refactor: remove legacy stateless session handling logic and associated regression tests

Author: guglielmo-san

mcp/streamable.go

@@ -343,10 +343,6 @@ func (h *StreamableHTTPHandler) serveStateless(w http.ResponseWriter, req *http.
 		return
 	}
 
-	// Peek at the body to determine whether this is a new-protocol request.
-	// New-protocol requests are fully sessionless: even under the legacy
-	// `allowsessionsinstateless` compat flag, we must not read or generate
-	// a session ID for them.
 	connectOpts, usesNewProtocol, err := h.ephemeralConnectOpts(req)
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusBadRequest)
@@ -401,15 +397,12 @@ func (h *StreamableHTTPHandler) serveStatelessLegacyDELETE(w http.ResponseWriter
 // For old-protocol requests, default session state is synthesized so that
 // the session's init gate doesn't reject the request. For new-protocol
 // requests, no state is synthesized: the request carries its identity in
-// `_meta`, and [ServerSession.InitializeParams] returning nil is the
-// migration signal that handlers should read identity via the per-request
-// accessors on [ServerRequest].
+// `_meta`.
 //
 // It is used for both stateless servers and stateful servers with no session ID.
 //
 // The returned usesNewProtocol bool reports whether any request in the body
-// carried `_meta.protocolVersion`. Callers may use it to suppress legacy
-// session-handling behavior (e.g., reading Mcp-Session-Id) for such requests.
+// carried `_meta.protocolVersion`.
 func (h *StreamableHTTPHandler) ephemeralConnectOpts(req *http.Request) (opts *ServerSessionOptions, usesNewProtocol bool, err error) {
 	protocolVersion := protocolVersionFromContext(req.Context())
 	if protocolVersion == "" {

