Skip to content

fix: return 404 for invalid MCP session IDs in examples #389 #1331

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
lraveri wants to merge 1 commit into
base: main
Choose a base branch
from
+164 −42
Open

fix: return 404 for invalid MCP session IDs in examples #389 #1331

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
38 changes: 30 additions & 8 deletions examples/server/src/elicitationFormExample.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -332,9 +332,21 @@ async function main() {

try {
let transport: StreamableHTTPServerTransport;
if (sessionId && transports[sessionId]) {
// Reuse existing transport for this session
transport = transports[sessionId];
if (sessionId) {
if (transports[sessionId]) {
// Reuse existing transport for this session
transport = transports[sessionId];
} else {
res.status(404).json({
jsonrpc: '2.0',
error: {
code: -32000,
message: 'Not Found: Invalid session ID'
},
id: null
});
return;
}
} else if (!sessionId && isInitializeRequest(req.body)) {
// New initialization request - create new transport
transport = new StreamableHTTPServerTransport({
Expand Down Expand Up @@ -366,7 +378,7 @@ async function main() {
jsonrpc: '2.0',
error: {
code: -32000,
message: 'Bad Request: No valid session ID provided'
message: 'Bad Request: No session ID provided'
},
id: null
});
Expand Down Expand Up @@ -395,8 +407,13 @@ async function main() {
// Handle GET requests for SSE streams
const mcpGetHandler = async (req: Request, res: Response) => {
const sessionId = req.headers['mcp-session-id'] as string | undefined;
if (!sessionId || !transports[sessionId]) {
res.status(400).send('Invalid or missing session ID');
if (!sessionId) {
res.status(400).send('Missing session ID');
return;
}

if (!transports[sessionId]) {
res.status(404).send('Invalid session ID');
return;
}

Expand All @@ -410,8 +427,13 @@ async function main() {
// Handle DELETE requests for session termination
const mcpDeleteHandler = async (req: Request, res: Response) => {
const sessionId = req.headers['mcp-session-id'] as string | undefined;
if (!sessionId || !transports[sessionId]) {
res.status(400).send('Invalid or missing session ID');
if (!sessionId) {
res.status(400).send('Missing session ID');
return;
}

if (!transports[sessionId]) {
res.status(404).send('Invalid session ID');
return;
}

Expand Down
38 changes: 30 additions & 8 deletions examples/server/src/elicitationUrlExample.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -614,9 +614,21 @@ const mcpPostHandler = async (req: Request, res: Response) => {

try {
let transport: StreamableHTTPServerTransport;
if (sessionId && transports[sessionId]) {
// Reuse existing transport
transport = transports[sessionId];
if (sessionId) {
if (transports[sessionId]) {
// Reuse existing transport
transport = transports[sessionId];
} else {
res.status(404).json({
jsonrpc: '2.0',
error: {
code: -32000,
message: 'Not Found: Invalid session ID'
},
id: null
});
return;
}
} else if (!sessionId && isInitializeRequest(req.body)) {
const server = getServer();
// New initialization request
Expand Down Expand Up @@ -658,7 +670,7 @@ const mcpPostHandler = async (req: Request, res: Response) => {
jsonrpc: '2.0',
error: {
code: -32000,
message: 'Bad Request: No valid session ID provided'
message: 'Bad Request: No session ID provided'
},
id: null
});
Expand Down Expand Up @@ -689,8 +701,13 @@ app.post('/mcp', authMiddleware, mcpPostHandler);
// Handle GET requests for SSE streams (using built-in support from StreamableHTTP)
const mcpGetHandler = async (req: Request, res: Response) => {
const sessionId = req.headers['mcp-session-id'] as string | undefined;
if (!sessionId || !transports[sessionId]) {
res.status(400).send('Invalid or missing session ID');
if (!sessionId) {
res.status(400).send('Missing session ID');
return;
}

if (!transports[sessionId]) {
res.status(404).send('Invalid session ID');
return;
}

Expand Down Expand Up @@ -728,8 +745,13 @@ app.get('/mcp', authMiddleware, mcpGetHandler);
// Handle DELETE requests for session termination (according to MCP spec)
const mcpDeleteHandler = async (req: Request, res: Response) => {
const sessionId = req.headers['mcp-session-id'] as string | undefined;
if (!sessionId || !transports[sessionId]) {
res.status(400).send('Invalid or missing session ID');
if (!sessionId) {
res.status(400).send('Missing session ID');
return;
}

if (!transports[sessionId]) {
res.status(404).send('Invalid session ID');
return;
}

