From fe71704bf8f5ea39ae81d2a0181ed616e76fa48b Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Sun, 30 Nov 2025 01:13:09 +0000
Subject: [PATCH] Fix authentication middleware to allow OPTIONS requests

CORS preflight requests (OPTIONS) don't include Authorization headers
by browser design. The middleware was blocking these requests with 401.

Solution:
- Skip authentication check for OPTIONS requests
- OPTIONS requests are handled by CORS middleware only
- Actual requests (GET, POST) still require authentication

This fixes the "401 Unauthorized" error on OPTIONS /mcp when using
MCP Inspector or other browser-based clients with authentication enabled.
---
 src/geoguessr_mcp/middleware/auth.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/geoguessr_mcp/middleware/auth.py b/src/geoguessr_mcp/middleware/auth.py
index 45e7827..7476226 100644
--- a/src/geoguessr_mcp/middleware/auth.py
+++ b/src/geoguessr_mcp/middleware/auth.py
@@ -54,6 +54,11 @@ class AuthenticationMiddleware(BaseHTTPMiddleware):
         if request.url.path == "/health":
             return await call_next(request)
 
+        # Skip authentication for OPTIONS requests (CORS preflight)
+        # OPTIONS requests don't include Authorization headers by design
+        if request.method == "OPTIONS":
+            return await call_next(request)
+
         # Check for Authorization header
         auth_header = request.headers.get("Authorization")