@decocms/runtime 1.0.0-alpha.26 → 1.0.0-alpha.28

  1. package/package.json +1 -1
  2. package/src/index.ts +27 -2
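--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@decocms/runtime",
-"version": "1.0.0-alpha.26",
+"version": "1.0.0-alpha.28",
 "type": "module",
 "dependencies": {
 "@cloudflare/workers-types": "^4.20250617.0",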
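--- a/package/src/index.ts
+++ b/package/src/index.ts
@@ -238,11 +238,25 @@ export const withBindings = <TEnv>({
 return env as TEnv;
 };
 
+const DEFAULT_CORS_OPTIONS = {
+origin: (origin: string) => {
+// Allow localhost and configured origins
+if (origin.includes("localhost") || origin.includes("127.0.0.1")) {
+return origin;
+}
+// TODO: Configure allowed origins from environment
+return origin;
+},
+credentials: true,
+allowMethods: ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
+allowHeaders: ["Content-Type", "Authorization", "mcp-protocol-version"],
+};
+
 export const withRuntime = <TEnv, TSchema extends z.ZodTypeAny = never>(
 userFns: UserDefaultExport<TEnv, TSchema>,
 ) => {
 const server = createMCPServer<TEnv, TSchema>(userFns);
-const corsOptions = userFns.cors;
+const corsOptions = userFns.cors ?? DEFAULT_CORS_OPTIONS;
 const oauth = userFns.oauth;
 const oauthHandlers = oauth ? createOAuthHandlers(oauth) : null;
 
@@ -296,7 +310,18 @@ export const withRuntime = <TEnv, TSchema extends z.ZodTypeAny = never>(
 if (url.pathname === "/mcp") {
 // If OAuth is configured, require authentication
 if (oauthHandlers && !oauthHandlers.hasAuth(req)) {
-return oauthHandlers.createUnauthorizedResponse(req);
+// Clone request to check method without consuming the original body
+const clonedReq = req.clone();
+try {
+const body = (await clonedReq.json()) as { method?: string };
+// Allow tools/list to pass without auth
+if (body?.method !== "tools/list") {
+return oauthHandlers.createUnauthorizedResponse(req);
+}
+} catch {
+// If body parsing fails, require auth
+return oauthHandlers.createUnauthorizedResponse(req);
+}
 }
 
 return server.fetch(req, env, ctx);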
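Review bot: The `origin` callback in the new `DEFAULT_CORS_OPTIONS` reflects every request origin, because both the localhost branch and the fallthrough after the TODO end in `return origin;`, so the localhost check has no effect and, combined with `credentials: true`, any site's page can make credentialed cross-origin requests to the runtime once a user does not supply `cors`. The safe default is to allow only what the check actually matches and deny the rest: keep the localhost branch and replace the final `return origin;` with a value the CORS middleware treats as "no allowed origin" (presumably `return undefined;` or `null`, depending on the middleware's contract — verify), with the environment-driven allowlist from the TODO added later as a separate explicit condition. A short comment above the object such as `// Default CORS: only loopback origins are allowed; pass userFns.cors to widen this` would also make the intent clear to integrators. `DEFAULT_CORS_OPTIONS` is fully inside the first hunk, but `withRuntime` starts there and continues past the second hunk.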