feat: enforce bearer auth on all /api/* routes and add tests

Apply HTTP bearer token authorization to every /api/* request in the
cloudsession package by using Hono's built-in bearerAuth middleware at
the app.use("/api/*") level. This replaces the per-route
isAuthorizedAdminRequest guard with a single middleware that protects all
API endpoints uniformly.

Key changes:
- cloudsession/src/index.tsx: add bearerAuth middleware (hono/bearer-auth)
  to app.use("/api/*"). Token validated against SESSIONS_RPC_SHARED_KEY;
  if unset, all API requests are rejected. Remove the now-redundant
  isAuthorizedAdminRequest helper and its manual check in GET /api/sessions.
- opencode/src/share/share-next.ts: change rpcHeaders() to emit the
  standard Authorization: Bearer <token> header instead of the custom
  x-opencode-share-key header. Spread rpcHeaders() into all three HTTP
  transport fetch calls (POST /api/share, POST /api/share/:id/sync,
  DELETE /api/share/:id).
- cloudsession/src/api.test.ts: add SESSIONS_RPC_SHARED_KEY to the test
  env, pass Authorization: Bearer in every request helper, and add a new
  "API Authorization" suite with 9 tests covering unauthenticated (401),
  wrong-token (401), and authorised (200) scenarios for key endpoints.
- cloudsession/src/index.test.ts: add SESSIONS_RPC_SHARED_KEY to the test
  env and include Authorization: Bearer headers in all API requests.
- packages/opencode/test/share/share-next.test.ts: new test file with 5
  source-level assertions verifying the bearer header format and that every
  HTTP fetch call in share-next.ts spreads rpcHeaders().

https://claude.ai/code/session_01HbjvMV8GaSbrjysBmUwM8P

Author: claude

packages/cloudsession/src/api.test.ts

@@ -4,10 +4,12 @@ import type { AgentSession, SyncInfo, SessionIndex } from "./types"
 import { createTestFileDiff, createTestMessage, createTestModel, createTestPart, createTestSession } from "./test-utils"
 
 const SHARED_SECRET = "6ba7b810-9dad-11d1-80b4-00c04fd430c8"
+const API_KEY = "test-api-key-abc123"
 
 type TestEnv = {
   SESSIONS_STORE: R2Bucket
   SESSIONS_SHARED_SECRET: string
+  SESSIONS_RPC_SHARED_KEY: string
   API_DOMAIN: string
   SESSIONS_BROADCAST: DurableObjectNamespace
 }
@@ -84,6 +86,7 @@ function createEnv(): TestEnv {
   return {
     SESSIONS_STORE: createMockR2Bucket(),
     SESSIONS_SHARED_SECRET: SHARED_SECRET,
+    SESSIONS_RPC_SHARED_KEY: API_KEY,
     API_DOMAIN: "opencode.api.com",
     SESSIONS_BROADCAST: createMockDONamespace(),
   }
@@ -102,7 +105,7 @@ async function createShare(sessionID: string, env: TestEnv) {
     "http://localhost/api/share",
     {
       method: "POST",
-      headers: { "Content-Type": "application/json" },
+      headers: { "Content-Type": "application/json", Authorization: `Bearer ${env.SESSIONS_RPC_SHARED_KEY}` },
       body: JSON.stringify({ sessionID }),
     },
     env,
@@ -119,7 +122,7 @@ async function syncShare(
     `http://localhost/api/share/${shareID}/sync`,
     {
       method: "POST",
-      headers: { "Content-Type": "application/json" },
+      headers: { "Content-Type": "application/json", Authorization: `Bearer ${env.SESSIONS_RPC_SHARED_KEY}` },
       body: JSON.stringify(payload),
     },
     env,
@@ -132,7 +135,7 @@ async function deleteShare(shareID: string, env: TestEnv, secret: string) {
     `http://localhost/api/share/${shareID}`,
     {
       method: "DELETE",
-      headers: { "Content-Type": "application/json" },
+      headers: { "Content-Type": "application/json", Authorization: `Bearer ${env.SESSIONS_RPC_SHARED_KEY}` },
       body: JSON.stringify({ secret }),
     },
     env,
@@ -141,23 +144,35 @@ async function deleteShare(shareID: string, env: TestEnv, secret: string) {
 }
 
 async function getShare(shareID: string, env: TestEnv) {
-  const response = await request(`http://localhost/api/share/${shareID}`, { method: "GET" }, env)
+  const response = await request(
+    `http://localhost/api/share/${shareID}`,
+    { method: "GET", headers: { Authorization: `Bearer ${env.SESSIONS_RPC_SHARED_KEY}` } },
+    env,
+  )
   if (!response.ok) {
     return { response, data: null }
   }
   return { response, data: await parseJson<AgentSession>(response) }
 }
 
