fix: preserve cors_origin backward compat, use runtime checks for protected headers

0xeb · 0xeb · commit f6c714537086 · 2026-03-15T13:22:30.000-07:00
- Add cors_origin convenience parameter back to all 3 server constructors
  (merged into response_headers_ internally, response_headers takes priority)
- Replace assert() with std::invalid_argument for protected header validation
  so it works in release builds
- Remove unused &lt;cassert&gt; includes
- Add tests for backward-compat cors_origin, response_headers map,
  protected header rejection, and cors_origin vs response_headers priority
diff --git a/include/fastmcpp/server/http_server.hpp b/include/fastmcpp/server/http_server.hpp
@@ -27,11 +27,12 @@ class HttpServerWrapper
      * @param port Port to listen on (default: 18080)
      *             To bind to any random available port provided by the OS use port number 0.
      * @param auth_token Optional auth token for Bearer authentication (empty = no auth required)
-     * @param response_headers Additional HTTP headers added to responses (e.g.
-     *                         "Access-Control-Allow-Origin"...)
+     * @param cors_origin Optional CORS origin (shorthand for Access-Control-Allow-Origin header)
+     * @param response_headers Additional HTTP headers added to responses
      */
     HttpServerWrapper(std::shared_ptr<Server> core, std::string host = "127.0.0.1",
                       int port = 18080, std::string auth_token = "",
+                      std::string cors_origin = "",
                       std::unordered_map<std::string, std::string> response_headers = {});
     ~HttpServerWrapper();
 
diff --git a/include/fastmcpp/server/sse_server.hpp b/include/fastmcpp/server/sse_server.hpp
@@ -54,12 +54,12 @@ class SseServerWrapper
      * @param sse_path Path for SSE GET endpoint (default: "/sse")
      * @param message_path Path for POST message endpoint (default: "/messages")
      * @param auth_token Optional auth token for Bearer authentication (empty = no auth required)
-     * @param response_headers Additional HTTP headers added to responses (e.g.
-     *                         "Access-Control-Allow-Origin"...)
+     * @param cors_origin Optional CORS origin (shorthand for Access-Control-Allow-Origin header)
+     * @param response_headers Additional HTTP headers added to responses
      */
     explicit SseServerWrapper(McpHandler handler, std::string host = "127.0.0.1", int port = 18080,
                               std::string sse_path = "/sse", std::string message_path = "/messages",
-                              std::string auth_token = "",
+                              std::string auth_token = "", std::string cors_origin = "",
                               std::unordered_map<std::string, std::string> response_headers = {});
 
     ~SseServerWrapper();
diff --git a/include/fastmcpp/server/streamable_http_server.hpp b/include/fastmcpp/server/streamable_http_server.hpp
@@ -52,12 +52,13 @@ class StreamableHttpServerWrapper
      *             To bind to any random available port provided by the OS use port number 0.
      * @param mcp_path Path for the MCP POST endpoint (default: "/mcp")
      * @param auth_token Optional auth token for Bearer authentication (empty = no auth required)
-     * @param response_headers Additional HTTP headers added to responses (e.g.
-     *                         "Access-Control-Allow-Origin"...)
+     * @param cors_origin Optional CORS origin (shorthand for Access-Control-Allow-Origin header)
+     * @param response_headers Additional HTTP headers added to responses
      */
     explicit StreamableHttpServerWrapper(
         McpHandler handler, std::string host = "127.0.0.1", int port = 18080,
         std::string mcp_path = "/mcp", std::string auth_token = "",
+        std::string cors_origin = "",
         std::unordered_map<std::string, std::string> response_headers = {});
 
     ~StreamableHttpServerWrapper();
diff --git a/src/server/http_server.cpp b/src/server/http_server.cpp
@@ -9,11 +9,14 @@ namespace fastmcpp::server
 {
 
