fix: Allow OPTIONS requests on /openapi.json for CORS preflight (#1518)

crivetimihai · putz612 · web-flow · commit 142e453258a1 · 2025-11-27T22:27:56.000Z
* fix: Allow OPTIONS requests on /openapi.json for CORS preflight

This change exempts OPTIONS requests from authentication on documentation
endpoints (/docs, /redoc, /openapi.json) to support CORS preflight requests.

Issue: Browser-based OpenAPI integrations (like Open WebUI) were failing
because CORS preflight OPTIONS requests cannot include Authorization headers
per RFC 7231 Section 4.3.7, but the DocsAuthMiddleware was enforcing
authentication on all requests including OPTIONS.

Solution: Check request.method == 'OPTIONS' before applying authentication,
allowing CORS preflight to succeed while still requiring authentication
for GET requests to actually fetch the OpenAPI spec.

This maintains security (GET still requires auth) while enabling proper
CORS support for browser-based integrations.

Fixes browser-based OpenAPI tool integration (Open WebUI, Swagger UI, etc.)
when AUTH_REQUIRED=false or when using proper authentication flows.

* style: Remove extra blank line in DocsAuthMiddleware

Fix minor style issue with double blank line after OPTIONS check.

Signed-off-by: Mihai Criveti &lt;crivetimihai@gmail.com&gt;

---------

Signed-off-by: Mihai Criveti &lt;crivetimihai@gmail.com&gt;
Co-authored-by: Jason Sievert &lt;jsievert@gmail.com&gt;
diff --git a/mcpgateway/main.py b/mcpgateway/main.py
@@ -910,6 +910,10 @@ class DocsAuthMiddleware(BaseHTTPMiddleware):
     If a request to one of these paths is made without a valid token,
     the request is rejected with a 401 or 403 error.
 
+    Note:
+        OPTIONS requests are exempt from authentication to support CORS preflight
+        as per RFC 7231 Section 4.3.7 (OPTIONS must not require authentication).
+
     Note:
         When DOCS_ALLOW_BASIC_AUTH is enabled, Basic Authentication
         is also accepted using BASIC_AUTH_USER and BASIC_AUTH_PASSWORD credentials.
@@ -951,6 +955,10 @@ async def dispatch(self, request: Request, call_next):
         """
         protected_paths = ["/docs", "/redoc", "/openapi.json"]
 
+        # Allow OPTIONS requests to pass through for CORS preflight (RFC 7231)
+        if request.method == "OPTIONS":
+            return await call_next(request)
+
         if any(request.url.path.startswith(p) for p in protected_paths):
             try:
                 token = request.headers.get("Authorization")
