fix(webapp): CORS + allowJWT on public session create + append preflight

ericallam · ericallam · commit f4406d7b8de1 · 2026-04-23T18:06:32.000+01:00
Two fixes needed by browser clients hitting the public session API
(TriggerChatTransport's direct accessToken path, WebSocket-less
session drivers, anything origin'd off the dashboard):

- POST /api/v1/sessions: allowJWT: true + corsStrategy: "all" on
  the action. Pre-fix, the create endpoint only accepted secret-key
  auth, so any browser-originated sessions.create(...) 401'd. The
  loader (list) already had these; matches that shape.
- POST /realtime/v1/sessions/:session/:io/append: export both
  { action, loader } so Remix routes the OPTIONS preflight to the
  route builder's CORS handler. With only { action } exported, the
  preflight returns 400 'No loader for route' and Chrome surfaces
  the follow-up POST as net::ERR_FAILED. Same pattern as
  /api/v1/tasks/:id/trigger (which already exports both).

Validated by an end-to-end UI smoke on references/ai-chat:
new chat → send → streamed assistant reply in ~4s → second turn
reuses the same session + run, lastEventId advances 10 → 21.
diff --git a/.server-changes/sessions-public-api-cors.md b/.server-changes/sessions-public-api-cors.md
@@ -0,0 +1,11 @@
+---
+area: webapp
+type: fix
+---
+
+CORS + preflight parity on the public session API so browser-side chat transports can hit the session endpoints without being blocked:
+
+- `POST /api/v1/sessions` (session upsert) gains `allowJWT: true` + `corsStrategy: "all"` so PATs minted by `chat.createTriggerAction` (and other browser-side session flows) pass the route's auth + respond to CORS preflight. Previously this route only accepted secret-key auth, which broke any browser-originated `sessions.create(...)` call — including the transport's direct `accessToken` fallback path.
+- `POST /realtime/v1/sessions/:session/:io/append` now exports both `{ action, loader }`. The route builder installs the OPTIONS preflight handler on the `loader` even for write-only routes; without the loader export, the CORS preflight was returning 400 ("No loader for route") and Chrome treated the follow-up `POST` as `net::ERR_FAILED`.
+
+Validated by an end-to-end UI smoke against the `references/ai-chat` app: brand-new chat → send → streamed assistant reply in ~4s → follow-up turn on the same session → `lastEventId` advances from 10 → 21.
diff --git a/apps/webapp/app/routes/api.v1.sessions.ts b/apps/webapp/app/routes/api.v1.sessions.ts
@@ -90,6 +90,8 @@ const { action } = createActionApiRoute(
     body: CreateSessionRequestBody,
     method: "POST",
     maxContentLength: 1024 * 32, // 32KB — metadata is the only thing that grows
+    allowJWT: true,
+    corsStrategy: "all",
   },
   async ({ authentication, body }) => {
     try {
diff --git a/apps/webapp/app/routes/realtime.v1.sessions.$session.$io.append.ts b/apps/webapp/app/routes/realtime.v1.sessions.$session.$io.append.ts
@@ -27,7 +27,7 @@ const ParamsSchema = z.object({
 // below S2's ceiling. See https://s2.dev/docs/limits.
 const MAX_APPEND_BODY_BYTES = 1024 * 512;
 
-const { action } = createActionApiRoute(
+const { action, loader } = createActionApiRoute(
   {
     params: ParamsSchema,
     method: "POST",
@@ -125,4 +125,4 @@ const { action } = createActionApiRoute(
   }
 );
 
-export { action };
+export { action, loader };

Original file line number	Diff line number	Diff line change
`@@ -27,7 +27,7 @@ const ParamsSchema = z.object({`
`27`	`27`	`// below S2's ceiling. See https://s2.dev/docs/limits.`
`28`	`28`	`const MAX_APPEND_BODY_BYTES = 1024 * 512;`
`29`	`29`
`30`		`-const { action } = createActionApiRoute(`
	`30`	`+const { action, loader } = createActionApiRoute(`
`31`	`31`	`{`
`32`	`32`	`params: ParamsSchema,`
`33`	`33`	`method: "POST",`
`@@ -125,4 +125,4 @@ const { action } = createActionApiRoute(`
`125`	`125`	`}`
`126`	`126`	`);`
`127`	`127`
`128`		`-export { action };`
	`128`	`+export { action, loader };`