yvachot/GeoGuessrMCP
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Expose MCP headers in CORS for session continuity

Browse source 
The 400 Bad Request on second POST was caused by CORS not exposing
the mcp-session-id header, preventing MCP Inspector from reading it
and sending it back in subsequent requests.

Without the session ID, each request created a new transport session
instead of reusing the existing one, causing protocol errors.

Fix:
- Add expose_headers to CORS middleware configuration
- Expose mcp-session-id and mcp-protocol-version headers
- Allows browser clients to read and reuse session IDs
- Applied to both streamable-http and SSE transports

This fixes the session continuity issue and eliminates 400 errors.
This commit is contained in:
Claude 2025-12-01 01:24:46 +00:00
parent 15415080da
commit dda0003226
No known key found for this signature in database
1 changed files with 7 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

9
src/geoguessr_mcp/main.py
View file

@ -86,7 +86,6 @@ def main():
def _streamable_http_app_with_middleware(): def _streamable_http_app_with_middleware():
"""Wrap app creation to inject middleware.""" """Wrap app creation to inject middleware."""
app = _original_streamable_http_app() app = _original_streamable_http_app()
# Add request logging middleware for debugging (first in chain) # Add request logging middleware for debugging (first in chain)
@ -100,7 +99,9 @@ def main():
allow_credentials=True, allow_credentials=True,
allow_methods=["*"], allow_methods=["*"],
allow_headers=["*"], allow_headers=["*"],
expose_headers=["mcp-session-id", "mcp-protocol-version"],
) )
# Add authentication middleware if enabled # Add authentication middleware if enabled
if settings.MCP_AUTH_ENABLED: if settings.MCP_AUTH_ENABLED:
app.add_middleware(AuthenticationMiddleware) app.add_middleware(AuthenticationMiddleware)
@ -117,6 +118,7 @@ def main():
def _sse_app_with_middleware(): def _sse_app_with_middleware():
"""Wrap SSE app creation to inject middleware.""" """Wrap SSE app creation to inject middleware."""
app = _original_sse_app() app = _original_sse_app()
if settings.LOG_LEVEL == "DEBUG": if settings.LOG_LEVEL == "DEBUG":
app.add_middleware(RequestLoggingMiddleware) app.add_middleware(RequestLoggingMiddleware)
@ -126,10 +128,12 @@ def main():
allow_credentials=True, allow_credentials=True,
allow_methods=["*"], allow_methods=["*"],
allow_headers=["*"], allow_headers=["*"],
expose_headers=["mcp-session-id", "mcp-protocol-version"],
) )
if settings.MCP_AUTH_ENABLED: if settings.MCP_AUTH_ENABLED:
app.add_middleware(AuthenticationMiddleware) app.add_middleware(AuthenticationMiddleware)
return app return app
mcp.sse_app = _sse_app_with_middleware mcp.sse_app = _sse_app_with_middleware
@ -144,6 +148,7 @@ def main():
logger.info(f"MCP server authentication is ENABLED with {api_key_count} API key(s)") logger.info(f"MCP server authentication is ENABLED with {api_key_count} API key(s)")
else: else:
logger.warning("MCP server authentication is DISABLED - server is publicly accessible") logger.warning("MCP server authentication is DISABLED - server is publicly accessible")
if settings.DEFAULT_NCFA_COOKIE: if settings.DEFAULT_NCFA_COOKIE:
logger.info("Default GeoGuessr authentication cookie configured from environment") logger.info("Default GeoGuessr authentication cookie configured from environment")
else: else: