fix: add CORS headers to streaming chat response (#138)

- Add CORS headers to createUIMessageStreamResponse call in handleChatStream
- Add x-api-key to Access-Control-Allow-Headers in getCorsHeaders
- Update handleChatStream test to expect CORS headers

Fixes cross-origin requests to /api/chat endpoint being blocked.

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Author: sweetmantech

lib/chat/__tests__/handleChatStream.test.ts

@@ -162,6 +162,11 @@ describe("handleChatStream", () => {
       expect(mockCreateUIMessageStream).toHaveBeenCalled();
       expect(mockCreateUIMessageStreamResponse).toHaveBeenCalledWith({
         stream: mockStream,
+        headers: {
+          "Access-Control-Allow-Origin": "*",
+          "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS, PATCH",
+          "Access-Control-Allow-Headers": "Content-Type, Authorization, X-Requested-With, x-api-key",
+        },
       });
       expect(result).toBe(mockResponse);
     });

lib/chat/handleChatStream.ts

@@ -58,7 +58,7 @@ export async function handleChatStream(request: NextRequest): Promise<Response>
       },
     });
 
-    return createUIMessageStreamResponse({ stream });
+    return createUIMessageStreamResponse({ stream, headers: getCorsHeaders() });
   } catch (e) {
     console.error("/api/chat Global error:", e);
     return NextResponse.json(

lib/networking/getCorsHeaders.ts

@@ -7,6 +7,6 @@ export function getCorsHeaders(): Record<string, string> {
   return {
     "Access-Control-Allow-Origin": "*",
     "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS, PATCH",
-    "Access-Control-Allow-Headers": "Content-Type, Authorization, X-Requested-With",
+    "Access-Control-Allow-Headers": "Content-Type, Authorization, X-Requested-With, x-api-key",
   };
 }