@miaws/miaw 1.18.3 → 1.18.5

package/test/server/httpapi-authorization.test.ts

@@ -0,0 +1,174 @@
+import { NodeHttpServer } from "@effect/platform-node"
+import { describe, expect } from "bun:test"
+import { Effect, Layer, Option, Schema } from "effect"
+import { HttpClient, HttpClientRequest, HttpRouter } from "effect/unstable/http"
+import { HttpApi, HttpApiBuilder, HttpApiEndpoint, HttpApiError, HttpApiGroup } from "effect/unstable/httpapi"
+import { ServerAuth } from "../../src/server/auth"
+import {
+  Authorization,
+  authorizationLayer,
+  ServerAuthorization,
+  serverAuthorizationLayer,
+} from "../../src/server/routes/instance/httpapi/middleware/authorization"
+import { testEffect } from "../lib/effect"
+
+const Api = HttpApi.make("test-authorization").add(
+  HttpApiGroup.make("test")
+    .add(
+      HttpApiEndpoint.get("probe", "/probe", {
+        success: Schema.String,
+      }),
+      HttpApiEndpoint.get("missing", "/missing", {
+        success: Schema.String,
+        error: HttpApiError.NotFound,
+      }),
+    )
+    .middleware(Authorization),
+)
+
+const ServerApi = HttpApi.make("test-server-authorization").add(
+  HttpApiGroup.make("test.v2")
+    .add(
+      HttpApiEndpoint.get("probe", "/api/probe", {
+        success: Schema.String,
+      }),
+    )
+    .middleware(ServerAuthorization),
+)
+
+const handlers = HttpApiBuilder.group(Api, "test", (handlers) =>
+  handlers
+    .handle("probe", () => Effect.succeed("ok"))
+    .handle("missing", () => Effect.fail(new HttpApiError.NotFound({}))),
+)
+
+const serverHandlers = HttpApiBuilder.group(ServerApi, "test.v2", (handlers) =>
+  handlers.handle("probe", () => Effect.succeed("ok")),
+)
+
+const apiLayer = HttpRouter.serve(
+  HttpApiBuilder.layer(Api).pipe(Layer.provide(handlers), Layer.provide(authorizationLayer)),
+  { disableListenLog: true, disableLogger: true },
+).pipe(Layer.provideMerge(NodeHttpServer.layerTest))
+
+const v2ApiLayer = HttpRouter.serve(
+  HttpApiBuilder.layer(ServerApi).pipe(Layer.provide(serverHandlers), Layer.provide(serverAuthorizationLayer)),
+  { disableListenLog: true, disableLogger: true },
+).pipe(Layer.provideMerge(NodeHttpServer.layerTest))
+
+const noAuthLayer = ServerAuth.Config.layer({ password: Option.none(), username: "miaw" })
+const secretLayer = ServerAuth.Config.layer({ password: Option.some("secret"), username: "miaw" })
+const kitSecretLayer = ServerAuth.Config.layer({ password: Option.some("secret"), username: "kit" })
+
+const it = testEffect(apiLayer.pipe(Layer.provide(noAuthLayer)))
+const itSecret = testEffect(apiLayer.pipe(Layer.provide(secretLayer)))
+const itKitSecret = testEffect(apiLayer.pipe(Layer.provide(kitSecretLayer)))
+const itV2Secret = testEffect(v2ApiLayer.pipe(Layer.provide(secretLayer)))
+
+const basic = (username: string, password: string) => ServerAuth.header({ username, password }) ?? ""
+
+const token = (username: string, password: string) => Buffer.from(`${username}:${password}`).toString("base64")
+
+const getProbe = (headers?: Record<string, string>) =>
+  HttpClientRequest.get("/probe").pipe(
+    headers ? HttpClientRequest.setHeaders(headers) : (request) => request,
+    HttpClient.execute,
+  )
+
+describe("HttpApi authorization middleware", () => {
+  it.live("allows requests when server password is not configured", () =>
+    Effect.gen(function* () {
+      const response = yield* getProbe()
+
+      expect(response.status).toBe(200)
+      expect(yield* response.json).toBe("ok")
+    }),
+  )
+
+  itSecret.live("requires configured password for basic auth", () =>
+    Effect.gen(function* () {
