Fix CORS OPTIONS Requests Blocked by JWT Middleware

attach/gateway.py

@@ -170,14 +170,14 @@ async def auth_config():
         allow_credentials=True,
     )
 
-    app.add_middleware(BaseHTTPMiddleware, dispatch=jwt_auth_mw)
-    app.add_middleware(BaseHTTPMiddleware, dispatch=session_mw)
-
     # Only add quota middleware if available and explicitly configured
     limit = int_env("MAX_TOKENS_PER_MIN", 60000)
     if QUOTA_AVAILABLE and limit is not None:
         app.add_middleware(TokenQuotaMiddleware)
 
+    app.add_middleware(BaseHTTPMiddleware, dispatch=jwt_auth_mw)
+    app.add_middleware(BaseHTTPMiddleware, dispatch=session_mw)
+
     # Add routes
     app.include_router(a2a_router, prefix="/a2a")
     app.include_router(proxy_router)

middleware/auth.py

@@ -29,8 +29,12 @@ async def jwt_auth_mw(request: Request, call_next):
     • Verifies it with `auth.oidc.verify_jwt`.
     • Stores the `sub` claim in `request.state.sub` for downstream middleware.
     • Rejects the request with 401 on any failure.
-    • Skips authentication for excluded paths.
+    • Skips authentication for excluded paths and OPTIONS requests.
     """
+    # Skip authentication for OPTIONS requests (CORS preflight)
+    if request.method == "OPTIONS":
+        return await call_next(request)
+
     # Skip authentication for excluded paths
     if request.url.path in EXCLUDED_PATHS:
         return await call_next(request)
@@ -48,6 +52,4 @@ async def jwt_auth_mw(request: Request, call_next):
 
     # attach the user id (sub) for the session-middleware
     request.state.sub = claims["sub"]
-
-    # continue down the middleware stack / route handler
     return await call_next(request)