fix(examples): improve server-utils with stateful sessions and security

ochafik · claude · ochafik · commit c251e40a918d · 2025-12-11T19:04:28.000+01:00
Address critical issues in the shared server utility: 1. Stateful sessions: Use sessionIdGenerator + onsessioninitialized to persist StreamableHTTPServerTransport across requests 2. Unified session store: Single Map for both transport types with proper type discrimination 3. Error handling: Try/catch on all endpoints with JSON-RPC errors 4. DNS rebinding protection: Use SDK's createMcpExpressApp helper 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/examples/shared/server-utils.ts b/examples/shared/server-utils.ts
@@ -1,35 +1,36 @@
 /**
  * Shared utilities for running MCP servers with multiple transports.
  *
- * This module provides a unified way to start MCP servers supporting:
- * - stdio transport (for local CLI tools)
- * - Streamable HTTP transport (current spec)
- * - Legacy SSE transport (deprecated, for backwards compatibility)
+ * Supports:
+ * - stdio transport (--stdio flag)
+ * - Streamable HTTP transport (/mcp) - stateful sessions
+ * - Legacy SSE transport (/sse, /messages) - backwards compatibility
  */
 
 import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { createMcpExpressApp } from "@modelcontextprotocol/sdk/server/express.js";
 import { SSEServerTransport } from "@modelcontextprotocol/sdk/server/sse.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
-import cors from "cors";
-import express, { type Request, type Response } from "express";
+import { isInitializeRequest } from "@modelcontextprotocol/sdk/types.js";
+import { randomUUID } from "node:crypto";
+import type { Request, Response } from "express";
 
 export interface ServerOptions {
-  /** Port to listen on for HTTP mode. Defaults to 3001 or PORT env variable. */
+  /** Port to listen on. Defaults to PORT env var or 3001. */
   port?: number;
-  /** Server name for logging. Defaults to "MCP Server". */
+  /** Server name for logging. */
   name?: string;
 }
 
+type Transport = StreamableHTTPServerTransport | SSEServerTransport;
+
 /**
- * Starts an MCP server with support for stdio and HTTP transports.
- *
- * Transport is selected based on command line arguments:
- * - `--stdio`: Uses stdio transport for local process communication
- * - Otherwise: Starts HTTP server with Streamable HTTP and legacy SSE support
+ * Starts an MCP server with stdio and HTTP transports.
  *
- * @param server - The MCP server instance to start
- * @param options - Optional configuration
+ * HTTP mode provides:
+ * - /mcp (GET/POST/DELETE): Streamable HTTP with stateful sessions
+ * - /sse (GET) + /messages (POST): Legacy SSE for older clients
  */
 export async function startServer(
   server: McpServer,
@@ -40,74 +41,116 @@ export async function startServer(
   const name = options.name ?? "MCP Server";
 
   if (process.argv.includes("--stdio")) {
-    const transport = new StdioServerTransport();
-    await server.connect(transport);
+    await server.connect(new StdioServerTransport());
     console.error(`${name} running in stdio mode`);
-  } else {
-    const app = express();
-    app.use(cors());
-    app.use(express.json());
-
-    // Streamable HTTP transport (current spec) - handles GET, POST, DELETE
-    app.all("/mcp", async (req: Request, res: Response) => {
-      try {
-        const transport = new StreamableHTTPServerTransport({
-          sessionIdGenerator: undefined,
-          enableJsonResponse: true,
-        });
-        res.on("close", () => {
-          transport.close();
+    return;
+  }
+
+  // Unified session store for both transport types
+  const sessions = new Map<string, Transport>();
+
+  // Express with DNS rebinding protection
+  const app = createMcpExpressApp();
+
+  // Streamable HTTP (stateful)
+  app.all("/mcp", async (req: Request, res: Response) => {
+    try {
+      const sessionId = req.headers["mcp-session-id"] as string | undefined;
+      let transport = sessionId
+        ? (sessions.get(sessionId) as StreamableHTTPServerTransport | undefined)
+        : undefined;
+
+      // Session exists but wrong transport type
+      if (sessionId && sessions.has(sessionId) && !transport) {
+        return res.status(400).json({
+          jsonrpc: "2.0",
+          error: { code: -32000, message: "Session uses different transport" },
+          id: null,
         });
+      }
 
