mirrors/mcphub
1
0
Fork 0
mirror of https://github.com/samanhappy/mcphub.git synced 2025-12-25 03:12:13 -05:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: mirrors:v0.10.4
Branches Tags
mirrors:main mirrors:copilot/fix-access-token-refresh-issue mirrors:copilot/fix-json-schema-export-import mirrors:cluster mirrors:copilot/upgrade-glob-to-10-5-0 mirrors:copilot/fix-password-change-issue mirrors:copilot/fix-servers-page-description mirrors:copilot/fix-path-matching-issue mirrors:copilot/fix-security-dependency-issue mirrors:copilot/fix-excessive-api-calls mirrors:copilot/create-authentication-bypass-tests mirrors:copilot/fix-authentication-bypass-issue mirrors:copilot/fix-login-issue-with-base-path mirrors:copilot/fix-2755122-957825149-90b80786-8395-4845-bd6d-1c18c49b8c86 mirrors:copilot/fix-mcp-pdf-reader-error mirrors:copilot/add-one-click-install-button mirrors:copilot/fix-server-status-update mirrors:copilot/fix-jira-cloud-connection mirrors:copilot/add-cluster-functionality mirrors:codex/implement-cluster-functionality-for-mcphub mirrors:copilot/fix-playwright-parallel-execution mirrors:copilot/fix-group-adding-issue
mirrors:v0.11.9 mirrors:v0.11.8 mirrors:v0.11.7 mirrors:v0.11.6 mirrors:v0.11.5 mirrors:v0.11.4 mirrors:v0.11.3 mirrors:v0.11.2 mirrors:v0.11.1 mirrors:v0.11.0 mirrors:v0.10.6 mirrors:v0.10.5 mirrors:v0.10.4 mirrors:v0.10.3 mirrors:v0.10.2 mirrors:v0.10.1 mirrors:v0.10.0 mirrors:v0.9.16 mirrors:v0.9.15 mirrors:v0.9.14 mirrors:v0.9.13 mirrors:v0.9.12 mirrors:v0.9.11 mirrors:v0.9.10 mirrors:v0.9.9 mirrors:v0.9.8 mirrors:v0.9.7 mirrors:v0.9.6 mirrors:v0.9.5 mirrors:v0.9.4 mirrors:v0.9.3 mirrors:v0.9.2 mirrors:v0.9.1 mirrors:v0.9.0 mirrors:v0.8.7 mirrors:v0.8.6 mirrors:v0.8.5 mirrors:v0.8.4 mirrors:v0.8.3 mirrors:v0.8.2 mirrors:v0.8.1 mirrors:v0.8.0 mirrors:v0.7.7 mirrors:v0.7.6 mirrors:v0.7.5 mirrors:v0.7.4 mirrors:v0.7.3 mirrors:v0.7.2 mirrors:v0.7.1 mirrors:v0.7.0 mirrors:v0.6.2 mirrors:v0.6.1 mirrors:v0.6.0 mirrors:v0.5.4 mirrors:v0.5.3 mirrors:v0.5.2 mirrors:v0.5.1 mirrors:v0.5.0 mirrors:v0.4.3 mirrors:v0.4.2 mirrors:v0.4.1 mirrors:v0.4.0 mirrors:v0.3.8 mirrors:v0.3.7 mirrors:v0.3.6 mirrors:v0.3.5 mirrors:v0.3.4 mirrors:v0.3.3 mirrors:v0.3.2 mirrors:v0.3.1 mirrors:v0.3.0 mirrors:v0.2.0 mirrors:v0.1.1 mirrors:v0.1.0
...
compare: mirrors:copilot/create-authentication-bypass-tests
Branches Tags
mirrors:main mirrors:copilot/fix-access-token-refresh-issue mirrors:copilot/fix-json-schema-export-import mirrors:cluster mirrors:copilot/upgrade-glob-to-10-5-0 mirrors:copilot/fix-password-change-issue mirrors:copilot/fix-servers-page-description mirrors:copilot/fix-path-matching-issue mirrors:copilot/fix-security-dependency-issue mirrors:copilot/fix-excessive-api-calls mirrors:copilot/create-authentication-bypass-tests mirrors:copilot/fix-authentication-bypass-issue mirrors:copilot/fix-login-issue-with-base-path mirrors:copilot/fix-2755122-957825149-90b80786-8395-4845-bd6d-1c18c49b8c86 mirrors:copilot/fix-mcp-pdf-reader-error mirrors:copilot/add-one-click-install-button mirrors:copilot/fix-server-status-update mirrors:copilot/fix-jira-cloud-connection mirrors:copilot/add-cluster-functionality mirrors:codex/implement-cluster-functionality-for-mcphub mirrors:copilot/fix-playwright-parallel-execution mirrors:copilot/fix-group-adding-issue
mirrors:v0.11.9 mirrors:v0.11.8 mirrors:v0.11.7 mirrors:v0.11.6 mirrors:v0.11.5 mirrors:v0.11.4 mirrors:v0.11.3 mirrors:v0.11.2 mirrors:v0.11.1 mirrors:v0.11.0 mirrors:v0.10.6 mirrors:v0.10.5 mirrors:v0.10.4 mirrors:v0.10.3 mirrors:v0.10.2 mirrors:v0.10.1 mirrors:v0.10.0 mirrors:v0.9.16 mirrors:v0.9.15 mirrors:v0.9.14 mirrors:v0.9.13 mirrors:v0.9.12 mirrors:v0.9.11 mirrors:v0.9.10 mirrors:v0.9.9 mirrors:v0.9.8 mirrors:v0.9.7 mirrors:v0.9.6 mirrors:v0.9.5 mirrors:v0.9.4 mirrors:v0.9.3 mirrors:v0.9.2 mirrors:v0.9.1 mirrors:v0.9.0 mirrors:v0.8.7 mirrors:v0.8.6 mirrors:v0.8.5 mirrors:v0.8.4 mirrors:v0.8.3 mirrors:v0.8.2 mirrors:v0.8.1 mirrors:v0.8.0 mirrors:v0.7.7 mirrors:v0.7.6 mirrors:v0.7.5 mirrors:v0.7.4 mirrors:v0.7.3 mirrors:v0.7.2 mirrors:v0.7.1 mirrors:v0.7.0 mirrors:v0.6.2 mirrors:v0.6.1 mirrors:v0.6.0 mirrors:v0.5.4 mirrors:v0.5.3 mirrors:v0.5.2 mirrors:v0.5.1 mirrors:v0.5.0 mirrors:v0.4.3 mirrors:v0.4.2 mirrors:v0.4.1 mirrors:v0.4.0 mirrors:v0.3.8 mirrors:v0.3.7 mirrors:v0.3.6 mirrors:v0.3.5 mirrors:v0.3.4 mirrors:v0.3.3 mirrors:v0.3.2 mirrors:v0.3.1 mirrors:v0.3.0 mirrors:v0.2.0 mirrors:v0.1.1 mirrors:v0.1.0