 async function getMetadata(shareID: string, env: TestEnv) {
-  const response = await request(`http://localhost/api/share/${shareID}/metadata`, { method: "GET" }, env)
+  const response = await request(
+    `http://localhost/api/share/${shareID}/metadata`,
+    { method: "GET", headers: { Authorization: `Bearer ${env.SESSIONS_RPC_SHARED_KEY}` } },
+    env,
+  )
   if (!response.ok) {
     return { response, data: null }
   }
   return { response, data: await parseJson<SessionIndex>(response) }
 }
 
 async function listSessions(env: TestEnv) {
-  const response = await request("http://localhost/api/sessions", { method: "GET" }, env)
+  const response = await request(
+    "http://localhost/api/sessions",
+    { method: "GET", headers: { Authorization: `Bearer ${env.SESSIONS_RPC_SHARED_KEY}` } },
+    env,
+  )
   return {
     response,
     data: await parseJson<{ sessions: SessionIndex[]; count: number }>(response),
@@ -636,3 +651,100 @@ describe("GET /", () => {
     expect(response.headers.get("Location")).toBe("/sessions")
   })
 })
+
+describe("API Authorization (bearer auth middleware)", () => {
+  let env: TestEnv
+
+  beforeEach(() => {
+    env = createEnv()
+  })
+
+  test("rejects /api/share POST with no token (401)", async () => {
+    const response = await request(
+      "http://localhost/api/share",
+      { method: "POST", headers: { "Content-Type": "application/json" }, body: JSON.stringify({ sessionID: "x" }) },
+      env,
+    )
+    expect(response.status).toBe(401)
+  })
+
+  test("rejects /api/share POST with wrong token (401)", async () => {
+    const response = await request(
+      "http://localhost/api/share",
+      {
+        method: "POST",
+        headers: { "Content-Type": "application/json", Authorization: "Bearer wrong-key" },
+        body: JSON.stringify({ sessionID: "x" }),
+      },
+      env,
+    )
+    expect(response.status).toBe(401)
+  })
+
+  test("rejects /api/sessions GET with no token (401)", async () => {
+    const response = await request("http://localhost/api/sessions", { method: "GET" }, env)
+    expect(response.status).toBe(401)
+  })
+
+  test("rejects /api/sessions GET with wrong token (401)", async () => {
+    const response = await request(
+      "http://localhost/api/sessions",
+      { method: "GET", headers: { Authorization: "Bearer wrong-key" } },
+      env,
+    )
+    expect(response.status).toBe(401)
+  })
+
+  test("rejects /api/share/:id GET with no token (401)", async () => {
+    const response = await request("http://localhost/api/share/someid", { method: "GET" }, env)
+    expect(response.status).toBe(401)
+  })
+
+  test("rejects /api/share/:id/sync POST with no token (401)", async () => {
+    const response = await request(
+      "http://localhost/api/share/someid/sync",
+      { method: "POST", headers: { "Content-Type": "application/json" }, body: JSON.stringify({ secret: "x", data: [] }) },
+      env,
+    )
+    expect(response.status).toBe(401)
+  })
+
+  test("rejects /api/share/:id DELETE with no token (401)", async () => {
+    const response = await request(
+      "http://localhost/api/share/someid",
+      { method: "DELETE", headers: { "Content-Type": "application/json" }, body: JSON.stringify({ secret: "x" }) },
+      env,
+    )
+    expect(response.status).toBe(401)
+  })
+
+  test("allows /api/share POST with valid token", async () => {
+    const response = await request(
+      "http://localhost/api/share",
+      {
+        method: "POST",
+        headers: { "Content-Type": "application/json", Authorization: `Bearer ${API_KEY}` },
+        body: JSON.stringify({ sessionID: "valid-session" }),
+      },
+      env,
+    )
+    expect(response.status).toBe(200)
+  })
+
+  test("rejects all /api/* routes when SESSIONS_RPC_SHARED_KEY is not configured", async () => {
+    const unconfiguredEnv = {
+      ...createEnv(),
+      SESSIONS_RPC_SHARED_KEY: "",
+    }
+    const response = await request(
+      "http://localhost/api/share",
+      {
+        method: "POST",
+        headers: { "Content-Type": "application/json", Authorization: "Bearer anything" },
+        body: JSON.stringify({ sessionID: "x" }),
+      },
+      unconfiguredEnv,
+    )
+    expect(response.status).toBe(401)
+  })
+})

packages/cloudsession/src/index.test.ts

@@ -12,6 +12,7 @@ import {
 } from "./test-utils"
 
 const sharedSecret = "6ba7b810-9dad-11d1-80b4-00c04fd430c8"
+const apiKey = "test-api-key-abc123"
 
