mirror of
https://github.com/anomalyco/opencode.git
synced 2026-05-20 02:50:40 +00:00
HttpApi auth middleware was reading ServerAuth.Config via Effect's generated
defaultLayer, which resolves Config.string('OPENCODE_SERVER_PASSWORD') once
and is memoized by Layer identity. Subsequent runtime mutation of process.env
(or Flag.OPENCODE_SERVER_PASSWORD) was never observed, so the middleware kept
serving 401 even when auth was disabled at runtime.

Hono's AuthMiddleware reads Flag.OPENCODE_SERVER_PASSWORD per request, so it
picks up mutations immediately. With Hono still the production default and
HttpApi gated by OPENCODE_EXPERIMENTAL_HTTPAPI, the gap was masked by tests
that flipped the flag back to Hono for no-auth scenarios.

Override ServerAuth.Config.defaultLayer to read Flag.* via Layer.sync at
layer-build time. Each fresh listener (memoMap) picks up current Flag values.
This matches Hono behavior across listeners; per-request mutation within a
single listener is not preserved (would require reading Flag in the middleware
itself, which is a separate concern).

Tests:
- httpapi-listen: parameterize 'tickets optional when auth disabled' across
  both backends to lock in parity.
- httpapi-raw-route-auth + httpapi-ui: switch from ConfigProvider injection
  (which is now a no-op since defaultLayer is Flag-backed, not Config-backed)
  to ServerAuth.Config.layer({...}) for explicit overrides, or Flag mutation
  for tests that exercise the production read path.

46/46 auth + PTY tests pass.
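
The three read strategies this commit message contrasts, modelled in plain TypeScript as an added example (not code from the opencode repository, and not using Effect or Hono). `flag`, `check`, `buildListener`, `scenario` and the sample password are constructed names and values; only the behaviour described above is assumed.

```typescript
// Model only: `flag` stands in for Flag.OPENCODE_SERVER_PASSWORD (hypothetical shape).
type AuthConfig = { password: string | undefined }
type Middleware = (supplied: string | undefined) => number // returns an HTTP status

const flag: AuthConfig = { password: undefined }

// No password configured means auth is disabled. A real middleware would
// compare secrets in constant time; plain equality keeps the model short.
function check(password: string | undefined, supplied: string | undefined): number {
  if (password === undefined || password === "") return 200
  return supplied === password ? 200 : 401
}

// (1) Before the fix: config resolved once, then memoized for the process lifetime.
let memoized: AuthConfig | undefined
function memoizedConfig(): AuthConfig {
  if (memoized === undefined) memoized = { password: flag.password }
  return memoized
}

// (2) After the fix: config read from the flag each time a listener is built.
function currentConfig(): AuthConfig {
  return { password: flag.password }
}

// A listener captures its config at build time and reuses it for every request.
function buildListener(readConfig: () => AuthConfig): Middleware {
  const config = readConfig()
  return (supplied) => check(config.password, supplied)
}

// (3) Hono-style: the flag is read on every request.
const perRequest: Middleware = (supplied) => check(flag.password, supplied)

function scenario() {
  flag.password = "constructed-secret" // auth enabled at startup
  memoizedConfig() // first resolution pins the value
  const oldListener = buildListener(currentConfig)
  flag.password = undefined // auth disabled at runtime
  return {
    memoizedFresh: buildListener(memoizedConfig)(undefined), // stale config
    perBuildFresh: buildListener(currentConfig)(undefined), // fresh listener sees the flag
    perBuildOld: oldListener(undefined), // existing listener does not
    perRequest: perRequest(undefined),
  }
}
```

An unauthenticated request after the flag is cleared gets 401 from the memoized path and from the listener built earlier, and 200 from a freshly built listener and from the per-request read.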