-        await server.connect(transport);
-        await transport.handleRequest(req, res, req.body);
-      } catch (error) {
-        console.error("Error handling MCP request:", error);
-        if (!res.headersSent) {
-          res.status(500).json({
+      // New session requires initialize request
+      if (!transport) {
+        if (req.method !== "POST" || !isInitializeRequest(req.body)) {
+          return res.status(400).json({
             jsonrpc: "2.0",
-            error: { code: -32603, message: "Internal server error" },
+            error: { code: -32000, message: "Bad request: not initialized" },
             id: null,
           });
         }
+
+        transport = new StreamableHTTPServerTransport({
+          sessionIdGenerator: () => randomUUID(),
+          onsessioninitialized: (id) => {
+            sessions.set(id, transport!);
+          },
+        });
+        const t = transport;
+        t.onclose = () => {
+          if (t.sessionId) sessions.delete(t.sessionId);
+        };
+        await server.connect(transport);
       }
-    });
 
-    // Legacy SSE transport (deprecated) - for backwards compatibility
-    const sseTransports = new Map<string, SSEServerTransport>();
+      await transport.handleRequest(req, res, req.body);
+    } catch (error) {
+      console.error("MCP error:", error);
+      if (!res.headersSent) {
+        res.status(500).json({
+          jsonrpc: "2.0",
+          error: { code: -32603, message: "Internal server error" },
+          id: null,
+        });
+      }
+    }
+  });
 
-    app.get("/sse", async (_req: Request, res: Response) => {
+  // Legacy SSE
+  app.get("/sse", async (_req: Request, res: Response) => {
+    try {
       const transport = new SSEServerTransport("/messages", res);
-      sseTransports.set(transport.sessionId, transport);
-      res.on("close", () => {
-        sseTransports.delete(transport.sessionId);
-      });
+      sessions.set(transport.sessionId, transport);
+      res.on("close", () => sessions.delete(transport.sessionId));
       await server.connect(transport);
-    });
+    } catch (error) {
+      console.error("SSE error:", error);
+      if (!res.headersSent) res.status(500).end();
+    }
+  });
 
-    app.post("/messages", async (req: Request, res: Response) => {
-      const sessionId = req.query.sessionId as string;
-      const transport = sseTransports.get(sessionId);
-      if (!transport) {
-        res.status(404).json({ error: "Session not found" });
-        return;
+  app.post("/messages", async (req: Request, res: Response) => {
+    try {
+      const transport = sessions.get(req.query.sessionId as string);
+      if (!(transport instanceof SSEServerTransport)) {
+        return res.status(404).json({
+          jsonrpc: "2.0",
+          error: { code: -32001, message: "Session not found" },
+          id: null,
+        });
       }
       await transport.handlePostMessage(req, res, req.body);
-    });
-
-    const httpServer = app.listen(port, () => {
-      console.log(`${name} listening on http://localhost:${port}/mcp`);
-    });
-
-    const shutdown = () => {
-      console.log("\nShutting down...");
-      httpServer.close(() => {
-        console.log("Server closed");
-        process.exit(0);
-      });
-    };
-
-    process.on("SIGINT", shutdown);
-    process.on("SIGTERM", shutdown);
-  }
+    } catch (error) {
+      console.error("Message error:", error);
+      if (!res.headersSent) {
+        res.status(500).json({
+          jsonrpc: "2.0",
+          error: { code: -32603, message: "Internal server error" },
+          id: null,
+        });
+      }
+    }
+  });
+
+  const httpServer = app.listen(port, () => {
+    console.log(`${name} listening on http://localhost:${port}/mcp`);
+  });
+
+  const shutdown = () => {
+    console.log("\nShutting down...");
+    sessions.forEach((t) => t.close().catch(() => {}));
+    httpServer.close(() => process.exit(0));
+  };
+
+  process.on("SIGINT", shutdown);
+  process.on("SIGTERM", shutdown);
 }