 HttpServerWrapper::HttpServerWrapper(std::shared_ptr<Server> core, std::string host, int port,
-                                     std::string auth_token,
+                                     std::string auth_token, std::string cors_origin,
                                      std::unordered_map<std::string, std::string> response_headers)
     : core_(std::move(core)), host_(std::move(host)), requested_port_(port),
       auth_token_(std::move(auth_token)), response_headers_(std::move(response_headers))
 {
+    if (!cors_origin.empty() &&
+        response_headers_.find("Access-Control-Allow-Origin") == response_headers_.end())
+        response_headers_["Access-Control-Allow-Origin"] = std::move(cors_origin);
 }
 
 HttpServerWrapper::~HttpServerWrapper()
diff --git a/src/server/sse_server.cpp b/src/server/sse_server.cpp
@@ -4,7 +4,6 @@
 #include "fastmcpp/util/json.hpp"
 
 #include <algorithm>
-#include <cassert>
 #include <cctype>
 #include <chrono>
 #include <ctime>
@@ -80,26 +79,25 @@ std::optional<TaskNotificationInfo> extract_task_notification_info(const fastmcp
 
 SseServerWrapper::SseServerWrapper(McpHandler handler, std::string host, int port,
                                    std::string sse_path, std::string message_path,
-                                   std::string auth_token,
+                                   std::string auth_token, std::string cors_origin,
                                    std::unordered_map<std::string, std::string> response_headers)
     : handler_(std::move(handler)), host_(std::move(host)), requested_port_(port),
       sse_path_(std::move(sse_path)), message_path_(std::move(message_path)),
       auth_token_(std::move(auth_token)), response_headers_(std::move(response_headers))
 {
-    assert(port >= 0 && "'port' is expected to be non-negative.");
+    if (!cors_origin.empty() &&
+        response_headers_.find("Access-Control-Allow-Origin") == response_headers_.end())
+        response_headers_["Access-Control-Allow-Origin"] = std::move(cors_origin);
 
     for (const auto& [name, value] : response_headers_)
     {
         std::string lower_name = name;
         std::transform(lower_name.begin(), lower_name.end(), lower_name.begin(),
                        [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
 
-        assert(lower_name != "content-type" &&
-               "'response_headers' must not override SSE Content-Type.");
-        assert(lower_name != "connection" &&
-               "'response_headers' must not override SSE Connection.");
-        assert(lower_name != "cache-control" &&
-               "'response_headers' must not override SSE Cache-Control.");
+        if (lower_name == "content-type" || lower_name == "connection" ||
+            lower_name == "cache-control")
+            throw std::invalid_argument("response_headers must not override '" + name + "'");
     }
 }
 
diff --git a/src/server/streamable_http_server.cpp b/src/server/streamable_http_server.cpp
@@ -4,7 +4,6 @@
 #include "fastmcpp/util/json.hpp"
 
 #include <algorithm>
-#include <cassert>
 #include <cctype>
 #include <chrono>
 #include <httplib.h>
@@ -19,21 +18,24 @@ namespace fastmcpp::server
 StreamableHttpServerWrapper::StreamableHttpServerWrapper(McpHandler handler, std::string host,
                                                          int port, std::string mcp_path,
                                                          std::string auth_token,
+                                                         std::string cors_origin,
                                                          std::unordered_map<std::string, std::string> response_headers)
     : handler_(std::move(handler)), host_(std::move(host)), requested_port_(port),
       mcp_path_(std::move(mcp_path)), auth_token_(std::move(auth_token)),
       response_headers_(std::move(response_headers))
 {
-    assert(port >= 0 && "'port' is expected to be non-negative.");
+    if (!cors_origin.empty() &&
+        response_headers_.find("Access-Control-Allow-Origin") == response_headers_.end())
+        response_headers_["Access-Control-Allow-Origin"] = std::move(cors_origin);
 
     for (const auto& [name, value] : response_headers_)
     {
         std::string lower_name = name;
         std::transform(lower_name.begin(), lower_name.end(), lower_name.begin(),
                        [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
 
