Skip to content

Inspector client: Added proxy fetch for use by auth (to avoid CORS issues) #1047

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
BobDickinson wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Inspector client: Added proxy fetch for use by auth (to avoid CORS issues) #1047

BobDickinson wants to merge 1 commit into from
+520 −33

Conversation

@BobDickinson
Copy link
Contributor

@BobDickinson BobDickinson commented Jan 31, 2026
edited
Loading

There are many types of failures in the auth process due to CORS when authenticating from a browser environment, including response header stripping, failure to access server or auth server endpoints (including, but not limited to, server metadata endpoints), failure in token exchange, and I'm sure others.

Issue #995 and the associated PR #996 raised a similar (maybe the same?) issue.

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • Test updates

Changes Made

This PR takes a different approach than #996, which is that we remote only the fetch function to the proxy server (so it can run from a Node environment instead of the browser). When in "proxy" mode we use a client side proxyFetch function, which we pass to all auth functions (which were designed for this exact situation, such that they all take an optional fetchFn param). This prevents CORS issue from impacting auth in any way, while still relying on the auth SDK functions for all auth logic.

This change is fairly lightweight (< 100 lines of non-test code).

Related Issues

This PR is related to #995 and the associated PR #996, but takes a different approach. I am interested to learn whether this approach also solves the issues targeted there (I have tested my use cases, but not the use cases from the issue/PR or mentioned in the comments there).

Testing

  • Tested in UI mode
  • Tested in CLI mode
  • Tested with STDIO transport
  • Tested with SSE transport
  • Tested with Streamable HTTP transport
  • Added/updated automated tests
  • Manual testing performed

Test Results and/or Instructions

Tested with:

  • https://example-server.modelcontextprotocol.io/mcp - Works, as before
  • https://api.githubcopilot.com/mcp/ - Previously failed discovery due to CORS, now fails because DCR not supported, but demonstrates that this fix works

Checklist

  • Code follows the style guidelines (ran npm run prettier-fix)
  • Self-review completed
  • Code is commented where necessary
  • Documentation updated (README, comments, etc.)

@BobDickinson BobDickinson marked this pull request as ready for review January 31, 2026 00:48
@BobDickinson
Copy link
Contributor Author

BobDickinson commented Jan 31, 2026

Would appreciate you testing this in your use cases @asoorm and @jstjoe.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@BobDickinson