First attempt at introducing CORS support

Author: aittalam

cmd/daemon.go

@@ -22,10 +22,12 @@ import (
 // DaemonCmd should be used to represent the 'daemon' command.
 type DaemonCmd struct {
 	*cmd.BaseCmd
-	Dev       bool
-	Addr      string
-	cfgLoader config.Loader
-	ctxLoader configcontext.Loader
+	Dev             bool
+	Addr            string
+	EnableCORS      bool
+	CORSOrigins     []string
+	cfgLoader       config.Loader
+	ctxLoader       configcontext.Loader
 }
 
 // NewDaemonCmd creates a newly configured (Cobra) command.
@@ -36,13 +38,14 @@ func NewDaemonCmd(baseCmd *cmd.BaseCmd, opt ...cmdopts.CmdOption) (*cobra.Comman
 	}
 
 	c := &DaemonCmd{
-		BaseCmd:   baseCmd,
-		cfgLoader: opts.ConfigLoader,
-		ctxLoader: opts.ContextLoader,
+		BaseCmd:    baseCmd,
+		cfgLoader:  opts.ConfigLoader,
+		ctxLoader:  opts.ContextLoader,
+		CORSOrigins: []string{},
 	}
 
 	cobraCommand := &cobra.Command{
-		Use:   "daemon [--dev] [--addr]",
+		Use:   "daemon [--dev] [--addr] [--enable-cors] [--cors-origins]",
 		Short: "Launches an `mcpd` daemon instance",
 		Long:  "Launches an `mcpd` daemon instance, which starts MCP servers and provides routing via HTTP API",
 		RunE:  c.run,
@@ -62,6 +65,21 @@ func NewDaemonCmd(baseCmd *cmd.BaseCmd, opt ...cmdopts.CmdOption) (*cobra.Comman
 		"Address for the daemon to bind (not applicable in --dev mode)",
 	)
 
+	// Add CORS flags
+	cobraCommand.Flags().BoolVar(
+		&c.EnableCORS,
+		"enable-cors",
+		false,
+		"Enable Cross-Origin Resource Sharing (CORS) for browser clients",
+	)
+
+	cobraCommand.Flags().StringSliceVar(
+		&c.CORSOrigins,
+		"cors-origins",
+		[]string{"*"},
+		"Comma-separated list of allowed CORS origins (default: * for all origins)",
+	)
+
 	cobraCommand.MarkFlagsMutuallyExclusive("dev", "addr")
 
 	return cobraCommand, nil
@@ -93,7 +111,9 @@ func (c *DaemonCmd) run(_ *cobra.Command, _ []string) error {
 	if err != nil {
 		return fmt.Errorf("error configuring mcpd daemon options: %w", err)
 	}
-	d, err := daemon.NewDaemon(addr, opts)
+
+	// Pass CORS configuration to daemon creation
+	d, err := daemon.NewDaemon(addr, opts, c.EnableCORS, c.CORSOrigins)
 	if err != nil {
 		return fmt.Errorf("failed to create mcpd daemon instance: %w", err)
 	}
@@ -128,6 +148,11 @@ func (c *DaemonCmd) run(_ *cobra.Command, _ []string) error {
 			banner += fmt.Sprintf("  Log file:\t%s => (%s)\n", flags.LogPath, flags.LogLevel)
 		}
 
+		// Add CORS status to banner
+		if c.EnableCORS {
+			banner += fmt.Sprintf("  CORS enabled:\t%v (origins: %s)\n", c.EnableCORS, strings.Join(c.CORSOrigins, ", "))
+		}
+
 		banner += "\nPress Ctrl+C to stop.\n\n"
 		fmt.Print(banner)
 	}

internal/daemon/daemon.go

@@ -64,7 +64,7 @@ func NewDaemonOpts(logger hclog.Logger, cfgLoader config.Loader, ctxLoader confi
 
