fix(pds): allow Authorization header in CORS preflight

jphastings · jphastings · commit 6266817afdce · 2026-06-01T12:06:58.000+02:00
The CORS middleware advertised `Access-Control-Allow-Headers: *`, but `*` wildcard does not cover the `Authorization` header. Authenticated cross-origin XRPC calls from web clients (e.g. PDS Moover's getRepoStatus) were being blocked at preflight. Lists the allowed headers explicitly instead.
diff --git a/.changeset/cors-authorization-header.md b/.changeset/cors-authorization-header.md
@@ -0,0 +1,7 @@
+---
+"@getcirrus/pds": patch
+---
+
+Be explicit with CORS headers so browser-based authenticated XRPC calls work (particularly PDS Moover).
+
+The CORS middleware advertised `Access-Control-Allow-Headers: *`, but the Fetch spec calls out that `*` wildcard does not cover the `Authorization` header — browsers require it to be named explicitly. As a result, authed cross-origin requests from web clients (eg. PDS Moover's `com.pdsmoover.backup.getRepoStatus`) were blocked at preflight. As `*` can't be used with other headers, all allowed headers are now listed explicitly.
diff --git a/packages/pds/src/index.ts b/packages/pds/src/index.ts
@@ -84,7 +84,16 @@ app.use(
 	cors({
 		origin: "*",
 		allowMethods: ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
-		allowHeaders: ["*"],
+		// `Authorization` must be listed explicitly: a `*` wildcard in
+		// Access-Control-Allow-Headers doesn't cover `Authorization`,
+		// so browsers block authed XRPC calls (e.g. PDS Moover).
+		allowHeaders: [
+			"Authorization",
+			"Content-Type",
+			"DPoP",
+			"atproto-proxy",
+			"atproto-accept-labelers",
+		],
 		exposeHeaders: ["Content-Type"],
 		maxAge: 86400,
 	}),
