fix: return full origin with port in CORS headers for localhost

package.json

@@ -27,12 +27,12 @@
 		"patch-package": "^8.0.1",
 		"typescript": "^5.9.3",
 		"vitest": "^3.2.4",
-		"wrangler": "^4.51.0"
+		"wrangler": "^4.73.0"
 	},
 	"dependencies": {
 		"@cloudflare/workers-oauth-provider": "^0.1.0",
 		"@modelcontextprotocol/sdk": "^1.20.2",
-		"agents": "^0.2.21",
+		"agents": "^0.7.6",
 		"globalping": "^0.2.0",
 		"hono": "^4.10.6",
 		"mcpcat": "^0.1.9-beta.5",

src/index.ts

@@ -12,12 +12,23 @@ import { validateOrigin, validateHost, getCorsOptionsForRequest } from "./lib";
 import * as mcpcat from "mcpcat";
 
 export class GlobalpingMCP extends McpAgent<GlobalpingEnv, State, Props> {
-	server = new McpServer({
-		name: MCP_CONFIG.NAME,
-		version: MCP_CONFIG.VERSION,
-		icons: MCP_CONFIG.ICONS,
-		websiteUrl: MCP_CONFIG.WEBSITE_URL,
-		instructions: `You have access to Globalping, a global network measurement platform. Use it to run ping, traceroute, DNS, MTR, and HTTP tests from thousands of locations worldwide.
+	server = new McpServer(
+		{
+			name: MCP_CONFIG.NAME,
+			version: MCP_CONFIG.VERSION,
+			icons: MCP_CONFIG.ICONS,
+			websiteUrl: MCP_CONFIG.WEBSITE_URL,
+		},
+		{
+			capabilities: {
+				tools: {
+					listChanged: true,
+				},
+				resources: {},
+				prompts: {},
+				logging: {},
+			},
+			instructions: `You have access to Globalping, a global network measurement platform. Use it to run ping, traceroute, DNS, MTR, and HTTP tests from thousands of locations worldwide.
 
 Key guidelines:
 - Always use the 'locations' argument to specify where to run tests from (e.g., 'London', 'US', 'AWS').
@@ -28,15 +39,8 @@ Key guidelines:
 - If a user asks about 'routing' or 'hops', use 'traceroute' or 'mtr'.
 - If a user asks about 'website availability', use 'http'.
 - If a user asks about 'dns propagation', use 'dns'.`,
-		capabilities: {
-			tools: {
-				listChanged: true,
-			},
-			resources: {},
-			prompts: {},
-			logging: {},
 		},
-	});
+	);
 
 	// Initialize the state
 	initialState: State = {
@@ -492,9 +496,12 @@ async function handleMcpRequest(req: Request, env: GlobalpingEnv, ctx: Execution
 /**
  * Handle API token requests (direct API access without OAuth)
  */
-async function handleAPITokenRequest<
-	T extends typeof McpAgent<unknown, unknown, Record<string, unknown>>,
->(agent: T, req: Request, env: GlobalpingEnv, ctx: ExecutionContext) {
+async function handleAPITokenRequest(
+	agent: typeof GlobalpingMCP,
+	req: Request,
+	env: GlobalpingEnv,
+	ctx: ExecutionContext,
+) {
 	const { pathname } = new URL(req.url);
 
 	// Validate Host header to prevent DNS rebinding attacks (first layer)

src/lib/security.ts

@@ -225,15 +225,16 @@ export function getMatchingOrigin(requestOrigin: string | null): string | null {
 		return requestOrigin;
 	}
 
-	// For localhost/127.0.0.1/[::1] with ports, return the base origin if it matches
+	// For localhost/127.0.0.1/[::1], check the base origin (without port) against
+	// CORS_CONFIG.ALLOWED_ORIGINS, then return the origin including the port when present
 	try {
 		const originUrl = new URL(requestOrigin);
 		const hostname = originUrl.hostname.toLowerCase();
 
 		if (hostname === "localhost" || hostname === "127.0.0.1" || hostname === "[::1]") {
 			const baseOrigin = `${originUrl.protocol}//${hostname}`;
 			if (CORS_CONFIG.ALLOWED_ORIGINS.includes(baseOrigin)) {
-				return baseOrigin;
+				return originUrl.port ? `${baseOrigin}:${originUrl.port}` : baseOrigin;
 			}
 		}
 	} catch {

src/lib/target-validation.ts

@@ -69,7 +69,12 @@ export function isPrivateIPv6(ip: string): boolean {
 	}
 
 	// fe80::/10 - Link-local addresses
-	if (cleanIp.startsWith("fe8") || cleanIp.startsWith("fe9") || cleanIp.startsWith("fea") || cleanIp.startsWith("feb")) {
+	if (
+		cleanIp.startsWith("fe8") ||
+		cleanIp.startsWith("fe9") ||
+		cleanIp.startsWith("fea") ||
+		cleanIp.startsWith("feb")
+	) {
 		return true;
 	}
 
