feat: add cors configuration

Author: QuantGeekDev

README.md

@@ -95,7 +95,52 @@ const server = new MCPServer({
     options: {
       port: 8080,            // Optional (default: 8080)
       endpoint: "/sse",      // Optional (default: "/sse")
-      messageEndpoint: "/messages" // Optional (default: "/messages")
+      messageEndpoint: "/messages", // Optional (default: "/messages")
+      cors: {
+        allowOrigin: "*",    // Optional (default: "*")
+        allowMethods: "GET, POST, OPTIONS", // Optional (default: "GET, POST, OPTIONS")
+        allowHeaders: "Content-Type, Authorization, x-api-key", // Optional (default: "Content-Type, Authorization, x-api-key")
+        exposeHeaders: "Content-Type, Authorization, x-api-key", // Optional (default: "Content-Type, Authorization, x-api-key")
+        maxAge: "86400"      // Optional (default: "86400")
+      }
+    }
+  }
+});
+```
+
+#### CORS Configuration
+
+The SSE transport supports flexible CORS configuration. By default, it uses permissive settings suitable for development. For production, you should configure CORS according to your security requirements:
+
+```typescript
+const server = new MCPServer({
+  transport: {
+    type: "sse",
+    options: {
+      // Restrict to specific origin
+      cors: {
+        allowOrigin: "https://myapp.com",
+        allowMethods: "GET, POST",
+        allowHeaders: "Content-Type, Authorization",
+        exposeHeaders: "Content-Type, Authorization",
+        maxAge: "3600"
+      }
+    }
+  }
+});
+
+// Or with multiple allowed origins
+const server = new MCPServer({
+  transport: {
+    type: "sse",
+    options: {
+      cors: {
+        allowOrigin: "https://app1.com, https://app2.com",
+        allowMethods: "GET, POST, OPTIONS",
+        allowHeaders: "Content-Type, Authorization, Custom-Header",
+        exposeHeaders: "Content-Type, Authorization",
+        maxAge: "86400"
+      }
     }
   }
 });

src/transports/sse/server.ts

@@ -6,21 +6,14 @@ import getRawBody from "raw-body"
 import { APIKeyAuthProvider } from "../../auth/providers/apikey.js"
 import { DEFAULT_AUTH_ERROR } from "../../auth/types.js"
 import { AbstractTransport } from "../base.js"
-import { DEFAULT_SSE_CONFIG, SSETransportConfig, SSETransportConfigInternal } from "./types.js"
+import { DEFAULT_SSE_CONFIG, SSETransportConfig, SSETransportConfigInternal, DEFAULT_CORS_CONFIG, CORSConfig } from "./types.js"
 import { logger } from "../../core/Logger.js"
 import { getRequestHeader, setResponseHeaders } from "../../utils/headers.js"
 
 interface ExtendedIncomingMessage extends IncomingMessage {
   body?: ClientRequest
 }
 
-const CORS_HEADERS = {
-  "Access-Control-Allow-Origin": "*",
-  "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
-  "Access-Control-Allow-Headers": "Content-Type, Authorization, x-api-key",
-  "Access-Control-Expose-Headers": "Content-Type, Authorization, x-api-key"
-}
-
 const SSE_HEADERS = {
   "Content-Type": "text/event-stream",
   "Cache-Control": "no-cache",
@@ -52,6 +45,31 @@ export class SSEServerTransport extends AbstractTransport {
     })}`)
   }
 
+  private getCorsHeaders(includeMaxAge: boolean = false): Record<string, string> {
+    // Ensure all CORS properties are present by merging with defaults
+    const corsConfig = {
+      allowOrigin: DEFAULT_CORS_CONFIG.allowOrigin,
+      allowMethods: DEFAULT_CORS_CONFIG.allowMethods,
+      allowHeaders: DEFAULT_CORS_CONFIG.allowHeaders,
+      exposeHeaders: DEFAULT_CORS_CONFIG.exposeHeaders,
+      maxAge: DEFAULT_CORS_CONFIG.maxAge,
+      ...this._config.cors
+    } as Required<CORSConfig>
+
+    const headers: Record<string, string> = {
+      "Access-Control-Allow-Origin": corsConfig.allowOrigin,
+      "Access-Control-Allow-Methods": corsConfig.allowMethods,
+      "Access-Control-Allow-Headers": corsConfig.allowHeaders,
+      "Access-Control-Expose-Headers": corsConfig.exposeHeaders
+    }
+
+    if (includeMaxAge) {
+      headers["Access-Control-Max-Age"] = corsConfig.maxAge
+    }
+
+    return headers
+  }
+
   async start(): Promise<void> {
     if (this._server) {
       throw new Error("SSE transport already started")
@@ -88,16 +106,12 @@ export class SSEServerTransport extends AbstractTransport {
     logger.debug(`Incoming request: ${req.method} ${req.url}`)
 
