Merge pull request #1175 from objectstack-ai/copilot/fix-cors-header-issue

xuyushun441-sys · web-flow · commit db088d2431a0 · 2026-04-17T12:39:00.000+08:00
fix(server): preserve CORS headers on Vercel preflight and bootstrap-failure paths
diff --git a/apps/server/CHANGELOG.md b/apps/server/CHANGELOG.md
@@ -4,6 +4,10 @@
 
 ### Patch Changes
 
+- **Fixed missing `Access-Control-Allow-Origin` header on Vercel deployment.** Two code paths in `server/index.ts` previously returned raw `Response` objects that bypassed the Hono app (and therefore the CORS middleware registered inside `createHonoApp`):
+  - `OPTIONS` preflight requests went through full kernel bootstrap, which is slow and can fail on cold start — causing the browser to see a preflight with no CORS headers and block every subsequent `/api/v1/*` GET.
+  - Bootstrap-failure `503` responses had no CORS headers at all, surfacing in the browser as a generic "missing Access-Control-Allow-Origin" error instead of the real status code.
+  - Fix: `OPTIONS` is now short-circuited **before** `ensureApp()` with a proper CORS preflight response; the `503` bootstrap-failure response is now wrapped with the same CORS headers via `withCorsHeaders()`. Both helpers honour the same `CORS_ENABLED` / `CORS_ORIGIN` / `CORS_CREDENTIALS` / `CORS_MAX_AGE` env vars as the Hono adapter, so behaviour is identical whether or not the kernel has finished booting.
 - **Unified Studio mount path to `/_studio/` for all deployments** (CLI embedded, Vercel, self-host).
   - `vercel.json`: studio SPA now serves under `/_studio/:path*` with a dedicated rewrite to `/_studio/index.html`. Root `/` and bare `/_studio` redirect to `/_studio/`. Asset caching headers scoped to `/_studio/assets/*`. `VITE_BASE=/_studio/` is set in `build.env`.
   - `scripts/build-vercel.sh`: studio dist is copied to `public/_studio/` (previously `public/`), so Vercel serves it under the same sub-path the CLI uses. This resolves the deep-link / sidebar-click routing failures that occurred when the Studio was mounted at the public root.
diff --git a/apps/server/server/index.ts b/apps/server/server/index.ts
@@ -72,6 +72,128 @@ async function ensureApp(): Promise<Hono> {
     return _app;
 }
 
