Skip to content

fix(hub): add PATCH to CORS allowMethods so session rename works#391

Merged
tiann merged 1 commit intotiann:mainfrom
hqhq1025:fix/cors-and-sidechain-leaks
Apr 5, 2026
Merged

fix(hub): add PATCH to CORS allowMethods so session rename works#391
tiann merged 1 commit intotiann:mainfrom
hqhq1025:fix/cors-and-sidechain-leaks

Conversation

@hqhq1025
Copy link
Copy Markdown
Collaborator

@hqhq1025 hqhq1025 commented Apr 3, 2026

Problem

The "Rename Session" dialog in the web UI always fails with "Failed to rename. Please try again."

Root cause

The rename endpoint uses PATCH /api/sessions/:id, but the CORS middleware in hub/src/web/server.ts only allows:

allowMethods: ['GET', 'POST', 'DELETE', 'OPTIONS']

PATCH is missing. Browsers send a preflight OPTIONS request before any PATCH request. The server's preflight response doesn't include PATCH in Access-Control-Allow-Methods, so the browser blocks the actual request — it never reaches the route handler.

Fix

Add 'PATCH' to allowMethods:

allowMethods: ['GET', 'POST', 'PATCH', 'DELETE', 'OPTIONS']

Test plan

  • Open web UI → click session menu → "Rename Session" → enter new name → Save → should succeed

@hqhq1025
fix(hub): add PATCH to CORS allowMethods so session rename works
868a844 
The rename endpoint uses PATCH /api/sessions/:id, but the CORS
middleware only allowed GET, POST, DELETE, OPTIONS. Browsers send a
preflight OPTIONS request for PATCH; without it in allowMethods the
preflight fails and the request never reaches the handler, causing
"Failed to rename" in the web UI every time.

via [HAPI](https://hapi.run)

Co-Authored-By: HAPI <noreply@hapi.run>
github-actions[bot]
github-actions bot reviewed Apr 3, 2026
View reviewed changes
Copy link
Copy Markdown

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Findings

  • No issues identified in the added/modified lines.

Summary

  • Review mode: initial
  • No issues found in the diff. Residual risk: automated coverage for the browser-facing CORS preflight and rename flow was not found in repo/docs; existing session route tests in hub/src/web/routes/sessions.test.ts:1 cover other endpoints, not PATCH /api/sessions/:id.

Testing

  • Not run (automation): bun is unavailable in this runner (bun: command not found).

HAPI Bot

@tiann tiann merged commit f970072 into tiann:main Apr 5, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@hqhq1025 @tiann