From c2d61c0eee9f81dd6335ed51c3424a9bd5e34dd8 Mon Sep 17 00:00:00 2001
From: Ignacio Amigo <ignacio.amigo@lambdaclass.com>
Date: Tue, 31 Mar 2026 00:46:07 -0300
Subject: [PATCH 1/2] refactor(cors): move layers

---
 crates/rpc/src/server/mod.rs | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/crates/rpc/src/server/mod.rs b/crates/rpc/src/server/mod.rs
index 90b0bccd9..7f0dfae8a 100644
--- a/crates/rpc/src/server/mod.rs
+++ b/crates/rpc/src/server/mod.rs
@@ -87,19 +87,20 @@ impl Rpc {
                 .make_span_with(grpc_trace_fn),
             )
             .layer(HealthCheckLayer)
+            .layer(cors_for_grpc_web_layer())
+            // Note: must wrap the accept/rate-limit layers so grpc-web callers receive
+            // grpc-web-compatible error responses instead of opaque transport failures.
+            .layer(GrpcWebLayer::new())
             .layer(grpc::rate_limit_concurrent_connections(self.grpc_options))
             .layer(grpc::rate_limit_per_ip(self.grpc_options)?)
-            // Note: must come before the accept layer, as otherwise accept rejections
+            // Note: must come after the CORS layer, as otherwise accept rejections
             // do _not_ get CORS headers applied, masking the accept error in
             // web-clients (which would experience CORS rejection).
-            .layer(cors_for_grpc_web_layer())
             .layer(
                 AcceptHeaderLayer::new(&rpc_version, genesis.commitment())
                     .with_genesis_enforced_method("SubmitProvenTransaction")
                     .with_genesis_enforced_method("SubmitProvenBatch"),
             )
-            // Enables gRPC-web support.
-            .layer(GrpcWebLayer::new())
             .add_service(api_service)
             // Enables gRPC reflection service.
             .add_service(reflection_service)

From c68ce64411a7188fa3b91cf7623cfe212a7d5996 Mon Sep 17 00:00:00 2001
From: Ignacio Amigo <ignacio.amigo@lambdaclass.com>
Date: Tue, 31 Mar 2026 01:16:29 -0300
Subject: [PATCH 2/2] chore: changelog

---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c662ddb5b..f6d25106b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -17,7 +17,7 @@
 - Introduce `SyncChainMmr` RPC endpoint to sync chain MMR deltas within specified block ranges ([#1591](https://github.com/0xMiden/node/issues/1591)).
 - Fixed `TransactionHeader` serialization for row insertion on database & fixed transaction cursor on retrievals ([#1701](https://github.com/0xMiden/node/issues/1701)).
 - Added KMS signing support in validator ([#1677](https://github.com/0xMiden/node/pull/1677)).
-- Added per-IP gRPC rate limiting across services as well as global concurrent connection limit ([#1746](https://github.com/0xMiden/node/issues/1746)).
+- Added per-IP gRPC rate limiting across services as well as global concurrent connection limit ([#1746](https://github.com/0xMiden/node/issues/1746), [#1865](https://github.com/0xMiden/node/pull/1865)).
 - Added limit to execution cycles for a transaction network, configurable through CLI args (`--ntx-builder.max-tx-cycles`) ([#1801](https://github.com/0xMiden/node/issues/1801)).
 
 ### Changes