k1nq/TREK
1
0
Fork 0
mirror of https://github.com/mauriceboe/TREK.git synced 2026-06-22 06:41:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: add /mcp to open-CORS pre-middleware

Browse Source 
External MCP clients (ChatGPT, Claude.ai, MCP Inspector) call /mcp
cross-origin with Bearer tokens. The OPTIONS preflight was hitting the
SPA catch-all because the global cors({ origin: false }) didn't add
Access-Control-Allow-Origin. Without a valid CORS response the browser
blocked the subsequent POST, preventing the 401 WWW-Authenticate header
from being read — ChatGPT reported 'does not implement OAuth'.
This commit is contained in:
jubnl
2026-05-05 13:57:52 +02:00
parent 8e14434a1b
commit af10ab1c93
1 changed files with 7 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files
server/src/app.ts
+7 -7
View File
@@ -95,18 +95,18 @@ export function createApp(): express.Application {
const hstsActive = shouldForceHttps || process.env.NODE_ENV === 'production'; const hstsActive = shouldForceHttps || process.env.NODE_ENV === 'production';
const hstsIncludeSubdomains = process.env.HSTS_INCLUDE_SUBDOMAINS === 'true'; const hstsIncludeSubdomains = process.env.HSTS_INCLUDE_SUBDOMAINS === 'true';
// RFC 8414 / RFC 9728 / RFC 7591: discovery docs and DCR are world-readable/writable // RFC 8414 / RFC 9728 / RFC 7591: discovery docs and DCR are world-readable/writable.
// open CORS for external MCP clients regardless of the deployment's ALLOWED_ORIGINS config. // /mcp needs open CORS so external MCP clients (ChatGPT, Claude.ai, Inspector) can call it
// /oauth/register and /oauth/authorize need it because browser-based clients (ChatGPT, etc.) // with Bearer tokens from any origin. /oauth/register and /oauth/authorize need it for
// send a CORS preflight that the global cors({ origin: false }) would answer WITHOUT // browser-based DCR/authorization preflights — the global cors({ origin: false }) would
// Access-Control-Allow-Origin, causing the browser to reject the response before the // answer OPTIONS without Access-Control-Allow-Origin before the SDK's own cors() runs.
// SDK's own cors() middleware inside clientRegistrationHandler/authorizationHandler runs.
app.use( app.use(
(req: Request, _res: Response, next: NextFunction) => { (req: Request, _res: Response, next: NextFunction) => {
if ( if (
req.path.startsWith('/.well-known/oauth-') || req.path.startsWith('/.well-known/oauth-') ||
req.path === '/oauth/register' || req.path === '/oauth/register' ||
req.path === '/oauth/authorize' req.path === '/oauth/authorize' ||
req.path === '/mcp'
) { ) {
cors({ origin: '*', credentials: false })(req, _res, next); cors({ origin: '*', credentials: false })(req, _res, next);
} else { } else {