Streamable HTTP server wrapper fixes.

polaon · polaon · commit 0797ad58e564 · 2026-04-21T17:52:38.000+02:00
diff --git a/src/server/streamable_http_server.cpp b/src/server/streamable_http_server.cpp
@@ -117,7 +117,8 @@ bool StreamableHttpServerWrapper::start()
     svr_->Options(mcp_path_,
                   [this](const httplib::Request&, httplib::Response& res)
                   {
-                      res.set_header("Access-Control-Allow-Methods", "POST, OPTIONS");
+                      res.set_header("Access-Control-Allow-Methods",
+                                     "GET, POST, DELETE, OPTIONS");
                       res.set_header("Access-Control-Allow-Headers",
                                      "Content-Type, Authorization, Mcp-Session-Id");
                       apply_additional_response_headers(res);
@@ -129,6 +130,11 @@ bool StreamableHttpServerWrapper::start()
         mcp_path_,
         [this](const httplib::Request& req, httplib::Response& res)
         {
+            // Apply CORS / additional headers up-front so they are present on every
+            // response, including early returns (401, 503, 400, 404) and any exception
+            // propagated to the catch handlers below.
+            apply_additional_response_headers(res);
+
             try
             {
                 // Security: Check authentication if configured
@@ -143,8 +149,6 @@ bool StreamableHttpServerWrapper::start()
                     }
                 }
 
-                apply_additional_response_headers(res);
-
                 // Parse JSON-RPC message
                 auto message = fastmcpp::util::json::parse(req.body);
 
@@ -336,8 +340,13 @@ bool StreamableHttpServerWrapper::start()
 
     // Handle GET request to return 405 Method Not Allowed
     svr_->Get(mcp_path_,
-              [](const httplib::Request&, httplib::Response& res)
+              [this](const httplib::Request&, httplib::Response& res)
               {
+                  // CORS / additional headers must be applied on every response, including
+                  // this 405. Without this, browsers reject the response with a misleading
+                  // "No 'Access-Control-Allow-Origin' header is present" error.
+                  apply_additional_response_headers(res);
+
                   res.status = 405;
                   res.set_header("Allow", "POST");
                   res.set_header("Content-Type", "application/json");
@@ -349,6 +358,27 @@ bool StreamableHttpServerWrapper::start()
                   res.set_content(error_response.dump(), "application/json");
               });
 
+    // Handle DELETE request for session termination (MCP Streamable HTTP spec).
+    // Without this handler, httplib would fall back to its default 404 response,
+    // which does not carry the configured CORS headers - causing browsers to report
+    // a "No 'Access-Control-Allow-Origin' header is present" error.
+    svr_->Delete(mcp_path_,
+                 [this](const httplib::Request& req, httplib::Response& res)
+                 {
+                     apply_additional_response_headers(res);
+
+                     // If an Mcp-Session-Id header is provided, terminate that session.
+                     auto session_it = req.headers.find("Mcp-Session-Id");
+                     if (session_it != req.headers.end())
+                     {
+                         const std::string& session_id = session_it->second;
+                         std::lock_guard<std::mutex> lock(sessions_mutex_);
+                         sessions_.erase(session_id);
+                     }
+
+                     res.status = 204; // No Content
+                 });
+
     running_ = true;
 
     thread_ = std::thread([this]() { run_server(); });
