fix(webapp): allow JWT + CORS on sessions list endpoint

ericallam · ericallam · commit ff46f33d51ae · 2026-04-20T16:04:17.000+01:00
Without allowJWT/corsStrategy, frontend clients holding public access
tokens hit 401 on GET /api/v1/sessions and browser preflights fail.
Matches the single-session GET/PATCH/close routes and the runs list
endpoint.
diff --git a/apps/webapp/app/routes/api.v1.sessions.ts b/apps/webapp/app/routes/api.v1.sessions.ts
@@ -26,6 +26,8 @@ function asArray<T>(value: T | T[] | undefined): T[] | undefined {
 export const loader = createLoaderApiRoute(
   {
     searchParams: ListSessionsQueryParams,
+    allowJWT: true,
+    corsStrategy: "all",
     findResource: async () => 1,
   },
   async ({ searchParams, authentication }) => {

Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,8 @@ function asArray<T>(value: T \| T[] \| undefined): T[] \| undefined {`
`26`	`26`	`export const loader = createLoaderApiRoute(`
`27`	`27`	`{`
`28`	`28`	`searchParams: ListSessionsQueryParams,`
	`29`	`+ allowJWT: true,`
	`30`	`+ corsStrategy: "all",`
`29`	`31`	`findResource: async () => 1,`
`30`	`32`	`},`
`31`	`33`	`async ({ searchParams, authentication }) => {`