Expand Down
20 changes: 16 additions & 4 deletions examples/server/src/jsonResponseStreamableHttp.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -105,9 +105,21 @@ app.post('/mcp', async (req: Request, res: Response) => {
const sessionId = req.headers['mcp-session-id'] as string | undefined;
let transport: StreamableHTTPServerTransport;

if (sessionId && transports[sessionId]) {
// Reuse existing transport
transport = transports[sessionId];
if (sessionId) {
if (transports[sessionId]) {
// Reuse existing transport
transport = transports[sessionId];
} else {
res.status(404).json({
jsonrpc: '2.0',
error: {
code: -32000,
message: 'Not Found: Invalid session ID'
},
id: null
});
return;
}
} else if (!sessionId && isInitializeRequest(req.body)) {
// New initialization request - use JSON response mode
transport = new StreamableHTTPServerTransport({
Expand All @@ -132,7 +144,7 @@ app.post('/mcp', async (req: Request, res: Response) => {
jsonrpc: '2.0',
error: {
code: -32000,
message: 'Bad Request: No valid session ID provided'
message: 'Bad Request: No session ID provided'
},
id: null
});
Expand Down
38 changes: 30 additions & 8 deletions examples/server/src/simpleStreamableHttp.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -606,9 +606,21 @@ const mcpPostHandler = async (req: Request, res: Response) => {
}
try {
let transport: StreamableHTTPServerTransport;
if (sessionId && transports[sessionId]) {
// Reuse existing transport
transport = transports[sessionId];
if (sessionId) {
if (transports[sessionId]) {
// Reuse existing transport
transport = transports[sessionId];
} else {
res.status(404).json({
jsonrpc: '2.0',
error: {
code: -32000,
message: 'Not Found: Invalid session ID'
},
id: null
});
return;
}
} else if (!sessionId && isInitializeRequest(req.body)) {
// New initialization request
const eventStore = new InMemoryEventStore();
Expand Down Expand Up @@ -645,7 +657,7 @@ const mcpPostHandler = async (req: Request, res: Response) => {
jsonrpc: '2.0',
error: {
code: -32000,
message: 'Bad Request: No valid session ID provided'
message: 'Bad Request: No session ID provided'
},
id: null
});
Expand Down Expand Up @@ -680,8 +692,13 @@ if (useOAuth && authMiddleware) {
// Handle GET requests for SSE streams (using built-in support from StreamableHTTP)
const mcpGetHandler = async (req: Request, res: Response) => {
const sessionId = req.headers['mcp-session-id'] as string | undefined;
if (!sessionId || !transports[sessionId]) {
res.status(400).send('Invalid or missing session ID');
if (!sessionId) {
res.status(400).send('Missing session ID');
return;
}

if (!transports[sessionId]) {
res.status(404).send('Invalid session ID');
return;
}

Expand Down Expand Up @@ -711,8 +728,13 @@ if (useOAuth && authMiddleware) {
// Handle DELETE requests for session termination (according to MCP spec)
const mcpDeleteHandler = async (req: Request, res: Response) => {
const sessionId = req.headers['mcp-session-id'] as string | undefined;
if (!sessionId || !transports[sessionId]) {
res.status(400).send('Invalid or missing session ID');
if (!sessionId) {
res.status(400).send('Missing session ID');
return;
}

if (!transports[sessionId]) {
res.status(404).send('Invalid session ID');
return;
}

Expand Down
27 changes: 22 additions & 5 deletions examples/server/src/simpleTaskInteractive.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -679,10 +679,17 @@ app.post('/mcp', async (req: Request, res: Response) => {
await server.connect(transport);
await transport.handleRequest(req, res, req.body);
return;
} else if (sessionId) {
res.status(404).json({
jsonrpc: '2.0',
error: { code: -32000, message: 'Not Found: Invalid session ID' },
id: null
});
return;
} else {
res.status(400).json({
jsonrpc: '2.0',
error: { code: -32000, message: 'Bad Request: No valid session ID' },
error: { code: -32000, message: 'Bad Request: No session ID' },
id: null
});
return;
Expand All @@ -704,8 +711,13 @@ app.post('/mcp', async (req: Request, res: Response) => {
// Handle GET requests for SSE streams
app.get('/mcp', async (req: Request, res: Response) => {
const sessionId = req.headers['mcp-session-id'] as string | undefined;
if (!sessionId || !transports[sessionId]) {
res.status(400).send('Invalid or missing session ID');
if (!sessionId) {
res.status(400).send('Missing session ID');
return;
}

if (!transports[sessionId]) {
res.status(404).send('Invalid session ID');
return;
}