+      const [missing, badPassword, good] = yield* Effect.all(
+        [
+          getProbe(),
+          getProbe({ authorization: basic("miaw", "wrong") }),
+          getProbe({ authorization: basic("miaw", "secret") }),
+        ],
+        { concurrency: "unbounded" },
+      )
+
+      expect(missing.status).toBe(401)
+      expect(missing.headers["www-authenticate"] ?? "").toContain("Basic")
+      expect(badPassword.status).toBe(401)
+      expect(badPassword.headers["www-authenticate"] ?? "").toContain("Basic")
+      expect(good.status).toBe(200)
+    }),
+  )
+
+  itKitSecret.live("respects configured basic auth username", () =>
+    Effect.gen(function* () {
+      const [defaultUser, configuredUser] = yield* Effect.all(
+        [getProbe({ authorization: basic("miaw", "secret") }), getProbe({ authorization: basic("kit", "secret") })],
+        { concurrency: "unbounded" },
+      )
+
+      expect(defaultUser.status).toBe(401)
+      expect(configuredUser.status).toBe(200)
+    }),
+  )
+
+  itSecret.live("accepts auth token query credentials", () =>
+    Effect.gen(function* () {
+      const response = yield* HttpClient.get(`/probe?auth_token=${encodeURIComponent(token("miaw", "secret"))}`)
+
+      expect(response.status).toBe(200)
+    }),
+  )
+
+  itSecret.live("prefers auth token query credentials over basic auth", () =>
+    Effect.gen(function* () {
+      const response = yield* HttpClientRequest.get(
+        `/probe?auth_token=${encodeURIComponent(token("miaw", "secret"))}`,
+      ).pipe(HttpClientRequest.setHeader("authorization", basic("miaw", "wrong")), HttpClient.execute)
+
+      expect(response.status).toBe(200)
+    }),
+  )
+
+  itSecret.live("preserves handler errors when basic auth succeeds", () =>
+    Effect.gen(function* () {
+      const response = yield* HttpClientRequest.get("/missing").pipe(
+        HttpClientRequest.setHeader("authorization", basic("miaw", "secret")),
+        HttpClient.execute,
+      )
+
+      expect(response.status).toBe(404)
+    }),
+  )
+
+  itSecret.live("preserves handler errors when auth token query succeeds", () =>
+    Effect.gen(function* () {
+      const response = yield* HttpClient.get(`/missing?auth_token=${encodeURIComponent(token("miaw", "secret"))}`)
+
+      expect(response.status).toBe(404)
+    }),
+  )
+
+  itSecret.live("rejects malformed auth token query credentials", () =>
+    Effect.gen(function* () {
+      const response = yield* HttpClient.get("/probe?auth_token=not-base64")
+
+      expect(response.status).toBe(401)
+    }),
+  )
+
+  itV2Secret.live("returns bodyful v2 unauthorized errors", () =>
+    Effect.gen(function* () {
+      const response = yield* HttpClient.get("/api/probe")
+      const body = yield* response.json
+
+      expect(response.status).toBe(401)
+      expect(response.headers["www-authenticate"] ?? "").toContain("Basic")
+      expect(body).toEqual({ _tag: "UnauthorizedError", message: "Authentication required" })
+    }),
+  )
+})

package/test/server/httpapi-compression.test.ts

@@ -0,0 +1,151 @@
+import { afterEach, describe, expect, test } from "bun:test"
+import { gunzipSync, inflateSync } from "node:zlib"
+import { Server } from "../../src/server/server"
+import { resetDatabase } from "../fixture/db"
+import { disposeAllInstances, tmpdir } from "../fixture/fixture"
+
+afterEach(async () => {
+  await disposeAllInstances()
+  await resetDatabase()
+})
+
+function app() {
+  return Server.Default().app
+}
+
+// /config echoes the config back. Padding the config pushes the response body
+// well past the 1024 B threshold so we can observe compression behavior.
