mirror of
https://github.com/mauriceboe/TREK.git
synced 2026-06-21 14:21:46 +00:00
jubnl
fb6eaaf06d
Two follow-up fixes after the SDK auth migration:
1. CORS for browser-based OAuth clients (ChatGPT DCR 403)
The global cors({ origin: false }) intercepts OPTIONS preflight for
/oauth/register and /oauth/authorize before the SDK's own cors()
middleware inside clientRegistrationHandler/authorizationHandler
runs, causing the browser to reject the response with no
Access-Control-Allow-Origin header. ChatGPT's connector makes DCR
from the browser, so this manifested as a 403.
Fix: extend the open-CORS pre-middleware to also cover
/oauth/register and /oauth/authorize (same pattern as /.well-known).
2. WWW-Authenticate resource_metadata URL (RFC 9728 §5)
The MCP handler was advertising the base PRM path
(/.well-known/oauth-protected-resource) instead of the path-aware
variant (/.well-known/oauth-protected-resource/mcp). RFC 9728
requires the resource path to be appended when the resource URI has
a path component. The SDK registers the path-aware URL; the
WWW-Authenticate header now points to the same location.