fix: route cloud workspace-session through callCloudProxy to avoid CORS #738
Fixes issue OpenHands#737: cloud conversation workspace-session call bypasses proxy, fails with CORS

The useWorkspaceSession hook was making direct browser POST requests to cloud runtime sandboxes (*.prod-runtime.all-hands.dev) which don't allow CORS from localhost. This violates the rule documented in AGENTS.md that all browser → cloud backend calls must go through callCloudProxy().

Changes:
- Add cloud/local branch in queryFn based on active backend kind
- Cloud conversations route through callCloudProxy with session-api-key auth
- Local conversations continue using RemoteWorkspace directly
- Updated tests to cover both cloud and local paths
all-hands-bot left a comment
🟢 Good taste - Clean bug fix that correctly implements the established cloud proxy pattern.
What this fixes: Cloud conversations were making direct browser calls to *.prod-runtime.all-hands.dev/api/auth/workspace-session, which violated CORS policy and the repo's API access conventions (AGENTS.md Rule 2: all cloud runtime calls must go through callCloudProxy).
Implementation: Adds backend detection in queryFn - cloud path routes through callCloudProxy with proper hostOverride, authMode: "session-api-key", and session key; local path unchanged. Both paths return the same { baseUrl } shape.
Test coverage: Comprehensive - verifies cloud path parameters, error handling, local path preservation, and mutual exclusion (cloud doesn't call RemoteWorkspace, local doesn't call callCloudProxy).
[RISK ASSESSMENT]
🟡 MEDIUM - Touches auth/session logic but fixes a completely broken path with no regression risk. Cloud workspace sessions didn't work before; now they follow the correct proxy pattern. Local behavior unchanged.
VERDICT:
✅ Worth merging - Textbook implementation of the cloud proxy pattern, well-tested, fixes a real bug.
Workflow run: https://github.com/OpenHands/agent-canvas/actions/runs/26302540347
@hieptl I know you recently removed the proxy functionality - Would you mind 👀 ? 🙏
Hello @tofarr, I currently have an open pull request to remove the cloud proxy. However, I have not merged it yet because the CORS issue still occurs when fetching the list of changes and with some other APIs, as the frontend is calling the runtime APIs directly. To address this properly, I may need to either enable CORS for the runtime APIs or implement an OpenHands API layer to forward requests to the runtime APIs. Given this, I have approved and will proceed with merging this pull request for now. Thank you very much! 🙏

Summary
Fixes issue #737: cloud conversation workspace-session call bypasses proxy, fails with CORS
Problem
When a cloud backend conversation is loaded, use-workspace-session.ts makes a direct browser POST to *.prod-runtime.all-hands.dev/api/auth/workspace-session. The browser's same-origin policy blocks the preflight with:
Root Cause
use-workspace-session.ts builds its client via getAgentServerClientOptions({ conversationUrl, sessionApiKey }). When conversationUrl points at a cloud sandbox, the call goes directly from the browser to the cloud domain, violating the AGENTS.md rule that all browser → cloud calls must go through callCloudProxy().
Solution
Added a cloud/local branch in queryFn:
- Cloud: callCloudProxy() with session-api-key auth
- Local: RemoteWorkspace directly (unchanged)
Testing
All 10 tests pass.
This PR was created by an AI agent (OpenHands) on behalf of @jamiechicago312.
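
The cloud/local branch described in the Summary, as an added sketch that is not the PR's code. It also checks the proxy target against the runtime host pattern quoted in the PR before passing it as hostOverride. The deps object, the callCloudProxy parameter names other than hostOverride and authMode, startWorkspaceSession(), the baseUrl value and the allowlist check are assumptions.

```javascript
// Added illustration; not the code in use-workspace-session.ts.
// Assumed: the deps object, callCloudProxy's parameter names other than
// hostOverride/authMode, startWorkspaceSession(), the baseUrl value, and
// the host allowlist check itself.
const RUNTIME_SUFFIX = ".prod-runtime.all-hands.dev"; // host pattern from the PR

// Only https sandbox hosts under the runtime domain may be a proxy target.
function runtimeHost(conversationUrl) {
  const url = new URL(conversationUrl);
  if (url.protocol !== "https:" || !url.hostname.endsWith(RUNTIME_SUFFIX)) {
    throw new Error(`refusing to proxy to ${url.hostname}`);
  }
  return url.host;
}

// Cloud backends go through the proxy; local backends use the workspace client.
function makeWorkspaceSessionQueryFn(deps) {
  const { backendKind, conversationUrl, sessionApiKey } = deps;
  return async function queryFn() {
    if (backendKind === "cloud") {
      const res = await deps.callCloudProxy({
        method: "POST",
        path: "/api/auth/workspace-session",
        hostOverride: runtimeHost(conversationUrl),
        authMode: "session-api-key",
        sessionApiKey,
      });
      if (!res.ok) throw new Error(`workspace-session failed: ${res.status}`);
    } else {
      const workspace = deps.createRemoteWorkspace({ conversationUrl, sessionApiKey });
      await workspace.startWorkspaceSession(); // hypothetical method name
    }
    return { baseUrl: conversationUrl }; // same shape on both paths
  };
}
```

Injecting callCloudProxy and the workspace factory keeps the mutual-exclusion property (cloud never touches RemoteWorkspace, local never touches the proxy) easy to assert in a unit test.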