feat: implement CORS support in Hono server and auth manager for enhanced security

Author: hotlong

packages/adapters/hono/src/index.ts

@@ -1,11 +1,31 @@
 // Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
 
 import { Hono } from 'hono';
+import { cors } from 'hono/cors';
 import { type ObjectKernel, HttpDispatcher, HttpDispatcherResult } from '@objectstack/runtime';
 
+export interface ObjectStackHonoCorsOptions {
+  /** Enable or disable CORS. Defaults to true. */
+  enabled?: boolean;
+  /** Allowed origins. Defaults to env `CORS_ORIGIN` or '*'. Comma-separated string or array. */
+  origin?: string | string[];
+  /** Allowed methods. */
+  methods?: string[];
+  /** Allow credentials (cookies, authorization headers). */
+  credentials?: boolean;
+  /** Preflight cache max-age in seconds. */
+  maxAge?: number;
+  /** Allowed headers. */
+  allowHeaders?: string[];
+  /** Exposed headers. */
+  exposeHeaders?: string[];
+}
+
 export interface ObjectStackHonoOptions {
   kernel: ObjectKernel;
   prefix?: string;
+  /** CORS configuration. Set to `false` to disable entirely. */
+  cors?: ObjectStackHonoCorsOptions | false;
 }
 
 /**
@@ -49,6 +69,52 @@ export function createHonoApp(options: ObjectStackHonoOptions): Hono {
   const prefix = options.prefix || '/api';
   const dispatcher = new HttpDispatcher(options.kernel);
 
+  // ─── CORS Middleware ──────────────────────────────────────────────────────
+  // Enabled by default. Controlled via options.cors or environment variables:
+  //   CORS_ENABLED     – "false" to disable (default: true)
+  //   CORS_ORIGIN      – comma-separated origins or "*" (default: "*")
+  //   CORS_CREDENTIALS – "false" to disallow credentials (default: true)
+  //   CORS_MAX_AGE     – preflight cache seconds (default: 86400)
+  const corsDisabledByEnv = process.env.CORS_ENABLED === 'false';
+  if (options.cors !== false && !corsDisabledByEnv) {
+    const corsOpts = typeof options.cors === 'object' ? options.cors : {};
+    const enabled = corsOpts.enabled ?? true;
+
+    if (enabled) {
+      // Resolve origins: options > env > default '*'
+      let configuredOrigin: string | string[];
+      if (corsOpts.origin) {
+        configuredOrigin = corsOpts.origin;
+      } else if (process.env.CORS_ORIGIN) {
+        const envOrigin = process.env.CORS_ORIGIN.trim();
+        configuredOrigin = envOrigin.includes(',') ? envOrigin.split(',').map(s => s.trim()) : envOrigin;
+      } else {
+        configuredOrigin = '*';
+      }
+
+      const credentials = corsOpts.credentials ?? (process.env.CORS_CREDENTIALS !== 'false');
+      const maxAge = corsOpts.maxAge ?? (process.env.CORS_MAX_AGE ? parseInt(process.env.CORS_MAX_AGE, 10) : 86400);
+
+      // When credentials is true, browsers reject wildcard '*' for Access-Control-Allow-Origin.
+      // Use a function to reflect the request's Origin header instead.
+      let origin: string | string[] | ((origin: string) => string | undefined | null);
+      if (credentials && configuredOrigin === '*') {
+        origin = (requestOrigin: string) => requestOrigin || '*';
+      } else {
+        origin = configuredOrigin;
+      }
+
+      app.use('*', cors({
+        origin: origin as any,
+        allowMethods: corsOpts.methods || ['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'HEAD', 'OPTIONS'],
+        allowHeaders: corsOpts.allowHeaders || ['Content-Type', 'Authorization', 'X-Requested-With'],
+        exposeHeaders: corsOpts.exposeHeaders || [],
+        credentials,
+        maxAge,
+      }));
+    }
+  }
+
   const errorJson = (c: any, message: string, code: number = 500) => {
     return c.json({ success: false, error: { message, code } }, code);
   };

packages/plugins/plugin-auth/src/auth-manager.ts

@@ -157,7 +157,23 @@ export class AuthManager {
       plugins: this.buildPluginList(),
 
       // Trusted origins for CSRF protection (supports wildcards like "https://*.example.com")
-      ...(this.config.trustedOrigins?.length ? { trustedOrigins: this.config.trustedOrigins } : {}),
+      // Auto-includes origins from CORS_ORIGIN env var so CORS and CSRF stay in sync.
+      ...(() => {
+        const origins: string[] = [...(this.config.trustedOrigins || [])];
+        // Sync with CORS_ORIGIN env var (comma-separated)
+        const corsOrigin = process.env.CORS_ORIGIN;
+        if (corsOrigin && corsOrigin !== '*') {
+          corsOrigin.split(',').map(s => s.trim()).filter(Boolean).forEach(o => {
+            if (!origins.includes(o)) origins.push(o);
+          });
+        }
+        // When CORS allows all origins (default) and no explicit trustedOrigins,
+        // trust all localhost ports in development for convenience.
+        if (!origins.length && (!corsOrigin || corsOrigin === '*')) {
+          origins.push('http://localhost:*');
+        }
+        return origins.length ? { trustedOrigins: origins } : {};
+      })(),
 