9 Commits
v0.10.4 ... copilot/cr

Author SHA1 Message Date
copilot-swe-agent[bot]
dd8f58bca9 Update SECURITY_SUMMARY.md with authentication bypass fix details 
Co-authored-by: samanhappy <2755122+samanhappy@users.noreply.github.com>
 2025-11-23 06:53:35 +00:00
copilot-swe-agent[bot]
fd3972bda2 Fix linting errors in security test 
Co-authored-by: samanhappy <2755122+samanhappy@users.noreply.github.com>
 2025-11-23 06:52:08 +00:00
copilot-swe-agent[bot]
68c454b4b6 Complete authentication bypass fix - all tests passing (204/204) 
Co-authored-by: samanhappy <2755122+samanhappy@users.noreply.github.com>
 2025-11-23 06:50:22 +00:00
copilot-swe-agent[bot]
9bcc96f207 Fix authentication bypass vulnerability by using loadOriginalSettings for bearer auth validation 
Co-authored-by: samanhappy <2755122+samanhappy@users.noreply.github.com>
 2025-11-23 06:42:40 +00:00
copilot-swe-agent[bot]
259241f295 Add comprehensive authentication bypass security test - confirms vulnerability 
Co-authored-by: samanhappy <2755122+samanhappy@users.noreply.github.com>
 2025-11-23 06:31:51 +00:00
copilot-swe-agent[bot]
c88429934c Initial plan 2025-11-23 06:19:41 +00:00
samanhappy
6de3221974 feat: Enhance user forms and user management UI (#437) 2025-11-23 13:50:55 +08:00
samanhappy
ac0b60ed4b feat: Implement keepalive functionality for SSE and StreamableHTTP connections (#442) 2025-11-22 12:07:21 +08:00
samanhappy
a57218d076 fix: Remove test routing and oauthClients configurations from settings (#441) 2025-11-22 11:27:00 +08:00
13 changed files with 1289 additions and 269 deletions
Expand all files Collapse all files

59
SECURITY_SUMMARY.md
View File

@@ -1,3 +1,54 @@
# Security Summary - MCPHub Security Fixes
## Recent Security Fixes
### Authentication Bypass Vulnerability (FIXED - 2025-11-23)
**CRITICAL FIX APPLIED**: Authentication bypass vulnerability in MCP transport endpoints
**Vulnerability Details:**
- **Severity**: Critical (CVSS 9.8 - Unauthenticated Remote Access)
- **Affected Versions**: All versions prior to this fix
- **CVE**: Pending assignment
- **Discovery**: Security researcher report
- **Status**: ✅ FIXED
**Issue:**
The MCP transport endpoints (`/:user/mcp/:group` and `/:user/sse/:group`) accepted requests without verifying credentials. An attacker could impersonate any user by simply placing their username in the URL path, bypassing all authentication and accessing privileged MCP operations.
**Root Cause:**
- `validateBearerAuth()` in `sseService.ts` was using `loadSettings()` which filters settings based on user context
- `DataServicex.filterSettings()` replaces `systemConfig` with user-specific config for non-admin users
- This caused the global `enableBearerAuth` configuration to be unavailable during validation
- Result: Bearer authentication was never enforced, even when explicitly enabled in configuration
**Impact:**
An unauthenticated attacker could:
- Impersonate any user account
- Access private MCP server groups
- Execute privileged MCP tool operations
- Exfiltrate secrets or data from configured MCP servers (Slack bots, kubectl, databases, etc.)
**Fix Applied:**
- Changed `validateBearerAuth()` to use `loadOriginalSettings()` instead of `loadSettings()`
- This ensures bearer auth validation always has access to the actual global systemConfig
- Updated all test mocks to properly test authentication
**Verification:**
- ✅ 16 new security tests added to prevent regression
- ✅ All 204 tests passing
- ✅ Unauthenticated requests now return 401 Unauthorized
- ✅ Bearer auth properly enforced when enabled
- ✅ Proper WWW-Authenticate headers returned
**Remediation:**
- Update to the latest version immediately
- Review access logs for suspicious activity
- Ensure `enableBearerAuth: true` is set in production
- Use a strong `bearerAuthKey` value
---
# Security Summary - OAuth Authorization Server Implementation
## Overview
@@ -183,5 +234,11 @@ The OAuth 2.0 authorization server implementation in MCPHub follows security bes
**Overall Security Assessment**: ✅ **SECURE** with production hardening recommendations
**Last Updated**: 2025-11-02
**Last Updated**: 2025-11-23
**Next Review**: Recommended quarterly or after major changes
## Recent Security Audit Results
-**Authentication Bypass**: FIXED (2025-11-23)
-**OAuth 2.0 Implementation**: Secure with noted limitations
- ⚠️ **Rate Limiting**: Recommendation for production deployment