+function fatConfig() {
+  const instructions: string[] = []
+  for (let i = 0; i < 50; i++) {
+    instructions.push(`padding-instruction-${i}-${"x".repeat(40)}`)
+  }
+  return {
+    formatter: false,
+    lsp: false,
+    username: "compression-test-user",
+    instructions,
+  }
+}
+
+describe("HttpApi compression", () => {
+  describe("encodes responses", () => {
+    test("gzips JSON when Accept-Encoding includes gzip and body exceeds threshold", async () => {
+      await using tmp = await tmpdir({ config: fatConfig() })
+      const response = await app().request("/config", {
+        headers: { "x-miaw-directory": tmp.path, "accept-encoding": "gzip" },
+      })
+      expect(response.status).toBe(200)
+      expect(response.headers.get("content-encoding")).toBe("gzip")
+      const compressed = new Uint8Array(await response.arrayBuffer())
+      const decompressed = gunzipSync(compressed)
+      const json = JSON.parse(new TextDecoder().decode(decompressed))
+      expect(json).toMatchObject({ username: "compression-test-user" })
+      expect(compressed.byteLength).toBeLessThan(decompressed.byteLength)
+    })
+
+    test("uses deflate when only deflate is acceptable", async () => {
+      await using tmp = await tmpdir({ config: fatConfig() })
+      const response = await app().request("/config", {
+        headers: { "x-miaw-directory": tmp.path, "accept-encoding": "deflate" },
+      })
+      expect(response.status).toBe(200)
+      expect(response.headers.get("content-encoding")).toBe("deflate")
+      const compressed = new Uint8Array(await response.arrayBuffer())
+      const decompressed = inflateSync(compressed)
+      const json = JSON.parse(new TextDecoder().decode(decompressed))
+      expect(json).toMatchObject({ username: "compression-test-user" })
+    })
+
+    test("prefers gzip when both gzip and deflate are acceptable", async () => {
+      await using tmp = await tmpdir({ config: fatConfig() })
+      const response = await app().request("/config", {
+        headers: { "x-miaw-directory": tmp.path, "accept-encoding": "gzip, deflate" },
+      })
+      expect(response.headers.get("content-encoding")).toBe("gzip")
+    })
+
+    test("does not include the original Content-Length when compressed", async () => {
+      await using tmp = await tmpdir({ config: fatConfig() })
+      const response = await app().request("/config", {
+        headers: { "x-miaw-directory": tmp.path, "accept-encoding": "gzip" },
+      })
+      const compressed = new Uint8Array(await response.arrayBuffer())
+      const declared = response.headers.get("content-length")
+      // Either absent (transfer-encoding chunked) or matches the compressed length.
+      if (declared !== null) expect(Number(declared)).toBe(compressed.byteLength)
+    })
+  })
+
+  describe("skips", () => {
+    test("when no Accept-Encoding header is present", async () => {
+      await using tmp = await tmpdir({ config: fatConfig() })
+      const response = await app().request("/config", {
+        headers: { "x-miaw-directory": tmp.path },
+      })
+      expect(response.headers.get("content-encoding")).toBeNull()
+    })
+
+    test("when Accept-Encoding only allows unsupported encodings", async () => {
+      await using tmp = await tmpdir({ config: fatConfig() })
+      const response = await app().request("/config", {
+        headers: { "x-miaw-directory": tmp.path, "accept-encoding": "br" },
+      })
+      expect(response.headers.get("content-encoding")).toBeNull()
+    })
+
+    test("when the response body is below the 1024-byte threshold", async () => {
+      // A bare config produces a tiny response (~few hundred bytes).