 const createMockR2Bucket = () => {
   const storage = new Map<string, string>()
@@ -67,6 +68,7 @@ const createMockR2Bucket = () => {
 const createEnv = () => ({
   SESSIONS_STORE: createMockR2Bucket(),
   SESSIONS_SHARED_SECRET: sharedSecret,
+  SESSIONS_RPC_SHARED_KEY: apiKey,
   API_DOMAIN: "test.opencode.ai",
   SESSIONS_BROADCAST: {
     idFromName: () => ({ toString: () => "mock-id" }),
@@ -88,7 +90,7 @@ const createShare = async (sessionID: string, env: ReturnType<typeof createEnv>)
     "http://localhost/api/share",
     {
       method: "POST",
-      headers: { "Content-Type": "application/json" },
+      headers: { "Content-Type": "application/json", Authorization: `Bearer ${env.SESSIONS_RPC_SHARED_KEY}` },
       body: JSON.stringify({ sessionID }),
     },
     env,
@@ -106,7 +108,7 @@ const syncShare = async (
     `http://localhost/api/share/${shareID}/sync`,
     {
       method: "POST",
-      headers: { "Content-Type": "application/json" },
+      headers: { "Content-Type": "application/json", Authorization: `Bearer ${env.SESSIONS_RPC_SHARED_KEY}` },
       body: JSON.stringify(payload),
     },
     env,
@@ -150,7 +152,11 @@ describe("Sessions API", () => {
     expect(syncResult.syncCount).toBe(1)
 
     // Retrieve from GET /api/share/:id.
-    const shareResponse = await request(`http://localhost/api/share/${share.id}`, { method: "GET" }, env)
+    const shareResponse = await request(
+      `http://localhost/api/share/${share.id}`,
+      { method: "GET", headers: { Authorization: `Bearer ${env.SESSIONS_RPC_SHARED_KEY}` } },
+      env,
+    )
     expect(shareResponse.status).toBe(200)
 
     const shareSession = await parseJson<AgentSession>(shareResponse)
@@ -178,7 +184,11 @@ describe("Sessions API", () => {
       data: [{ type: "session", data: createTestSession({ id: "session-b" }) }],
     })
 
-    const response = await request("http://localhost/api/sessions", { method: "GET" }, env)
+    const response = await request(
+      "http://localhost/api/sessions",
+      { method: "GET", headers: { Authorization: `Bearer ${env.SESSIONS_RPC_SHARED_KEY}` } },
+      env,
+    )
     expect(response.status).toBe(200)
 
     const result = await parseJson<{ sessions: SessionIndex[]; count: number }>(response)

packages/cloudsession/src/index.tsx

@@ -1,5 +1,6 @@
 import { Hono } from "hono"
 import { cors } from "hono/cors"
+import { bearerAuth } from "hono/bearer-auth"
 import { newWorkersRpcResponse } from "capnweb"
 import { zValidator } from "@hono/zod-validator"
 import { z } from "zod"
@@ -34,23 +35,20 @@ function isAuthorizedRpcRequest(c: { req: { header: (name: string) => string | u
   return received === configured
 }
 
-function isAuthorizedAdminRequest(c: { req: { header: (name: string) => string | undefined }; env: Env }) {
-  // The admin key reuses the same SESSIONS_RPC_SHARED_KEY env var.
-  // If it is not configured the endpoint is inaccessible to prevent
-  // unauthenticated enumeration of all sessions.
-  const configured = c.env.SESSIONS_RPC_SHARED_KEY
-  if (!configured) return false
-  const received = c.req.header("x-opencode-share-key")
-  return received === configured
-}
-
 /**
  * Main Hono application
  */
 const app = new Hono<{ Bindings: Env }>()
 
-// Enable CORS for API routes only (not for WebSocket or HTML routes)
-app.use("/api/*", cors())
+// Enable CORS and require bearer auth for all API routes.
+// SESSIONS_RPC_SHARED_KEY must be configured — if absent every request is rejected.
+app.use(
+  "/api/*",
+  cors(),
+  bearerAuth({
+    verifyToken: (token, c) => !!c.env.SESSIONS_RPC_SHARED_KEY && token === c.env.SESSIONS_RPC_SHARED_KEY,
+  }),
+)
 
 app.all("/rpc/share", async (c) => {
   if (!isAuthorizedRpcRequest(c)) {
@@ -332,9 +330,6 @@ app.get("/api/share/:id/metadata", async (c) => {
  * GET /api/sessions
  */
 app.get("/api/sessions", async (c) => {
-  if (!isAuthorizedAdminRequest(c)) {
-    return c.json({ error: "Unauthorized" }, 401)
-  }
   const { index } = getStorageAdapter(c)
   const list = await index.list({ prefix: "index/" })
 

packages/opencode/src/share/share-next.ts

@@ -28,7 +28,7 @@ export namespace ShareNext {
 
   function rpcHeaders(): Record<string, string> | undefined {
     if (!rpcKey) return undefined
-    return { "x-opencode-share-key": rpcKey }
+    return { Authorization: `Bearer ${rpcKey}` }
   }
 
