Refactor logic into separated CORS middleware and update related tests

Author: RossTarrant

pkg/http/handler.go

@@ -3,13 +3,11 @@ package http
 import (
 	"context"
 	"errors"
-	"strings"
 	"log/slog"
 	"net/http"
 
 	ghcontext "github.com/github/github-mcp-server/pkg/context"
 	"github.com/github/github-mcp-server/pkg/github"
-	"github.com/github/github-mcp-server/pkg/http/headers"
 	"github.com/github/github-mcp-server/pkg/http/middleware"
 	"github.com/github/github-mcp-server/pkg/http/oauth"
 	"github.com/github/github-mcp-server/pkg/inventory"
@@ -415,39 +413,3 @@ func PATScopeFilter(b *inventory.Builder, r *http.Request, fetcher scopes.Fetche
 
 	return b
 }
-
-// corsAllowHeaders is the precomputed Access-Control-Allow-Headers value.
-var corsAllowHeaders = strings.Join([]string{
-	"Content-Type",
-	"Mcp-Session-Id",
-	"Mcp-Protocol-Version",
-	"Last-Event-ID",
-	headers.AuthorizationHeader,
-	headers.MCPReadOnlyHeader,
-	headers.MCPToolsetsHeader,
-	headers.MCPToolsHeader,
-	headers.MCPExcludeToolsHeader,
-	headers.MCPFeaturesHeader,
-	headers.MCPLockdownHeader,
-	headers.MCPInsidersHeader,
-}, ", ")
-
-// SetCorsHeaders is middleware that sets CORS headers to allow browser-based
-// MCP clients to connect from any origin. This is safe because the server
-// authenticates via bearer tokens (not cookies), so cross-origin requests
-// cannot exploit ambient credentials.
-func SetCorsHeaders(h http.Handler) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("Access-Control-Allow-Origin", "*")
-		w.Header().Set("Access-Control-Allow-Methods", "GET, POST, DELETE, OPTIONS")
-		w.Header().Set("Access-Control-Max-Age", "86400")
-		w.Header().Set("Access-Control-Expose-Headers", "Mcp-Session-Id, WWW-Authenticate")
-		w.Header().Set("Access-Control-Allow-Headers", corsAllowHeaders)
-
-		if r.Method == http.MethodOptions {
-			w.WriteHeader(http.StatusOK)
-			return
-		}
-		h.ServeHTTP(w, r)
-	})
-}

pkg/http/handler_test.go

@@ -662,41 +662,6 @@ func buildStaticInventoryFromTools(cfg *ServerConfig, tools []inventory.ServerTo
 	return inv.AvailableTools(ctx), inv.AvailableResourceTemplates(ctx), inv.AvailablePrompts(ctx)
 }
 
-func TestSetCorsHeaders(t *testing.T) {
-	inner := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
-		w.WriteHeader(http.StatusOK)
-	})
-	handler := SetCorsHeaders(inner)
-
-	t.Run("OPTIONS preflight returns 200 with CORS headers", func(t *testing.T) {
-		req := httptest.NewRequest(http.MethodOptions, "/", nil)
-		req.Header.Set("Origin", "http://localhost:6274")
-		rr := httptest.NewRecorder()
-		handler.ServeHTTP(rr, req)
-
-		assert.Equal(t, http.StatusOK, rr.Code)
-		assert.Equal(t, "*", rr.Header().Get("Access-Control-Allow-Origin"))
-		assert.Contains(t, rr.Header().Get("Access-Control-Allow-Methods"), "POST")
-		assert.Contains(t, rr.Header().Get("Access-Control-Allow-Headers"), "Authorization")
-		assert.Contains(t, rr.Header().Get("Access-Control-Allow-Headers"), "Content-Type")
-		assert.Contains(t, rr.Header().Get("Access-Control-Allow-Headers"), "Mcp-Session-Id")
-		assert.Contains(t, rr.Header().Get("Access-Control-Allow-Headers"), "X-MCP-Lockdown")
-		assert.Contains(t, rr.Header().Get("Access-Control-Allow-Headers"), "X-MCP-Insiders")
-		assert.Contains(t, rr.Header().Get("Access-Control-Expose-Headers"), "Mcp-Session-Id")
-		assert.Contains(t, rr.Header().Get("Access-Control-Expose-Headers"), "WWW-Authenticate")
-	})
-
-	t.Run("POST request includes CORS headers", func(t *testing.T) {
-		req := httptest.NewRequest(http.MethodPost, "/", nil)
-		req.Header.Set("Origin", "http://localhost:6274")
-		rr := httptest.NewRecorder()
-		handler.ServeHTTP(rr, req)
-
-		assert.Equal(t, http.StatusOK, rr.Code)
-		assert.Equal(t, "*", rr.Header().Get("Access-Control-Allow-Origin"))
-	})
-}
-
 func TestCrossOriginProtection(t *testing.T) {
 	jsonRPCBody := `{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2025-03-26","capabilities":{},"clientInfo":{"name":"test","version":"0.1"}}}`
 