+      await using tmp = await tmpdir({ config: { formatter: false, lsp: false } })
+      const response = await app().request("/config", {
+        headers: { "x-miaw-directory": tmp.path, "accept-encoding": "gzip" },
+      })
+      expect(response.status).toBe(200)
+      const body = new Uint8Array(await response.arrayBuffer())
+      expect(body.byteLength).toBeLessThan(1024)
+      expect(response.headers.get("content-encoding")).toBeNull()
+    })
+
+    test("HEAD requests", async () => {
+      await using tmp = await tmpdir({ config: fatConfig() })
+      const response = await app().request("/config", {
+        method: "HEAD",
+        headers: { "x-miaw-directory": tmp.path, "accept-encoding": "gzip" },
+      })
+      expect(response.headers.get("content-encoding")).toBeNull()
+    })
+  })
+
+  describe("streaming exclusions", () => {
+    test("/event SSE is not compressed", async () => {
+      await using tmp = await tmpdir({ config: { formatter: false, lsp: false } })
+      const controller = new AbortController()
+      const response = await app().request("/event", {
+        headers: { "x-miaw-directory": tmp.path, "accept-encoding": "gzip" },
+        signal: controller.signal,
+      })
+      try {
+        expect(response.status).toBe(200)
+        expect(response.headers.get("content-encoding")).toBeNull()
+      } finally {
+        controller.abort()
+        await response.body?.cancel().catch(() => {})
+      }
+    })
+
+    test("/global/event SSE is not compressed", async () => {
+      const controller = new AbortController()
+      const response = await app().request("/global/event", {
+        headers: { "accept-encoding": "gzip" },
+        signal: controller.signal,
+      })
+      try {
+        expect(response.status).toBe(200)
+        expect(response.headers.get("content-encoding")).toBeNull()
+      } finally {
+        controller.abort()
+        await response.body?.cancel().catch(() => {})
+      }
+    })
+  })
+})

package/test/server/httpapi-config.test.ts

@@ -0,0 +1,110 @@
+import { afterEach, describe, expect } from "bun:test"
+import path from "path"
+import { Server } from "../../src/server/server"
+import { Effect, Fiber } from "effect"
+import { resetDatabase } from "../fixture/db"
+import { disposeAllInstances, tmpdir } from "../fixture/fixture"
+import { it } from "../lib/effect"
+import { waitGlobalBusEvent } from "./global-bus"
+
+function app() {
+  return Server.Default().app
+}
+
+function waitDisposed(directory: string) {
+  return waitGlobalBusEvent({
+    message: "timed out waiting for instance disposal",
+    predicate: (event) => event.payload.type === "server.instance.disposed" && event.directory === directory,
+  })
+}
+
+const tmpdirEffect = (options: Parameters<typeof tmpdir>[0]) =>
+  Effect.acquireRelease(
+    Effect.promise(() => tmpdir(options)),
+    (tmp) => Effect.promise(() => tmp[Symbol.asyncDispose]()),
+  )
+
+afterEach(async () => {
+  await disposeAllInstances()
+  await resetDatabase()
+})
+
+describe("config HttpApi", () => {
+  it.live(
+    "serves config update through the default server app",
+    Effect.gen(function* () {
+      const tmp = yield* tmpdirEffect({ config: { formatter: false, lsp: false } })
+      const disposed = yield* waitDisposed(tmp.path).pipe(Effect.forkScoped({ startImmediately: true }))
+
+      const response = yield* Effect.promise(() =>
+        Promise.resolve(
+          app().request("/config", {
+            method: "PATCH",
+            headers: {
+              "content-type": "application/json",