@@ -104,9 +109,11 @@ export function isLoopbackIPv4(ip: string): boolean {
  */
 export function isLoopbackIPv6(ip: string): boolean {
 	const cleanIp = ip.replace(/^\[|\]$/g, "").toLowerCase();
-
-	// ::1 is the only IPv6 loopback
-	return cleanIp === "::1" || cleanIp === "0:0:0:0:0:0:0:1" || cleanIp === "0000:0000:0000:0000:0000:0000:0000:0001";
+	try {
+		return new URL(`http://[${cleanIp}]`).origin === "http://[::1]";
+	} catch {
+		return false;
+	}
 }
 
 /**

src/mcp/tools.ts

@@ -46,7 +46,9 @@ export function registerGlobalpingTools(agent: GlobalpingMCP, getToken: () => st
 			inputSchema: {
 				target: z
 					.string()
-					.describe("Public domain name or IP address to test (e.g., 'google.com', '1.1.1.1'). Private IPs (RFC1918), localhost, and link-local addresses are not supported."),
+					.describe(
+						"Public domain name or IP address to test (e.g., 'google.com', '1.1.1.1'). Private IPs (RFC1918), localhost, and link-local addresses are not supported.",
+					),
 				locations: z
 					.union([z.array(z.string()), z.string()])
 					.optional()
@@ -142,7 +144,9 @@ export function registerGlobalpingTools(agent: GlobalpingMCP, getToken: () => st
 			inputSchema: {
 				target: z
 					.string()
-					.describe("Public domain name or IP address to test (e.g., 'cloudflare.com', '1.1.1.1'). Private IPs (RFC1918), localhost, and link-local addresses are not supported."),
+					.describe(
+						"Public domain name or IP address to test (e.g., 'cloudflare.com', '1.1.1.1'). Private IPs (RFC1918), localhost, and link-local addresses are not supported.",
+					),
 				locations: z
 					.union([z.array(z.string()), z.string()])
 					.optional()
@@ -243,7 +247,11 @@ export function registerGlobalpingTools(agent: GlobalpingMCP, getToken: () => st
 				readOnlyHint: true,
 			},
 			inputSchema: {
-				target: z.string().describe("Public domain name to resolve (e.g., 'google.com'). Private domains, localhost, and link-local addresses are not supported."),
+				target: z
+					.string()
+					.describe(
+						"Public domain name to resolve (e.g., 'google.com'). Private domains, localhost, and link-local addresses are not supported.",
+					),
 				locations: z
 					.union([z.array(z.string()), z.string()])
 					.optional()
@@ -373,7 +381,9 @@ export function registerGlobalpingTools(agent: GlobalpingMCP, getToken: () => st
 				target: z
 					.string()
 					.min(1)
-					.describe("Public destination hostname or IP address to run the MTR against. Private IPs (RFC1918), localhost, and link-local addresses are not supported."),
+					.describe(
+						"Public destination hostname or IP address to run the MTR against. Private IPs (RFC1918), localhost, and link-local addresses are not supported.",
+					),
 				locations: z
 					.union([z.array(z.string()), z.string()])
 					.optional()
@@ -478,7 +488,11 @@ export function registerGlobalpingTools(agent: GlobalpingMCP, getToken: () => st
 				readOnlyHint: true,
 			},
 			inputSchema: {
-				target: z.string().describe("Public domain name or IP address to test (e.g., 'example.com'). Private IPs (RFC1918), localhost, and link-local addresses are not supported."),
+				target: z
+					.string()
+					.describe(
+						"Public domain name or IP address to test (e.g., 'example.com'). Private IPs (RFC1918), localhost, and link-local addresses are not supported.",
+					),
 				locations: z
 					.union([z.array(z.string()), z.string()])
 					.optional()

src/types/globalping.ts

@@ -1,8 +1,6 @@
 /**
  * Types for the Globalping API based on https://api.globalping.io/v1/spec.yaml
  */
-import type { DurableObjectNamespace } from "@cloudflare/workers-types";
-
 // OAuth types
 export interface GlobalpingOAuthConfig {
 	clientId: string;
@@ -19,13 +17,9 @@ export interface GlobalpingOAuthTokenResponse {
 	created_at?: number;
 }
 
