Expose WWW-Authenticate and X-Request-ID in CORS headers (v0.6.2)

rustyconover · claude · rustyconover · commit 25ef386a725b · 2026-03-25T17:55:36.000-04:00
Browsers cannot read non-safelisted response headers from cross-origin
responses unless they appear in Access-Control-Expose-Headers.  Always
expose WWW-Authenticate (needed for OAuth discovery from 401 responses)
and X-Request-ID (for client-side debugging) when CORS is enabled.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "vgi-rpc"
-version = "0.6.1"
+version = "0.6.2"
 description = "Vector Gateway Interface - RPC framework based on Apache Arrow"
 readme = "README.md"
 requires-python = ">=3.13"
diff --git a/tests/test_http.py b/tests/test_http.py
@@ -1114,6 +1114,16 @@ def test_cors_specific_origin(self) -> None:
         resp = tc.simulate_options("/add", headers={"Origin": "http://example.com"})
         assert resp.headers.get("access-control-allow-origin") == "http://example.com"
 
+    def test_cors_exposes_www_authenticate_and_request_id(self) -> None:
+        """CORS always exposes WWW-Authenticate and X-Request-ID headers."""
+        server = RpcServer(RpcFixtureService, RpcFixtureServiceImpl())
+        app = make_wsgi_app(server, signing_key=b"test", cors_origins="*")
+        tc = falcon.testing.TestClient(app)
+        resp = tc.simulate_options("/add", headers={"Origin": "http://example.com"})
+        expose = resp.headers.get("access-control-expose-headers", "")
+        assert "WWW-Authenticate" in expose
+        assert "X-Request-ID" in expose
+
     def test_no_cors_by_default(self) -> None:
         """Without cors_origins, no CORS headers are added."""
         server = RpcServer(RpcFixtureService, RpcFixtureServiceImpl())
diff --git a/uv.lock b/uv.lock
diff --git a/vgi_rpc/http/_server.py b/vgi_rpc/http/_server.py
@@ -2132,7 +2132,9 @@ def make_wsgi_app(
     if otel_config is not None:
         middleware.append(_OtelFalconMiddleware())
 
-    cors_expose: list[str] = []
+    # Always expose auth and request-id headers; capability headers are
+    # appended conditionally below.
+    cors_expose: list[str] = ["WWW-Authenticate", _REQUEST_ID_HEADER]
 
     # Build capability headers
     capability_headers: dict[str, str] = {}
@@ -2162,9 +2164,10 @@ def make_wsgi_app(
         www_authenticate = _build_www_authenticate(_validated_oauth_metadata, prefix)
 
     if cors_origins is not None:
-        cors_kwargs: dict[str, Any] = {"allow_origins": cors_origins}
-        if cors_expose:
-            cors_kwargs["expose_headers"] = cors_expose
+        cors_kwargs: dict[str, Any] = {
+            "allow_origins": cors_origins,
+            "expose_headers": cors_expose,
+        }
         middleware.append(falcon.CORSMiddleware(**cors_kwargs))
     if authenticate is not None:
         on_auth_failure: Callable[[str | None, str], None] | None = None
