feat(api): support Skiller Web localhost links

skulidropek · skulidropek · commit dcdd8c1ab5a3 · 2026-06-06T12:51:51.000Z
diff --git a/packages/api/src/http.ts b/packages/api/src/http.ts
@@ -611,22 +611,31 @@ const resolveRequestOrigin = (request: HttpServerRequest.HttpServerRequest): str
 const resolveSkillerBackendUrl = (request: HttpServerRequest.HttpServerRequest): string =>
   resolveDockerGitSkillerBackendUrl(process.env, resolveRequestOrigin(request))
 
+const isPrivateNetworkCorsRequest = (
+  request: HttpServerRequest.HttpServerRequest
+): boolean =>
+  readHeader(request, "access-control-request-private-network")?.toLowerCase() === "true"
+
 const skillerCorsHeaders = (
   request: HttpServerRequest.HttpServerRequest
 ): Record<string, string> => {
   const origin = readHeader(request, "origin")
   if (origin === undefined || !isSkillerWebCorsOriginAllowed(origin, process.env)) {
     return {}
   }
+  const privateNetworkHeaders = isPrivateNetworkCorsRequest(request)
+    ? { "access-control-allow-private-network": "true" }
+    : {}
   return {
+    ...privateNetworkHeaders,
     "access-control-allow-credentials": "true",
     "access-control-allow-headers": readHeader(request, "access-control-request-headers") ??
       "content-type,trpc-accept,x-trpc-source",
     "access-control-allow-methods": "GET,POST,OPTIONS",
     "access-control-allow-origin": origin,
     "access-control-max-age": "600",
     "access-control-expose-headers": "content-type",
-    vary: "origin"
+    vary: "origin, access-control-request-private-network"
   }
 }
 
@@ -657,7 +666,9 @@ const skillerErrorResponse = (
 
 const isSkillerCorsPath = (pathname: string): boolean => {
   const normalized = pathname.startsWith("/api/") ? pathname.slice("/api".length) : pathname
-  return normalized === "/skiller/connect" || parseSkillerRoute(pathname) !== null
+  return normalized === "/skiller/connect" ||
+    /^\/projects\/by-key\/[^/]+(?:\/terminal-sessions\/[^/]+)?\/skiller\/context$/u.test(normalized) ||
+    parseSkillerRoute(pathname) !== null
 }
 
 const skillerCorsPreflightResponse = (
@@ -987,19 +998,29 @@ export const makeRouter = () => {
     ),
     HttpRouter.get(
       "/projects/by-key/:projectKey/skiller/context",
-      projectKeyParams.pipe(
-        Effect.flatMap(({ projectKey }) => readSkillerProjectContext(projectKey, null)),
-        Effect.flatMap((context) => jsonResponse({ ok: true, ...context }, 200)),
-        Effect.catchAll(errorResponse)
-      )
+      Effect.gen(function*(_) {
+        const request = yield* _(HttpServerRequest.HttpServerRequest)
+        return yield* _(
+          projectKeyParams.pipe(
+            Effect.flatMap(({ projectKey }) => readSkillerProjectContext(projectKey, null)),
+            Effect.flatMap((context) => skillerJsonResponse(request, { ok: true, ...context }, 200)),
+            Effect.catchAll((error) => skillerErrorResponse(request, error))
+          )
+        )
+      })
     ),
     HttpRouter.get(
       "/projects/by-key/:projectKey/terminal-sessions/:sessionId/skiller/context",
-      terminalSessionByProjectKeyParams.pipe(
-        Effect.flatMap(({ projectKey, sessionId }) => readSkillerProjectContext(projectKey, sessionId)),
-        Effect.flatMap((context) => jsonResponse({ ok: true, ...context }, 200)),
-        Effect.catchAll(errorResponse)
-      )
+      Effect.gen(function*(_) {
+        const request = yield* _(HttpServerRequest.HttpServerRequest)
+        return yield* _(
+          terminalSessionByProjectKeyParams.pipe(
+            Effect.flatMap(({ projectKey, sessionId }) => readSkillerProjectContext(projectKey, sessionId)),
+            Effect.flatMap((context) => skillerJsonResponse(request, { ok: true, ...context }, 200)),
+            Effect.catchAll((error) => skillerErrorResponse(request, error))
+          )
+        )
+      })
     ),
     HttpRouter.get(
       "/cloudflare-tunnels/panel",
diff --git a/packages/api/src/services/skiller-core.ts b/packages/api/src/services/skiller-core.ts
@@ -65,6 +65,12 @@ const configuredOrigin = (raw: string): string | null => {
 const uniqueOrigins = (origins: ReadonlyArray<string>): ReadonlyArray<string> =>
   [...new Set(origins)]
 