pkg/http/middleware/cors.go

@@ -0,0 +1,43 @@
+package middleware
+
+import (
+	"net/http"
+	"strings"
+
+	"github.com/github/github-mcp-server/pkg/http/headers"
+)
+
+// SetCorsHeaders is middleware that sets CORS headers to allow browser-based
+// MCP clients to connect from any origin. This is safe because the server
+// authenticates via bearer tokens (not cookies), so cross-origin requests
+// cannot exploit ambient credentials.
+func SetCorsHeaders(h http.Handler) http.Handler {
+	allowHeaders := strings.Join([]string{
+		"Content-Type",
+		"Mcp-Session-Id",
+		"Mcp-Protocol-Version",
+		"Last-Event-ID",
+		headers.AuthorizationHeader,
+		headers.MCPReadOnlyHeader,
+		headers.MCPToolsetsHeader,
+		headers.MCPToolsHeader,
+		headers.MCPExcludeToolsHeader,
+		headers.MCPFeaturesHeader,
+		headers.MCPLockdownHeader,
+		headers.MCPInsidersHeader,
+	}, ", ")
+
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Access-Control-Allow-Origin", "*")
+		w.Header().Set("Access-Control-Allow-Methods", "GET, POST, DELETE, OPTIONS")
+		w.Header().Set("Access-Control-Max-Age", "86400")
+		w.Header().Set("Access-Control-Expose-Headers", "Mcp-Session-Id, WWW-Authenticate")
+		w.Header().Set("Access-Control-Allow-Headers", allowHeaders)
+
+		if r.Method == http.MethodOptions {
+			w.WriteHeader(http.StatusOK)
+			return
+		}
+		h.ServeHTTP(w, r)
+	})
+}

pkg/http/middleware/cors_test.go

@@ -0,0 +1,45 @@
+package middleware_test
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/github/github-mcp-server/pkg/http/middleware"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestSetCorsHeaders(t *testing.T) {
+	inner := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	})
+	handler := middleware.SetCorsHeaders(inner)
+
+	t.Run("OPTIONS preflight returns 200 with CORS headers", func(t *testing.T) {
+		req := httptest.NewRequest(http.MethodOptions, "/", nil)
+		req.Header.Set("Origin", "http://localhost:6274")
+		rr := httptest.NewRecorder()
+		handler.ServeHTTP(rr, req)
+
+		assert.Equal(t, http.StatusOK, rr.Code)
+		assert.Equal(t, "*", rr.Header().Get("Access-Control-Allow-Origin"))
+		assert.Contains(t, rr.Header().Get("Access-Control-Allow-Methods"), "POST")
+		assert.Contains(t, rr.Header().Get("Access-Control-Allow-Headers"), "Authorization")
+		assert.Contains(t, rr.Header().Get("Access-Control-Allow-Headers"), "Content-Type")
+		assert.Contains(t, rr.Header().Get("Access-Control-Allow-Headers"), "Mcp-Session-Id")
+		assert.Contains(t, rr.Header().Get("Access-Control-Allow-Headers"), "X-MCP-Lockdown")
+		assert.Contains(t, rr.Header().Get("Access-Control-Allow-Headers"), "X-MCP-Insiders")
+		assert.Contains(t, rr.Header().Get("Access-Control-Expose-Headers"), "Mcp-Session-Id")
+		assert.Contains(t, rr.Header().Get("Access-Control-Expose-Headers"), "WWW-Authenticate")
+	})
+
+	t.Run("POST request includes CORS headers", func(t *testing.T) {
+		req := httptest.NewRequest(http.MethodPost, "/", nil)
+		req.Header.Set("Origin", "http://localhost:6274")
+		rr := httptest.NewRecorder()
+		handler.ServeHTTP(rr, req)
+
+		assert.Equal(t, http.StatusOK, rr.Code)
+		assert.Equal(t, "*", rr.Header().Get("Access-Control-Allow-Origin"))
+	})
+}

pkg/http/server.go

@@ -13,6 +13,7 @@ import (
 
 	ghcontext "github.com/github/github-mcp-server/pkg/context"
 	"github.com/github/github-mcp-server/pkg/github"
+	"github.com/github/github-mcp-server/pkg/http/middleware"
 	"github.com/github/github-mcp-server/pkg/http/oauth"
 	"github.com/github/github-mcp-server/pkg/inventory"
 	"github.com/github/github-mcp-server/pkg/lockdown"
@@ -180,7 +181,7 @@ func RunHTTPServer(cfg ServerConfig) error {
 	}
 
 	r.Group(func(r chi.Router) {
-		r.Use(SetCorsHeaders)
+		r.Use(middleware.SetCorsHeaders)
 
 		// Register Middleware First, needs to be before route registration
 		handler.RegisterMiddleware(r)