diff --git a/server/src/app.ts b/server/src/app.ts index be9694f3..e86de386 100644 --- a/server/src/app.ts +++ b/server/src/app.ts @@ -95,11 +95,19 @@ export function createApp(): express.Application { const hstsActive = shouldForceHttps || process.env.NODE_ENV === 'production'; const hstsIncludeSubdomains = process.env.HSTS_INCLUDE_SUBDOMAINS === 'true'; - // RFC 8414 / RFC 9728: discovery docs are world-readable โ€” open CORS regardless of deployment config - // Covers both the base path and the RFC 9728 path-based variant (/.well-known/oauth-protected-resource/mcp) + // RFC 8414 / RFC 9728 / RFC 7591: discovery docs and DCR are world-readable/writable โ€” + // open CORS for external MCP clients regardless of the deployment's ALLOWED_ORIGINS config. + // /oauth/register and /oauth/authorize need it because browser-based clients (ChatGPT, etc.) + // send a CORS preflight that the global cors({ origin: false }) would answer WITHOUT + // Access-Control-Allow-Origin, causing the browser to reject the response before the + // SDK's own cors() middleware inside clientRegistrationHandler/authorizationHandler runs. app.use( (req: Request, _res: Response, next: NextFunction) => { - if (req.path.startsWith('/.well-known/oauth-')) { + if ( + req.path.startsWith('/.well-known/oauth-') || + req.path === '/oauth/register' || + req.path === '/oauth/authorize' + ) { cors({ origin: '*', credentials: false })(req, _res, next); } else { next(); diff --git a/server/src/mcp/index.ts b/server/src/mcp/index.ts index e46c03db..2984811a 100644 --- a/server/src/mcp/index.ts +++ b/server/src/mcp/index.ts @@ -154,8 +154,9 @@ sessionSweepInterval.unref(); function setAuthChallenge(res: Response, error = 'invalid_token'): void { const base = (getAppUrl() || '').replace(/\/+$/, ''); + // RFC 9728 ยง5: resource with path component /mcp โ†’ PRM URL must include the path res.set('WWW-Authenticate', - `Bearer realm="TREK MCP", resource_metadata="${base}/.well-known/oauth-protected-resource", error="${error}"`); + `Bearer realm="TREK MCP", resource_metadata="${base}/.well-known/oauth-protected-resource/mcp", error="${error}"`); } interface VerifyTokenResult {