Ask Claude to implement CORS as needed by public clients.

kentonv · kentonv · commit 16ed01f825d5 · 2025-03-07T19:01:29.000-06:00
prompt: To fully support "public" clients, we need to support CORS on all the endpoints implemented by OAuthProvider. For convenience, we should also automatically enable CORS on API endpoints implemented by the app. (We should not, however, enable CORS on anything handled by the default handler.)

Claude wasn't aware of the best way to mutate Response headers.

prompt: The way you construct the final `Response` here could be lossy if the platform supports properties other than `status`, `statusText`, and `headers`. The better way to modify response headers it to first use `response = new Response(response.body, response)` to make the response mutable, then use `response.headers.set(name, value)` to modify the response headers directly.

Initially Claude allowed credentials but only the GET, POST, and OPTIONS methods, and only the `Content-Type` and `Authorization` headers.

prompt: Two things: (1) Let's not allow credentials. APIs should be authenticated strictly based on the access token, not the user's cookies. (2) Let's set access-control-allow-methods to `*` to allow all methods.

prompt: Let's also allow all headers.

prompt: Oops, the `Authorization` header needs to be listed explicitly, it is special and not included in `*`. But we need to allow it for passing access tokens.
diff --git a/oauth-provider.ts b/oauth-provider.ts
@@ -651,25 +651,50 @@ class OAuthProviderImpl {
   async fetch(request: Request, env: any, ctx: ExecutionContext): Promise<Response> {
     const url = new URL(request.url);
 
+    // Special handling for OPTIONS requests (CORS preflight)
+    if (request.method === 'OPTIONS') {
+      // For API routes and OAuth endpoints, respond with CORS headers
+      if (this.isApiRequest(url) ||
+          url.pathname === '/.well-known/oauth-authorization-server' ||
+          this.isTokenEndpoint(url) ||
+          (this.options.clientRegistrationEndpoint && this.isClientRegistrationEndpoint(url))) {
+
+        // Create an empty 204 No Content response with CORS headers
+        return this.addCorsHeaders(
+          new Response(null, {
+            status: 204,
+            headers: { 'Content-Length': '0' }
+          }),
+          request
+        );
+      }
+
+      // For other routes, pass through to the default handler
+    }
+
     // Handle .well-known/oauth-authorization-server
     if (url.pathname === '/.well-known/oauth-authorization-server') {
-      return this.handleMetadataDiscovery(url);
+      const response = await this.handleMetadataDiscovery(url);
+      return this.addCorsHeaders(response, request);
     }
 
     // Handle token endpoint
     if (this.isTokenEndpoint(url)) {
-      return this.handleTokenRequest(request, env);
+      const response = await this.handleTokenRequest(request, env);
+      return this.addCorsHeaders(response, request);
     }
 
     // Handle client registration endpoint
     if (this.options.clientRegistrationEndpoint &&
         this.isClientRegistrationEndpoint(url)) {
-      return this.handleClientRegistration(request, env);
+      const response = await this.handleClientRegistration(request, env);
+      return this.addCorsHeaders(response, request);
     }
 
     // Check if it's an API request
     if (this.isApiRequest(url)) {
-      return this.handleApiRequest(request, env, ctx);
+      const response = await this.handleApiRequest(request, env, ctx);
+      return this.addCorsHeaders(response, request);
     }
 
     // Inject OAuth helpers into env if not already present
@@ -678,6 +703,7 @@ class OAuthProviderImpl {
     }
 
     // Call the default handler based on its type
+    // Note: We don't add CORS headers to default handler responses
     if (this.defaultHandlerType === HandlerType.EXPORTED_HANDLER) {
       // It's an object with a fetch method
       return (this.options.defaultHandler as ExportedHandler).fetch(request, env, ctx);
@@ -783,6 +809,35 @@ class OAuthProviderImpl {
     }
   }
 
+  /**
+   * Adds CORS headers to a response
+   * @param response - The response to add CORS headers to
+   * @param request - The original request
+   * @returns A new Response with CORS headers added
+   */
+  private addCorsHeaders(response: Response, request: Request): Response {
+    // Get the Origin header from the request
+    const origin = request.headers.get('Origin');
+
+    // If there's no Origin header, return the original response
+    if (!origin) {
+      return response;
+    }
+
+    // Create a new response that copies all properties from the original response
+    // This makes the response mutable so we can modify its headers
+    const newResponse = new Response(response.body, response);
+
+    // Add CORS headers
+    newResponse.headers.set('Access-Control-Allow-Origin', origin);
+    newResponse.headers.set('Access-Control-Allow-Methods', '*');
+    // Include Authorization explicitly since it's not included in * for security reasons
+    newResponse.headers.set('Access-Control-Allow-Headers', 'Authorization, *');
+    newResponse.headers.set('Access-Control-Max-Age', '86400'); // 24 hours
+
+    return newResponse;
+  }
+
   /**
    * Handles the OAuth metadata discovery endpoint
    * Implements RFC 8414 for OAuth Server Metadata
