Fix remote pairing CORS responses#2594

Merged
juliusmarminge merged 1 commit into pingdotgg:main from ben-vargas:codex-fix-cors-responses on May 8, 2026

Conversation

@ben-vargas
Contributor

@ben-vargas ben-vargas commented May 8, 2026

What Changed

Adds CORS headers to the actual JSON responses used by remote environment pairing:

  • /.well-known/t3/environment
  • /api/auth/session
  • /api/auth/bootstrap
  • /api/auth/bootstrap/bearer
  • /api/auth/websocket-token

The allowed methods and headers are shared with the existing CORS preflight configuration so OPTIONS and the real GET/POST responses stay aligned.

This also adds server tests for cross-origin environment discovery and the bearer auth bootstrap/session/websocket-token flow.

Why

Fixes #1928.

That issue was closed, but I can still reproduce it on the latest nightly I tested: 0.0.23-nightly.20260508.230.

The backend is reachable directly from the client machine, and the environment descriptor returns 200 OK from curl/browser navigation. The failure happens when the app does a cross-origin fetch from the web/Electron renderer:

Failed to fetch remote auth endpoint

The server already handles OPTIONS preflight, but the actual GET/POST responses do not include Access-Control-Allow-Origin, so Chromium blocks the readable response.

This keeps the fix on the server side instead of requiring users to run a reverse proxy that injects the missing CORS headers.

UI Changes

No UI changes.

The visible behavior change is that remote pairing succeeds instead of failing with Failed to fetch remote auth endpoint.

Checklist

  • This PR is small and focused
  • I explained what changed and why
  • I included before/after screenshots for any UI changes
  • I included a video for animation/interaction changes

Validation

  • bun fmt
  • bun lint
  • bun typecheck
  • bun run --cwd apps/server test src/server.test.ts

I also verified the fix manually by pairing two machines over Tailscale without a custom proxy.
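Shown here as an added example (not the project's own httpCors.ts or server code): one shared allowlist feeding both the preflight and the JSON response builders, plus a parity check that flags the exact failure described above, where OPTIONS passes but the real GET/POST reply lacks Access-Control-Allow-Origin. All names are hypothetical; the `*` origin mirrors the policy the page says is unchanged.

```typescript
// Added example, not the project's code. Names are hypothetical.
type HeaderMap = Record<string, string>;
interface HttpResponse { status: number; headers: HeaderMap; body: string }

// Single source of truth so preflight and real responses cannot drift apart.
const CORS_ALLOWED_ORIGIN = "*"; // unchanged policy per the page; assumption
const CORS_ALLOWED_METHODS = "GET, POST, OPTIONS";
const CORS_ALLOWED_HEADERS = "authorization, content-type";

function corsHeaders(): HeaderMap {
  return {
    "access-control-allow-origin": CORS_ALLOWED_ORIGIN,
    "access-control-allow-methods": CORS_ALLOWED_METHODS,
    "access-control-allow-headers": CORS_ALLOWED_HEADERS,
  };
}

// OPTIONS preflight: this side was already correct before the fix.
function preflightResponse(): HttpResponse {
  return { status: 204, headers: corsHeaders(), body: "" };
}

// The "before" shape: a JSON reply that never received the CORS headers,
// so Chromium treats the otherwise-200 response as opaque.
function legacyJsonResponse(body: unknown, status = 200): HttpResponse {
  return { status, headers: { "content-type": "application/json" }, body: JSON.stringify(body) };
}

// The fixed shape: every JSON reply, success or auth error alike, carries
// the same headers the preflight advertised.
function jsonResponse(body: unknown, status = 200): HttpResponse {
  return {
    status,
    headers: { "content-type": "application/json", ...corsHeaders() },
    body: JSON.stringify(body),
  };
}

// Parity check: returns the access-control-* names the preflight sends that
// are missing or different on the actual response. Empty means aligned.
function corsMismatches(preflight: HttpResponse, actual: HttpResponse): string[] {
  return Object.keys(preflight.headers)
    .filter((name) => name.startsWith("access-control-"))
    .filter((name) => actual.headers[name] !== preflight.headers[name]);
}
```

A wildcard origin also means the browser will neither send cookies nor honour Access-Control-Allow-Credentials, so auth state for these endpoints has to travel in a bearer header rather than a session cookie.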


Note

Medium Risk
Broadens Access-Control-Allow-* headers to additional auth and environment responses; while aligned with existing preflight config, it changes cross-origin accessibility for these endpoints and should be reviewed for unintended exposure.

Overview
Fixes remote pairing/browser fetches by adding Access-Control-Allow-* headers to the actual JSON responses (not just OPTIONS preflight) for /.well-known/t3/environment and key auth endpoints (/api/auth/session, /api/auth/bootstrap, /api/auth/bootstrap/bearer, /api/auth/ws-token), including respondToAuthError.

Extracts shared CORS allowlists into new httpCors.ts and reuses them in both the CORS middleware and response builders to keep preflight and response headers consistent. Adds/updates server tests to assert these CORS headers on cross-origin success and failure flows.

Reviewed by Cursor Bugbot for commit ea0ca88. Bugbot is set up for automated code reviews on this repo. Configure here.

Note

Fix CORS headers on remote pairing auth and environment responses

  • Adds access-control-allow-origin, access-control-allow-methods, and access-control-allow-headers headers to all auth endpoints (/api/auth/session, /api/auth/bootstrap, /api/auth/bootstrap/bearer, /api/auth/ws-token) and /.well-known/t3/environment.
  • Extracts shared CORS constants into a new httpCors.ts module so allowed methods and headers are defined once and reused across middleware and response construction.
  • Adds integration tests covering CORS header presence on successful responses, error responses, and preflight requests from cross-origin clients.

Macroscope summarized ea0ca88.

@coderabbitai

coderabbitai Bot commented May 8, 2026

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.


@github-actions github-actions Bot added size:M 30-99 changed lines (additions + deletions). vouch:unvouched PR author is not yet trusted in the VOUCHED list. labels May 8, 2026

@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.


❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit 80fe9ca. Configure here.

Comment thread apps/server/src/httpCors.ts Outdated
macroscopeapp[bot]
macroscopeapp Bot previously approved these changes May 8, 2026
@macroscopeapp

macroscopeapp Bot commented May 8, 2026

Approvability

Verdict: Approved

Straightforward bug fix that adds existing CORS headers to HTTP responses that were missing them. The CORS policy (allow-origin: *) is unchanged - this just ensures consistency between the preflight handler and actual responses. Comprehensive tests included.


Add actual CORS response headers for the public environment descriptor and browser remote-auth JSON endpoints so linked web clients can complete pairing without a custom proxy.

References pingdotgg#1928
@ben-vargas ben-vargas force-pushed the codex-fix-cors-responses branch from 80fe9ca to ea0ca88 Compare May 8, 2026 08:35
@macroscopeapp macroscopeapp Bot dismissed their stale review May 8, 2026 08:36

Dismissing prior approval to re-evaluate ea0ca88

@juliusmarminge juliusmarminge enabled auto-merge (squash) May 8, 2026 23:49
@juliusmarminge juliusmarminge merged commit e0f3abd into pingdotgg:main May 8, 2026
12 checks passed
@ben-vargas ben-vargas deleted the codex-fix-cors-responses branch May 9, 2026 16:38


Linked issue (may be closed by this pull request):

[Bug]: "Failed to fetch remote auth endpoint" error when trying to connect to headless remote server