+const defaultSkillerWebCorsOrigins = [
+  "https://skiller-web-henna.vercel.app",
+  "http://localhost:5180",
+  "http://127.0.0.1:5180"
+] as const
+
 export const resolveConfiguredSkillerWebUrl = (
   env: Record<string, string | undefined>
 ): ConfiguredSkillerWebUrl => {
@@ -111,8 +117,7 @@ export const configuredSkillerWebCorsOrigins = (
   return uniqueOrigins([
     ...fromWeb,
     ...fromAllowed,
-    "http://localhost:5180",
-    "http://127.0.0.1:5180"
+    ...defaultSkillerWebCorsOrigins
   ])
 }
 
diff --git a/packages/api/tests/skiller-core.test.ts b/packages/api/tests/skiller-core.test.ts
@@ -65,11 +65,13 @@ describe("skiller container filesystem mapping", () => {
     expect(configuredSkillerWebCorsOrigins(env)).toEqual([
       "https://skiller.example",
       "https://preview.example",
+      "https://skiller-web-henna.vercel.app",
       "http://localhost:5180",
       "http://127.0.0.1:5180"
     ])
     expect(isSkillerWebCorsOriginAllowed("https://skiller.example", env)).toBe(true)
     expect(isSkillerWebCorsOriginAllowed("https://preview.example", env)).toBe(true)
+    expect(isSkillerWebCorsOriginAllowed("https://skiller-web-henna.vercel.app", env)).toBe(true)
     expect(isSkillerWebCorsOriginAllowed("https://preview.example.evil", env)).toBe(false)
     expect(isSkillerWebCorsOriginAllowed(undefined, env)).toBe(false)
   })
diff --git a/packages/api/tests/skiller-cors.test.ts b/packages/api/tests/skiller-cors.test.ts
@@ -0,0 +1,72 @@
+import * as HttpApp from "@effect/platform/HttpApp"
+import * as HttpRouter from "@effect/platform/HttpRouter"
+import { NodeContext } from "@effect/platform-node"
+import { describe, expect, it } from "@effect/vitest"
+import { Effect } from "effect"
+
+import { makeRouter } from "../src/http.js"
+
+const SKILLER_WEB_PRODUCTION_ORIGIN = "https://skiller-web-henna.vercel.app"
+
+const apiHandler = HttpApp.toWebHandler(
+  Effect.provide(Effect.flatten(HttpRouter.toHttpApp(makeRouter())), NodeContext.layer)
+)
+
+const requestApiRoute = (path: string, init: RequestInit) =>
+  Effect.tryPromise({
+    try: () => apiHandler(new Request(`http://127.0.0.1${path}`, init)),
+    catch: (cause) => new Error(String(cause))
+  })
+
+const skillerPrivateNetworkPreflight = (path: string) =>
+  requestApiRoute(path, {
+    method: "OPTIONS",
+    headers: {
+      "access-control-request-method": "POST",
+      "access-control-request-private-network": "true",
+      origin: SKILLER_WEB_PRODUCTION_ORIGIN
+    }
+  })
+
+describe("skiller web CORS", () => {
+  it("allows production Skiller Web private-network preflight requests", () =>
+    Effect.runPromise(
+      Effect.gen(function*(_) {
+        const paths = [
+          "/skiller/connect",
+          "/api/skiller/connect",
+          "/skiller/trpc/list_projects",
+          "/skiller/events",
+          "/projects/by-key/project-proof/skiller/context",
+          "/projects/by-key/project-proof/terminal-sessions/session-proof/skiller/context"
+        ] as const
+
+        for (const path of paths) {
+          const response = yield* _(skillerPrivateNetworkPreflight(path))
+
+          expect(response.status).toBe(204)
+          expect(response.headers.get("access-control-allow-origin")).toBe(SKILLER_WEB_PRODUCTION_ORIGIN)
+          expect(response.headers.get("access-control-allow-private-network")).toBe("true")
+          expect(response.headers.get("vary")).toContain("access-control-request-private-network")
+        }
+      })
+    ))
+
+  it("rejects private-network preflight requests from unknown origins", () =>
+    Effect.runPromise(
+      Effect.gen(function*(_) {
+        const response = yield* _(requestApiRoute("/skiller/connect", {
+          method: "OPTIONS",
+          headers: {
+            "access-control-request-method": "POST",
+            "access-control-request-private-network": "true",
+            origin: "https://skiller-web-henna.vercel.app.evil.example"
+          }
+        }))
+
+        expect(response.status).toBe(403)
+        expect(response.headers.get("access-control-allow-private-network")).toBeNull()
+        expect(response.headers.get("access-control-allow-origin")).toBeNull()
+      })
+    ))
+})
