fix(hono-adapter): always expose set-auth-token via CORS#1179
Merged
xuyushun441-sys merged 1 commit intomainfrom Apr 17, 2026
Merged
fix(hono-adapter): always expose set-auth-token via CORS#1179xuyushun441-sys merged 1 commit intomainfrom
set-auth-token via CORS#1179xuyushun441-sys merged 1 commit intomainfrom
Conversation
…igin auth Agent-Logs-Url: https://github.com/objectstack-ai/framework/sessions/343b8511-f629-420e-b9aa-2a850e84ce47 Co-authored-by: xuyushun441-sys <255036401+xuyushun441-sys@users.noreply.github.com>
Copilot created this pull request from a session on behalf of
xuyushun441-sys
April 17, 2026 11:38
View session
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Follow-up to #1177 and #1178. Those fixed CORS preflight and wildcard origin matching across the three Hono-based code paths, but cross-origin auth was still broken on Vercel:
createHonoApp()defaultedexposeHeadersto[], diverging fromplugin-hono-server(which sets['set-auth-token']since151dd19c). Sinceapps/serverroutes all traffic throughcreateHonoApp()on Vercel, browsers strippedset-auth-tokenfrom every response, preventing the better-authbearer()plugin from delivering rotated session tokens — sessions silently broke on any cross-origin refresh even though preflight and the request both succeeded.Changes
packages/adapters/hono/src/index.ts— always includeset-auth-tokeninexposeHeaders, merged and deduped with user-supplied values; mirrorsplugin-hono-serverlines 155–161.packages/adapters/hono/src/hono.test.ts— three new cases: default exposesset-auth-token, user-supplied exposeHeaders are merged (not replaced), no duplication when both include it.CHANGELOG.md— Unreleased / Fixed entry.Invariant worth preserving
All three Hono-based CORS sites must default
exposeHeadersto includeset-auth-token:packages/plugins/plugin-hono-server/src/hono-plugin.tspackages/adapters/hono/src/index.ts—createHonoApp()← this PRcors()apps/server/server/index.tsis unaffected — its short-circuit handles OPTIONS only, andAccess-Control-Expose-Headersapplies to actual responses, which flow throughcreateHonoApp().