Expand All @@ -716,8 +728,13 @@ app.get('/mcp', async (req: Request, res: Response) => {
// Handle DELETE requests for session termination
app.delete('/mcp', async (req: Request, res: Response) => {
const sessionId = req.headers['mcp-session-id'] as string | undefined;
if (!sessionId || !transports[sessionId]) {
res.status(400).send('Invalid or missing session ID');
if (!sessionId) {
res.status(400).send('Missing session ID');
return;
}

if (!transports[sessionId]) {
res.status(404).send('Invalid session ID');
return;
}

Expand Down
16 changes: 13 additions & 3 deletions examples/server/src/sseAndStreamableHttpCompatibleServer.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -96,13 +96,13 @@ app.all('/mcp', async (req: Request, res: Response) => {
const sessionId = req.headers['mcp-session-id'] as string | undefined;
let transport: StreamableHTTPServerTransport;

if (sessionId && transports[sessionId]) {
if (sessionId) {
// Check if the transport is of the correct type
const existingTransport = transports[sessionId];
if (existingTransport instanceof StreamableHTTPServerTransport) {
// Reuse existing transport
transport = existingTransport;
} else {
} else if (existingTransport) {
// Transport exists but is not a StreamableHTTPServerTransport (could be SSEServerTransport)
res.status(400).json({
jsonrpc: '2.0',
Expand All @@ -113,6 +113,16 @@ app.all('/mcp', async (req: Request, res: Response) => {
id: null
});
return;
} else {
res.status(404).json({
jsonrpc: '2.0',
error: {
code: -32000,
message: 'Not Found: Invalid session ID'
},
id: null
});
return;
}
} else if (!sessionId && req.method === 'POST' && isInitializeRequest(req.body)) {
const eventStore = new InMemoryEventStore();
Expand Down Expand Up @@ -144,7 +154,7 @@ app.all('/mcp', async (req: Request, res: Response) => {
jsonrpc: '2.0',
error: {
code: -32000,
message: 'Bad Request: No valid session ID provided'
message: 'Bad Request: No session ID provided'
},
id: null
});
Expand Down
29 changes: 23 additions & 6 deletions examples/server/src/standaloneSseWithGetStreamableHttp.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,9 +43,21 @@ app.post('/mcp', async (req: Request, res: Response) => {
const sessionId = req.headers['mcp-session-id'] as string | undefined;
let transport: StreamableHTTPServerTransport;

if (sessionId && transports[sessionId]) {
// Reuse existing transport
transport = transports[sessionId];
if (sessionId) {
if (transports[sessionId]) {
// Reuse existing transport
transport = transports[sessionId];
} else {
res.status(404).json({
jsonrpc: '2.0',
error: {
code: -32000,
message: 'Not Found: Invalid session ID'
},
id: null
});
return;
}
} else if (!sessionId && isInitializeRequest(req.body)) {
// New initialization request
transport = new StreamableHTTPServerTransport({
Expand All @@ -70,7 +82,7 @@ app.post('/mcp', async (req: Request, res: Response) => {
jsonrpc: '2.0',
error: {
code: -32000,
message: 'Bad Request: No valid session ID provided'
message: 'Bad Request: No session ID provided'
},
id: null
});
Expand All @@ -97,8 +109,13 @@ app.post('/mcp', async (req: Request, res: Response) => {
// Handle GET requests for SSE streams (now using built-in support from StreamableHTTP)
app.get('/mcp', async (req: Request, res: Response) => {
const sessionId = req.headers['mcp-session-id'] as string | undefined;
if (!sessionId || !transports[sessionId]) {
res.status(400).send('Invalid or missing session ID');
if (!sessionId) {
res.status(400).send('Missing session ID');
return;
}

if (!transports[sessionId]) {
res.status(404).send('Invalid session ID');
return;
}

Expand Down
Loading