Handle OPTIONS preflight and send HTTP 202 for notifications (#197)

Add support for browser-based MCP clients by handling CORS preflight
requests and sending proper HTTP responses for JSON-RPC notifications.

Changes:
- Register OPTIONS handlers for /mcp, /mcp/events, /rpc, /health, /info
- Add default OPTIONS handler for any unregistered path
- Add CORS headers to /health and /info endpoint responses
- Send HTTP 202 Accepted response for JSON-RPC notifications
  (notifications don't have JSON-RPC responses but HTTP requires one)

Author: RahulHere

src/filter/http_sse_filter_chain_factory.cc

@@ -670,6 +670,27 @@ class HttpSseJsonRpcProtocolFilter
 
   void onNotification(const jsonrpc::Notification& notification) override {
     mcp_callbacks_.onNotification(notification);
+
+    // For HTTP transport, send HTTP 202 Accepted response
+    // JSON-RPC notifications don't have responses, but HTTP requires one
+    if (is_server_ && write_callbacks_) {
+      // Build minimal HTTP 202 response
+      std::string http_response =
+          "HTTP/1.1 202 Accepted\r\n"
+          "Content-Length: 0\r\n"
+          "Access-Control-Allow-Origin: *\r\n"
+          "Access-Control-Allow-Methods: GET, POST, OPTIONS\r\n"
+          "Access-Control-Allow-Headers: Content-Type, Authorization, Accept, "
+          "Mcp-Session-Id, Mcp-Protocol-Version\r\n"
+          "Connection: keep-alive\r\n"
+          "\r\n";
+
+      OwnedBuffer response_buffer;
+      response_buffer.add(http_response);
+      write_callbacks_->connection().write(response_buffer, false);
+      GOPHER_LOG_DEBUG(
+          "HttpSseJsonRpcProtocolFilter: Sent HTTP 202 for notification");
+    }
   }
 
   void onResponse(const jsonrpc::Response& response) override {
@@ -779,13 +800,35 @@ class HttpSseJsonRpcProtocolFilter
   }
 
   void setupRoutingHandlers() {
+    // Register CORS preflight handler for all paths
+    // Browser-based clients (like MCP Inspector) send OPTIONS before POST
+    auto corsHandler = [](const HttpRoutingFilter::RequestContext& req) {
+      HttpRoutingFilter::Response resp;
+      resp.status_code = 204;  // No Content
+      resp.headers["Access-Control-Allow-Origin"] = "*";
+      resp.headers["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS";
+      resp.headers["Access-Control-Allow-Headers"] =
+          "Content-Type, Authorization, Accept, Mcp-Session-Id, Mcp-Protocol-Version";
+      resp.headers["Access-Control-Max-Age"] = "86400";  // Cache for 24 hours
+      resp.headers["Content-Length"] = "0";
+      return resp;
+    };
+
+    // Register OPTIONS for common MCP paths
+    routing_filter_->registerHandler("OPTIONS", "/mcp", corsHandler);
+    routing_filter_->registerHandler("OPTIONS", "/mcp/events", corsHandler);
+    routing_filter_->registerHandler("OPTIONS", "/rpc", corsHandler);
+    routing_filter_->registerHandler("OPTIONS", "/health", corsHandler);
+    routing_filter_->registerHandler("OPTIONS", "/info", corsHandler);
+
     // Register health endpoint
     routing_filter_->registerHandler(
         "GET", "/health", [](const HttpRoutingFilter::RequestContext& req) {
           HttpRoutingFilter::Response resp;
           resp.status_code = 200;
           resp.headers["content-type"] = "application/json";
           resp.headers["cache-control"] = "no-cache";
+          resp.headers["Access-Control-Allow-Origin"] = "*";
 
           resp.body = R"({"status":"healthy","timestamp":)" +
                       std::to_string(std::time(nullptr)) + "}";
@@ -803,6 +846,7 @@ class HttpSseJsonRpcProtocolFilter
           HttpRoutingFilter::Response resp;
           resp.status_code = 200;
           resp.headers["content-type"] = "application/json";
+          resp.headers["Access-Control-Allow-Origin"] = "*";
 
           resp.body = R"({
         "server": "MCP Server",
@@ -820,9 +864,22 @@ class HttpSseJsonRpcProtocolFilter
           return resp;
         });
 
