
fix(cors): re-enable credentials on chat/form embed CORS policy#4673

Merged: waleedlatif1 merged 3 commits into staging from waleedlatif1/fix-embed-cors-credentials on May 20, 2026

Conversation

@waleedlatif1 (Collaborator) commented May 20, 2026

Summary

PR #4658 set `Access-Control-Allow-Credentials: false` on `/api/chat/[identifier]/` and `/api/form/[identifier]/` under the (wrong) assumption that those routes authenticate via signed tokens rather than cookies. They actually authenticate via the `chat_auth_` / form auth cookie set by `setDeploymentAuthCookie`. With `Allow-Credentials: false`, the browser drops the cookie on subsequent embed calls after login, producing 401s on password / email-OTP / SSO-protected embeds.

Restore the pre-consolidation behavior: reflected origin + `Allow-Credentials: true` on embed routes. Wildcard fallback (Origin header absent) still drops credentials to stay CORS-spec-compliant.

Verification

  • Updated proxy tests assert `credentials: true` for embed paths and `credentials: false` for the wildcard fallback
  • `bunx vitest run proxy.test.ts` → 12/12 ✅
  • Type-check clean

Test plan

  • Email-OTP-protected chat embed: complete login, then post a message → 200, not 401
  • Password-protected chat embed: same
  • SSO-protected chat embed: same
  • Public chat embed: unchanged
  • Workspace chat manage UI: unchanged (uses default credentialed policy)

Chat and form embeds authenticate via the chat_auth_<id> / form auth
cookie set by setDeploymentAuthCookie. The previous PR set
Access-Control-Allow-Credentials: false on these routes, which made the
browser drop the auth cookie and produce 401s on subsequent embed calls
after login. Restore credentials: true (matching pre-consolidation
behavior) while keeping reflected origin and Vary: Origin.

The wildcard fallback when Origin is absent now also drops credentials
to stay CORS-spec-compliant.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
vercel Bot commented May 20, 2026

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
docs Skipped Skipped May 20, 2026 5:26pm

cursor Bot commented May 20, 2026

PR Summary

Medium Risk
Changes CORS behavior for public embed endpoints to send Access-Control-Allow-Credentials: true, which can affect cross-origin cookie/session handling and must stay compliant with origin reflection rules.

Overview
Restores credentialed CORS for /api/chat/[identifier]/* and /api/form/[identifier]/* by reflecting the request Origin and setting credentials: true so embed requests can send auth cookies.

Keeps the CORS-spec invariant by dropping credentials when Origin is absent (falls back to origin: '*'), and updates proxy.test.ts to cover both the credentialed embed case and the non-credentialed wildcard fallback (including future subroutes).

Reviewed by Cursor Bugbot for commit f8ac423.

greptile-apps Bot (Contributor) commented May 20, 2026

Greptile Summary

This PR restores Access-Control-Allow-Credentials: true on embed CORS routes (/api/chat/[identifier]/* and /api/form/[identifier]/*), reverting a regression introduced in #4658. The fix ties credentials dynamically to the presence of the Origin request header: reflected origin with credentials: true when an origin is present, wildcard * with credentials: false when it is absent — maintaining CORS spec compliance throughout.

  • proxy.ts: Replaces the static credentials: false on the embed CORS rule with credentials: !!requestOrigin, correctly unlocking cookie delivery for password/OTP/SSO-protected embeds while keeping the wildcard-fallback path credential-free.
  • proxy.test.ts: Renames and adds test cases to assert credentials: true on origin-present requests and credentials: false on the wildcard fallback; all 12 tests pass.

Confidence Score: 5/5

Safe to merge — the change correctly restores cookie delivery for protected embed routes without breaking the wildcard-fallback invariant.

The fix is narrow and well-targeted: a single expression (!!requestOrigin) ties credential mode to the presence of the Origin header, exactly matching the CORS spec. The wildcard-fallback path remains credential-free. All 12 tests pass and the test suite explicitly asserts the no-credentials wildcard invariant across every CORS rule. No regressions in workspace-internal routes, workflow execute, or auth endpoints.

No files require special attention.

Important Files Changed

Filename | Overview
apps/sim/proxy.ts | Embed CORS policy corrected: credentials is now tied to the presence of the Origin header (!!requestOrigin), fixing cookie delivery for protected embeds while keeping the wildcard fallback credential-free.
apps/sim/proxy.test.ts | Tests updated to assert credentials: true on embed paths with an Origin header and credentials: false on the wildcard fallback. A new dedicated test for the wildcard-fallback invariant is added.

Reviews (2): Last reviewed commit: "chore(cors): restore concise TSDoc on pr..."
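The embed CORS rule described in the PR description and restated in the Greptile summary above, written out as an added illustration. This is not the project's proxy.ts: the policy shape, the function names (`embedCorsPolicy`, `regressedEmbedPolicy`, `corsHeaders`, `violatesWildcardInvariant`) and the embed path pattern are assumptions made for the example. It places the regressed rule from #4658 (static `credentials: false`) beside the corrected one (credentials follow the presence of the Origin header) and includes the wildcard-plus-credentials check that the updated proxy tests are described as asserting across every rule.

```typescript
// Added illustration of the embed CORS fix discussed in this PR. Not the
// project's proxy.ts; the policy shape, function names and the embed path
// pattern below are assumptions made for this example.

interface CorsPolicy {
  origin: string;        // value sent as Access-Control-Allow-Origin
  credentials: boolean;  // whether Access-Control-Allow-Credentials: true is sent
  vary?: string;         // Vary header, required whenever the origin is reflected
}

// Assumed shape of the embed routes named in the PR: /api/chat/<id>/... and
// /api/form/<id>/..., including any future subroutes.
const EMBED_PATH = /^\/api\/(chat|form)\/[^/]+(\/.*)?$/;

function isEmbedPath(pathname: string): boolean {
  return EMBED_PATH.test(pathname);
}

// The regressed rule as the PR describes it: the origin is reflected, but
// credentials are statically false, so the cookie-based embed auth
// (chat_auth_<id> / form auth cookie) is unusable cross-origin.
function regressedEmbedPolicy(requestOrigin: string | null): CorsPolicy {
  return { origin: requestOrigin ?? '*', credentials: false, vary: 'Origin' };
}

// The corrected rule, i.e. `credentials: !!requestOrigin` spelled out:
// with an Origin header, reflect it and allow credentials; without one, fall
// back to '*' and drop credentials, because browsers reject '*' combined
// with Access-Control-Allow-Credentials: true.
function embedCorsPolicy(requestOrigin: string | null): CorsPolicy {
  if (requestOrigin) {
    return { origin: requestOrigin, credentials: true, vary: 'Origin' };
  }
  return { origin: '*', credentials: false };
}

// Turn a policy into response headers. Allow-Credentials is omitted rather
// than sent as "false": only the literal "true" has meaning in CORS.
function corsHeaders(policy: CorsPolicy): Record<string, string> {
  const headers: Record<string, string> = {
    'Access-Control-Allow-Origin': policy.origin,
  };
  if (policy.credentials) {
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  if (policy.vary) {
    headers['Vary'] = policy.vary;
  }
  return headers;
}

// The invariant the updated proxy tests assert across every rule:
// a wildcard origin must never be paired with credentials.
function violatesWildcardInvariant(policy: CorsPolicy): boolean {
  return policy.origin === '*' && policy.credentials;
}

// What an embed page sees after login: does the response permit the
// credentialed (cookie-carrying) request the page made from its origin?
function credentialedRequestAllowed(policy: CorsPolicy, pageOrigin: string): boolean {
  return policy.credentials && policy.origin === pageOrigin;
}

// Run both rules over the same page origin so the regression is visible:
// the regressed rule denies the credentialed call, the fixed rule allows it.
function compareRules(pageOrigin: string): { regressed: boolean; fixed: boolean } {
  return {
    regressed: credentialedRequestAllowed(regressedEmbedPolicy(pageOrigin), pageOrigin),
    fixed: credentialedRequestAllowed(embedCorsPolicy(pageOrigin), pageOrigin),
  };
}
```

`compareRules('https://customer.example')` (a constructed embedding-page origin) returns `{ regressed: false, fixed: true }`, which is the 401-versus-200 difference the test plan describes; `embedCorsPolicy(null)` yields the credential-free wildcard fallback, and `violatesWildcardInvariant` is the check to keep in a test suite so no future rule reintroduces `*` with credentials.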

@waleedlatif1 (Collaborator, Author) commented:

@greptile

@waleedlatif1 (Collaborator, Author) commented:

@cursor review

cursor Bot left a comment

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

Reviewed by Cursor Bugbot for commit f8ac423.

@waleedlatif1 waleedlatif1 merged commit d9dd7a3 into staging May 20, 2026
14 checks passed
@waleedlatif1 waleedlatif1 deleted the waleedlatif1/fix-embed-cors-credentials branch May 20, 2026 17:55