From 454556f77958d48b028237d7d64f0491c709343c Mon Sep 17 00:00:00 2001
From: Hammad Tariq
Date: Thu, 24 Jul 2025 17:44:05 -0700
Subject: [PATCH] fixed the auth.py issue with CORS options
---
 attach/gateway.py | 6 +++---
 middleware/auth.py | 8 +++++---
 2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/attach/gateway.py b/attach/gateway.py
index ba286d9..25064a1 100644
--- a/attach/gateway.py
+++ b/attach/gateway.py
@@ -170,14 +170,14 @@ async def auth_config():
 allow_credentials=True,
 )
- app.add_middleware(BaseHTTPMiddleware, dispatch=jwt_auth_mw)
- app.add_middleware(BaseHTTPMiddleware, dispatch=session_mw)
-
 # Only add quota middleware if available and explicitly configured
 limit = int_env("MAX_TOKENS_PER_MIN", 60000)
 if QUOTA_AVAILABLE and limit is not None:
 app.add_middleware(TokenQuotaMiddleware)
+ app.add_middleware(BaseHTTPMiddleware, dispatch=jwt_auth_mw)
+ app.add_middleware(BaseHTTPMiddleware, dispatch=session_mw)
+
 # Add routes
 app.include_router(a2a_router, prefix="/a2a")
 app.include_router(proxy_router)
diff --git a/middleware/auth.py b/middleware/auth.py
index e9fd448..01d7db3 100644
--- a/middleware/auth.py
+++ b/middleware/auth.py
@@ -29,8 +29,12 @@ async def jwt_auth_mw(request: Request, call_next):
 • Verifies it with `auth.oidc.verify_jwt`.
 • Stores the `sub` claim in `request.state.sub` for downstream middleware.
 • Rejects the request with 401 on any failure.
- • Skips authentication for excluded paths.
+ • Skips authentication for excluded paths and OPTIONS requests.
 """
+ # Skip authentication for OPTIONS requests (CORS preflight)
+ if request.method == "OPTIONS":
+ return await call_next(request)
+
 # Skip authentication for excluded paths
 if request.url.path in EXCLUDED_PATHS:
 return await call_next(request)
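Review bot: The two moved `app.add_middleware(BaseHTTPMiddleware, ...)` calls in attach/gateway.py carry no comment stating the resulting execution order, and that order is what this hunk changes. Starlette runs the most recently added middleware first, so requests now pass session_mw, then jwt_auth_mw, then TokenQuotaMiddleware, then the middleware registered just above (apparently CORS, judging by `allow_credentials=True`). Because that CORS layer stays innermost, a 401 from jwt_auth_mw never passes through it and will reach browsers without CORS headers, and session_mw still runs before jwt_auth_mw has set `request.state.sub` unless it only reads it after `call_next`. I would add `# Starlette runs the last-added middleware first: session_mw -> jwt_auth_mw -> quota -> CORS` above the moved lines and consider registering the CORS middleware last so it wraps the auth layer. The enclosing function starts and ends outside the hunk.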
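Review bot: The new `if request.method == "OPTIONS":` guard at the top of jwt_auth_mw exempts every OPTIONS request from JWT verification, not only CORS preflights. An OPTIONS request that a route or the proxy router actually handles would therefore reach it unauthenticated and with `request.state.sub` never set, which downstream middleware may not expect. Restrict the bypass to real preflights, which carry both headers: `if request.method == "OPTIONS" and "origin" in request.headers and "access-control-request-method" in request.headers:`. Whether any route accepts OPTIONS is not visible here, so treat this as hardening; the function body starts before and continues after this hunk.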
@@ -48,6 +52,4 @@ async def jwt_auth_mw(request: Request, call_next):
 # attach the user id (sub) for the session-middleware
 request.state.sub = claims["sub"]
-
- # continue down the middleware stack / route handler
 return await call_next(request)