fix(server): apply cors before legacy auth (anomalyco#26092)

Hona · web-flow · commit 2dffdfff4aa0 · 2026-05-07T08:55:09.000+10:00
diff --git a/packages/opencode/src/server/server.ts b/packages/opencode/src/server/server.ts
@@ -107,10 +107,10 @@ function createHono(opts: CorsOptions, selection: ServerBackend.Selection = Serv
   const backendAttributes = ServerBackend.attributes(selection)
   const app = new Hono()
     .onError(ErrorMiddleware)
-    .use(AuthMiddleware)
+    .use(CorsMiddleware(opts))
     .use(LoggerMiddleware(backendAttributes))
+    .use(AuthMiddleware)
     .use(CompressionMiddleware)
-    .use(CorsMiddleware(opts))
     .route("/global", GlobalRoutes())
 
   const runtime = adapter.create(app)
diff --git a/packages/opencode/test/server/httpapi-cors.test.ts b/packages/opencode/test/server/httpapi-cors.test.ts
@@ -63,6 +63,19 @@ describe("HttpApi CORS", () => {
     }),
   )
 
+  it.live("adds CORS headers to legacy unauthorized responses", () =>
+    Effect.gen(function* () {
+      const response = yield* Effect.promise(async () =>
+        Server.Legacy().app.request("/global/config", {
+          headers: { origin: "https://app.opencode.ai" },
+        }),
+      )
+
+      expect(response.status).toBe(401)
+      expect(response.headers.get("access-control-allow-origin")).toBe("https://app.opencode.ai")
+    }),
+  )
+
   it.live("uses custom CORS origins passed to the server", () =>
     Effect.gen(function* () {
       const listener = yield* Effect.acquireRelease(