   // Single reused RPC session — avoids re-creating the HTTP client on every call.
@@ -89,7 +89,7 @@ export namespace ShareNext {
       const [baseUrl, initialData] = await Promise.all([getUrl(), initialDataPromise])
       result = await fetch(`${baseUrl}/api/share`, {
         method: "POST",
-        headers: { "Content-Type": "application/json" },
+        headers: { "Content-Type": "application/json", ...rpcHeaders() },
         body: JSON.stringify({ sessionID }),
       })
         .then((x) => x.json())
@@ -183,7 +183,7 @@ export namespace ShareNext {
   async function syncHttp(share: { id: string; secret: string }, data: Data[], baseUrl: string) {
     await fetch(`${baseUrl}/api/share/${share.id}/sync`, {
       method: "POST",
-      headers: { "Content-Type": "application/json" },
+      headers: { "Content-Type": "application/json", ...rpcHeaders() },
       body: JSON.stringify({ secret: share.secret, data }),
     })
   }
@@ -201,7 +201,7 @@ export namespace ShareNext {
       const baseUrl = await getUrl()
       await fetch(`${baseUrl}/api/share/${share.id}`, {
         method: "DELETE",
-        headers: { "Content-Type": "application/json" },
+        headers: { "Content-Type": "application/json", ...rpcHeaders() },
         body: JSON.stringify({ secret: share.secret }),
       })
     }

packages/opencode/test/share/share-next.test.ts

@@ -0,0 +1,55 @@
+/**
+ * Tests for ShareNext bearer-auth changes.
+ *
+ * Source-level assertions are used for the opencode package because share-next.ts
+ * is imported transitively by many integration test files, making module-level
+ * env var injection unreliable across the full test suite.  The behavioural
+ * verification lives in the cloudsession package's api.test.ts which exercises
+ * the full request/response cycle end-to-end.
+ */
+import { describe, test, expect } from "bun:test"
+
+describe("ShareNext — bearer auth header format (source verification)", () => {
+  test("rpcHeaders() uses Authorization: Bearer, not x-opencode-share-key", async () => {
+    const src = await Bun.file("./src/share/share-next.ts").text()
+    // New bearer format must be present
+    expect(src).toContain("Authorization: `Bearer ${rpcKey}`")
+    // The old custom header must be gone
+    expect(src).not.toContain('"x-opencode-share-key"')
+  })
+
+  test("POST /api/share fetch call spreads rpcHeaders() into headers", async () => {
+    const src = await Bun.file("./src/share/share-next.ts").text()
+    // The create-share fetch must spread auth headers
+    expect(src).toContain("/api/share`,")
+    // Find the fetch call block for /api/share (POST)
+    const match = src.match(/fetch\(`\$\{baseUrl\}\/api\/share`,[\s\S]{0,300}?\}[\s\S]{0,50}?\)/)
+    expect(match).not.toBeNull()
+    expect(match![0]).toContain("...rpcHeaders()")
+  })
+
+  test("POST /api/share/:id/sync fetch call spreads rpcHeaders() into headers", async () => {
+    const src = await Bun.file("./src/share/share-next.ts").text()
+    const match = src.match(/fetch\(`\$\{baseUrl\}\/api\/share\/\$\{share\.id\}\/sync`,[\s\S]{0,300}?\}[\s\S]{0,50}?\)/)
+    expect(match).not.toBeNull()
+    expect(match![0]).toContain("...rpcHeaders()")
+  })
+
+  test("DELETE /api/share/:id fetch call spreads rpcHeaders() into headers", async () => {
+    const src = await Bun.file("./src/share/share-next.ts").text()
+    const match = src.match(/fetch\(`\$\{baseUrl\}\/api\/share\/\$\{share\.id\}`,[\s\S]{0,300}?\}[\s\S]{0,50}?\)/)
+    expect(match).not.toBeNull()
+    expect(match![0]).toContain("...rpcHeaders()")
+  })
+
+  test("no fetch call with Content-Type header omits rpcHeaders()", async () => {
+    const src = await Bun.file("./src/share/share-next.ts").text()
+    // Every headers block that has Content-Type must also spread rpcHeaders()
+    const headerBlocks = src.match(/headers:\s*\{[^}]+\}/g) ?? []
+    for (const block of headerBlocks) {
+      if (block.includes("Content-Type")) {
+        expect(block).toContain("...rpcHeaders()")
+      }
+    }
+  })
+})