fix: guard against unhandled rejections and resource leaks in HTTP transport

PatrickSys · PatrickSys · commit e031a56a1fa7 · 2026-03-25T22:19:51.000+01:00
Three issues flagged in code review:

1. Wrap entire request handler in try/catch — any await that throws
   (malformed init, SDK I/O error) previously caused an unhandled promise
   rejection that could crash the long-lived server process.

2. DELETE handler: use try/finally so sessions.delete() always runs even
   if transport.close() rejects, preventing session map leaks.

3. Init path: if transport.sessionId is null after handleRequest (malformed
   request), close the orphaned Server+Transport pair immediately rather
   than silently abandoning it.
diff --git a/src/server/http.ts b/src/server/http.ts
@@ -95,112 +95,128 @@ export async function startHttpServer(options: HttpServerOptions): Promise<HttpS
   timeoutCheck.unref();
 
   const httpServer = createHttpServer(async (req: IncomingMessage, res: ServerResponse) => {
-    const url = new URL(req.url ?? '/', `http://${host}:${port}`);
+    try {
+      const url = new URL(req.url ?? '/', `http://${host}:${port}`);
 
-    // Health check on root
-    if (url.pathname === '/' && req.method === 'GET') {
-      res.writeHead(200, { 'Content-Type': 'application/json' });
-      res.end(JSON.stringify({ status: 'ok', sessions: sessions.size }));
-      return;
-    }
-
-    // Only handle /mcp
-    if (url.pathname !== '/mcp') {
-      res.writeHead(404, { 'Content-Type': 'application/json' });
-      res.end(JSON.stringify({ error: 'Not found' }));
-      return;
-    }
-
-    const method = req.method?.toUpperCase();
-
-    if (method === 'POST') {
-      const sessionId = req.headers['mcp-session-id'] as string | undefined;
-
-      if (sessionId && sessions.has(sessionId)) {
-        // Existing session — delegate to its transport
-        touchSession(sessionId);
-        const session = sessions.get(sessionId)!;
-        await session.transport.handleRequest(req, res);
+      // Health check on root
+      if (url.pathname === '/' && req.method === 'GET') {
+        res.writeHead(200, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ status: 'ok', sessions: sessions.size }));
         return;
       }
 
-      if (sessionId && !sessions.has(sessionId)) {
-        // Unknown session ID — 404
+      // Only handle /mcp
+      if (url.pathname !== '/mcp') {
         res.writeHead(404, { 'Content-Type': 'application/json' });
-        res.end(JSON.stringify({ error: 'Session not found' }));
+        res.end(JSON.stringify({ error: 'Not found' }));
         return;
       }
 
-      // No session ID — new initialization request
-      const { server: mcpServer, transport } = createSessionServer();
+      const method = req.method?.toUpperCase();
 
-      // Connect server to transport
-      await mcpServer.connect(transport);
+      if (method === 'POST') {
+        const sessionId = req.headers['mcp-session-id'] as string | undefined;
 
-      // Register onclose before handleRequest so cleanup always fires.
-      transport.onclose = () => {
-        const sid = transport.sessionId;
-        if (sid && sessions.has(sid)) {
-          sessions.delete(sid);
-          console.error(`[HTTP] Session ${sid} disconnected`);
+        if (sessionId && sessions.has(sessionId)) {
+          // Existing session — delegate to its transport
+          touchSession(sessionId);
+          const session = sessions.get(sessionId)!;
+          await session.transport.handleRequest(req, res);
+          return;
         }
-      };
 
-      // Handle the init request — this generates the session ID
-      await transport.handleRequest(req, res);
+        if (sessionId && !sessions.has(sessionId)) {
+          // Unknown session ID — 404
+          res.writeHead(404, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ error: 'Session not found' }));
+          return;
+        }
 
-      // After handleRequest, the session ID is available
-      const newSessionId = transport.sessionId;
-      if (newSessionId) {
-        sessions.set(newSessionId, {
-          server: mcpServer,
-          transport,
-          lastActivity: Date.now()
-        });
-        console.error(`[HTTP] Session ${newSessionId} connected`);
+        // No session ID — new initialization request
+        const { server: mcpServer, transport } = createSessionServer();
 