61
frontend/src/components/AddUserForm.tsx
View File

@@ -57,28 +57,28 @@ const AddUserForm = ({ onAdd, onCancel }: AddUserFormProps) => {
const handleInputChange = (e: React.ChangeEvent<HTMLInputElement>) => {
const { name, value, type, checked } = e.target;
setFormData(prev => ({
setFormData((prev) => ({
...prev,
[name]: type === 'checkbox' ? checked : value
[name]: type === 'checkbox' ? checked : value,
}));
};
return (
<div className="fixed inset-0 bg-gray-600 bg-opacity-50 overflow-y-auto h-full w-full flex items-center justify-center z-50">
<div className="bg-white p-8 rounded-lg shadow-xl max-w-md w-full mx-4">
<div className="fixed inset-0 bg-black/50 z-50 flex items-center justify-center p-4">
<div className="bg-white p-8 rounded-xl shadow-2xl max-w-md w-full mx-4 border border-gray-100">
<form onSubmit={handleSubmit}>
<h2 className="text-xl font-semibold text-gray-800 mb-4">{t('users.addNew')}</h2>
<h2 className="text-xl font-bold text-gray-900 mb-6">{t('users.addNew')}</h2>
{error && (
<div className="bg-red-100 border-l-4 border-red-500 text-red-700 p-3 mb-4">
<p className="text-sm">{error}</p>
<div className="bg-red-50 border-l-4 border-red-500 text-red-700 p-4 mb-6 rounded-md">
<p className="text-sm font-medium">{error}</p>
</div>
)}
<div className="space-y-4">
<div className="space-y-5">
<div>
<label htmlFor="username" className="block text-sm font-medium text-gray-700 mb-1">
{t('users.username')} *
{t('users.username')} <span className="text-red-500">*</span>
</label>
<input
type="text"
@@ -87,7 +87,7 @@ const AddUserForm = ({ onAdd, onCancel }: AddUserFormProps) => {
value={formData.username}
onChange={handleInputChange}
placeholder={t('users.usernamePlaceholder')}
className="w-full px-3 py-2 border border-gray-300 rounded-md focus:outline-none focus:ring-2 focus:ring-blue-500"
className="w-full px-4 py-2 border border-gray-300 rounded-lg focus:outline-none focus:ring-2 focus:ring-blue-500 focus:border-transparent form-input transition-all duration-200"
required
disabled={isSubmitting}
/>
@@ -95,7 +95,7 @@ const AddUserForm = ({ onAdd, onCancel }: AddUserFormProps) => {
<div>
<label htmlFor="password" className="block text-sm font-medium text-gray-700 mb-1">
{t('users.password')} *
{t('users.password')} <span className="text-red-500">*</span>
</label>
<input
type="password"
@@ -104,43 +104,68 @@ const AddUserForm = ({ onAdd, onCancel }: AddUserFormProps) => {
value={formData.password}
onChange={handleInputChange}
placeholder={t('users.passwordPlaceholder')}
className="w-full px-3 py-2 border border-gray-300 rounded-md focus:outline-none focus:ring-2 focus:ring-blue-500"
className="w-full px-4 py-2 border border-gray-300 rounded-lg focus:outline-none focus:ring-2 focus:ring-blue-500 focus:border-transparent form-input transition-all duration-200"
required
disabled={isSubmitting}
minLength={6}
/>
</div>
<div className="flex items-center">
<div className="flex items-center pt-2">
<input
type="checkbox"
id="isAdmin"
name="isAdmin"
checked={formData.isAdmin}
onChange={handleInputChange}
className="h-4 w-4 text-blue-600 focus:ring-blue-500 border-gray-300 rounded"
className="h-5 w-5 text-blue-600 focus:ring-blue-500 border-gray-300 rounded transition-colors duration-200"
disabled={isSubmitting}
/>
<label htmlFor="isAdmin" className="ml-2 block text-sm text-gray-700">
<label
htmlFor="isAdmin"
className="ml-3 block text-sm font-medium text-gray-700 cursor-pointer select-none"
>
{t('users.adminRole')}
</label>
</div>
</div>
<div className="flex justify-end space-x-3 mt-6">
<div className="flex justify-end space-x-3 mt-8">
<button
type="button"
onClick={onCancel}
className="px-4 py-2 text-gray-700 bg-gray-200 rounded hover:bg-gray-300 transition-colors duration-200"
className="px-5 py-2.5 text-gray-700 bg-white border border-gray-300 rounded-lg hover:bg-gray-50 transition-all duration-200 font-medium btn-secondary shadow-sm"
disabled={isSubmitting}
>
{t('common.cancel')}
</button>
<button
type="submit"
className="px-4 py-2 bg-blue-600 text-white rounded hover:bg-blue-700 transition-colors duration-200 disabled:opacity-50 disabled:cursor-not-allowed"
className="px-5 py-2.5 bg-blue-600 text-white rounded-lg hover:bg-blue-700 transition-all duration-200 font-medium btn-primary shadow-md disabled:opacity-70 disabled:cursor-not-allowed flex items-center"
disabled={isSubmitting}
>
{isSubmitting && (
<svg
className="animate-spin -ml-1 mr-2 h-4 w-4 text-white"
xmlns="http://www.w3.org/2000/svg"
fill="none"
viewBox="0 0 24 24"
>
<circle
className="opacity-25"
cx="12"
cy="12"
r="10"
stroke="currentColor"
strokeWidth="4"
></circle>
<path
className="opacity-75"
fill="currentColor"
d="M4 12a8 8 0 018-8V0C5.373 0 0 5.373 0 12h4zm2 5.291A7.962 7.962 0 014 12H0c0 3.042 1.135 5.824 3 7.938l3-2.647z"
></path>
</svg>
)}
{isSubmitting ? t('common.creating') : t('users.create')}
</button>
</div>

