fix(server): require auth for effect root routes #26361
Merged
kitlangton merged 2 commits into anomalyco:dev from May 8, 2026
Contributor
Thanks for your contribution! This PR doesn't have a linked issue. All PRs must reference an existing issue. Please:
See CONTRIBUTING.md for details.
Contributor
Thanks for updating your PR! It now meets our contributing guidelines. 👍
kitlangton approved these changes May 8, 2026
Contributor kitlangton left a comment
📣 🧠 ⚠️ 🦆 LLM PSYCHOSIS — ENABLED
Comes now Mr. Duck, duly authorized agent of record,
appearing herein on behalf of and representing Kit Langton,
sole principal in this matter. The terminal is entered.
+------------------------------------------------------------+
| 📣 🦆 MR. DUCK › on behalf of Kit |
| Location: PR #26361 |
| Exits: /global/* auth, control route auth, follow-up cleanup|
+------------------------------------------------------------+
Mr. Duck stands at the route-tree gate with a small shield.
The root routes were outside the ward; this puts them in.
<(o )___
( ./ Mr. Duck, shield raised
╔═╗
║+║
╚═╝
> approve
This matches the reproduced bug: RootHttpApi was mounted
outside auth while instance routes were protected. The fix
applies the existing auth router middleware at the right layer.
root ── global/control ── auth now present
\
instance ── auth + workspace context
> follow-up
I may open a small cleanup after this lands to make the route
protection boundaries more explicit and harder to mis-wire.
--------------------------------------------------------------
> _ [approve] [merge] [quit]
mr. duck on behalf of kit
katosun2 pushed a commit to katosun2/opencode that referenced this pull request May 10, 2026
Co-authored-by: Rajvardhan Patil <[email protected]>
Issue for this PR
Fixes #26362
Type of change
What does this PR do?
Protects the Effect HTTP API root route layer with the existing server auth router middleware. This makes global/control root endpoints enforce OPENCODE_SERVER_PASSWORD the same way instance, UI, raw, and legacy Hono routes already do.
Adds regression coverage for missing, invalid, and valid credentials on the affected root routes.
How did you verify your code works?
git diff --check
npm exec --yes [email protected] -- test test/server/httpapi-bridge.test.ts --preload test/preload.ts, but this checkout does not have dependencies installed: preload not found "@opentui/solid/preload"
npm exec --yes [email protected] -- install --frozen-lockfile, but local package installation failed with registry/cache tarball integrity and extraction errors
Screenshots / recordings
N/A; server-side change only.
Checklist
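The mis-wiring this PR fixes, with the regression matrix from the description (missing, invalid and valid credentials) run against both layouts. This is an added example, not code from the PR or the project; the handler types, mount paths, Bearer header format and password value are assumptions.

```typescript
// Added example: hypothetical names and paths, not the project's router or auth code.
type Req = { path: string; headers: Record<string, string> };
type Res = { status: number; body: string };
type Handler = (req: Req) => Res;

// Constructed stand-in for the value of OPENCODE_SERVER_PASSWORD.
const PASSWORD = "constructed-test-password";
// Compare without returning early at the first mismatching character.
function safeEqual(a: string, b: string): boolean {
  let diff = a.length ^ b.length;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Auth middleware (assumed Bearer format): reject before the wrapped handler runs.
const requireAuth = (next: Handler): Handler => (req) =>
  safeEqual(req.headers["authorization"] ?? "", `Bearer ${PASSWORD}`)
    ? next(req)
    : { status: 401, body: "unauthorized" };

// Mount handlers under path prefixes; the first matching prefix wins.
const router = (mounts: Array<[string, Handler]>): Handler => (req) => {
  const hit = mounts.find(([prefix]) => req.path.startsWith(prefix));
  return hit ? hit[1](req) : { status: 404, body: "not found" };
};

const globalRoutes: Handler = () => ({ status: 200, body: "global ok" });
const instanceRoutes: Handler = () => ({ status: 200, body: "instance ok" });

// Before: only the instance subtree is wrapped; root routes answer anyone.
const before = router([
  ["/global/", globalRoutes],
  ["/instance/", requireAuth(instanceRoutes)],
]);
// After: auth wraps the root of the tree, so every mount inherits it.
const after = requireAuth(router([
  ["/global/", globalRoutes],
  ["/instance/", instanceRoutes],
]));

// Statuses for missing, invalid and valid credentials on one path.
function statusMatrix(app: Handler, path: string): number[] {
  const cases: Array<Record<string, string>> = [
    {}, { authorization: "Bearer wrong" }, { authorization: `Bearer ${PASSWORD}` },
  ];
  return cases.map((headers) => app({ path, headers }).status);
}
```

With the middleware at the root, an unmatched path is also rejected with 401 for missing or invalid credentials, because the credential check runs before routing.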