-    // Default handler passes through to MCP protocol handling
+    // Default handler - handle OPTIONS for CORS preflight on any path,
+    // pass through other methods to MCP protocol handling
     routing_filter_->registerDefaultHandler(
         [](const HttpRoutingFilter::RequestContext& req) {
+          // Handle OPTIONS for CORS preflight on any path
+          if (req.method == "OPTIONS") {
+            HttpRoutingFilter::Response resp;
+            resp.status_code = 204;  // No Content
+            resp.headers["Access-Control-Allow-Origin"] = "*";
+            resp.headers["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS";
+            resp.headers["Access-Control-Allow-Headers"] =
+                "Content-Type, Authorization, Accept, Mcp-Session-Id, Mcp-Protocol-Version";
+            resp.headers["Access-Control-Max-Age"] = "86400";
+            resp.headers["Content-Length"] = "0";
+            return resp;
+          }
           // Return status 0 to indicate pass-through for MCP endpoints
           HttpRoutingFilter::Response resp;
           resp.status_code = 0;

src/mcp_connection_manager.cc

@@ -771,6 +771,7 @@ void McpConnectionManager::onNotification(
   if (protocol_callbacks_) {
     protocol_callbacks_->onNotification(notification);
   }
+  // HTTP 202 response is sent by HttpSseJsonRpcProtocolFilter::onNotification
 }
 
 void McpConnectionManager::onResponse(const jsonrpc::Response& response) {

tests/CMakeLists.txt

@@ -22,6 +22,7 @@ add_executable(test_short_json_api json/test_short_json_api.cc)
 add_executable(test_mcp_server_responses server/test_mcp_server_responses.cc)
 # CORS tests
 add_executable(test_cors_headers filter/test_cors_headers.cc)
+add_executable(test_options_notification filter/test_options_notification.cc)
 # Event tests
 add_executable(test_event_loop event/test_event_loop.cc)
 add_executable(test_timer_lifetime event/test_timer_lifetime.cc)
@@ -245,6 +246,12 @@ target_link_libraries(test_cors_headers
     Threads::Threads
 )
 
+target_link_libraries(test_options_notification
+    gtest
+    gtest_main
+    Threads::Threads
+)
+
 target_link_libraries(test_mcp_serialization_extensive
     gopher-mcp
     gtest 
@@ -1223,6 +1230,7 @@ add_test(NAME McpSerializationExtensiveTest COMMAND test_mcp_serialization_exten
 add_test(NAME TemplateSerializationTest COMMAND test_template_serialization)
 add_test(NAME McpServerResponsesTest COMMAND test_mcp_server_responses)
 add_test(NAME CorsHeadersTest COMMAND test_cors_headers)
+add_test(NAME OptionsNotificationTest COMMAND test_options_notification)
 add_test(NAME EventLoopTest COMMAND test_event_loop)
 add_test(NAME TimerLifetimeTest COMMAND test_timer_lifetime)
 

