Skip to content

fix(api): support SDK session refresh CORS#154

Merged
markwylde merged 2 commits into
mainfrom
codex/fix-sdk-session-cors-refresh
Jun 1, 2026
Merged

fix(api): support SDK session refresh CORS#154
markwylde merged 2 commits into
mainfrom
codex/fix-sdk-session-cors-refresh

Conversation

@markwylde
Copy link
Copy Markdown
Member

@markwylde markwylde commented Jun 1, 2026

Summary

  • allow registered public SPA origins to call SDK user session and organization endpoints with credentialed CORS
  • allow first-party cookie refresh to mint tokens for the calling public SPA client while preserving strict binding for explicit refresh tokens
  • add regressions for SDK CORS and hosted cookie refresh recovery

Verification

  • node --env-file-if-exists=../../.env --test --test-reporter=spec src/controllers/token.test.ts src/controllers/user/oauthEndpoints.test.ts src/http/createServer.test.ts
  • npm run tidy
  • npm run build

Closes #153

@markwylde markwylde merged commit 69e3c9a into main Jun 1, 2026
17 checks passed
@markwylde markwylde deleted the codex/fix-sdk-session-cors-refresh branch June 1, 2026 22:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

SDK organization endpoints missing CORS and cookie refresh returns 400 for Atlas

1 participant

@markwylde