Skip to content

Returning undefined from discoverOAuthMetadata for CORS errors #717

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Jul 1, 2025
Merged

Returning undefined from discoverOAuthMetadata for CORS errors #717

merged 3 commits into from
Jul 1, 2025
+35 −25

Conversation

geelen
Copy link
Contributor

@geelen geelen commented Jul 1, 2025

PR #687 caused all web MCP client (e.g. use-mcp) to fail for "legacy servers" (unless they had permissive CORS headers on 404 responses) and PR #692's fallback didn't quite work. I've fixed that so that CORS errors are handled more consistently, and the fallback works more often.

The issue was if the server returns a 404 for /.well-known/oauth-authorization-server/xyz that didn't have the access-control-allow-origin, a TypeError was being thrown. There was logic there already to handle a TypeError for a preflight request (cause by custom headers), but not the fallback. I refactored so all combinations return undefined.

How Has This Been Tested?

Verified using use-mcp inspector: https://inspector.use-mcp.dev/ and a server that requires auth (e.g. https://bindings.mcp.cloudflare.com/mcp)

Breaking Changes

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Returning undefined from discoverOAuthMetadata for CORS errors
2301ec9 
This behaviour was already happening for the root URL, but the new `fetchWithCorsRetry` logic differed.

The issue was if the server returns a 404 for `/.well-known/oauth-authorization-server/xyz` that didn't have the `access-control-allow-origin`, a TypeError was being thrown. There was logic there already to handle a TypeError for a _preflight_ request (cause by custom headers), but not the fallback. I refactored so all combinations return `undefined`.
@geelen geelen force-pushed the fix-cors-on-well-known branch from 404100a to 2301ec9 Compare July 1, 2025 11:27
@geelen geelen mentioned this pull request Jul 1, 2025
Open
@pcarleton pcarleton self-assigned this Jul 1, 2025
pcarleton and others added 2 commits July 1, 2025 16:15
@pcarleton @claude
Add test for CORS error handling that should return undefined
15bfa04 
This test covers the scenario where both the initial request with headers
and the retry without headers fail with CORS TypeErrors. The desired
behavior is to return undefined instead of throwing.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>
@pcarleton
fix test comment
8916e83
pcarleton
pcarleton approved these changes Jul 1, 2025
View reviewed changes
Copy link
Contributor

@pcarleton pcarleton left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! Thanks for this.

I added a test to clarify my understanding, made sure it failed on main, and then passes here.

@pcarleton pcarleton merged commit 6f5e53b into modelcontextprotocol:main Jul 1, 2025
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pcarleton pcarleton pcarleton approved these changes

Assignees

@pcarleton pcarleton

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@geelen @pcarleton