refactor(cors): replace manual CORS middleware with hono/cors

Fixes a bug where routes returning raw `new Response()` (RSS, Atom, entries) were not receiving CORS headers — hono/cors applies headers after next(), covering all response paths. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-20 22:03:48 +00:00 · 2026-05-21 23:46:21 +02:00
parent ece237c0af
commit 57e0cc5413
5 changed files with 104 additions and 94 deletions
@@ -1,4 +1,5 @@
 import { Hono } from "hono";
+import { cors } from "hono/cors";
 import { handle as handleInbound } from "./routes/inbound";
 import { handle as handleRSS } from "./routes/rss";
 import { handle as handleAtom } from "./routes/atom";
@@ -9,7 +10,6 @@ import { hubRouter } from "./routes/hub";
 import { handleCloudflareEmail } from "./lib/cloudflare-email";
 import { Env } from "./types";

-// Define allowed origins for CORS
 const ALLOWED_ORIGINS = ["https://getmynews.app", "https://www.getmynews.app"];

 // Fallback ForwardEmail.net IP addresses in case API fetch fails
@@ -84,23 +84,15 @@ async function getForwardEmailIps(): Promise<string[]> {
  }
 }

-// CORS middleware
-app.use("*", async (c, next) => {
-  const origin = c.req.header("Origin");
-  if (origin && ALLOWED_ORIGINS.includes(origin)) {
-    c.header("Access-Control-Allow-Origin", origin);
-    c.header("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
-    c.header("Access-Control-Allow-Headers", "Content-Type, Authorization");
-    c.header("Access-Control-Max-Age", "86400");
-  }
-
-  // Handle preflight requests
-  if (c.req.method === "OPTIONS") {
-    return c.body(null, 204);
-  }
-
-  await next();
-});
+app.use(
+  "*",
+  cors({
+    origin: ALLOWED_ORIGINS,
+    allowMethods: ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
+    allowHeaders: ["Content-Type", "Authorization"],
+    maxAge: 86400,
+  }),
+);

 // Group routes by functionality
 const api = new Hono();