Exempt CORS preflight OPTIONS from auth middleware (v0.6.1)

rustyconover · claude · rustyconover · commit ff6f995b546d · 2026-03-25T15:58:03.000-04:00
Browsers do not send credentials on CORS preflight requests, so
_AuthMiddleware must skip OPTIONS to let CORSMiddleware respond
with the proper Access-Control-* headers.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "vgi-rpc"
-version = "0.6.0"
+version = "0.6.1"
 description = "Vector Gateway Interface - RPC framework based on Apache Arrow"
 readme = "README.md"
 requires-python = ">=3.13"
diff --git a/tests/test_http.py b/tests/test_http.py
@@ -1074,6 +1074,21 @@ def test_no_auth_middleware_when_authenticate_is_none(self) -> None:
         assert result == "anonymous"
         client.close()
 
+    def test_cors_preflight_bypasses_auth(self) -> None:
+        """OPTIONS preflight must not be rejected by auth middleware."""
+        server = RpcServer(_AuthService, _AuthServiceImpl())
+        app = make_wsgi_app(
+            server,
+            signing_key=b"test",
+            cors_origins="*",
+            authenticate=_test_authenticate,
+        )
+        tc = falcon.testing.TestClient(app)
+        # Simulate a CORS preflight — no Authorization header
+        resp = tc.simulate_options("/whoami", headers={"Origin": "http://example.com"})
+        assert resp.status != "401 Unauthorized"
+        assert resp.headers.get("access-control-allow-origin") == "*"
+
 
 # ---------------------------------------------------------------------------
 # Tests: CORS
diff --git a/vgi_rpc/http/_server.py b/vgi_rpc/http/_server.py
@@ -1822,10 +1822,12 @@ def process_request(self, req: falcon.Request, resp: falcon.Response) -> None:
         The 401 response is plain text (not Arrow IPC) because at this
         stage no method has been resolved and the output schema is unknown.
 
-        Well-known paths (``/.well-known/``) are exempt from authentication
-        so that clients can discover OAuth metadata before authenticating.
+        CORS preflight ``OPTIONS`` requests and well-known paths
+        (``/.well-known/``) are exempt from authentication so that browsers
+        can complete the preflight handshake without credentials and clients
+        can discover OAuth metadata before authenticating.
         """
-        if req.path.startswith("/.well-known/"):
+        if req.method == "OPTIONS" or req.path.startswith("/.well-known/"):
             return
         try:
             auth = self._authenticate(req)