135
frontend/src/components/EditUserForm.tsx
View File

@@ -62,93 +62,132 @@ const EditUserForm = ({ user, onEdit, onCancel }: EditUserFormProps) => {
const handleInputChange = (e: React.ChangeEvent<HTMLInputElement>) => {
const { name, value, type, checked } = e.target;
setFormData(prev => ({
setFormData((prev) => ({
...prev,
[name]: type === 'checkbox' ? checked : value
[name]: type === 'checkbox' ? checked : value,
}));
};
return (
<div className="fixed inset-0 bg-gray-600 bg-opacity-50 overflow-y-auto h-full w-full flex items-center justify-center z-50">
<div className="bg-white p-8 rounded-lg shadow-xl max-w-md w-full mx-4">
<div className="fixed inset-0 bg-black/50 z-50 flex items-center justify-center p-4">
<div className="bg-white p-8 rounded-xl shadow-2xl max-w-md w-full mx-4 border border-gray-100">
<form onSubmit={handleSubmit}>
<h2 className="text-xl font-semibold text-gray-800 mb-4">
{t('users.edit')} - {user.username}
<h2 className="text-xl font-bold text-gray-900 mb-6">
{t('users.edit')} - <span className="text-blue-600">{user.username}</span>
</h2>
{error && (
<div className="bg-red-100 border-l-4 border-red-500 text-red-700 p-3 mb-4">
<p className="text-sm">{error}</p>
<div className="bg-red-50 border-l-4 border-red-500 text-red-700 p-4 mb-6 rounded-md">
<p className="text-sm font-medium">{error}</p>
</div>
)}
<div className="space-y-4">
<div className="flex items-center">
<div className="space-y-5">
<div className="flex items-center pt-2">
<input
type="checkbox"
id="isAdmin"
name="isAdmin"
checked={formData.isAdmin}
onChange={handleInputChange}
className="h-4 w-4 text-blue-600 focus:ring-blue-500 border-gray-300 rounded"
className="h-5 w-5 text-blue-600 focus:ring-blue-500 border-gray-300 rounded transition-colors duration-200"
disabled={isSubmitting}
/>
<label htmlFor="isAdmin" className="ml-2 block text-sm text-gray-700">
<label
htmlFor="isAdmin"
className="ml-3 block text-sm font-medium text-gray-700 cursor-pointer select-none"
>
{t('users.adminRole')}
</label>
</div>
<div>
<label htmlFor="newPassword" className="block text-sm font-medium text-gray-700 mb-1">
{t('users.newPassword')}
</label>
<input
type="password"
id="newPassword"
name="newPassword"
value={formData.newPassword}
onChange={handleInputChange}
placeholder={t('users.newPasswordPlaceholder')}
className="w-full px-3 py-2 border border-gray-300 rounded-md focus:outline-none focus:ring-2 focus:ring-blue-500"
disabled={isSubmitting}
minLength={6}
/>
</div>
<div className="border-t border-gray-100 pt-4 mt-2">
<p className="text-xs text-gray-500 uppercase font-semibold tracking-wider mb-3">
{t('users.changePassword')}
</p>
{formData.newPassword && (
<div>
<label htmlFor="confirmPassword" className="block text-sm font-medium text-gray-700 mb-1">
{t('users.confirmPassword')}
</label>
<input
type="password"
id="confirmPassword"
name="confirmPassword"
value={formData.confirmPassword}
onChange={handleInputChange}
placeholder={t('users.confirmPasswordPlaceholder')}
className="w-full px-3 py-2 border border-gray-300 rounded-md focus:outline-none focus:ring-2 focus:ring-blue-500"
disabled={isSubmitting}
minLength={6}
/>
<div className="space-y-4">
<div>
<label
htmlFor="newPassword"
className="block text-sm font-medium text-gray-700 mb-1"
>
{t('users.newPassword')}
</label>
<input
type="password"
id="newPassword"
name="newPassword"
value={formData.newPassword}
onChange={handleInputChange}
placeholder={t('users.newPasswordPlaceholder')}
className="w-full px-4 py-2 border border-gray-300 rounded-lg focus:outline-none focus:ring-2 focus:ring-blue-500 focus:border-transparent form-input transition-all duration-200"
disabled={isSubmitting}
minLength={6}
/>
</div>
{formData.newPassword && (
<div className="animate-fadeIn">
<label
htmlFor="confirmPassword"
className="block text-sm font-medium text-gray-700 mb-1"
>
{t('users.confirmPassword')}
</label>
<input
type="password"
id="confirmPassword"
name="confirmPassword"
value={formData.confirmPassword}
onChange={handleInputChange}
placeholder={t('users.confirmPasswordPlaceholder')}
className="w-full px-4 py-2 border border-gray-300 rounded-lg focus:outline-none focus:ring-2 focus:ring-blue-500 focus:border-transparent form-input transition-all duration-200"
disabled={isSubmitting}
minLength={6}
/>
</div>
)}
</div>
)}
</div>
</div>
<div className="flex justify-end space-x-3 mt-6">
<div className="flex justify-end space-x-3 mt-8">
<button
type="button"
onClick={onCancel}
className="px-4 py-2 text-gray-700 bg-gray-200 rounded hover:bg-gray-300 transition-colors duration-200"
className="px-5 py-2.5 text-gray-700 bg-white border border-gray-300 rounded-lg hover:bg-gray-50 transition-all duration-200 font-medium btn-secondary shadow-sm"
disabled={isSubmitting}
>
{t('common.cancel')}
</button>
<button
type="submit"
className="px-4 py-2 bg-blue-600 text-white rounded hover:bg-blue-700 transition-colors duration-200 disabled:opacity-50 disabled:cursor-not-allowed"
className="px-5 py-2.5 bg-blue-600 text-white rounded-lg hover:bg-blue-700 transition-all duration-200 font-medium btn-primary shadow-md disabled:opacity-70 disabled:cursor-not-allowed flex items-center"
disabled={isSubmitting}
>
{isSubmitting && (
<svg
className="animate-spin -ml-1 mr-2 h-4 w-4 text-white"
xmlns="http://www.w3.org/2000/svg"
fill="none"
viewBox="0 0 24 24"
>
<circle
className="opacity-25"
cx="12"
cy="12"
r="10"
stroke="currentColor"
strokeWidth="4"
></circle>
<path
className="opacity-75"
fill="currentColor"
d="M4 12a8 8 0 018-8V0C5.373 0 0 5.373 0 12h4zm2 5.291A7.962 7.962 0 014 12H0c0 3.042 1.135 5.824 3 7.938l3-2.647z"
></path>
</svg>
)}
{isSubmitting ? t('common.updating') : t('users.update')}
</button>
</div>