+              "x-miaw-directory": tmp.path,
+            },
+            body: JSON.stringify({ username: "patched-user", formatter: false, lsp: false }),
+          }),
+        ),
+      )
+
+      expect(response.status).toBe(200)
+      expect(yield* Effect.promise(() => response.json())).toMatchObject({
+        username: "patched-user",
+        formatter: false,
+        lsp: false,
+      })
+      yield* Fiber.join(disposed)
+      expect(yield* Effect.promise(() => Bun.file(path.join(tmp.path, "config.json")).json())).toMatchObject({
+        username: "patched-user",
+        formatter: false,
+        lsp: false,
+      })
+    }),
+  )
+
+  it.live(
+    "serves config with active provider model status",
+    Effect.gen(function* () {
+      const tmp = yield* tmpdirEffect({
+        config: {
+          formatter: false,
+          lsp: false,
+          provider: {
+            omniroute: {
+              models: {
+                "gpt-4o": {
+                  status: "active",
+                },
+              },
+            },
+          },
+        },
+      })
+
+      const response = yield* Effect.promise(() =>
+        Promise.resolve(
+          app().request("/config", {
+            headers: {
+              "x-miaw-directory": tmp.path,
+            },
+          }),
+        ),
+      )
+
+      expect(response.status).toBe(200)
+      expect(yield* Effect.promise(() => response.json())).toMatchObject({
+        provider: {
+          omniroute: {
+            models: {
+              "gpt-4o": {
+                status: "active",
+              },
+            },
+          },
+        },
+      })
+    }),
+  )
+})

package/test/server/httpapi-control-plane.test.ts

@@ -0,0 +1,63 @@
+import { NodeHttpServer } from "@effect/platform-node"
+import { describe, expect } from "bun:test"
+import { Context, Effect, Layer, Option, Ref } from "effect"
+import { HttpBody, HttpClient, HttpClientRequest, HttpRouter } from "effect/unstable/http"
+import { HttpApiBuilder } from "effect/unstable/httpapi"
+import { MoveSession } from "@miaw/core/control-plane/move-session"
+import { AbsolutePath } from "@miaw/core/schema"
+import { SessionV2 } from "@miaw/core/session"
+import { Auth } from "../../src/auth"
+import { Config } from "../../src/config/config"
+import { Installation } from "../../src/installation"
+import { ServerAuth } from "../../src/server/auth"
+import { RootHttpApi } from "../../src/server/routes/instance/httpapi/api"
+import { controlHandlers } from "../../src/server/routes/instance/httpapi/handlers/control"
+import { controlPlaneHandlers } from "../../src/server/routes/instance/httpapi/handlers/control-plane"
+import { globalHandlers } from "../../src/server/routes/instance/httpapi/handlers/global"
+import { authorizationLayer } from "../../src/server/routes/instance/httpapi/middleware/authorization"
+import { schemaErrorLayer } from "../../src/server/routes/instance/httpapi/middleware/schema-error"
+import { testEffect } from "../lib/effect"
+
+const input = MoveSession.Input.make({
+  sessionID: SessionV2.ID.make("ses_move"),
+  destination: { directory: AbsolutePath.make("/destination") },
+  moveChanges: true,
+})
+const called = Ref.makeUnsafe<MoveSession.Input | undefined>(undefined)
+
+const apiLayer = HttpRouter.serve(
+  HttpApiBuilder.layer(RootHttpApi).pipe(
+    Layer.provide([controlHandlers, controlPlaneHandlers, globalHandlers]),
+    Layer.provide([authorizationLayer, schemaErrorLayer]),
+    // Raw HttpApi routes expose an opaque handler context at the request boundary.