 // NewDaemon creates a new Daemon instance with proper initialization.
 // Use this function instead of directly creating a Daemon struct.
-func NewDaemon(apiAddr string, opts *Opts) (*Daemon, error) {
+func NewDaemon(apiAddr string, opts *Opts, enableCORS bool, corsOrigins []string) (*Daemon, error) {
 	if err := IsValidAddr(apiAddr); err != nil {
 		return nil, fmt.Errorf("invalid API address '%s': %w", apiAddr, err)
 	}
@@ -94,7 +94,7 @@ func NewDaemon(apiAddr string, opts *Opts) (*Daemon, error) {
 
 	healthTracker := NewHealthTracker(serverNames)
 	clientManager := NewClientManager()
-	apiServer, err := NewApiServer(opts.logger, clientManager, healthTracker, apiAddr)
+	apiServer, err := NewApiServer(opts.logger, clientManager, healthTracker, apiAddr, enableCORS, corsOrigins)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create daemon API server: %w", err)
 	}

internal/daemon/server.go

@@ -7,12 +7,14 @@ import (
 	"net/http"
 	"net/url"
 	"reflect"
+	"strings"
 	"time"
 
 	"github.com/danielgtaylor/huma/v2"
 	"github.com/danielgtaylor/huma/v2/adapters/humachi"
 	"github.com/go-chi/chi/v5"
 	"github.com/go-chi/chi/v5/middleware"
+	"github.com/go-chi/cors"
 	"github.com/hashicorp/go-hclog"
 
 	"github.com/mozilla-ai/mcpd/v2/internal/api"
@@ -26,13 +28,17 @@ type ApiServer struct {
 	healthTracker contracts.MCPHealthMonitor
 	logger        hclog.Logger
 	addr          string
+	enableCORS    bool
+	corsOrigins   []string
 }
 
 func NewApiServer(
 	logger hclog.Logger,
 	accessor contracts.MCPClientAccessor,
 	monitor contracts.MCPHealthMonitor,
 	addr string,
+	enableCORS bool,
+	corsOrigins []string,
 ) (*ApiServer, error) {
 	if logger == nil || reflect.ValueOf(logger).IsNil() {
 		return nil, fmt.Errorf("logger cannot be nil")
@@ -52,13 +58,42 @@ func NewApiServer(
 		clientManager: accessor,
 		healthTracker: monitor,
 		addr:          addr,
+		enableCORS:    enableCORS,
+		corsOrigins:   corsOrigins,
 	}, nil
 }
 
 func (a *ApiServer) Start(ctx context.Context) error {
 	// Create router.
 	mux := chi.NewMux()
 	mux.Use(middleware.StripSlashes)
+
+	// Add CORS middleware if enabled
+	if a.enableCORS {
+		a.logger.Info("Enabling CORS", "origins", a.corsOrigins)
+
+		corsOptions := cors.Options{
+			AllowedOrigins:   a.corsOrigins,
+			AllowedMethods:   []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"},
+			AllowedHeaders:   []string{"Accept", "Authorization", "Content-Type", "X-CSRF-Token", "X-Requested-With"},
+			ExposedHeaders:   []string{"Link"},
+			AllowCredentials: false,
+			MaxAge:           300, // Maximum value not ignored by any of major browsers
+		}
+
+		// Handle wildcard origins properly
+		for i, origin := range corsOptions.AllowedOrigins {
+			if origin == "*" {
+				corsOptions.AllowedOrigins = []string{"*"}
+				corsOptions.AllowCredentials = false
+				break
+			}
+			corsOptions.AllowedOrigins[i] = strings.TrimSpace(origin)
+		}
+
+		mux.Use(cors.Handler(corsOptions))
+	}
+
 	config := huma.DefaultConfig("mcpd docs", cmd.Version())
 	router := humachi.New(mux, config)
 
@@ -85,6 +120,9 @@ func (a *ApiServer) Start(ctx context.Context) error {
 	// Start the API.
 	go func() {
 		a.logger.Info("Starting API server", "address", a.addr, "prefix", apiPathPrefix)
+		if a.enableCORS {
+			a.logger.Info("CORS enabled", "origins", a.corsOrigins)
+		}
 		if err := srv.ListenAndServe(); err != nil && !stdErrors.Is(err, http.ErrServerClosed) {
 			errCh <- err
 		}