-        assert(lower_name != "content-type" &&
-               "'response_headers' must not override streamable HTTP Content-Type.");
+        if (lower_name == "content-type")
+            throw std::invalid_argument("response_headers must not override '" + name + "'");
     }
 }
 
diff --git a/tests/server/auth_cors_security.cpp b/tests/server/auth_cors_security.cpp
@@ -151,15 +151,14 @@ int main()
         std::cout << "  [PASS] HTTP server does not set CORS by default\n";
     }
 
-    // Test 5: HTTP server should set CORS header when explicitly configured
+    // Test 5: HTTP server should set CORS header when using cors_origin convenience param
     {
-        std::cout << "Test: HTTP server sets CORS header when configured...\n";
+        std::cout << "Test: HTTP server sets CORS header via cors_origin param...\n";
 
         auto srv = std::make_shared<Server>();
         srv->route("test", [](const Json&) { return Json{{"result", "ok"}}; });
 
-        HttpServerWrapper http_server(srv, "127.0.0.1", 18603, "",
-                                      {{"Access-Control-Allow-Origin", "https://example.com"}});
+        HttpServerWrapper http_server(srv, "127.0.0.1", 18603, "", "https://example.com");
         if (!http_server.start())
         {
             std::cerr << "Failed to start HTTP server\n";
@@ -231,8 +230,7 @@ int main()
         auto srv = std::make_shared<Server>();
         srv->route("test", [](const Json&) { return Json{{"result", "ok"}}; });
 
-        HttpServerWrapper http_server(srv, "127.0.0.1", 18605, "",
-                                      {{"Access-Control-Allow-Origin", "https://example.com"}});
+        HttpServerWrapper http_server(srv, "127.0.0.1", 18605, "", "https://example.com");
         if (!http_server.start())
         {
             std::cerr << "Failed to start HTTP server with CORS config\n";
@@ -284,7 +282,7 @@ int main()
         { return Json{{"jsonrpc", "2.0"}, {"id", req["id"]}, {"result", {}}}; };
 
         SseServerWrapper sse_server(handler, "127.0.0.1", 18605, "/sse", "/messages", "",
-                                    {{"Access-Control-Allow-Origin", "https://example.com"}});
+                                    "https://example.com");
         if (!sse_server.start())
         {
             std::cerr << "Failed to start SSE server with CORS config\n";
@@ -328,6 +326,129 @@ int main()
         std::cout << "  [PASS] SSE message endpoint handles CORS preflight\n";
     }
 