147
frontend/src/pages/UsersPage.tsx
View File

@@ -5,7 +5,8 @@ import { useUserData } from '@/hooks/useUserData';
import { useAuth } from '@/contexts/AuthContext';
import AddUserForm from '@/components/AddUserForm';
import EditUserForm from '@/components/EditUserForm';
import UserCard from '@/components/UserCard';
import { Edit, Trash, User as UserIcon } from 'lucide-react';
import DeleteDialog from '@/components/ui/DeleteDialog';
const UsersPage: React.FC = () => {
const { t } = useTranslation();
@@ -22,11 +23,12 @@ const UsersPage: React.FC = () => {
const [editingUser, setEditingUser] = useState<User | null>(null);
const [showAddForm, setShowAddForm] = useState(false);
const [userToDelete, setUserToDelete] = useState<string | null>(null);
// Check if current user is admin
if (!currentUser?.isAdmin) {
return (
<div className="bg-white shadow rounded-lg p-6">
<div className="bg-white shadow rounded-lg p-6 dashboard-card">
<p className="text-red-600">{t('users.adminRequired')}</p>
</div>
);
@@ -41,10 +43,17 @@ const UsersPage: React.FC = () => {
triggerRefresh(); // Refresh the users list after editing
};
const handleDeleteUser = async (username: string) => {
const result = await deleteUser(username);
if (!result?.success) {
setUserError(result?.message || t('users.deleteError'));
const handleDeleteClick = (username: string) => {
setUserToDelete(username);
};
const handleConfirmDelete = async () => {
if (userToDelete) {
const result = await deleteUser(userToDelete);
if (!result?.success) {
setUserError(result?.message || t('users.deleteError'));
}
setUserToDelete(null);
}
};
@@ -58,13 +67,13 @@ const UsersPage: React.FC = () => {
};
return (
<div>
<div className="container mx-auto">
<div className="flex justify-between items-center mb-8">
<h1 className="text-2xl font-bold text-gray-900">{t('pages.users.title')}</h1>
<div className="flex space-x-4">
<button
onClick={handleAddUser}
className="px-4 py-2 bg-blue-100 text-blue-800 rounded hover:bg-blue-200 flex items-center btn-primary transition-all duration-200"
className="px-4 py-2 bg-blue-600 text-white rounded hover:bg-blue-700 flex items-center btn-primary transition-all duration-200 shadow-sm"
>
<svg xmlns="http://www.w3.org/2000/svg" className="h-4 w-4 mr-2" viewBox="0 0 20 20" fill="currentColor">
<path fillRule="evenodd" d="M10 3a1 1 0 00-1 1v5H4a1 1 0 100 2h5v5a1 1 0 102 0v-5h5a1 1 0 100-2h-5V4a1 1 0 00-1-1z" clipRule="evenodd" />
@@ -75,13 +84,23 @@ const UsersPage: React.FC = () => {
</div>
{userError && (
<div className="bg-red-100 border-l-4 border-red-500 text-red-700 p-4 mb-6 error-box rounded-lg">
<p>{userError}</p>
<div className="bg-red-50 border-l-4 border-red-500 text-red-700 p-4 mb-6 error-box rounded-lg shadow-sm">
<div className="flex justify-between items-center">
<p>{userError}</p>
<button
onClick={() => setUserError(null)}
className="text-red-500 hover:text-red-700"
>
<svg xmlns="http://www.w3.org/2000/svg" className="h-5 w-5" viewBox="0 0 20 20" fill="currentColor">
<path fillRule="evenodd" d="M4.293 4.293a1 1 011.414 0L10 8.586l4.293-4.293a1 1 111.414 1.414L11.414 10l4.293 4.293a1 1 01-1.414 1.414L10 11.414l-4.293 4.293a1 1 01-1.414-1.414L8.586 10 4.293 5.707a1 1 010-1.414z" clipRule="evenodd" />
</svg>
</button>
</div>
</div>
)}
{usersLoading ? (
<div className="bg-white shadow rounded-lg p-6 loading-container">
<div className="bg-white shadow rounded-lg p-6 loading-container flex justify-center items-center h-64">
<div className="flex flex-col items-center justify-center">
<svg className="animate-spin h-10 w-10 text-blue-500 mb-4" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24">
