| test | ||
| .gitignore | ||
| AGENTS.md | ||
| BUN_SHELL_MIGRATION_PLAN.md | ||
| bunfig.toml | ||
| Dockerfile | ||
| drizzle.config.ts | ||
| git | ||
| package.json | ||
| parsers-config.ts | ||
| README.md | ||
| sst-env.d.ts | ||
| tsconfig.json | ||