feat(server): support configurable max request payload size (#521)

Add maxRequestBodySize parameter to StreamableHttpServerTransport.Configuration,
defaulting to 4 MB. This allows consumers to set a lower request body size limit
without manual payload counting.

- Add maxRequestBodySize: Long to Configuration with require(> 0) validation
- Replace hardcoded MAXIMUM_MESSAGE_SIZE with configurable value in parseBody()
- Use Long for content-length comparison to avoid Int overflow
- Error message displays exact byte limit for clarity at any configured size
- Note: body.length check after receiveText() uses character count (pre-existing
  behavior); byte-accurate fallback is tracked separately

Author: jskjw157

kotlin-sdk-server/api/kotlin-sdk-server.api

@@ -222,13 +222,14 @@ public final class io/modelcontextprotocol/kotlin/sdk/server/StreamableHttpServe
 }
 
 public final class io/modelcontextprotocol/kotlin/sdk/server/StreamableHttpServerTransport$Configuration {
-	public synthetic fun <init> (ZZLjava/util/List;Ljava/util/List;Lio/modelcontextprotocol/kotlin/sdk/server/EventStore;Lkotlin/time/Duration;ILkotlin/jvm/internal/DefaultConstructorMarker;)V
-	public synthetic fun <init> (ZZLjava/util/List;Ljava/util/List;Lio/modelcontextprotocol/kotlin/sdk/server/EventStore;Lkotlin/time/Duration;Lkotlin/jvm/internal/DefaultConstructorMarker;)V
+	public synthetic fun <init> (ZZLjava/util/List;Ljava/util/List;Lio/modelcontextprotocol/kotlin/sdk/server/EventStore;Lkotlin/time/Duration;JILkotlin/jvm/internal/DefaultConstructorMarker;)V
+	public synthetic fun <init> (ZZLjava/util/List;Ljava/util/List;Lio/modelcontextprotocol/kotlin/sdk/server/EventStore;Lkotlin/time/Duration;JLkotlin/jvm/internal/DefaultConstructorMarker;)V
 	public final fun getAllowedHosts ()Ljava/util/List;
 	public final fun getAllowedOrigins ()Ljava/util/List;
 	public final fun getEnableDnsRebindingProtection ()Z
 	public final fun getEnableJsonResponse ()Z
 	public final fun getEventStore ()Lio/modelcontextprotocol/kotlin/sdk/server/EventStore;
+	public final fun getMaxRequestBodySize ()J
 	public final fun getRetryInterval-FghU774 ()Lkotlin/time/Duration;
 }
 

kotlin-sdk-server/detekt-baseline-main.xml

@@ -4,6 +4,7 @@
   <CurrentIssues>
     <ID>InjectDispatcher:FeatureNotificationService.kt:FeatureNotificationService$Default</ID>
     <ID>LongParameterList:KtorServer.kt:private suspend fun RoutingContext.streamableTransport: StreamableHttpServerTransport?</ID>
+    <ID>LongParameterList:StreamableHttpServerTransport.kt:StreamableHttpServerTransport.Configuration</ID>
     <ID>MagicNumber:StdioServerTransport.kt:StdioServerTransport$8192</ID>
     <ID>MaxLineLength:SSEServerTransport.kt:SseServerTransport$"SSEServerTransport already started! If using Server class, note that connect() calls start() automatically."</ID>
     <ID>MaxLineLength:SSEServerTransport.kt:SseServerTransport$*</ID>

kotlin-sdk-server/src/commonMain/kotlin/io/modelcontextprotocol/kotlin/sdk/server/StreamableHttpServerTransport.kt

@@ -45,7 +45,7 @@ import kotlin.uuid.Uuid
 internal const val MCP_SESSION_ID_HEADER = "mcp-session-id"
 private const val MCP_PROTOCOL_VERSION_HEADER = "mcp-protocol-version"
 private const val MCP_RESUMPTION_TOKEN_HEADER = "Last-Event-ID"
-private const val MAXIMUM_MESSAGE_SIZE = 4 * 1024 * 1024 // 4 MB
+private const val DEFAULT_MAX_REQUEST_BODY_SIZE: Long = 4L * 1024 * 1024 // 4 MB
 private const val MIN_PRIMING_EVENT_PROTOCOL_VERSION = "2025-11-25"
 
 /**
@@ -141,6 +141,9 @@ public class StreamableHttpServerTransport(private val configuration: Configurat
      *
      * @property retryInterval Retry interval for event handling or reconnection attempts.
      *              Defaults to `null`.
+     *
+     * @property maxRequestBodySize Maximum allowed size (in bytes) for incoming request bodies.
+     *              Defaults to 4 MB (4,194,304 bytes).
      */
     public class Configuration(
         public val enableJsonResponse: Boolean = false,
@@ -149,7 +152,14 @@ public class StreamableHttpServerTransport(private val configuration: Configurat
         public val allowedOrigins: List<String>? = null,
         public val eventStore: EventStore? = null,
         public val retryInterval: Duration? = null,
-    )
+        public val maxRequestBodySize: Long = DEFAULT_MAX_REQUEST_BODY_SIZE,
+    ) {
+        init {
+            require(maxRequestBodySize > 0) {
+                "maxRequestBodySize must be greater than 0"
+            }
+        }
+    }
 
     public var sessionId: String? = null
         private set
@@ -659,24 +669,25 @@ public class StreamableHttpServerTransport(private val configuration: Configurat
         }
     }
 