<circle className="opacity-25" cx="12" cy="12" r="10" stroke="currentColor" strokeWidth="4"></circle>
@@ -91,20 +110,93 @@ const UsersPage: React.FC = () => {
</div>
</div>
) : users.length === 0 ? (
<div className="bg-white shadow rounded-lg p-6 empty-state">
<p className="text-gray-600">{t('users.noUsers')}</p>
<div className="bg-white shadow rounded-lg p-6 empty-state dashboard-card">
<div className="flex flex-col items-center justify-center py-12">
<div className="p-4 bg-gray-100 rounded-full mb-4">
<UserIcon className="h-8 w-8 text-gray-400" />
</div>
<p className="text-gray-600 text-lg font-medium">{t('users.noUsers')}</p>
<button
onClick={handleAddUser}
className="mt-4 text-blue-600 hover:text-blue-800 font-medium"
>
{t('users.addFirst')}
</button>
</div>
</div>
) : (
<div className="space-y-6">
{users.map((user) => (
<UserCard
key={user.username}
user={user}
currentUser={currentUser}
onEdit={handleEditClick}
onDelete={handleDeleteUser}
/>
))}
<div className="bg-white shadow rounded-lg overflow-hidden table-container dashboard-card">
<table className="min-w-full divide-y divide-gray-200">
<thead className="bg-gray-50">
<tr>
<th scope="col" className="px-6 py-3 text-left text-xs font-medium text-gray-500 uppercase tracking-wider">
{t('users.username')}
</th>
<th scope="col" className="px-6 py-3 text-left text-xs font-medium text-gray-500 uppercase tracking-wider">
{t('users.role')}
</th>
<th scope="col" className="px-6 py-3 text-right text-xs font-medium text-gray-500 uppercase tracking-wider">
{t('users.actions')}
</th>
</tr>
</thead>
<tbody className="bg-white divide-y divide-gray-200">
{users.map((user) => {
const isCurrentUser = currentUser?.username === user.username;
return (
<tr key={user.username} className="hover:bg-gray-50 transition-colors duration-150">
<td className="px-6 py-4 whitespace-nowrap">
<div className="flex items-center">
<div className="flex-shrink-0 h-10 w-10">
<div className="h-10 w-10 rounded-full bg-blue-100 flex items-center justify-center text-blue-600 font-bold text-lg">
{user.username.charAt(0).toUpperCase()}
</div>
</div>
<div className="ml-4">
<div className="text-sm font-medium text-gray-900 flex items-center">
{user.username}
{isCurrentUser && (
<span className="ml-2 px-2 py-0.5 text-xs bg-blue-100 text-blue-800 rounded-full border border-blue-200">
{t('users.currentUser')}
</span>
)}
</div>
</div>
</div>
</td>
<td className="px-6 py-4 whitespace-nowrap">
<span className={`px-2 py-1 inline-flex text-xs leading-5 font-semibold rounded-full ${user.isAdmin
? 'bg-purple-100 text-purple-800 border border-purple-200'
: 'bg-gray-100 text-gray-800 border border-gray-200'
}`}>
{user.isAdmin ? t('users.admin') : t('users.user')}
</span>
</td>
<td className="px-6 py-4 whitespace-nowrap text-right text-sm font-medium">
<div className="flex justify-end space-x-3">
<button
onClick={() => handleEditClick(user)}
className="text-blue-600 hover:text-blue-900 p-1 rounded hover:bg-blue-50 transition-colors"
title={t('users.edit')}
>
<Edit size={18} />
</button>
{!isCurrentUser && (
<button
onClick={() => handleDeleteClick(user.username)}
className="text-red-600 hover:text-red-900 p-1 rounded hover:bg-red-50 transition-colors"
title={t('users.delete')}
>
<Trash size={18} />
</button>
)}
</div>
</td>
</tr>
);
})}
</tbody>
</table>
</div>
)}
@@ -119,6 +211,15 @@ const UsersPage: React.FC = () => {
onCancel={() => setEditingUser(null)}
/>
)}
<DeleteDialog
isOpen={!!userToDelete}
onClose={() => setUserToDelete(null)}
onConfirm={handleConfirmDelete}
serverName={userToDelete || ''}
isGroup={false}
isUser={true}
/>
</div>
);
};