       // Advanced options (cross-subdomain cookies, secure cookies, CSRF, etc.)
       ...(this.config.advanced ? {

packages/plugins/plugin-hono-server/src/adapter.ts

@@ -3,15 +3,23 @@
 // Export IHttpServer from core
 export * from '@objectstack/core';
 
-import { 
-    IHttpServer, 
-    RouteHandler, 
-    Middleware 
+import {
+    IHttpServer,
+    RouteHandler,
+    Middleware
 } from '@objectstack/core';
 import { Hono } from 'hono';
 import { serve } from '@hono/node-server';
 import { serveStatic } from '@hono/node-server/serve-static';
 
+export interface HonoCorsOptions {
+    enabled?: boolean;
+    origins?: string | string[];
+    methods?: string[];
+    credentials?: boolean;
+    maxAge?: number;
+}
+
 /**
  * Hono Implementation of IHttpServer
  */
@@ -137,7 +145,7 @@ export class HonoHttpServer implements IHttpServer {
     patch(path: string, handler: RouteHandler) {
         this.app.patch(path, this.wrap(handler));
     }
-    
+
     use(pathOrHandler: string | Middleware, handler?: Middleware) {
         if (typeof pathOrHandler === 'string' && handler) {
              // Path based middleware
@@ -217,6 +225,4 @@ export class HonoHttpServer implements IHttpServer {
             this.server.close();
         }
     }
-
-
 }

packages/plugins/plugin-hono-server/src/hono-plugin.ts

@@ -4,7 +4,8 @@ import { Plugin, PluginContext, IHttpServer, IDataEngine } from '@objectstack/co
 import {
     RestServerConfig,
 } from '@objectstack/spec/api';
-import { HonoHttpServer } from './adapter';
+import { HonoHttpServer, HonoCorsOptions } from './adapter';
+import { cors } from 'hono/cors';
 import { serveStatic } from '@hono/node-server/serve-static';
 import * as fs from 'fs';
 import * as path from 'path';
@@ -45,14 +46,22 @@ export interface HonoPluginOptions {
      * @default false
      */
     spaFallback?: boolean;
+
+    /**
+     * CORS configuration. Set to `false` to disable entirely.
+     * Enabled by default with origin '*'.
+     * Can also be controlled via environment variables:
+     *   CORS_ENABLED, CORS_ORIGIN, CORS_CREDENTIALS, CORS_MAX_AGE
+     */
+    cors?: HonoCorsOptions | false;
 }
 
 /**
  * Hono Server Plugin
- * 
+ *
  * Provides HTTP server capabilities using Hono framework.
  * Registers the IHttpServer service so other plugins can register routes.
- * 
+ *
  * Route registration is handled by plugins:
  * - `@objectstack/rest` → CRUD, metadata, discovery, UI, batch
  * - `createDispatcherPlugin()` → auth, graphql, analytics, packages, etc.
@@ -61,17 +70,17 @@ export class HonoServerPlugin implements Plugin {
     name = 'com.objectstack.server.hono';
     type = 'server';
     version = '0.9.0';
-    
+
     // Constants
     private static readonly DEFAULT_ENDPOINT_PRIORITY = 100;
     private static readonly CORE_ENDPOINT_PRIORITY = 950;
     private static readonly DISCOVERY_ENDPOINT_PRIORITY = 900;
-    
+
     private options: HonoPluginOptions;
     private server: HonoHttpServer;
 
     constructor(options: HonoPluginOptions = {}) {
-        this.options = { 
+        this.options = {
             port: 3000,
             registerStandardEndpoints: true,
             useApiRegistry: true,
@@ -86,17 +95,61 @@ export class HonoServerPlugin implements Plugin {
      * Init phase - Setup HTTP server and register as service
      */
     init = async (ctx: PluginContext) => {
-        ctx.logger.debug('Initializing Hono server plugin', { 
+        ctx.logger.debug('Initializing Hono server plugin', {
             port: this.options.port,
-            staticRoot: this.options.staticRoot 
+            staticRoot: this.options.staticRoot
         });
-        
+
         // Register HTTP server service as IHttpServer
         // Register as 'http.server' to match core requirements
         ctx.registerService('http.server', this.server);
         // Alias 'http-server' for backward compatibility
         ctx.registerService('http-server', this.server);
         ctx.logger.debug('HTTP server service registered', { serviceName: 'http.server' });
+
+        // ─── CORS Middleware ──────────────────────────────────────────────────
+        // Enabled by default. Controlled via options.cors or environment variables.
+        const corsDisabledByEnv = process.env.CORS_ENABLED === 'false';
+        if (this.options.cors !== false && !corsDisabledByEnv) {
+            const corsOpts = typeof this.options.cors === 'object' ? this.options.cors : {};
+            const enabled = corsOpts.enabled ?? true;
+
+            if (enabled) {
+                let configuredOrigin: string | string[];
+                if (corsOpts.origins) {
+                    configuredOrigin = corsOpts.origins;
+                } else if (process.env.CORS_ORIGIN) {
+                    const envOrigin = process.env.CORS_ORIGIN.trim();
+                    configuredOrigin = envOrigin.includes(',') ? envOrigin.split(',').map(s => s.trim()) : envOrigin;
+                } else {
+                    configuredOrigin = '*';
+                }
+
+                const credentials = corsOpts.credentials ?? (process.env.CORS_CREDENTIALS !== 'false');
+                const maxAge = corsOpts.maxAge ?? (process.env.CORS_MAX_AGE ? parseInt(process.env.CORS_MAX_AGE, 10) : 86400);
+
+                // When credentials is true, browsers reject wildcard '*' for Access-Control-Allow-Origin.
+                // Use a function to reflect the request's Origin header instead.
+                let origin: string | string[] | ((origin: string) => string | undefined | null);
+                if (credentials && configuredOrigin === '*') {
+                    origin = (requestOrigin: string) => requestOrigin || '*';
+                } else {
+                    origin = configuredOrigin;
+                }
+
+                const rawApp = this.server.getRawApp();
+                rawApp.use('*', cors({
+                    origin: origin as any,
+                    allowMethods: corsOpts.methods || ['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'HEAD', 'OPTIONS'],
+                    allowHeaders: ['Content-Type', 'Authorization', 'X-Requested-With'],
+                    exposeHeaders: [],
+                    credentials,
+                    maxAge,
+                }));
+
+                ctx.logger.debug('CORS middleware enabled', { origin: configuredOrigin, credentials });
+            }
+        }
     }
 
