fix(cors): scope embed CORS rule to /api/{chat,form}/[identifier] only

The embed policy (reflected origin, credentials:false) was matching
workspace-internal session-authed routes — /api/chat, /api/chat/manage/*,
/api/chat/validate, and the form equivalents — which need the default
credentialed policy. Tighten the matcher to the embed paths only and add
tests covering the exclusion.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: waleedlatif1

apps/sim/proxy.test.ts

@@ -45,7 +45,14 @@ describe('resolveApiCorsPolicy', () => {
   })
 
   it('reflects origin for chat and form embeds, never sets credentials', () => {
-    for (const path of ['/api/chat/abc', '/api/form', '/api/form/xyz']) {
+    const paths = [
+      '/api/chat/abc',
+      '/api/chat/abc/otp',
+      '/api/chat/abc/sso',
+      '/api/form/xyz',
+      '/api/form/xyz/otp',
+    ]
+    for (const path of paths) {
       const policy = resolveApiCorsPolicy(makeRequest(path, 'https://customer.example'))
       expect(policy).toEqual({
         origin: 'https://customer.example',
@@ -56,10 +63,26 @@ describe('resolveApiCorsPolicy', () => {
     }
   })
 
-  it('falls back to wildcard for chat/form when no origin header is present', () => {
+  it('falls back to wildcard for chat/form embeds when no origin header is present', () => {
     expect(resolveApiCorsPolicy(makeRequest('/api/chat/abc')).origin).toBe('*')
   })
 
+  it('uses the default credentialed policy for workspace-internal chat/form routes', () => {
+    const paths = [
+      '/api/chat',
+      '/api/chat/manage/abc',
+      '/api/chat/validate',
+      '/api/form',
+      '/api/form/manage/abc',
+      '/api/form/validate',
+    ]
+    for (const path of paths) {
+      const policy = resolveApiCorsPolicy(makeRequest(path, 'https://customer.example'))
+      expect(policy.origin).toBe('https://app.sim.test')
+      expect(policy.credentials).toBe(true)
+    }
+  })
+
   it('serves workflow execute with wildcard origin and PUT method', () => {
     const policy = resolveApiCorsPolicy(
       makeRequest('/api/workflows/workflow-123/execute', 'https://other.example')

apps/sim/proxy.ts

@@ -22,6 +22,14 @@ const DEFAULT_API_ALLOWED_HEADERS =
 const WORKFLOW_EXECUTE_HEADERS =
   'X-CSRF-Token, X-Requested-With, Accept, Accept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Api-Version, X-API-Key'
 
+/**
+ * Matches embed endpoints: /api/{chat,form}/{identifier} and subroutes
+ * (/otp, /sso). The identifier segment explicitly excludes the
+ * workspace-internal subpaths `manage` and `validate` so those continue
+ * to use the default credentialed policy.
+ */
+const EMBED_PATH = /^\/api\/(chat|form)\/(?!manage(\/|$)|validate(\/|$))[^/]+(\/(otp|sso))?$/
+
 interface CorsRule {
   match: (pathname: string) => boolean
   policy: (request: NextRequest) => CorsPolicy
@@ -56,9 +64,13 @@ const CORS_RULES: readonly CorsRule[] = [
     }),
   },
   {
-    // Chat and form embeds run on customer domains; reflect the request
-    // origin and omit credentials (auth uses signed tokens, not cookies).
-    match: (p) => p === '/api/form' || p.startsWith('/api/form/') || p.startsWith('/api/chat/'),
+    // Embed endpoints: /api/chat/[identifier] and /api/form/[identifier]
+    // (plus their /otp and /sso subroutes). These run on customer domains —
+    // reflect the request origin and omit credentials (auth uses signed
+    // tokens, not cookies). Workspace-internal subpaths (`manage`, `validate`,
+    // and the bare collection routes) are deliberately excluded so they
+    // continue to receive the default credentialed policy.
+    match: (p) => EMBED_PATH.test(p),
     policy: (request) => ({
       origin: request.headers.get('origin') || '*',
       credentials: false,