-        // Notify caller so they can set up per-session handlers (roots refresh, etc.)
-        options.onSessionReady?.(mcpServer);
+        // Connect server to transport
+        await mcpServer.connect(transport);
+
+        // Register onclose before handleRequest so cleanup always fires.
+        transport.onclose = () => {
+          const sid = transport.sessionId;
+          if (sid && sessions.has(sid)) {
+            sessions.delete(sid);
+            console.error(`[HTTP] Session ${sid} disconnected`);
+          }
+        };
+
+        // Handle the init request — this generates the session ID
+        await transport.handleRequest(req, res);
+
+        // After handleRequest, the session ID is available
+        const newSessionId = transport.sessionId;
+        if (newSessionId) {
+          sessions.set(newSessionId, {
+            server: mcpServer,
+            transport,
+            lastActivity: Date.now()
+          });
+          console.error(`[HTTP] Session ${newSessionId} connected`);
+
+          // Notify caller so they can set up per-session handlers (roots refresh, etc.)
+          options.onSessionReady?.(mcpServer);
+        } else {
+          // Malformed init request — SDK didn't assign a session ID; clean up the orphan.
+          void transport.close().catch(() => {
+            /* best effort */
+          });
+        }
+
+        return;
       }
 
-      return;
-    }
+      if (method === 'GET') {
+        // SSE streaming for server-initiated messages
+        const sessionId = req.headers['mcp-session-id'] as string | undefined;
+        if (!sessionId || !sessions.has(sessionId)) {
+          res.writeHead(400, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ error: 'Missing or invalid session ID' }));
+          return;
+        }
 
-    if (method === 'GET') {
-      // SSE streaming for server-initiated messages
-      const sessionId = req.headers['mcp-session-id'] as string | undefined;
-      if (!sessionId || !sessions.has(sessionId)) {
-        res.writeHead(400, { 'Content-Type': 'application/json' });
-        res.end(JSON.stringify({ error: 'Missing or invalid session ID' }));
+        touchSession(sessionId);
+        const session = sessions.get(sessionId)!;
+        await session.transport.handleRequest(req, res);
         return;
       }
 
-      touchSession(sessionId);
-      const session = sessions.get(sessionId)!;
-      await session.transport.handleRequest(req, res);
-      return;
-    }
+      if (method === 'DELETE') {
+        const sessionId = req.headers['mcp-session-id'] as string | undefined;
+        if (!sessionId || !sessions.has(sessionId)) {
+          res.writeHead(404, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ error: 'Session not found' }));
+          return;
+        }
 
-    if (method === 'DELETE') {
-      const sessionId = req.headers['mcp-session-id'] as string | undefined;
-      if (!sessionId || !sessions.has(sessionId)) {
-        res.writeHead(404, { 'Content-Type': 'application/json' });
-        res.end(JSON.stringify({ error: 'Session not found' }));
+        const session = sessions.get(sessionId)!;
+        try {
+          await session.transport.close();
+        } finally {
+          sessions.delete(sessionId);
+          console.error(`[HTTP] Session ${sessionId} closed by client`);
+        }
+        res.writeHead(200, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ status: 'session_closed' }));
         return;
       }
 
-      const session = sessions.get(sessionId)!;
-      await session.transport.close();
-      sessions.delete(sessionId);
-      console.error(`[HTTP] Session ${sessionId} closed by client`);
-      res.writeHead(200, { 'Content-Type': 'application/json' });
-      res.end(JSON.stringify({ status: 'session_closed' }));
-      return;
+      // Method not allowed
+      res.writeHead(405, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ error: 'Method not allowed' }));
+    } catch (err) {
+      console.error('[HTTP] Unhandled request error:', err);
+      if (!res.headersSent) {
+        res.writeHead(500, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: 'Internal server error' }));
+      }
     }
-
-    // Method not allowed
-    res.writeHead(405, { 'Content-Type': 'application/json' });
-    res.end(JSON.stringify({ error: 'Method not allowed' }));
   });
 
   // Handle server errors
