From 3e90ade322ec90ad1a2ba646a86b5c1cd2820037 Mon Sep 17 00:00:00 2001
From: Paul Carleton <paulcarletonjr@gmail.com>
Date: Mon, 6 Oct 2025 15:32:49 +0100
Subject: [PATCH 1/2] Update metadata.ts

cc @KKonstantinov fixes #715
---
 src/server/auth/handlers/metadata.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/server/auth/handlers/metadata.ts b/src/server/auth/handlers/metadata.ts
index d8ca0e62d..e0f07a99b 100644
--- a/src/server/auth/handlers/metadata.ts
+++ b/src/server/auth/handlers/metadata.ts
@@ -10,7 +10,7 @@ export function metadataHandler(metadata: OAuthMetadata | OAuthProtectedResource
     // Configure CORS to allow any origin, to make accessible to web-based MCP clients
     router.use(cors());
 
-    router.use(allowedMethods(['GET']));
+    router.use(allowedMethods(['GET', 'OPTIONS']));
     router.get('/', (req, res) => {
         res.status(200).json(metadata);
     });

From ab7943253ada206451a9577cf26e97902367d29a Mon Sep 17 00:00:00 2001
From: Paul Carleton <paulcarletonjr@gmail.com>
Date: Mon, 13 Oct 2025 15:41:17 +0100
Subject: [PATCH 2/2] Update metadata.test.ts

---
 src/server/auth/handlers/metadata.test.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/server/auth/handlers/metadata.test.ts b/src/server/auth/handlers/metadata.test.ts
index 32feb6429..bdaa45b15 100644
--- a/src/server/auth/handlers/metadata.test.ts
+++ b/src/server/auth/handlers/metadata.test.ts
@@ -29,7 +29,7 @@ describe('Metadata Handler', () => {
         const response = await supertest(app).post('/.well-known/oauth-authorization-server').send({});
 
         expect(response.status).toBe(405);
-        expect(response.headers.allow).toBe('GET');
+        expect(response.headers.allow).toBe('GET, OPTIONS');
         expect(response.body).toEqual({
             error: 'method_not_allowed',
             error_description: 'The method POST is not allowed for this endpoint'