Skip to content

Serve client-metadata.json with CORS — hosted-origin Bluesky sign-in was broken#41

Merged
jpdevries merged 1 commit into
mainfrom
fix/client-metadata-cors
Jul 13, 2026
Merged

Serve client-metadata.json with CORS — hosted-origin Bluesky sign-in was broken#41
jpdevries merged 1 commit into
mainfrom
fix/client-metadata-cors

Conversation

@jpdevries

Copy link
Copy Markdown
Owner

What

Adds packages/marketing/public/_headers so /client-metadata.json is served with Access-Control-Allow-Origin: *.

Why

BrowserOAuthClient.load({ clientId }) fetches the client_id URL from the browser. On my.pantryhost.app that's a cross-origin fetch to pantryhost.app, which served the metadata with no CORS header — so BlueskyAuth init fails with TypeError: Failed to fetch and hosted-origin sign-in never gets to the OAuth dance. Every successful sign-in so far happened on loopback (127.0.0.1), where the client is constructed locally without fetching metadata.

The publish-broker rollout (#38, merged) makes my.pantryhost.app the sign-in origin for all self-hosted publishers, so this is now load-bearing: reproduced on the live site — console shows the init failure on /publish-broker.

Verification

  • vite build copies _headers into dist/
  • wrangler dev (Workers assets honor _headers): curl -I -H "Origin: https://my.pantryhost.app" http://localhost:8788/client-metadata.jsonAccess-Control-Allow-Origin: *
  • Post-merge check: same curl against https://pantryhost.app/client-metadata.json, then confirm sign-in works on https://my.pantryhost.app/publish-broker

The client metadata is a public document fetched without credentials — * is the correct scope.

🤖 Generated with Claude Code

… was broken

BrowserOAuthClient.load() fetches the client_id URL from the browser,
which is cross-origin from my.pantryhost.app. pantryhost.app served the
metadata without Access-Control-Allow-Origin, so hosted-origin Bluesky
sign-in failed with "Failed to fetch" before OAuth even started — every
successful sign-in to date happened on loopback, where the client is
constructed locally. Exposed by the publish-broker rollout (#38), which
makes my.pantryhost.app the sign-in origin for self-hosted publishers.

Workers static assets honor public/_headers (verified via wrangler dev:
ACAO * present on the response). Public document, no credentials.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jul 13, 2026

Copy link
Copy Markdown

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Updated (UTC)
✅ Deployment successful!
View logs
pantry-host-marketing 5483fc0 Jul 13 2026, 12:52 AM

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jul 13, 2026

Copy link
Copy Markdown

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Preview URL Updated (UTC)
✅ Deployment successful!
View logs
pantry-host-web 5483fc0 Commit Preview URL

Branch Preview URL
Jul 13 2026, 12:53 AM

@jpdevries jpdevries merged commit 60ba702 into main Jul 13, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant