test fixes

KKonstantinov · KKonstantinov · commit d9202053e8cf · 2026-03-27T00:41:32.000+02:00
diff --git a/packages/middleware/express/test/express.test.ts b/packages/middleware/express/test/express.test.ts
@@ -141,15 +141,13 @@ describe('@modelcontextprotocol/express', () => {
         });
 
         test('should skip host header validation when skipHostHeaderValidation is true', () => {
+            // HTTP-level verification is in integration tests (test/integration/test/server.test.ts)
             const app = createMcpExpressApp({ host: '127.0.0.1', skipHostHeaderValidation: true });
-
             expect(app).toBeDefined();
-            // Localhost validation would normally be applied, but skipHostHeaderValidation disables it
         });
 
         test('should skip host header validation for 0.0.0.0 when skipHostHeaderValidation is true', () => {
             const app = createMcpExpressApp({ host: '0.0.0.0', skipHostHeaderValidation: true });
-
             expect(app).toBeDefined();
         });
 
diff --git a/test/integration/test/server.test.ts b/test/integration/test/server.test.ts
@@ -2308,31 +2308,34 @@ describe('createMcpExpressApp', () => {
         expect(response.status).toBe(403);
     });
 
-    test('should warn when binding to 0.0.0.0', () => {
-        const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
-        createMcpExpressApp({ host: '0.0.0.0' });
-        expect(warnSpy).toHaveBeenCalledWith(expect.stringContaining('0.0.0.0'));
-        warnSpy.mockRestore();
+    test('should not apply host validation for 0.0.0.0 without allowedHosts', async () => {
+        const app = createMcpExpressApp({ host: '0.0.0.0' });
+        app.post('/test', (_req: Request, res: Response) => {
+            res.json({ success: true });
+        });
+
+        // No host validation applied, so any host should be accepted
+        const response = await supertest(app).post('/test').set('Host', 'anything.com:3000').send({});
+        expect(response.status).toBe(200);
     });
 
-    test('should warn when binding to :: (IPv6 all interfaces)', () => {
-        const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
-        createMcpExpressApp({ host: '::' });
-        expect(warnSpy).toHaveBeenCalledWith(expect.stringContaining('::'));
-        warnSpy.mockRestore();
+    test('should skip host validation when skipHostHeaderValidation is true', async () => {
+        const app = createMcpExpressApp({ host: '127.0.0.1', skipHostHeaderValidation: true });
+        app.post('/test', (_req: Request, res: Response) => {
+            res.json({ success: true });
+        });
+
+        // Localhost validation would normally block this, but skipHostHeaderValidation disables it
+        const response = await supertest(app).post('/test').set('Host', 'evil.com:3000').send({});
+        expect(response.status).toBe(200);
     });
 
     test('should use custom allowedHosts when provided', async () => {
-        const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
         const app = createMcpExpressApp({ host: '0.0.0.0', allowedHosts: ['myapp.local', 'localhost'] });
         app.post('/test', (_req: Request, res: Response) => {
             res.json({ success: true });
         });
 
-        // Should not warn when allowedHosts is provided
-        expect(warnSpy).not.toHaveBeenCalled();
-        warnSpy.mockRestore();
-
         // Should allow myapp.local
         const allowedResponse = await supertest(app).post('/test').set('Host', 'myapp.local:3000').send({});
         expect(allowedResponse.status).toBe(200);
