Expose MCP headers in CORS for session continuity

The 400 Bad Request on second POST was caused by CORS not exposing
the mcp-session-id header, preventing MCP Inspector from reading it
and sending it back in subsequent requests.

Without the session ID, each request created a new transport session
instead of reusing the existing one, causing protocol errors.

Fix:
- Add expose_headers to CORS middleware configuration
- Expose mcp-session-id and mcp-protocol-version headers
- Allows browser clients to read and reuse session IDs
- Applied to both streamable-http and SSE transports

This fixes the session continuity issue and eliminates 400 errors.
Claude 2025-12-01 01:24:46 +00:00
parent 15415080da
commit dda0003226
No known key found for this signature in database

@ -86,7 +86,6 @@ def main():
def _streamable_http_app_with_middleware():
"""Wrap app creation to inject middleware."""
app = _original_streamable_http_app()
# Add request logging middleware for debugging (first in chain)
@ -100,7 +99,9 @@ def main():
allow_credentials=True,
allow_methods=["*"],
allow_headers=["*"],
expose_headers=["mcp-session-id", "mcp-protocol-version"],
)
# Add authentication middleware if enabled
if settings.MCP_AUTH_ENABLED:
app.add_middleware(AuthenticationMiddleware)
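Review bot: expose_headers in this call makes mcp-session-id readable by cross-origin scripts while allow_credentials=True sits three lines above it, and the allow_origins argument is not visible in this hunk. Please confirm it is an explicit list of trusted origins rather than a wildcard, since every origin the policy admits can now read the session ID and send it back; a short comment above the call naming the expected origins (for example the MCP Inspector origin) would document that. Narrowing allow_methods and allow_headers from ["*"] to what the transport needs would tighten the same call.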
@ -117,6 +118,7 @@ def main():
def _sse_app_with_middleware():
"""Wrap SSE app creation to inject middleware."""
app = _original_sse_app()
if settings.LOG_LEVEL == "DEBUG":
app.add_middleware(RequestLoggingMiddleware)
@ -126,10 +128,12 @@ def main():
allow_credentials=True,
allow_methods=["*"],
allow_headers=["*"],
expose_headers=["mcp-session-id", "mcp-protocol-version"],
)
if settings.MCP_AUTH_ENABLED:
app.add_middleware(AuthenticationMiddleware)
return app
mcp.sse_app = _sse_app_with_middleware
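Review bot: the expose_headers list in _sse_app_with_middleware is a second literal copy of the one added to the streamable-http wrapper, so the two transports can drift apart on the next change. Suggest a single module-level constant, or a shared helper that applies the CORS settings, used by both wrappers. Separately, AuthenticationMiddleware is added after the CORS middleware here; if add_middleware wraps last-added outermost, as Starlette does, authentication runs before CORS and rejected requests would come back without CORS headers, so it is worth checking that ordering against a browser client with MCP_AUTH_ENABLED set.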
@ -144,6 +148,7 @@ def main():
logger.info(f"MCP server authentication is ENABLED with {api_key_count} API key(s)")
else:
logger.warning("MCP server authentication is DISABLED - server is publicly accessible")
if settings.DEFAULT_NCFA_COOKIE:
logger.info("Default GeoGuessr authentication cookie configured from environment")
else: