Skip to content

fix(server): preserve CORS headers on Vercel preflight and bootstrap-failure paths#1175

Merged
xuyushun441-sys merged 1 commit intomainfrom
copilot/fix-cors-header-issue
Apr 17, 2026
Merged

fix(server): preserve CORS headers on Vercel preflight and bootstrap-failure paths#1175
xuyushun441-sys merged 1 commit intomainfrom
copilot/fix-cors-header-issue

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Apr 17, 2026

Frontend requests to the Vercel-deployed apps/server fail with missing Access-Control-Allow-Origin on /api/v1/*. Two paths in apps/server/server/index.ts return raw Response objects that bypass the Hono app — and therefore the CORS middleware registered inside createHonoApp.

Root cause

  • Preflight depends on bootstrap. OPTIONS requests fall through to ensureApp(). A slow/failed cold start yields a preflight with no CORS headers, which the browser caches as a failure and then blocks every subsequent /api/v1/* GET.
  • 503 bootstrap-failure has no CORS headers. When ensureKernel() throws, the handler returns a raw 503, so the browser surfaces a generic CORS error instead of the real status.

Changes

  • withCorsHeaders(response, request) — clones a Response and attaches Access-Control-Allow-Origin / -Credentials / Vary: Origin. Mirrors createHonoApp's env-driven defaults (CORS_ENABLED, CORS_ORIGIN, CORS_CREDENTIALS, CORS_MAX_AGE) so behaviour is identical whether or not the kernel finished booting.
  • buildPreflightResponse(request) — produces a 204 preflight with Allow-Methods, Allow-Headers (echoing Access-Control-Request-Headers when sent), Max-Age.
  • Handler rewrite — short-circuit OPTIONS before ensureApp(), and wrap the 503 bootstrap-failure response with withCorsHeaders. Successful responses remain untouched; Hono's cors() still owns them.
  • apps/server/CHANGELOG.md updated.
// apps/server/server/index.ts
if (method === 'OPTIONS') {
    return buildPreflightResponse(request); // never touches the kernel
}

try {
    app = await ensureApp();
} catch (err) {
    return withCorsHeaders(new Response(/* 503 JSON */), request);
}

Notes for reviewers

  • CORS_ORIGIN unset + credentials=true + no Origin header → no ACAO emitted (spec-correct: wildcard is illegal with credentials; non-browser callers don't need it).
  • Allowlist (CORS_ORIGIN="a,b") is honoured on both paths; mismatched origins get no ACAO.
  • The hono adapter (createHonoApp) is unchanged — the fix is scoped to the Vercel entrypoint that sits in front of it.

@xuyushun441-sys
fix(server): ensure CORS headers on Vercel preflight + bootstrap-fail…
4f4a659 
…ure responses

Agent-Logs-Url: https://github.com/objectstack-ai/framework/sessions/5547ad9e-8774-4b29-a908-5b6c46d66d4b

Co-authored-by: xuyushun441-sys <255036401+xuyushun441-sys@users.noreply.github.com>
@vercel
Copy link
Copy Markdown

vercel bot commented Apr 17, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
objectstack-demo Ready Ready Preview, Comment Apr 17, 2026 4:38am
spec Ready Ready Preview, Comment Apr 17, 2026 4:38am

Request Review

@xuyushun441-sys xuyushun441-sys marked this pull request as ready for review April 17, 2026 04:38
@xuyushun441-sys xuyushun441-sys merged commit db088d2 into main Apr 17, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

Copilot code review Copilot

@xuyushun441-sys xuyushun441-sys

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@xuyushun441-sys