-// Environment interface
-export interface GlobalpingEnv {
-	GLOBALPING_CLIENT_ID: string;
-	globalping_mcp_object: DurableObjectNamespace;
-	OAUTH_KV: KVNamespace;
-	MCPCAT_PROJECT_ID?: string;
-}
+// Environment interface - extends Cloudflare.Env which is auto-generated by `wrangler types`
+// and includes the properly-typed DurableObjectNamespace<GlobalpingMCP> binding
+export interface GlobalpingEnv extends Cloudflare.Env {}
 
 /**
  * Globalping API Types

test/unit/lib/security.test.ts

@@ -225,8 +225,8 @@ describe("getMatchingOrigin", () => {
 	});
 
 	it("should return exact match for localhost with ports", () => {
-		expect(getMatchingOrigin("http://localhost:3000")).toBe("http://localhost");
-		expect(getMatchingOrigin("http://127.0.0.1:8080")).toBe("http://127.0.0.1");
+		expect(getMatchingOrigin("http://localhost:3000")).toBe("http://localhost:3000");
+		expect(getMatchingOrigin("http://127.0.0.1:8080")).toBe("http://127.0.0.1:8080");
 	});
 
 	it("should return base origin for localhost without ports", () => {
@@ -235,10 +235,10 @@ describe("getMatchingOrigin", () => {
 	});
 
 	it("should return exact match for IPv6 localhost with ports", () => {
-		expect(getMatchingOrigin("http://[::1]:3000")).toBe("http://[::1]");
-		expect(getMatchingOrigin("http://[::1]:8080")).toBe("http://[::1]");
-		expect(getMatchingOrigin("https://[::1]:8443")).toBe("https://[::1]");
-		expect(getMatchingOrigin("https://[::1]:3000")).toBe("https://[::1]");
+		expect(getMatchingOrigin("http://[::1]:3000")).toBe("http://[::1]:3000");
+		expect(getMatchingOrigin("http://[::1]:8080")).toBe("http://[::1]:8080");
+		expect(getMatchingOrigin("https://[::1]:8443")).toBe("https://[::1]:8443");
+		expect(getMatchingOrigin("https://[::1]:3000")).toBe("https://[::1]:3000");
 	});
 
 	it("should return base origin for IPv6 localhost without ports", () => {
@@ -276,7 +276,7 @@ describe("getCorsOptionsForRequest", () => {
 
 		const corsOptions = getCorsOptionsForRequest(mockRequest);
 
-		expect(corsOptions.origin).toBe("http://localhost");
+		expect(corsOptions.origin).toBe("http://localhost:3000");
 		expect(typeof corsOptions.origin).toBe("string");
 	});
 
@@ -290,7 +290,7 @@ describe("getCorsOptionsForRequest", () => {
 
 		const corsOptionsHttp = getCorsOptionsForRequest(mockRequestHttp);
 
-		expect(corsOptionsHttp.origin).toBe("http://[::1]");
+		expect(corsOptionsHttp.origin).toBe("http://[::1]:3000");
 		expect(typeof corsOptionsHttp.origin).toBe("string");
 
 		const mockRequestHttps = {
@@ -302,7 +302,7 @@ describe("getCorsOptionsForRequest", () => {
 
 		const corsOptionsHttps = getCorsOptionsForRequest(mockRequestHttps);
 
-		expect(corsOptionsHttps.origin).toBe("https://[::1]");
+		expect(corsOptionsHttps.origin).toBe("https://[::1]:8443");
 		expect(typeof corsOptionsHttps.origin).toBe("string");
 	});
 
@@ -319,7 +319,7 @@ describe("getCorsOptionsForRequest", () => {
 			} as unknown as Request;
 
 			const corsOptions = getCorsOptionsForRequest(mockRequest);
-			expect(corsOptions.origin).toBe("http://[::1]");
+			expect(corsOptions.origin).toBe(`http://[::1]:${port}`);
 		}
 	});