-    @Suppress("ReturnCount", "MagicNumber")
+    @Suppress("ReturnCount")
     private suspend fun parseBody(call: ApplicationCall): List<JSONRPCMessage>? {
-        val contentLength = call.request.header(HttpHeaders.ContentLength)?.toIntOrNull() ?: 0
-        if (contentLength > MAXIMUM_MESSAGE_SIZE) {
+        val maxSize = configuration.maxRequestBodySize
+        val contentLength = call.request.header(HttpHeaders.ContentLength)?.toLongOrNull() ?: 0L
+        if (contentLength > maxSize) {
             call.reject(
                 HttpStatusCode.PayloadTooLarge,
                 RPCError.ErrorCode.INVALID_REQUEST,
-                "Invalid Request: message size exceeds maximum of ${MAXIMUM_MESSAGE_SIZE / (1024 * 1024)} MB",
+                "Invalid Request: message size exceeds maximum of $maxSize bytes",
             )
             return null
         }
 
         val body = call.receiveText()
-        if (body.length > MAXIMUM_MESSAGE_SIZE) {
+        if (body.length.toLong() > maxSize) {
             call.reject(
                 HttpStatusCode.PayloadTooLarge,
                 RPCError.ErrorCode.INVALID_REQUEST,
-                "Invalid Request: message size exceeds maximum of ${MAXIMUM_MESSAGE_SIZE / (1024 * 1024)} MB",
+                "Invalid Request: message size exceeds maximum of $maxSize bytes",
             )
             return null
         }

kotlin-sdk-server/src/jvmTest/kotlin/io/modelcontextprotocol/kotlin/sdk/server/StreamableHttpServerTransportTest.kt

@@ -3,6 +3,7 @@ package io.modelcontextprotocol.kotlin.sdk.server
 import io.kotest.matchers.collections.shouldContainAll
 import io.kotest.matchers.equals.shouldBeEqual
 import io.kotest.matchers.shouldBe
+import io.kotest.matchers.shouldNotBe
 import io.ktor.client.HttpClient
 import io.ktor.client.call.body
 import io.ktor.client.plugins.logging.LogLevel
@@ -383,6 +384,68 @@ class StreamableHttpServerTransportTest {
         response.status shouldBe HttpStatusCode.PayloadTooLarge
     }
 
+    @Test
+    fun `POST with custom max request body size rejects oversized payload`() = testApplication {
+        configTestServer()
+
+        val client = createTestClient()
+
+        val customMaxSize = 1024L // 1 KB
+        val transport = StreamableHttpServerTransport(
+            StreamableHttpServerTransport.Configuration(
+                enableJsonResponse = true,
+                maxRequestBodySize = customMaxSize,
+            ),
+        )
+        transport.onMessage { message ->
+            if (message is JSONRPCRequest) {
+                transport.send(JSONRPCResponse(message.id, EmptyResult()))
+            }
+        }
+
+        configureTransportEndpoint(transport)
+
+        val oversizedPayload = "x".repeat(customMaxSize.toInt() + 1)
+
+        val response = client.post(path) {
+            addStreamableHeaders()
+            setBody(oversizedPayload)
+        }
+
+        response.status shouldBe HttpStatusCode.PayloadTooLarge
+    }
+
+    @Test
+    fun `POST at exactly custom max request body size is not rejected as payload too large`() = testApplication {
+        configTestServer()
+
+        val client = createTestClient()
+
+        val payloadBody = "x".repeat(256)
+        val transport = StreamableHttpServerTransport(
+            StreamableHttpServerTransport.Configuration(
+                enableJsonResponse = true,
+                maxRequestBodySize = payloadBody.length.toLong(),
+            ),
+        )
+        transport.onMessage { message ->
+            if (message is JSONRPCRequest) {
+                transport.send(JSONRPCResponse(message.id, EmptyResult()))
+            }
+        }
+
+        configureTransportEndpoint(transport)
+
+        val response = client.post(path) {
+            addStreamableHeaders()
+            setBody(payloadBody)
+        }
+
+        // Size check should pass — the body is exactly at the limit
+        response.status shouldNotBe HttpStatusCode.PayloadTooLarge
+        response.status shouldBe HttpStatusCode.BadRequest
+    }
+
     private fun ApplicationTestBuilder.configureTransportEndpoint(transport: StreamableHttpServerTransport) {
         application {
             routing {