fix: use shared DEFAULT_CORS_CONFIG in HTTP stream transport

Closes #93

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: QuantGeekDev

src/transports/http/server.ts

@@ -4,6 +4,7 @@ import { AbstractTransport } from '../base.js';
 import { JSONRPCMessage, isInitializeRequest } from '@modelcontextprotocol/sdk/types.js';
 import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js';
 import { HttpStreamTransportConfig } from './types.js';
+import { DEFAULT_CORS_CONFIG } from '../sse/types.js';
 import { logger } from '../../core/Logger.js';
 import { ProtectedResourceMetadata } from '../../auth/metadata/protected-resource.js';
 import { handleAuthentication } from '../utils/auth-handler.js';
@@ -224,13 +225,13 @@ export class HttpStreamTransport extends AbstractTransport {
     if (!this._config.cors) return;
 
     const cors = this._config.cors;
-    res.setHeader('Access-Control-Allow-Origin', cors.allowOrigin || '*');
-    res.setHeader('Access-Control-Allow-Methods', cors.allowMethods || 'GET, POST, OPTIONS');
-    res.setHeader('Access-Control-Allow-Headers', cors.allowHeaders || 'Content-Type, Authorization, Mcp-Session-Id');
-    res.setHeader('Access-Control-Expose-Headers', cors.exposeHeaders || 'Content-Type, Authorization, Mcp-Session-Id');
-    
+    res.setHeader('Access-Control-Allow-Origin', cors.allowOrigin || DEFAULT_CORS_CONFIG.allowOrigin!);
+    res.setHeader('Access-Control-Allow-Methods', cors.allowMethods || DEFAULT_CORS_CONFIG.allowMethods!);
+    res.setHeader('Access-Control-Allow-Headers', cors.allowHeaders || DEFAULT_CORS_CONFIG.allowHeaders!);
+    res.setHeader('Access-Control-Expose-Headers', cors.exposeHeaders || DEFAULT_CORS_CONFIG.exposeHeaders!);
+
     if (includeMaxAge) {
-      res.setHeader('Access-Control-Max-Age', cors.maxAge || '86400');
+      res.setHeader('Access-Control-Max-Age', cors.maxAge || DEFAULT_CORS_CONFIG.maxAge!);
     }
   }
 

tests/transports/http/cors-consistency.test.ts

@@ -0,0 +1,39 @@
+import { describe, it, expect } from '@jest/globals';
+import { DEFAULT_CORS_CONFIG } from '../../../src/transports/sse/types.js';
+
+describe('CORS header consistency between transports', () => {
+  it('DEFAULT_CORS_CONFIG should include all necessary headers', () => {
+    expect(DEFAULT_CORS_CONFIG.allowHeaders).toContain('Content-Type');
+    expect(DEFAULT_CORS_CONFIG.allowHeaders).toContain('Authorization');
+    expect(DEFAULT_CORS_CONFIG.allowHeaders).toContain('Mcp-Session-Id');
+    expect(DEFAULT_CORS_CONFIG.allowHeaders).toContain('Last-Event-ID');
+    expect(DEFAULT_CORS_CONFIG.allowHeaders).toContain('x-api-key');
+    expect(DEFAULT_CORS_CONFIG.allowHeaders).toContain('Accept');
+  });
+
+  it('DEFAULT_CORS_CONFIG should expose necessary headers', () => {
+    expect(DEFAULT_CORS_CONFIG.exposeHeaders).toContain('Content-Type');
+    expect(DEFAULT_CORS_CONFIG.exposeHeaders).toContain('Authorization');
+    expect(DEFAULT_CORS_CONFIG.exposeHeaders).toContain('Mcp-Session-Id');
+  });
+
+  it('DEFAULT_CORS_CONFIG should allow DELETE method for session termination', () => {
+    expect(DEFAULT_CORS_CONFIG.allowMethods).toContain('DELETE');
+  });
+
+  it('HTTP stream transport should use DEFAULT_CORS_CONFIG as fallback', async () => {
+    const { readFileSync } = await import('fs');
+    const httpSource = readFileSync('src/transports/http/server.ts', 'utf-8');
+
+    // Should import DEFAULT_CORS_CONFIG
+    expect(httpSource).toContain('DEFAULT_CORS_CONFIG');
+
+    // Should NOT contain hardcoded restrictive headers
+    expect(httpSource).not.toContain("'Content-Type, Authorization, Mcp-Session-Id'");
+  });
+
+  it('DEFAULT_CORS_CONFIG should have maxAge set', () => {
+    expect(DEFAULT_CORS_CONFIG.maxAge).toBeDefined();
+    expect(DEFAULT_CORS_CONFIG.maxAge).toBe('86400');
+  });
+});