4
locales/en.json
View File

@@ -673,9 +673,13 @@
"password": "Password",
"newPassword": "New Password",
"confirmPassword": "Confirm Password",
"changePassword": "Change Password",
"adminRole": "Administrator",
"admin": "Admin",
"user": "User",
"role": "Role",
"actions": "Actions",
"addFirst": "Add your first user",
"permissions": "Permissions",
"adminPermissions": "Full system access",
"userPermissions": "Limited access",

4
locales/fr.json
View File

@@ -673,9 +673,13 @@
"password": "Mot de passe",
"newPassword": "Nouveau mot de passe",
"confirmPassword": "Confirmer le mot de passe",
"changePassword": "Changer le mot de passe",
"adminRole": "Administrateur",
"admin": "Admin",
"user": "Utilisateur",
"role": "Rôle",
"actions": "Actions",
"addFirst": "Ajoutez votre premier utilisateur",
"permissions": "Permissions",
"adminPermissions": "Accès complet au système",
"userPermissions": "Accès limité",

4
locales/tr.json
View File

@@ -673,9 +673,13 @@
"password": "Şifre",
"newPassword": "Yeni Şifre",
"confirmPassword": "Şifreyi Onayla",
"changePassword": "Şifre Değiştir",
"adminRole": "Yönetici",
"admin": "Yönetici",
"user": "Kullanıcı",
"role": "Rol",
"actions": "Eylemler",
"addFirst": "İlk kullanıcınızı ekleyin",
"permissions": "İzinler",
"adminPermissions": "Tam sistem erişimi",
"userPermissions": "Sınırlı erişim",

4
locales/zh.json
View File

@@ -675,9 +675,13 @@
"password": "密码",
"newPassword": "新密码",
"confirmPassword": "确认密码",
"changePassword": "修改密码",
"adminRole": "管理员",
"admin": "管理员",
"user": "用户",
"role": "角色",
"actions": "操作",
"addFirst": "添加第一个用户",
"permissions": "权限",
"adminPermissions": "完全系统访问权限",
"userPermissions": "受限访问权限",

91
mcp_settings.json
View File

@@ -43,31 +43,6 @@
}
],
"systemConfig": {
"routing": {
"enableGlobalRoute": true,
"enableGroupNameRoute": true,
"enableBearerAuth": true,
"bearerAuthKey": "t3QTQVcF4HWtF7v3IOSygxlV0RgSGuwk",
"skipAuth": false
},
"install": {
"pythonIndexUrl": "",
"npmRegistry": "",
"baseUrl": "http://localhost:3000"
},
"smartRouting": {
"enabled": false,
"dbUrl": "",
"openaiApiBaseUrl": "",
"openaiApiKey": "",
"openaiApiEmbeddingModel": ""
},
"mcpRouter": {
"apiKey": "",
"referer": "https://www.mcphubx.com",
"title": "MCPHub",
"baseUrl": "https://api.mcprouter.to/v1"
},
"oauthServer": {
"enabled": true,
"accessTokenLifetime": 3600,
@@ -88,69 +63,5 @@
"requiresAuthentication": false
}
}
},
"oauthClients": [
{
"clientId": "chatgpt-web",
"name": "ChatGPT Web",
"redirectUris": [
"https://chatgpt.com/oauth/callback"
],
"grants": [
"authorization_code",
"refresh_token"
],
"scopes": [
"read",
"write"
]
},
{
"clientId": "6377bc3d11e7a3da74373d961eda4fff",
"name": "Cherry Studio",
"redirectUris": [
"http://127.0.0.1:12346/oauth/callback"
],
"grants": [
"authorization_code",
"refresh_token"
],
"scopes": [
"read",
"write"
],
"owner": "dynamic-registration",
"metadata": {
"application_type": "web",
"client_uri": "https://github.com/CherryHQ/cherry-studio",
"token_endpoint_auth_method": "none",
"response_types": [
"code"
]
}
},
{
"clientId": "c83b7e4a47c25ac834ffc59d4439c75c",
"clientSecret": "e977d26c265977fc553ba9aecab42a84a911ac293373e3673d94d3164427e862",
"name": "ChatWise",
"redirectUris": [
"http://localhost:59735/callback/e5btzxb2e3"
],
"grants": [
"authorization_code"
],
"scopes": [
"read",
"write"
],
"owner": "dynamic-registration",
"metadata": {
"application_type": "web",
"token_endpoint_auth_method": "client_secret_basic",
"response_types": [
"code"
]
}
}
]
}
}

