Jobs: 1 | Files: 671 | Run time: 1min | Trigger: push (github)
fix(mcp): CORS header consistency and e2e tests (#6109)

## Summary

Fixes CORS header inconsistencies across MCP proxy layers, corrects the 401 response reason phrase for MCP routes, and adds comprehensive e2e tests that validate CORS headers on responses **as they come out of Pomerium**.

### Changes

1. **`authorize/check_response.go`** — Three fixes in `requireLoginResponse`:
   - **Scoped "Unauthenticated" → "Unauthorized" rename** for MCP server routes only. RFC 9110 §15.5.2 defines the status as "401 Unauthorized" — this is the canonical reason phrase. The MCP Inspector client-side `is401Error` detection ([`useConnection.ts`](https://github.com/modelcontextprotocol/inspector/blob/1f424f252/client/src/lib/hooks/useConnection.ts#L387)) string-matches `"Unauthorized"` in error messages; "Unauthenticated" didn't match, so the OAuth flow was never triggered. Non-MCP routes retain `"Unauthenticated"` to preserve existing Pomerium behavior.
   - **Propagate `SetWWWAuthenticateHeader` error** instead of suppressing it with `_ =`, matching the existing error-handling pattern in `handleResultDenied`.
   - **Add CORS headers** to the MCP 401 response via `SetCORSHeaders`.
2. **`internal/mcp/handler.go`** — Add `"authorization"` to CORS `AllowedHeaders` on OAuth handler endpoints. The token endpoint supports `client_secret_basic` authentication which sends credentials in the `Authorization` header (RFC 6749 §2.3.1, OAuth 2.1 §3.2).
3. **`internal/mcp/e2e/mcp_cors_test.go`** *(new)* — E2e test `TestMCPCORSHeaders` with 6 subtests validating CORS headers across all three proxy layers:
   - **ext_authz layer** (`cors.go`): unauthenticated 401 response + OPTIONS preflight
   - **Metadata handler** (`handler_metadata.go`): `.well-known/oauth-protected-resource` + `.well-known/oauth-authorization-server`
   - **OAuth handler** (`handler.go`): dynamic client registration endpoint
   - **Full stack**: complete OAuth flow → authenticated request reac... (continued)
13 of 35 new or added lines in 5 files covered. (37.14%)
28 existing lines in 9 files now uncovered.
32468 of 73172 relevant lines covered (44.37%)
117.12 hits per line
| Lines | Coverage | ∆ | File |
|---|---|---|---|
| 2 | 87.23 | -0.2% | authorize/check_response.go |
| 3 | 20.93 | -0.5% | internal/mcp/handler_metadata.go |
| 4 | 50.0 | -0.53% | authorize/grpc.go |
| 4 | 0.0 | 0.0% | internal/mcp/handler.go |
| 9 | 0.0 | | internal/mcp/cors.go |
| Lines | Coverage | ∆ | File |
|---|---|---|---|
| 1 | 75.41 | 0.0% | pkg/storage/postgres/registry.go |
| 2 | 58.38 | -0.51% | internal/controlplane/server.go |
| 2 | 89.19 | -5.41% | pkg/fanout/fanout.go |
| 2 | 85.4 | -0.63% | pkg/grpc/databroker/syncer.go |
| 2 | 88.18 | 0.0% | pkg/storage/postgres/postgres.go |
| 3 | 90.69 | 2.94% | config/config_source.go |
| 3 | 95.83 | -3.13% | pkg/identity/manager/schedulers.go |
| 4 | 90.91 | -3.64% | pkg/fanout/receive.go |
| 9 | 77.78 | -1.94% | pkg/storage/postgres/backend.go |
| ID | Job ID | Ran | Files | Coverage | Source |
|---|---|---|---|---|---|
| 1 | 22002134029.1 | | 671 | 44.37 | GitHub Action Run |