mcp/streamable_test.go

@@ -3375,179 +3375,3 @@ func TestStreamableStateless_NewProtocolSession_NoFakeInit(t *testing.T) {
 		t.Errorf("req.ClientCapabilities() = %+v, want non-nil Sampling", capture.reqClientCapabilities)
 	}
 }
-
-func TestStreamableStateless_OldProtocolUnchanged(t *testing.T) {
-	// Regression: an old-protocol request to a stateless server must still
-	// observe a non-nil (synthetic) InitializeParams on the session, so
-	// existing handlers and the init gate continue to work.
-	capture := &statelessHandlerCapture{}
-	mcpServer := NewServer(testImpl, nil)
-	AddTool(mcpServer, &Tool{Name: "capture", Description: "captures request info"},
-		func(ctx context.Context, req *CallToolRequest, args struct{}) (*CallToolResult, any, error) {
-			capture.mu.Lock()
-			defer capture.mu.Unlock()
-			capture.sessionInitParams = req.Session.InitializeParams()
-			capture.reqProtocolVersion = req.ProtocolVersion()
-			return &CallToolResult{Content: []Content{&TextContent{Text: "ok"}}}, nil, nil
-		})
-
-	handler := NewStreamableHTTPHandler(
-		func(*http.Request) *Server { return mcpServer },
-		&StreamableHTTPOptions{Stateless: true},
-	)
-	httpServer := httptest.NewServer(handler)
-	defer httpServer.Close()
-
-	body, err := json.Marshal(map[string]any{
-		"jsonrpc": "2.0",
-		"id":      1,
-		"method":  "tools/call",
-		"params":  map[string]any{"name": "capture", "arguments": map[string]any{}},
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-	httpReq, err := http.NewRequest(http.MethodPost, httpServer.URL, bytes.NewReader(body))
-	if err != nil {
-		t.Fatal(err)
-	}
-	httpReq.Header.Set("Content-Type", "application/json")
-	httpReq.Header.Set("Accept", "application/json, text/event-stream")
-	httpReq.Header.Set("MCP-Protocol-Version", protocolVersion20250618)
-
-	resp, err := http.DefaultClient.Do(httpReq)
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer resp.Body.Close()
-	if resp.StatusCode != http.StatusOK {
-		respBody, _ := io.ReadAll(resp.Body)
-		t.Fatalf("status = %d, want 200; body = %s", resp.StatusCode, respBody)
-	}
-
-	capture.mu.Lock()
-	defer capture.mu.Unlock()
-	if capture.sessionInitParams == nil {
-		t.Errorf("Session.InitializeParams() = nil, want synthetic non-nil for old-protocol session")
-	}
-	if got, want := capture.reqProtocolVersion, protocolVersion20250618; got != want {
-		t.Errorf("req.ProtocolVersion() = %q (via synthetic session), want %q from MCP-Protocol-Version header", got, want)
-	}
-}
-
-func TestStreamableStateless_LegacySessionIgnoredForNewProtocol(t *testing.T) {
-	// Under the legacy `allowsessionsinstateless=1` compat flag, stateless
-	// servers normally read Mcp-Session-Id from the request and call
-	// GetSessionID. For new-protocol requests, those legacy behaviors must
-	// be skipped: the session is fully sessionless.
-	prev := allowsessionsinstateless
-	allowsessionsinstateless = "1"
-	t.Cleanup(func() { allowsessionsinstateless = prev })
-
-	var capturedSessionID string
-	mcpServer := NewServer(testImpl, nil)
-	AddTool(mcpServer, &Tool{Name: "capture", Description: "captures session id"},
-		func(ctx context.Context, req *CallToolRequest, args struct{}) (*CallToolResult, any, error) {
-			capturedSessionID = req.Session.ID()
-			return &CallToolResult{Content: []Content{&TextContent{Text: "ok"}}}, nil, nil
-		})
-
-	getSessionIDCalled := false
-	handler := NewStreamableHTTPHandler(
-		func(*http.Request) *Server { return mcpServer },
-		&StreamableHTTPOptions{Stateless: true},
-	)
-	// Patch the server's GetSessionID to detect whether it was consulted.
-	mcpServer.opts.GetSessionID = func() string {
-		getSessionIDCalled = true
-		return "should-not-be-used"
-	}
-	httpServer := httptest.NewServer(handler)
-	defer httpServer.Close()
-
-	body := newProtocolBody(t, "capture", struct{}{})
-	httpReq, err := http.NewRequest(http.MethodPost, httpServer.URL, bytes.NewReader(body))
-	if err != nil {
-		t.Fatal(err)
-	}
-	httpReq.Header.Set("Content-Type", "application/json")
-	httpReq.Header.Set("Accept", "application/json, text/event-stream")
-	// Explicitly send a session-ID header that the legacy compat path would
-	// normally honor. For new-protocol requests it must be ignored.
-	httpReq.Header.Set(sessionIDHeader, "legacy-client-supplied-id")
-
-	resp, err := http.DefaultClient.Do(httpReq)
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer resp.Body.Close()
-	if resp.StatusCode != http.StatusOK {
-		respBody, _ := io.ReadAll(resp.Body)
-		t.Fatalf("status = %d, want 200; body = %s", resp.StatusCode, respBody)
-	}
-
-	if capturedSessionID != "" {
-		t.Errorf("Session.ID() = %q, want empty (new-protocol request must ignore Mcp-Session-Id)", capturedSessionID)
-	}
-	if getSessionIDCalled {
-		t.Errorf("server.opts.GetSessionID was consulted for a new-protocol request; want it to be skipped")
-	}
-	if echoed := resp.Header.Get(sessionIDHeader); echoed != "" {
-		t.Errorf("response %s header = %q, want empty for new-protocol request", sessionIDHeader, echoed)
-	}
-}
-
-func TestStreamableStateless_LegacySessionHonoredForOldProtocol(t *testing.T) {
-	// Regression: under `allowsessionsinstateless=1`, an OLD-protocol request
-	// must still see the legacy session-handling behavior (Mcp-Session-Id
-	// honored, GetSessionID consulted) so existing deployments don't break.
-	prev := allowsessionsinstateless
-	allowsessionsinstateless = "1"
-	t.Cleanup(func() { allowsessionsinstateless = prev })
-
-	var capturedSessionID string
-	mcpServer := NewServer(testImpl, nil)
-	AddTool(mcpServer, &Tool{Name: "capture", Description: "captures session id"},
-		func(ctx context.Context, req *CallToolRequest, args struct{}) (*CallToolResult, any, error) {
-			capturedSessionID = req.Session.ID()
-			return &CallToolResult{Content: []Content{&TextContent{Text: "ok"}}}, nil, nil
-		})
-
-	handler := NewStreamableHTTPHandler(
-		func(*http.Request) *Server { return mcpServer },
-		&StreamableHTTPOptions{Stateless: true},
-	)
-	httpServer := httptest.NewServer(handler)
-	defer httpServer.Close()
-
-	body, err := json.Marshal(map[string]any{
-		"jsonrpc": "2.0",
-		"id":      1,
-		"method":  "tools/call",
-		"params":  map[string]any{"name": "capture", "arguments": map[string]any{}},
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-	httpReq, err := http.NewRequest(http.MethodPost, httpServer.URL, bytes.NewReader(body))
-	if err != nil {
-		t.Fatal(err)
-	}
-	httpReq.Header.Set("Content-Type", "application/json")
-	httpReq.Header.Set("Accept", "application/json, text/event-stream")
-	httpReq.Header.Set(sessionIDHeader, "old-protocol-session-id")
-
-	resp, err := http.DefaultClient.Do(httpReq)
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer resp.Body.Close()
-	if resp.StatusCode != http.StatusOK {
-		respBody, _ := io.ReadAll(resp.Body)
-		t.Fatalf("status = %d, want 200; body = %s", resp.StatusCode, respBody)
-	}
-
-	if capturedSessionID != "old-protocol-session-id" {
-		t.Errorf("Session.ID() = %q, want %q (legacy header should be honored for old-protocol requests)", capturedSessionID, "old-protocol-session-id")
-	}
-}