     if (req.method === "OPTIONS") {
-      const preflightHeaders = {
-        ...CORS_HEADERS,
-        "Access-Control-Max-Age": "86400"
-      }
-      setResponseHeaders(res, preflightHeaders)
+      setResponseHeaders(res, this.getCorsHeaders(true))
       res.writeHead(204).end()
       return
     }
 
-    setResponseHeaders(res, CORS_HEADERS)
+    setResponseHeaders(res, this.getCorsHeaders())
 
     const url = new URL(req.url!, `http://${req.headers.host}`)
     const sessionId = url.searchParams.get("sessionId")
@@ -194,7 +208,7 @@ export class SSEServerTransport extends AbstractTransport {
 
     const headers = {
       ...SSE_HEADERS,
-      ...CORS_HEADERS,
+      ...this.getCorsHeaders(),
       ...this._config.headers
     }
     setResponseHeaders(res, headers)
@@ -301,12 +315,6 @@ export class SSEServerTransport extends AbstractTransport {
         params: params
       })}`);
 
-      logger.debug(`Processing RPC message: ${JSON.stringify({
-        id: rpcMessage.id,
-        method: rpcMessage.method,
-        params: rpcMessage.params
-      })}`)
-
       if (!this._onmessage) {
         throw new Error("No message handler registered")
       }

src/transports/sse/types.ts

@@ -1,5 +1,40 @@
 import { AuthConfig } from "../../auth/types.js";
 
+/**
+ * CORS configuration options for SSE transport
+ */
+export interface CORSConfig {
+  /**
+   * Access-Control-Allow-Origin header
+   * @default "*"
+   */
+  allowOrigin?: string;
+
+  /**
+   * Access-Control-Allow-Methods header
+   * @default "GET, POST, OPTIONS"
+   */
+  allowMethods?: string;
+
+  /**
+   * Access-Control-Allow-Headers header
+   * @default "Content-Type, Authorization, x-api-key"
+   */
+  allowHeaders?: string;
+
+  /**
+   * Access-Control-Expose-Headers header
+   * @default "Content-Type, Authorization, x-api-key"
+   */
+  exposeHeaders?: string;
+
+  /**
+   * Access-Control-Max-Age header for preflight requests
+   * @default "86400"
+   */
+  maxAge?: string;
+}
+
 /**
  * Configuration options for SSE transport
  */
@@ -32,6 +67,11 @@ export interface SSETransportConfig {
    */
   headers?: Record<string, string>;
 
+  /**
+   * CORS configuration
+   */
+  cors?: CORSConfig;
+
   /**
    * Authentication configuration
    */
@@ -41,9 +81,21 @@ export interface SSETransportConfig {
 /**
  * Internal configuration type with required fields except headers
  */
-export type SSETransportConfigInternal = Required<Omit<SSETransportConfig, 'headers' | 'auth'>> & {
+export type SSETransportConfigInternal = Required<Omit<SSETransportConfig, 'headers' | 'auth' | 'cors'>> & {
   headers?: Record<string, string>;
   auth?: AuthConfig;
+  cors?: CORSConfig;
+};
+
+/**
+ * Default CORS configuration
+ */
+export const DEFAULT_CORS_CONFIG: CORSConfig = {
+  allowOrigin: "*",
+  allowMethods: "GET, POST, OPTIONS",
+  allowHeaders: "Content-Type, Authorization, x-api-key",
+  exposeHeaders: "Content-Type, Authorization, x-api-key",
+  maxAge: "86400"
 };
 
 /**