Skip to content

Fix CORS_ORIGIN wildcard patterns in @objectstack/hono adapter#1178

Merged
xuyushun441-sys merged 1 commit intomainfrom
copilot/update-fix-task-issue
Apr 17, 2026
Merged

Fix CORS_ORIGIN wildcard patterns in @objectstack/hono adapter#1178
xuyushun441-sys merged 1 commit intomainfrom
copilot/update-fix-task-issue

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Apr 17, 2026

PR #1177 unified wildcard matching across the Vercel OPTIONS short-circuit and plugin-hono-server, but missed a third path: createHonoApp() in @objectstack/hono. Since apps/server routes all non-OPTIONS traffic through this adapter on Vercel, preflights succeeded but the ensuing POST/GET responses shipped without Access-Control-Allow-Origin — the browser blocked every real request.

Root cause

createHonoApp() passed CORS_ORIGIN straight into Hono's cors() middleware, which does exact-string comparison and treats * as a literal character:

// CORS_ORIGIN="https://*.objectui.org,http://localhost:*"
app.use('*', cors({ origin: ['https://*.objectui.org', 'http://localhost:*'] }));
// → no match for https://app.objectui.org → no Access-Control-Allow-Origin header

Changes

  • packages/adapters/hono/src/index.ts — detect wildcard patterns via hasWildcardPattern and swap in a createOriginMatcher function for Hono's origin option. Branch logic mirrors plugin-hono-server exactly, preserving the single source of truth established in Fix CORS_ORIGIN wildcard patterns on Vercel deployments #1177.
  • packages/adapters/hono/package.json — add workspace dep on @objectstack/plugin-hono-server (no cycle; the plugin depends only on core + spec).
  • packages/adapters/hono/src/hono.test.ts — 5 new tests covering subdomain wildcards, port wildcards, comma-separated lists, rejection of unmatched origins, and wildcard preflight.
  • CHANGELOG.md — follow-up entry under Unreleased / Fixed.

Invariant worth preserving

All three Hono-based CORS sites must route wildcard handling through @objectstack/plugin-hono-server:

  1. apps/server/server/index.ts — Vercel OPTIONS short-circuit
  2. packages/plugins/plugin-hono-server/src/hono-plugin.ts
  3. packages/adapters/hono/src/index.tscreateHonoApp()this PR

Any future CORS change needs to touch all three or risk the same split-brain failure mode.

@xuyushun441-sys
fix(hono-adapter): support CORS_ORIGIN wildcard patterns in createHon…
46adf77 
…oApp

Agent-Logs-Url: https://github.com/objectstack-ai/framework/sessions/ed3eba80-26bc-4802-a749-a8441033eaf0

Co-authored-by: xuyushun441-sys <255036401+xuyushun441-sys@users.noreply.github.com>
@vercel
Copy link
Copy Markdown

vercel bot commented Apr 17, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
objectstack-demo Ready Ready Preview, Comment Apr 17, 2026 11:10am
spec Ready Ready Preview, Comment Apr 17, 2026 11:10am

Request Review

@xuyushun441-sys xuyushun441-sys marked this pull request as ready for review April 17, 2026 11:10
@xuyushun441-sys xuyushun441-sys merged commit 4737f9c into main Apr 17, 2026
3 checks passed
Copilot AI mentioned this pull request Apr 17, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

Copilot code review Copilot

@xuyushun441-sys xuyushun441-sys

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@xuyushun441-sys