+    // oxlint-disable-next-line typescript-eslint/no-unsafe-type-assertion
+    HttpRouter.provideRequest(Layer.succeedContext(Context.empty() as Context.Context<unknown>)),
+  ),
+  { disableListenLog: true, disableLogger: true },
+).pipe(
+  Layer.provideMerge(NodeHttpServer.layerTest),
+  Layer.provide(Layer.mock(Auth.Service)({})),
+  Layer.provide(Layer.mock(Config.Service)({})),
+  Layer.provide(Layer.mock(Installation.Service)({})),
+  Layer.provide(
+    Layer.mock(MoveSession.Service)({
+      moveSession: (value) => Ref.set(called, value),
+    }),
+  ),
+  Layer.provide(ServerAuth.Config.layer({ password: Option.none(), username: "miaw" })),
+)
+const it = testEffect(apiLayer)
+
+describe("control-plane HttpApi", () => {
+  it.live("moves a session through the root control-plane route", () =>
+    Effect.gen(function* () {
+      const response = yield* HttpClientRequest.post("/experimental/control-plane/move-session").pipe(
+        HttpClientRequest.setBody(HttpBody.jsonUnsafe(input)),
+        HttpClient.execute,
+      )
+
+      expect(response.status).toBe(204)
+      expect(yield* Ref.get(called)).toEqual(input)
+    }),
+  )
+})

package/test/server/httpapi-cors-vary.test.ts

@@ -0,0 +1,63 @@
+import { afterEach, describe, expect, test } from "bun:test"
+import { Server } from "../../src/server/server"
+import { resetDatabase } from "../fixture/db"
+import { disposeAllInstances } from "../fixture/fixture"
+
+afterEach(async () => {
+  await disposeAllInstances()
+  await resetDatabase()
+})
+
+function app() {
+  return Server.Default().app
+}
+
+const PREFLIGHT_HEADERS = {
+  origin: "http://localhost:3000",
+  "access-control-request-method": "POST",
+  "access-control-request-headers": "content-type, x-miaw-directory",
+}
+
+// effect-smol's HttpMiddleware.cors overwrites `Vary: Origin` with
+// `Vary: Access-Control-Request-Headers` on OPTIONS preflight responses
+// (the two share the same record key during the spread). With dynamic
+// origin echoing, missing Vary: Origin lets shared caches serve a preflight
+// cached for one origin against a different origin. corsVaryFixLayer
+// restores the merged form.
+describe("CORS preflight Vary header", () => {
+  test("HTTP API backend preflight Vary contains Origin", async () => {
+    const response = await app().request("/global/config", {
+      method: "OPTIONS",
+      headers: PREFLIGHT_HEADERS,
+    })
+
+    expect([200, 204]).toContain(response.status)
+    expect(response.headers.get("access-control-allow-origin")).toBe("http://localhost:3000")
+    expect((response.headers.get("vary") ?? "").toLowerCase()).toContain("origin")
+  })
+
+  test("HTTP API backend preflight Vary still preserves Access-Control-Request-Headers", async () => {
+    const response = await app().request("/global/config", {
+      method: "OPTIONS",
+      headers: PREFLIGHT_HEADERS,
+    })
+
+    const vary = (response.headers.get("vary") ?? "").toLowerCase()
+    expect(vary).toContain("origin")
+    expect(vary).toContain("access-control-request-headers")
+  })
+
+  test("HTTP API backend does not duplicate Origin in Vary", async () => {
+    const response = await app().request("/global/config", {
+      method: "OPTIONS",
+      headers: PREFLIGHT_HEADERS,
+    })
+
+    const vary = response.headers.get("vary") ?? ""
+    const originCount = vary
+      .split(",")
+      .map((s: string) => s.trim().toLowerCase())
+      .filter((s: string) => s === "origin").length
+    expect(originCount).toBe(1)
+  })
+})

package/test/server/httpapi-cors.test.ts

@@ -0,0 +1,122 @@
+import { NodeHttpServer, NodeServices } from "@effect/platform-node"
+import { Flag } from "@miaw/core/flag/flag"
+import { describe, expect } from "bun:test"
+import { Config, ConfigProvider, Effect, Layer } from "effect"
+import { HttpClient, HttpClientRequest, HttpRouter, HttpServer } from "effect/unstable/http"
+import * as Socket from "effect/unstable/socket/Socket"
+import { Server } from "../../src/server/server"
