fix(rpc): move CORS layer above AcceptHeaderLayer (#1707)

WiktorStarczewski · Mirko-von-Leipzig · web-flow · commit b35fa56c9454 · 2026-02-25T13:50:46.000+01:00
* fix(rpc): move CORS layer above AcceptHeaderLayer

When AcceptHeaderLayer rejects a request due to an unsupported SDK
version, it short-circuits the response via futures::future::ready()
which bypasses all downstream middleware. Since the CORS layer was
below AcceptHeaderLayer, rejection responses had no CORS headers,
causing browsers to block the error entirely.

* chore: add changelog entry for CORS layer fix

* chore: move changelog entry to v0.13.6 (TBD)

* Update crates/rpc/src/server/mod.rs

Co-authored-by: Mirko &lt;48352201+Mirko-von-Leipzig@users.noreply.github.com&gt;

* Update CHANGELOG.md

Co-authored-by: Mirko &lt;48352201+Mirko-von-Leipzig@users.noreply.github.com&gt;

---------

Co-authored-by: Mirko &lt;48352201+Mirko-von-Leipzig@users.noreply.github.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog
 
+## v0.13.6 (TBD)
+
+- Fixed CORS headers missing from version-rejection responses ([#1707](https://github.com/0xMiden/node/pull/1707)).
+
 ## v0.13.5 (2026-02-19)
 
 - OpenTelemetry traces are now flushed before program termination on panic ([#1643](https://github.com/0xMiden/miden-node/pull/1643)).
diff --git a/crates/rpc/src/server/mod.rs b/crates/rpc/src/server/mod.rs
@@ -84,12 +84,15 @@ impl Rpc {
             .layer(CatchPanicLayer::custom(catch_panic_layer_fn))
             .layer(TraceLayer::new_for_grpc().make_span_with(grpc_trace_fn))
             .layer(HealthCheckLayer)
+            // Note: must come before the accept layer, as otherwise accept rejections
+            // do _not_ get CORS headers applied, masking the accept error in
+            // web-clients (which would experience CORS rejection).
+            .layer(cors_for_grpc_web_layer())
             .layer(
                 AcceptHeaderLayer::new(&rpc_version, genesis.commitment())
                     .with_genesis_enforced_method("SubmitProvenTransaction")
                     .with_genesis_enforced_method("SubmitProvenBatch"),
             )
-            .layer(cors_for_grpc_web_layer())
             // Enables gRPC-web support.
             .layer(GrpcWebLayer::new())
             .add_service(api_service)
