nextcloud-mcp-server/app-hooks/patches/cors-bearer-token.patch

diff --git a/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php b/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php
index 4453f5a7d4b..f1ca9b48d21 100644
--- a/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php
+++ b/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php
@@ -73,6 +73,13 @@ class CORSMiddleware extends Middleware {
 			$user = array_key_exists('PHP_AUTH_USER', $this->request->server) ? $this->request->server['PHP_AUTH_USER'] : null;
 			$pass = array_key_exists('PHP_AUTH_PW', $this->request->server) ? $this->request->server['PHP_AUTH_PW'] : null;
 
+			// Allow Bearer token authentication for CORS requests
+			// Bearer tokens are stateless and don't require CSRF protection
+			$authorizationHeader = $this->request->getHeader('Authorization');
+			if (!empty($authorizationHeader) && str_starts_with($authorizationHeader, 'Bearer ')) {
+				return;
+			}
+
 			// Allow to use the current session if a CSRF token is provided
 			if ($this->request->passesCSRFCheck()) {
 				return;