b71833ef79 fix: await verifyAccessToken in MCP middleware
verifyAccessToken is async and returns a Promise. Without await,
the Promise object is always truthy, so any Bearer token (even
invalid ones) was accepted. This fixes MCP OAuth authentication.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-04 11:03:30 +02:00
9c7bc2881c fix: add CORS headers for OAuth and MCP endpoints
Required for claude.ai browser-based OAuth flows that make
cross-origin requests to discovery, token, and MCP endpoints.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-04 10:48:22 +02:00
4 changed files with 7 additions and 1 deletions

BIN
e2e/test.db-shm Normal file

Binary file not shown.

BIN
e2e/test.db-wal Normal file

Binary file not shown.


@@ -1,5 +1,6 @@
import { Hono } from "hono";
import { serveStatic } from "hono/bun";
import { cors } from "hono/cors";
import { db as prodDb } from "../db/index.ts";
import { seedDefaults } from "../db/seed.ts";
import { mcpRoutes } from "./mcp/index.ts";
@@ -34,6 +35,11 @@ app.get("/api/health", (c) => {
return c.json({ status: "ok" });
});
// CORS for OAuth and MCP endpoints (required for claude.ai browser-based flows)
app.use("/.well-known/*", cors());
app.use("/oauth/*", cors());
app.use("/mcp/*", cors());
// OAuth routes (must be before /api/* middleware)
app.use("/oauth/*", async (c, next) => {
c.set("db", prodDb);
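Review bot: `cors()` with no options responds to every origin with `Access-Control-Allow-Origin: *`, so the three registrations on the `/.well-known/*`, `/oauth/*` and `/mcp/*` lines open the discovery, token and MCP endpoints to any site, although the commit message names only claude.ai as the consumer. A wildcard is tolerable as long as credentials stay off (the hono default) and the token endpoint relies on a public-client flow, which this hunk does not show, but an explicit allowlist keeps the exposure to what was intended and makes the decision reviewable, e.g. `const oauthCors = cors({ origin: [/* expected browser origins, e.g. the claude.ai origin */] });` reused for the `/oauth/*` and `/mcp/*` registrations while `/.well-known/*` keeps `*` as public metadata. A comment on each registration naming the client that needs it would also help the next reader decide whether it can be tightened later. The `/oauth/*` middleware that starts on the last lines of the hunk continues outside it.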


@@ -99,7 +99,7 @@ mcpRoutes.use("/*", async (c, next) => {
const authHeader = c.req.header("Authorization");
if (authHeader?.startsWith("Bearer ")) {
const token = authHeader.slice(7);
if (verifyAccessToken(db, token)) {
if (await verifyAccessToken(db, token)) {
return next();
}
return c.json({ error: "invalid_token" }, 401);
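Review bot: The 401 on the last line of the hunk carries no `WWW-Authenticate` challenge, so a client that receives `invalid_token` gets no bearer-scheme signal to trigger re-authorization; RFC 6750 expects the challenge on every 401 from a bearer-protected resource, and current MCP authorization guidance relies on that header to point clients at the protected-resource metadata. Returning `c.json({ error: "invalid_token" }, 401, { "WWW-Authenticate": 'Bearer error="invalid_token"' })` addresses it here, and the same applies to whatever the no-Bearer-header branch outside the hunk returns. With the `await` in place a rejected promise from `verifyAccessToken` (for instance a db failure) now propagates out of the middleware instead of being treated as a truthy value, which is the correct direction, but the fix deserves a regression test asserting that an invalid bearer token yields 401 — the only e2e changes in this push are the binary `e2e/test.db-shm` and `e2e/test.db-wal` files, which look like SQLite WAL/shared-memory artifacts of the test run rather than intended fixtures and are probably better ignored than committed. The `mcpRoutes.use("/*", …)` handler begins at the hunk header and ends outside the hunk.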