     /**
@@ -112,8 +165,8 @@ export class HonoServerPlugin implements Plugin {
         try {
             const rawKernel = ctx.getKernel() as any;
             if (rawKernel.plugins) {
-                const loadedPlugins = rawKernel.plugins instanceof Map 
-                    ? Array.from(rawKernel.plugins.values()) 
+                const loadedPlugins = rawKernel.plugins instanceof Map
+                    ? Array.from(rawKernel.plugins.values())
                     : Array.isArray(rawKernel.plugins) ? rawKernel.plugins : Object.values(rawKernel.plugins);
 
                 for (const plugin of (loadedPlugins as any[])) {
@@ -123,10 +176,10 @@ export class HonoServerPlugin implements Plugin {
                         // Derive base route from name: @org/console -> console
                         const slug = plugin.slug || plugin.name.split('/').pop();
                         const baseRoute = `/${slug}`;
-                        
-                        ctx.logger.debug(`Auto-mounting UI Plugin: ${plugin.name}`, { 
-                            path: baseRoute, 
-                            root: plugin.staticPath 
+
+                        ctx.logger.debug(`Auto-mounting UI Plugin: ${plugin.name}`, {
+                            path: baseRoute,
+                            root: plugin.staticPath
                         });
 
                         mounts.push({
@@ -161,7 +214,7 @@ export class HonoServerPlugin implements Plugin {
 
         if (mounts.length > 0) {
             const rawApp = this.server.getRawApp();
-            
+
             for (const mount of mounts) {
                 const mountRoot = path.resolve(process.cwd(), mount.root);
 
@@ -173,22 +226,22 @@ export class HonoServerPlugin implements Plugin {
                 const mountPath = mount.path || '/';
                 const normalizedPath = mountPath.startsWith('/') ? mountPath : `/${mountPath}`;
                 const routePattern = normalizedPath === '/' ? '/*' : `${normalizedPath.replace(/\/$/, '')}/*`;
-                
+
                 // Routes to register: both /mount and /mount/*
                 const routes = normalizedPath === '/' ? [routePattern] : [normalizedPath, routePattern];
 
-                ctx.logger.debug('Mounting static files', { 
-                    to: routes, 
-                    from: mountRoot, 
-                    rewrite: mount.rewrite, 
-                    spa: mount.spa 
+                ctx.logger.debug('Mounting static files', {
+                    to: routes,
+                    from: mountRoot,
+                    rewrite: mount.rewrite,
+                    spa: mount.spa
                 });
 
                 routes.forEach(route => {
                     // 1. Serve Static Files
                     rawApp.get(
-                        route, 
-                        serveStatic({ 
+                        route,
+                        serveStatic({
                             root: mount.root,
                             rewriteRequestPath: (reqPath) => {
                                 if (mount.rewrite && normalizedPath !== '/') {
@@ -208,12 +261,12 @@ export class HonoServerPlugin implements Plugin {
                             // Skip if API path check
                             const config = this.options.restConfig || {};
                             const basePath = config.api?.basePath || '/api';
-                            
+
                             if (c.req.path.startsWith(basePath)) {
                                 return next();
                             }
 
-                            return serveStatic({ 
+                            return serveStatic({
                                 root: mount.root,
                                 rewriteRequestPath: () => 'index.html'
                             })(c, next);
@@ -232,7 +285,7 @@ export class HonoServerPlugin implements Plugin {
 
             const port = this.options.port ?? 3000;
             ctx.logger.debug('Starting HTTP server', { port });
-            
+
             await this.server.listen(port);
 
             const actualPort = this.server.getPort();