+    // Test 9: HTTP server CORS via response_headers map (new API)
+    {
+        std::cout << "Test: HTTP server sets CORS header via response_headers map...\n";
+
+        auto srv = std::make_shared<Server>();
+        srv->route("test", [](const Json&) { return Json{{"result", "ok"}}; });
+
+        HttpServerWrapper http_server(srv, "127.0.0.1", 18606, "", "",
+                                      {{"Access-Control-Allow-Origin", "*"},
+                                       {"X-Custom-Header", "custom-value"}});
+        if (!http_server.start())
+        {
+            std::cerr << "Failed to start HTTP server\n";
+            return 1;
+        }
+
+        std::this_thread::sleep_for(std::chrono::milliseconds(100));
+
+        httplib::Client client("127.0.0.1", 18606);
+        auto res = client.Post("/test", R"({"x":1})", "application/json");
+
+        if (!res || res->status != 200)
+        {
+            std::cerr << "  [FAIL] Request failed\n";
+            http_server.stop();
+            return 1;
+        }
+
+        auto cors_it = res->headers.find("Access-Control-Allow-Origin");
+        if (cors_it == res->headers.end() || cors_it->second != "*")
+        {
+            std::cerr << "  [FAIL] CORS header missing or incorrect\n";
+            http_server.stop();
+            return 1;
+        }
+
+        auto custom_it = res->headers.find("X-Custom-Header");
+        if (custom_it == res->headers.end() || custom_it->second != "custom-value")
+        {
+            std::cerr << "  [FAIL] Custom header missing or incorrect\n";
+            http_server.stop();
+            return 1;
+        }
+
+        http_server.stop();
+        std::cout << "  [PASS] HTTP server sets headers via response_headers map\n";
+    }
+
+    // Test 10: SSE server rejects protected headers (Content-Type)
+    {
+        std::cout << "Test: SSE server rejects protected Content-Type header...\n";
+
+        auto handler = [](const Json& req) -> Json
+        { return Json{{"jsonrpc", "2.0"}, {"id", req["id"]}, {"result", {}}}; };
+
+        bool threw = false;
+        try
+        {
+            SseServerWrapper sse_server(handler, "127.0.0.1", 18607, "/sse", "/messages", "", "",
+                                        {{"Content-Type", "text/plain"}});
+        }
+        catch (const std::invalid_argument& e)
+        {
+            threw = true;
+            std::string msg = e.what();
+            if (msg.find("Content-Type") == std::string::npos)
+            {
+                std::cerr << "  [FAIL] Exception message should mention Content-Type: " << msg
+                          << "\n";
+                return 1;
+            }
+        }
+
+        if (!threw)
+        {
+            std::cerr << "  [FAIL] Should have thrown std::invalid_argument\n";
+            return 1;
+        }
+
+        std::cout << "  [PASS] SSE server rejects protected Content-Type header\n";
+    }
+
+    // Test 11: cors_origin is overridden when response_headers also sets it
+    {
+        std::cout << "Test: response_headers takes priority over cors_origin...\n";
+
+        auto srv = std::make_shared<Server>();
+        srv->route("test", [](const Json&) { return Json{{"result", "ok"}}; });
+
+        // cors_origin="*" but response_headers overrides with specific origin
+        HttpServerWrapper http_server(srv, "127.0.0.1", 18608, "", "*",
+                                      {{"Access-Control-Allow-Origin", "https://specific.com"}});
+        if (!http_server.start())
+        {
+            std::cerr << "Failed to start HTTP server\n";
+            return 1;
+        }
+
+        std::this_thread::sleep_for(std::chrono::milliseconds(100));
+
+        httplib::Client client("127.0.0.1", 18608);
+        auto res = client.Post("/test", R"({"x":1})", "application/json");
+
+        if (!res || res->status != 200)
+        {
+            std::cerr << "  [FAIL] Request failed\n";
+            http_server.stop();
+            return 1;
+        }
+
+        auto cors_it = res->headers.find("Access-Control-Allow-Origin");
+        if (cors_it == res->headers.end() || cors_it->second != "https://specific.com")
+        {
+            std::cerr << "  [FAIL] response_headers should take priority, got: "
+                      << (cors_it != res->headers.end() ? cors_it->second : "missing") << "\n";
+            http_server.stop();
+            return 1;
+        }
+
+        http_server.stop();
+        std::cout << "  [PASS] response_headers takes priority over cors_origin\n";
+    }
+
     std::cout << "\n[OK] All HTTP/SSE auth and CORS security tests passed!\n";
     return 0;
 }

Original file line number	Diff line number	Diff line change
`@@ -9,11 +9,14 @@ namespace fastmcpp::server`
`9`	`9`	`{`
`10`	`10`
`11`	`11`	`HttpServerWrapper::HttpServerWrapper(std::shared_ptr<Server> core, std::string host, int port,`
`12`		`- std::string auth_token,`
	`12`	`+ std::string auth_token, std::string cors_origin,`
`13`	`13`	`std::unordered_map<std::string, std::string> response_headers)`
`14`	`14`	`: core_(std::move(core)), host_(std::move(host)), requested_port_(port),`
`15`	`15`	`auth_token_(std::move(auth_token)), response_headers_(std::move(response_headers))`
`16`	`16`	`{`
	`17`	`+ if (!cors_origin.empty() &&`
	`18`	`+ response_headers_.find("Access-Control-Allow-Origin") == response_headers_.end())`
	`19`	`+ response_headers_["Access-Control-Allow-Origin"] = std::move(cors_origin);`
`17`	`20`	`}`
`18`	`21`
`19`	`22`	`HttpServerWrapper::~HttpServerWrapper()`