Add CORS support for SSE transport #137
Conversation
- Fix README to use --cors-origins (plural) matching the actual CLI argument - Fix Docker example to use correct argument syntax (space not =) - Remove unused Middleware import - Fix import sorting per ruff - Remove trailing whitespace and extra blank lines Co-Authored-By: Pavel Yankelevich <pbeast@users.noreply.github.com> Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Tests cover: - Preflight (OPTIONS) requests for allowed/disallowed origins - Actual requests with CORS headers - Behavior when CORS middleware is not configured Co-Authored-By: Pavel Yankelevich <pbeast@users.noreply.github.com> Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 046dc63499
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
src/postgres_mcp/server.py
Outdated
| starlette_app = mcp.sse_app() | ||
|
|
||
| if args.cors_origins: | ||
| logger.info(f"Enabling CORS for origins: {", ".join(args.cors_origins)}") |
There was a problem hiding this comment.
This logger.info line has an invalid f-string because the inner ", " string terminates the outer double-quoted f-string, which makes the module fail to parse at import time. In any environment that executes this code path (including postgres-mcp --transport=sse), Python will raise a SyntaxError before the server can start. Use single quotes inside the join or escape the quotes to keep the f-string valid.
Useful? React with 👍 / 👎.
Addresses code review feedback - while nested double quotes are valid in Python 3.12+ (PEP 701), single quotes are clearer and avoid potential linter confusion. Co-Authored-By: Pavel Yankelevich <pbeast@users.noreply.github.com> Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The unit tests verify the CORS middleware behavior but don't exercise the actual server startup path. These e2e tests: - Start a real uvicorn server in a subprocess - Make actual HTTP requests with Origin headers - Verify CORS headers are returned correctly Co-Authored-By: Pavel Yankelevich <pbeast@users.noreply.github.com> Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Summary
Adds optional CORS support for the SSE transport, allowing browser-based MCP clients (like the Claude.ai Chrome extension) to connect to locally-running postgres-mcp servers.
This PR is based on the excellent work by @pbeast in #87. Their implementation provided the foundation - this PR adds fixes and test coverage.
Changes from original PR #87:
--cors-originsnot--cors-origin)=for argparse nargs)Features:
--cors-originsargument to whitelist allowed originsCORSMiddlewareon the SSE app--cors-origins https://claude.ai https://example.comUsage
Test plan
Fixes #73
🤖 Generated with Claude Code