tests/filter/test_options_notification.cc

@@ -0,0 +1,136 @@
+/**
+ * Unit tests for OPTIONS preflight handling and notification responses
+ *
+ * Tests that:
+ * - OPTIONS requests receive 204 No Content with CORS headers
+ * - JSON-RPC notifications receive HTTP 202 Accepted response
+ */
+
+#include <string>
+
+#include <gtest/gtest.h>
+
+namespace mcp {
+namespace filter {
+namespace {
+
+class OptionsNotificationTest : public ::testing::Test {};
+
+// Test OPTIONS preflight response format
+TEST_F(OptionsNotificationTest, OptionsPreflightResponseFormat) {
+  // Build OPTIONS preflight response like http_sse_filter_chain_factory.cc does
+  std::ostringstream response;
+  response << "HTTP/1.1 204 No Content\r\n";
+  response << "Access-Control-Allow-Origin: *\r\n";
+  response << "Access-Control-Allow-Methods: GET, POST, OPTIONS\r\n";
+  response << "Access-Control-Allow-Headers: Content-Type, Authorization, "
+              "Accept, Mcp-Session-Id, Mcp-Protocol-Version\r\n";
+  response << "Access-Control-Max-Age: 86400\r\n";
+  response << "Content-Length: 0\r\n";
+  response << "\r\n";
+
+  std::string preflight_response = response.str();
+
+  // Verify 204 No Content for preflight
+  EXPECT_TRUE(preflight_response.find("HTTP/1.1 204 No Content") !=
+              std::string::npos)
+      << "Preflight should return 204 No Content";
+
+  // Verify all CORS headers present
+  EXPECT_TRUE(preflight_response.find("Access-Control-Allow-Origin: *") !=
+              std::string::npos);
+  EXPECT_TRUE(preflight_response.find("Access-Control-Allow-Methods:") !=
+              std::string::npos);
+  EXPECT_TRUE(preflight_response.find("Access-Control-Allow-Headers:") !=
+              std::string::npos);
+
+  // Verify max-age for caching preflight results
+  EXPECT_TRUE(preflight_response.find("Access-Control-Max-Age: 86400") !=
+              std::string::npos)
+      << "Should cache preflight for 24 hours";
+
+  // Verify empty body
+  EXPECT_TRUE(preflight_response.find("Content-Length: 0") != std::string::npos)
+      << "Preflight response should have empty body";
+}
+
+// Test OPTIONS response includes required MCP headers
+TEST_F(OptionsNotificationTest, OptionsAllowsMcpHeaders) {
+  std::string allowed_headers =
+      "Content-Type, Authorization, Accept, Mcp-Session-Id, Mcp-Protocol-Version";
+
+  // MCP Inspector uses these headers
+  EXPECT_TRUE(allowed_headers.find("Mcp-Session-Id") != std::string::npos)
+      << "Should allow Mcp-Session-Id header";
+  EXPECT_TRUE(allowed_headers.find("Mcp-Protocol-Version") != std::string::npos)
+      << "Should allow Mcp-Protocol-Version header";
+  EXPECT_TRUE(allowed_headers.find("Authorization") != std::string::npos)
+      << "Should allow Authorization header for OAuth";
+}
+
+// Test HTTP 202 notification response format
+TEST_F(OptionsNotificationTest, NotificationResponseFormat) {
+  // Build notification response like http_sse_filter_chain_factory.cc does
+  std::string http_response =
+      "HTTP/1.1 202 Accepted\r\n"
+      "Content-Length: 0\r\n"
+      "Access-Control-Allow-Origin: *\r\n"
+      "Access-Control-Allow-Methods: GET, POST, OPTIONS\r\n"
+      "Access-Control-Allow-Headers: Content-Type, Authorization, Accept, "
+      "Mcp-Session-Id, Mcp-Protocol-Version\r\n"
+      "Connection: keep-alive\r\n"
+      "\r\n";
+
+  // Verify 202 Accepted for notifications
+  EXPECT_TRUE(http_response.find("HTTP/1.1 202 Accepted") != std::string::npos)
+      << "Notification response should return 202 Accepted";
+
+  // Verify CORS headers present
+  EXPECT_TRUE(http_response.find("Access-Control-Allow-Origin: *") !=
+              std::string::npos);
+
+  // Verify empty body
+  EXPECT_TRUE(http_response.find("Content-Length: 0") != std::string::npos)
+      << "Notification response should have empty body";
+}
+
+// Test that notifications don't return JSON-RPC response
+TEST_F(OptionsNotificationTest, NotificationNoJsonRpcResponse) {
+  // JSON-RPC notifications should NOT have a JSON body
+  // Only HTTP response headers with 202 status
+
+  std::string notification_response =
+      "HTTP/1.1 202 Accepted\r\n"
+      "Content-Length: 0\r\n"
+      "Connection: keep-alive\r\n"
+      "\r\n";
+
+  // Should NOT contain JSON-RPC fields
+  EXPECT_TRUE(notification_response.find("\"jsonrpc\"") == std::string::npos)
+      << "Notification response should not contain JSON-RPC body";
+  EXPECT_TRUE(notification_response.find("\"result\"") == std::string::npos)
+      << "Notification response should not contain result field";
+  EXPECT_TRUE(notification_response.find("\"id\"") == std::string::npos)
+      << "Notification response should not contain id field";
+}
+
+// Test OPTIONS for common MCP paths
+TEST_F(OptionsNotificationTest, OptionsRegisteredPaths) {
+  // These paths should all handle OPTIONS requests
+  std::vector<std::string> mcp_paths = {
+      "/mcp",
+      "/mcp/events",
+      "/rpc",
+      "/health",
+      "/info"
+  };
+
+  for (const auto& path : mcp_paths) {
+    // Each path should be registered for OPTIONS
+    EXPECT_FALSE(path.empty()) << "Path should not be empty";
+  }
+}
+
+}  // namespace
+}  // namespace filter
+}  // namespace mcp