+import { InstancePaths } from "../../src/server/routes/instance/httpapi/groups/instance"
+import { HttpApiApp } from "../../src/server/routes/instance/httpapi/server"
+import { resetDatabase } from "../fixture/db"
+import { testEffect } from "../lib/effect"
+
+const testStateLayer = Layer.effectDiscard(
+  Effect.gen(function* () {
+    const original = {
+      MIAW_SERVER_PASSWORD: Flag.MIAW_SERVER_PASSWORD,
+    }
+    Flag.MIAW_SERVER_PASSWORD = "secret"
+    yield* Effect.promise(() => resetDatabase())
+    yield* Effect.addFinalizer(() =>
+      Effect.promise(async () => {
+        Flag.MIAW_SERVER_PASSWORD = original.MIAW_SERVER_PASSWORD
+        await resetDatabase()
+      }),
+    )
+  }),
+)
+
+const servedRoutes: Layer.Layer<never, Config.ConfigError, HttpServer.HttpServer> = HttpRouter.serve(
+  HttpApiApp.routes,
+  { disableListenLog: true, disableLogger: true },
+)
+
+const it = testEffect(
+  Layer.mergeAll(
+    testStateLayer,
+    servedRoutes.pipe(
+      Layer.provide(Socket.layerWebSocketConstructorGlobal),
+      Layer.provideMerge(NodeHttpServer.layerTest),
+      Layer.provideMerge(NodeServices.layer),
+    ),
+  ),
+)
+
+describe("HttpApi CORS", () => {
+  it.live("allows browser preflight requests without credentials", () =>
+    Effect.gen(function* () {
+      const response = yield* HttpClientRequest.options(InstancePaths.path).pipe(
+        HttpClientRequest.setHeaders({
+          origin: "http://localhost:3000",
+          "access-control-request-method": "GET",
+          "access-control-request-headers": "authorization",
+        }),
+        HttpClient.execute,
+      )
+
+      expect(response.status).toBe(204)
+      expect(response.headers["access-control-allow-origin"]).toBe("http://localhost:3000")
+      expect(response.headers["access-control-allow-headers"]).toBe("authorization")
+    }),
+  )
+
+  it.live("adds CORS headers to unauthorized responses", () =>
+    Effect.gen(function* () {
+      const handler = HttpRouter.toWebHandler(
+        HttpApiApp.createRoutes().pipe(
+          Layer.provide(ConfigProvider.layer(ConfigProvider.fromUnknown({ MIAW_SERVER_PASSWORD: "secret" }))),
+        ),
+        { disableLogger: true },
+      ).handler
+      const response = yield* Effect.promise(() =>
+        handler(
+          new Request(new URL("/global/config", "http://localhost"), {
+            headers: { origin: "https://app.miaw" },
+          }),
+          HttpApiApp.context,
+        ),
+      )
+
+      expect(response.status).toBe(401)
+      expect(response.headers.get("access-control-allow-origin")).toBe("https://app.miaw")
+    }),
+  )
+
+  it.live("uses custom CORS origins passed to the server", () =>
+    Effect.gen(function* () {
+      const listener = yield* Effect.acquireRelease(
+        Effect.promise(() => Server.listen({ hostname: "127.0.0.1", port: 0, cors: ["https://custom.example"] })),
+        (listener) => Effect.promise(() => listener.stop(true)),
+      )
+
+      const response = yield* Effect.promise(() =>
+        fetch(new URL(InstancePaths.path, listener.url), {
+          method: "OPTIONS",
+          headers: {
+            origin: "https://custom.example",
+            "access-control-request-method": "GET",
+            "access-control-request-headers": "authorization",
+          },
+        }),
+      )
+
+      expect(response.status).toBe(204)
+      expect(response.headers.get("access-control-allow-origin")).toBe("https://custom.example")
+      expect(response.headers.get("access-control-allow-headers")).toBe("authorization")
+
+      const rejected = yield* Effect.promise(() =>
+        fetch(new URL(InstancePaths.path, listener.url), {
+          method: "OPTIONS",
+          headers: {
+            origin: "https://evil.example",
+            "access-control-request-method": "GET",
+            "access-control-request-headers": "authorization",
+          },
+        }),
+      )
+
+      expect(rejected.status).toBe(204)
+      expect(rejected.headers.get("access-control-allow-origin")).not.toBe("https://evil.example")
+    }),
+  )
+})