@newhomestar/sdk 0.8.11 → 0.8.12

package/dist/index.js

@@ -1,4 +1,5 @@
 import dotenv from "dotenv";
+import cors from "cors";
 import { createClient } from "@supabase/supabase-js";
 import { OpenFgaClient } from "@openfga/sdk";
 import { createServer } from "node:http";
@@ -648,6 +649,17 @@ import { auth } from "express-oauth2-jwt-bearer";
  */
 export function runHttpServer(def, opts = {}) {
     const app = express();
+    // ── CORS (must be registered BEFORE auth so OPTIONS preflight bypasses JWKS) ──
+    // Permissive by default — integrations are called by the Odyssey admin UI
+    // from browser origins (localhost:3000, admin dashboards, etc.). The actual
+    // security boundary is the JWT Bearer token verified by JWKS below.
+    app.use(cors({
+        origin: true, // reflect request origin
+        credentials: true,
+        methods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'],
+        allowedHeaders: ['Content-Type', 'Authorization', 'X-Requested-With'],
+        maxAge: 86400,
+    }));
     app.use(bodyParser.json());
     // ── Determine whether auth is enabled ──
     const skipAuth = opts.skipAuth ??

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@newhomestar/sdk",
-  "version": "0.8.11",
+  "version": "0.8.12",
   "description": "Type-safe SDK for building Nova pipelines (workers & functions)",
   "homepage": "https://github.com/newhomestar/nova-node-sdk#readme",
   "bugs": {
@@ -41,6 +41,7 @@
     "@orpc/server": "1.7.4",
     "@supabase/supabase-js": "^2.39.0",
     "body-parser": "^1.20.2",
+    "cors": "^2.8.6",
     "dotenv": "^16.4.3",
     "express": "^4.18.2",
     "express-oauth2-jwt-bearer": "^1.7.4",
@@ -51,6 +52,7 @@
     "zod": ">=4.0.0"
   },
   "devDependencies": {
+    "@types/cors": "^2.8.19",
     "@types/node": "^20.11.17",
     "typescript": "^5.4.4",
     "zod": "^4.3.0"