+// ---------------------------------------------------------------------------
+// CORS headers — applied to responses that bypass the Hono app
+// (bootstrap failures, preflight short-circuit). Mirrors the defaults of
+// `createHonoApp()` so behaviour is identical whether or not the kernel
+// has finished booting. See packages/adapters/hono/src/index.ts.
+//
+// Controlled by the same environment variables as the Hono adapter:
+//   CORS_ENABLED, CORS_ORIGIN, CORS_CREDENTIALS, CORS_MAX_AGE.
+// ---------------------------------------------------------------------------
+
+const CORS_ALLOW_METHODS = 'GET,POST,PUT,DELETE,PATCH,HEAD,OPTIONS';
+const CORS_ALLOW_HEADERS = 'Content-Type,Authorization,X-Requested-With';
+
+function corsEnabled(): boolean {
+    return process.env.CORS_ENABLED !== 'false';
+}
+
+function corsCredentials(): boolean {
+    return process.env.CORS_CREDENTIALS !== 'false';
+}
+
+function corsMaxAge(): number {
+    return process.env.CORS_MAX_AGE ? parseInt(process.env.CORS_MAX_AGE, 10) : 86400;
+}
+
+/**
+ * Resolve the `Access-Control-Allow-Origin` value for a given request.
+ *
+ * - If `CORS_ORIGIN` is unset, reflects the request `Origin` (or `*` when
+ *   credentials are disabled and no `Origin` is sent).
+ * - If `CORS_ORIGIN` is a comma-separated list, matches against it.
+ * - Returns `null` if the origin is disallowed.
+ */
+function resolveAllowOrigin(requestOrigin: string | null): string | null {
+    const credentials = corsCredentials();
+    const envOrigin = process.env.CORS_ORIGIN?.trim();
+
+    if (!envOrigin) {
+        // Default: reflect origin (credentials-safe). Fall back to '*' only
+        // when no Origin header is sent and credentials are disabled.
+        if (requestOrigin) return requestOrigin;
+        return credentials ? null : '*';
+    }
+
+    if (envOrigin === '*') {
+        if (credentials) return requestOrigin || null;
+        return '*';
+    }
+
+    const allowed = envOrigin.includes(',')
+        ? envOrigin.split(',').map((s: string) => s.trim()).filter(Boolean)
+        : [envOrigin];
+
+    if (requestOrigin && allowed.includes(requestOrigin)) return requestOrigin;
+    // Exact match with the single configured origin is allowed as a safe default
+    if (allowed.length === 1 && !requestOrigin) return allowed[0];
+    return null;
+}
+
+/**
+ * Apply CORS headers to a Response that was produced outside of the Hono app
+ * (e.g., bootstrap-failure 503). Headers are added to a cloned Response so
+ * the original is never mutated. Non-browser requests (no `Origin`) are
+ * passed through untouched.
+ */
+function withCorsHeaders(response: Response, request: Request): Response {
+    if (!corsEnabled()) return response;
+
+    const requestOrigin = request.headers.get('origin');
+    const allowOrigin = resolveAllowOrigin(requestOrigin);
+    if (!allowOrigin) return response;
+
+    // Clone so we can mutate headers — Response headers may be locked.
+    const headers = new Headers(response.headers);
+    headers.set('Access-Control-Allow-Origin', allowOrigin);
+    if (corsCredentials()) {
+        headers.set('Access-Control-Allow-Credentials', 'true');
+    }
+    // Vary on Origin whenever we reflect it, per CORS spec recommendation.
+    const existingVary = headers.get('Vary');
+    if (!existingVary) {
+        headers.set('Vary', 'Origin');
+    } else if (!/(^|,\s*)Origin(\s*,|$)/i.test(existingVary)) {
+        headers.set('Vary', `${existingVary}, Origin`);
+    }
+
+    return new Response(response.body, {
+        status: response.status,
+        statusText: response.statusText,
+        headers,
+    });
+}
+
+/**
+ * Build a CORS preflight (OPTIONS) response without requiring the kernel to
+ * be booted. Browsers block the subsequent simple request if preflight fails
+ * for any reason, so this path must never depend on bootstrap success.
+ */
+function buildPreflightResponse(request: Request): Response {
+    const requestOrigin = request.headers.get('origin');
+    const allowOrigin = resolveAllowOrigin(requestOrigin);
+
+    // No Origin header or disallowed origin → 204 without CORS headers
+    // (matches Hono's cors() behaviour for non-browser/disallowed requests).
+    if (!allowOrigin) {
+        return new Response(null, { status: 204 });
+    }
+
+    const requestedHeaders = request.headers.get('access-control-request-headers');
+    const headers = new Headers({
+        'Access-Control-Allow-Origin': allowOrigin,
+        'Access-Control-Allow-Methods': CORS_ALLOW_METHODS,
+        'Access-Control-Allow-Headers': requestedHeaders || CORS_ALLOW_HEADERS,
+        'Access-Control-Max-Age': String(corsMaxAge()),
+        Vary: 'Origin, Access-Control-Request-Headers',
+    });
+    if (corsCredentials()) {
+        headers.set('Access-Control-Allow-Credentials', 'true');
+    }
+    return new Response(null, { status: 204, headers });
+}
+
 // ---------------------------------------------------------------------------
 // Body extraction — reads Vercel's pre-buffered request body.
 // ---------------------------------------------------------------------------
@@ -125,13 +247,27 @@ function resolvePublicUrl(
 // ---------------------------------------------------------------------------
 
 export default getRequestListener(async (request, env) => {
+    const method = request.method.toUpperCase();
+    const incoming = (env as VercelEnv)?.incoming;
+    const url = resolvePublicUrl(request.url, incoming);
+
+    // ─── CORS Preflight short-circuit ──────────────────────────────────────
+    // OPTIONS requests must never depend on kernel bootstrap. If we let them
+    // fall through to ensureApp() a slow/failed cold start would cause the
+    // browser to see a missing Access-Control-Allow-Origin on the preflight,
+    // which then blocks every subsequent `/api/v1/*` request.
+    if (method === 'OPTIONS') {
+        console.log(`[Vercel] OPTIONS ${url} (preflight short-circuit)`);
+        return buildPreflightResponse(request);
+    }
+
     let app: Hono;
     try {
         app = await ensureApp();
     } catch (err: unknown) {
         const message = err instanceof Error ? err.message : String(err);
         console.error('[Vercel] Handler error — bootstrap did not complete:', message);
-        return new Response(
+        const errorResponse = new Response(
             JSON.stringify({
                 success: false,
                 error: {
@@ -141,16 +277,15 @@ export default getRequestListener(async (request, env) => {
             }),
             { status: 503, headers: { 'content-type': 'application/json' } },
         );
+        // Ensure CORS headers are present even on bootstrap failure so that
+        // browsers surface the real status code instead of a generic CORS
+        // error. Without this the frontend sees "missing Access-Control-Allow-Origin".
+        return withCorsHeaders(errorResponse, request);
     }
 
-    const method = request.method.toUpperCase();
-    const incoming = (env as VercelEnv)?.incoming;
-
-    const url = resolvePublicUrl(request.url, incoming);
-
     console.log(`[Vercel] ${method} ${url}`);
 
-    if (method !== 'GET' && method !== 'HEAD' && method !== 'OPTIONS' && incoming) {
+    if (method !== 'GET' && method !== 'HEAD' && incoming) {
         const contentType = incoming.headers?.['content-type'];
         const contentTypeStr = Array.isArray(contentType) ? contentType[0] : contentType;
         const body = extractBody(incoming, method, contentTypeStr);
