From dda00032260195c577f5e90240b4b8fdbeaa1507 Mon Sep 17 00:00:00 2001
From: Claude
Date: Mon, 1 Dec 2025 01:24:46 +0000
Subject: [PATCH] Expose MCP headers in CORS for session continuity
The 400 Bad Request on second POST was caused by CORS not exposing the mcp-session-id header, preventing MCP Inspector from reading it and sending it back in subsequent requests. Without the session ID, each request created a new transport session instead of reusing the existing one, causing protocol errors.
Fix:
- Add expose_headers to CORS middleware configuration
- Expose mcp-session-id and mcp-protocol-version headers
- Allows browser clients to read and reuse session IDs
- Applied to both streamable-http and SSE transports
This fixes the session continuity issue and eliminates 400 errors.
---
 src/geoguessr_mcp/main.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/geoguessr_mcp/main.py b/src/geoguessr_mcp/main.py
index cb81fc1..a803a88 100644
--- a/src/geoguessr_mcp/main.py
+++ b/src/geoguessr_mcp/main.py
@@ -86,7 +86,6 @@ def main():
 def _streamable_http_app_with_middleware(): """Wrap app creation to inject middleware.""" - app = _original_streamable_http_app() # Add request logging middleware for debugging (first in chain)
@@ -100,7 +99,9 @@ def main():
 allow_credentials=True, allow_methods=["*"], allow_headers=["*"], + expose_headers=["mcp-session-id", "mcp-protocol-version"], ) + # Add authentication middleware if enabled if settings.MCP_AUTH_ENABLED: app.add_middleware(AuthenticationMiddleware)
@@ -117,6 +118,7 @@ def main():
 def _sse_app_with_middleware(): """Wrap SSE app creation to inject middleware.""" app = _original_sse_app() + if settings.LOG_LEVEL == "DEBUG": app.add_middleware(RequestLoggingMiddleware)
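Review bot: Exposing `mcp-session-id` in the `@@ -100,7 +99,9 @@` hunk makes the session identifier readable by script on every origin this CORS policy admits, and the `allow_origins` value that decides that is outside the hunk. The visible context already sets `allow_credentials=True` with wildcard methods and headers, so if origins are also a wildcard or a reflected value, the ID is readable far more widely than the MCP Inspector use case needs. Confirm `allow_origins` is an explicit allow-list and record the dependency next to the new line, e.g. `# mcp-session-id becomes readable cross-origin; allow_origins must stay an explicit list`. The same line is added to the SSE wrapper in the `@@ -126,10 +128,12 @@` hunk, and the middleware call starts above both hunks.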
@@ -126,10 +128,12 @@ def main():
 allow_credentials=True, allow_methods=["*"], allow_headers=["*"], - + expose_headers=["mcp-session-id", "mcp-protocol-version"], ) + if settings.MCP_AUTH_ENABLED: app.add_middleware(AuthenticationMiddleware) + return app mcp.sse_app = _sse_app_with_middleware
@@ -144,6 +148,7 @@ def main():
 logger.info(f"MCP server authentication is ENABLED with {api_key_count} API key(s)") else: logger.warning("MCP server authentication is DISABLED - server is publicly accessible") + if settings.DEFAULT_NCFA_COOKIE: logger.info("Default GeoGuessr authentication cookie configured from environment") else:
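Review bot: `AuthenticationMiddleware` is still registered after the CORS middleware in the `@@ -126,10 +128,12 @@` hunk, which matters for the browser flow this commit is fixing. If `app` is a Starlette application, `add_middleware` places the most recently added middleware outermost, so authentication would run before CORS; a preflight `OPTIONS` request carries no API key, and a rejection issued there would reach the browser without any CORS headers, including the newly exposed ones. The middleware's handling of `OPTIONS` is not visible here, so verify it, or register authentication before the CORS block so that CORS wraps it. The streamable-http wrapper in the `@@ -100,7 +99,9 @@` hunk has the same order, and the function body begins above this hunk.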