@matteo8p matteo8p commented Aug 5, 2025

Root Cause Analysis

The CORS error occurs because the MCP SDK's auth() function in
/client/src/lib/mcp-oauth.ts:130-133 attempts to fetch OAuth metadata
directly from
https://mcp.asana.com/.well-known/oauth-authorization-server/sse from the
browser.

Problem: Browser security policies prevent direct cross-origin requests
to external OAuth metadata endpoints without proper CORS headers. The
Asana MCP server doesn't include CORS headers allowing requests from your
localhost origins.

Current server CORS config (/server/index.ts:14-17):
    app.use('*', cors({
      origin: ['http://localhost:8080', 'http://localhost:3000'],
      credentials: true,
    }))

This only configures CORS for your own server, not for proxying external
requests.

Proposed Fix

Add a server-side proxy endpoint to handle OAuth metadata discovery,
bypassing browser CORS restrictions:

  1. Add OAuth proxy route in /server/routes/mcp/index.ts
  2. Create OAuth metadata proxy handler that fetches from external servers
    server-side
  3. Update client OAuth code to use the proxy endpoint instead of direct
    requests

This approach:

  • ✅ Bypasses browser CORS restrictions (server-to-server requests don't
    have CORS)
  • ✅ Maintains security (your server validates and forwards requests)
  • ✅ Works with existing OAuth flow
  • ✅ Minimal changes to existing code

@matteo8p matteo8p merged commit ca37f6a into main Aug 5, 2025
khandrew1 pushed a commit that referenced this pull request Nov 15, 2025
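
A server-side proxy like the one proposed above fetches a URL chosen by the browser, so the "server validates and forwards requests" step is where server-side request forgery has to be ruled out. The following is an added example of that validation, not code from this pull request or the project; `validateMetadataTarget`, `fetchOAuthMetadata` and `METADATA_PATH` are hypothetical names, and rejecting every IPv6 literal is a deliberately conservative assumption.

```typescript
// Added example: hypothetical helper names, not code from the PR.
const METADATA_PATH = "/.well-known/oauth-authorization-server";

interface Verdict { ok: boolean; url?: string; reason?: string }

const reject = (reason: string): Verdict => ({ ok: false, reason });

// Loopback, private, link-local and unspecified IPv4 ranges.
function isInternalIPv4(host: string): boolean {
  const m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Decide whether the proxy may fetch `raw` on the browser's behalf.
function validateMetadataTarget(raw: string): Verdict {
  let u: URL;
  try {
    u = new URL(raw);
  } catch {
    return reject("unparseable URL");
  }
  if (u.protocol !== "https:") return reject("https only");
  if (u.username || u.password) return reject("credentials in URL");
  // The URL parser has already canonicalised decimal/hex IPv4 forms
  // (e.g. 2130706433 -> 127.0.0.1), so check the parsed hostname.
  const host = u.hostname.toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) return reject("internal hostname");
  if (host.startsWith("[")) return reject("IPv6 literal");
  if (isInternalIPv4(host)) return reject("internal IPv4 address");
  // Dot segments are resolved by the parser, so ../ cannot escape the prefix.
  if (u.pathname !== METADATA_PATH && !u.pathname.startsWith(METADATA_PATH + "/")) {
    return reject("not a metadata path");
  }
  u.search = "";
  u.hash = "";
  return { ok: true, url: u.toString() };
}

// Fetch only validated targets; a redirect could point back inside the network.
async function fetchOAuthMetadata(raw: string): Promise<unknown> {
  const v = validateMetadataTarget(raw);
  if (!v.ok || !v.url) throw new Error(`blocked: ${v.reason}`);
  const res = await fetch(v.url, { redirect: "error", headers: { accept: "application/json" } });
  if (!res.ok) throw new Error(`upstream status ${res.status}`);
  return res.json();
}
```

This string-level check does not catch a public hostname that resolves to an internal address; that needs the resolved IP checked at connect time.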