From 7a8208293c0c064bb712b9004f96e8db3bc94f16 Mon Sep 17 00:00:00 2001
From: Vojtech Vitek <vv@horizon.io>
Date: Sat, 8 Mar 2025 20:50:51 +0100
Subject: [PATCH] Restrict CORS access for Builder Secret Keys

---
 middleware.go | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/middleware.go b/middleware.go
index 8acc846..f43c07c 100644
--- a/middleware.go
+++ b/middleware.go
@@ -223,9 +223,8 @@ func Session(cfg Options) func(next http.Handler) http.Handler {
 							slog.Uint64("project_id", uint64(projectClaim)),
 						)
 
-						// TODO: Uncomment once we're confident it won't disrupt major customers.
-						// cfg.ErrHandler(r, w, err)
-						// return
+						cfg.ErrHandler(r, w, err)
+						return
 					}
 				}
 			}
@@ -271,7 +270,7 @@ func AccessControl(acl Config[ACL], cfg Options) func(next http.Handler) http.Ha
 }
 
 // PropagateAccessKey propagates the access key from the context to other webrpc packages.
-// It expectes the function `WithHTTPRequestHeaders` from the proto package that requires the access key propogation.
+// It expects the function `WithHTTPRequestHeaders` from the proto package that requires the access key propogation.
 func PropagateAccessKey(headerContextFuncs ...func(context.Context, http.Header) (context.Context, error)) func(next http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {