@@ -360,6 +360,40 @@ async def test_cors_preflight_allows_loopback_origin_by_default(self, test_clien
360360 assert response .status_code == 200
361361 assert response .headers .get ("access-control-allow-origin" ) == origin
362362
363+ @pytest .mark .anyio
364+ async def test_cors_origin_regex_override (self , mock_oauth_provider : MockOAuthProvider ):
365+ auth_routes = create_auth_routes (
366+ mock_oauth_provider ,
367+ AnyHttpUrl ("https://auth.example.com" ),
368+ AnyHttpUrl ("https://docs.example.com" ),
369+ client_registration_options = ClientRegistrationOptions (
370+ enabled = True ,
371+ valid_scopes = ["read" , "write" , "profile" ],
372+ default_scopes = ["read" , "write" ],
373+ ),
374+ revocation_options = RevocationOptions (enabled = True ),
375+ cors_origin_regex = r"^https://allowed\.example$" ,
376+ )
377+ app = Starlette (routes = auth_routes )
378+
379+ async with httpx .AsyncClient (transport = httpx .ASGITransport (app = app ), base_url = "https://mcptest.com" ) as client :
380+ allowed = "https://allowed.example"
381+ blocked = "http://localhost:5173"
382+
383+ response = await client .get (
384+ "/.well-known/oauth-authorization-server" ,
385+ headers = {"Origin" : allowed },
386+ )
387+ assert response .status_code == 200
388+ assert response .headers .get ("access-control-allow-origin" ) == allowed
389+
390+ response = await client .get (
391+ "/.well-known/oauth-authorization-server" ,
392+ headers = {"Origin" : blocked },
393+ )
394+ assert response .status_code == 200
395+ assert "access-control-allow-origin" not in response .headers
396+
363397 @pytest .mark .anyio
364398 async def test_token_validation_error (self , test_client : httpx .AsyncClient ):
365399 """Test token endpoint error - validation error."""