fix: return 401 from /global/health when credentials are provided but invalid

Zexi · claude · Zexi · commit 7c75568bf29b · 2026-05-15T19:00:09.000+02:00
Unauthenticated probes still get 200 so the SPA can discover the server
before the user has entered any credentials. But when an SDK or health-check
supplies explicit credentials that do not match, the endpoint now returns 401.
This makes the server-list health indicator accurately reflect auth status
instead of showing green even when the configured password is wrong.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/packages/opencode/src/server/routes/instance/httpapi/middleware/authorization.ts b/packages/opencode/src/server/routes/instance/httpapi/middleware/authorization.ts
@@ -153,9 +153,19 @@ export const authorizationLayer = Layer.effect(
     return Authorization.of((effect) =>
       Effect.gen(function* () {
         const request = yield* HttpServerRequest.HttpServerRequest
-        // Health endpoint must be public so the SPA can render before credentials
-        // are configured — otherwise the user can never reach the credential UI.
-        if (new URL(request.url, "http://localhost").pathname === "/global/health") return yield* effect
+        if (new URL(request.url, "http://localhost").pathname === "/global/health") {
+          // Allow unauthenticated probes so the SPA can discover the server before
+          // the user has entered credentials. But if credentials ARE supplied and
+          // wrong, return 401 — otherwise the health indicator stays green even
+          // when the configured password is incorrect.
+          const credential = yield* credentialFromRequest(request)
+          const hasCredentials = !!credential.username || Redacted.value(credential.password).length > 0
+          if (!hasCredentials || ServerAuth.authorized(credential, config)) return yield* effect
+          yield* HttpEffect.appendPreResponseHandler((_request, response) =>
+            Effect.succeed(HttpServerResponse.setHeader(response, "www-authenticate", WWW_AUTHENTICATE)),
+          )
+          return yield* new HttpApiError.Unauthorized({})
+        }
         return yield* credentialFromRequest(request).pipe(
           Effect.flatMap((credential) => validateCredential(effect, credential, config)),
         )