71
src/services/sseService.test.ts
View File

@@ -22,21 +22,23 @@ jest.mock('../config/index.js', () => {
const config = {
basePath: '/test',
};
const mockSettings = {
mcpServers: {},
systemConfig: {
routing: {
enableGlobalRoute: true,
enableGroupNameRoute: true,
enableBearerAuth: false,
bearerAuthKey: 'test-key',
},
enableSessionRebuild: false, // Default to false for tests
},
};
return {
__esModule: true,
default: config,
loadSettings: jest.fn(() => ({
mcpServers: {},
systemConfig: {
routing: {
enableGlobalRoute: true,
enableGroupNameRoute: true,
enableBearerAuth: false,
bearerAuthKey: 'test-key',
},
enableSessionRebuild: false, // Default to false for tests
},
})),
loadSettings: jest.fn(() => mockSettings),
loadOriginalSettings: jest.fn(() => mockSettings),
};
});
@@ -66,7 +68,7 @@ jest.mock('@modelcontextprotocol/sdk/types.js', () => ({
// Import mocked modules
import { getMcpServer } from './mcpService.js';
import { loadSettings } from '../config/index.js';
import { loadSettings, loadOriginalSettings } from '../config/index.js';
import { UserContextService } from './userContextService.js';
import { SSEServerTransport } from '@modelcontextprotocol/sdk/server/sse.js';
import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js';
@@ -152,12 +154,19 @@ const expectBearerUnauthorized = (
);
};
const setMockSettings = (settings: any): void => {
(loadSettings as jest.MockedFunction<typeof loadSettings>).mockReturnValue(settings);
(loadOriginalSettings as jest.MockedFunction<typeof loadOriginalSettings>).mockReturnValue(
settings,
);
};
describe('sseService', () => {
beforeEach(() => {
jest.clearAllMocks();
// Reset settings cache
(loadSettings as jest.MockedFunction<typeof loadSettings>).mockReturnValue({
const mockSettingsValue = {
mcpServers: {},
systemConfig: {
routing: {
@@ -168,7 +177,11 @@ describe('sseService', () => {
},
enableSessionRebuild: false, // Default to false for tests
},
});
};
setMockSettings(mockSettingsValue);
(loadOriginalSettings as jest.MockedFunction<typeof loadOriginalSettings>).mockReturnValue(
mockSettingsValue,
);
});
describe('bearer authentication', () => {
@@ -185,7 +198,7 @@ describe('sseService', () => {
});
it('should return 401 when bearer auth is enabled but no authorization header', async () => {
(loadSettings as jest.MockedFunction<typeof loadSettings>).mockReturnValue({
const mockSettingsValue = {
mcpServers: {},
systemConfig: {
routing: {
@@ -195,7 +208,11 @@ describe('sseService', () => {
bearerAuthKey: 'test-key',
},
},
});
};
setMockSettings(mockSettingsValue);
(loadOriginalSettings as jest.MockedFunction<typeof loadOriginalSettings>).mockReturnValue(
mockSettingsValue,
);
const req = createMockRequest();
const res = createMockResponse();
@@ -206,7 +223,7 @@ describe('sseService', () => {
});
it('should return 401 when bearer auth is enabled with invalid token', async () => {
(loadSettings as jest.MockedFunction<typeof loadSettings>).mockReturnValue({
setMockSettings({
mcpServers: {},
systemConfig: {
routing: {
@@ -229,7 +246,7 @@ describe('sseService', () => {
});
it('should pass when bearer auth is enabled with valid token', async () => {
(loadSettings as jest.MockedFunction<typeof loadSettings>).mockReturnValue({
setMockSettings({
mcpServers: {},
systemConfig: {
routing: {
@@ -279,7 +296,7 @@ describe('sseService', () => {
describe('handleSseConnection', () => {
it('should reject global routes when disabled', async () => {
(loadSettings as jest.MockedFunction<typeof loadSettings>).mockReturnValue({
setMockSettings({
mcpServers: {},
systemConfig: {
routing: {
@@ -375,7 +392,7 @@ describe('sseService', () => {
});
it('should return 401 when bearer auth fails', async () => {
(loadSettings as jest.MockedFunction<typeof loadSettings>).mockReturnValue({
setMockSettings({
mcpServers: {},
systemConfig: {
routing: {
@@ -400,7 +417,7 @@ describe('sseService', () => {
describe('handleMcpPostRequest', () => {
it('should reject global routes when disabled', async () => {
(loadSettings as jest.MockedFunction<typeof loadSettings>).mockReturnValue({
setMockSettings({
mcpServers: {},
systemConfig: {
routing: {
@@ -463,7 +480,7 @@ describe('sseService', () => {
it('should transparently rebuild invalid session when enabled', async () => {
// Enable session rebuild for this test
(loadSettings as jest.MockedFunction<typeof loadSettings>).mockReturnValue({
setMockSettings({
mcpServers: {},
systemConfig: {
routing: {
@@ -492,7 +509,7 @@ describe('sseService', () => {
});
it('should return 401 when bearer auth fails', async () => {
(loadSettings as jest.MockedFunction<typeof loadSettings>).mockReturnValue({
setMockSettings({
mcpServers: {},
systemConfig: {
routing: {
@@ -533,7 +550,7 @@ describe('sseService', () => {
Object.keys(transports).forEach(key => delete transports[key]);
// Enable bearer auth for this test
(loadSettings as jest.MockedFunction<typeof loadSettings>).mockReturnValue({
setMockSettings({
mcpServers: {},
systemConfig: {
routing: {
@@ -570,7 +587,7 @@ describe('sseService', () => {
it('should transparently rebuild invalid session in handleMcpOtherRequest when enabled', async () => {
// Enable bearer auth and session rebuild for this test
(loadSettings as jest.MockedFunction<typeof loadSettings>).mockReturnValue({
setMockSettings({
mcpServers: {},
systemConfig: {
routing: {
@@ -602,7 +619,7 @@ describe('sseService', () => {
});
it('should return 401 when bearer auth fails', async () => {
(loadSettings as jest.MockedFunction<typeof loadSettings>).mockReturnValue({
setMockSettings({
mcpServers: {},
systemConfig: {
routing: {

234
src/services/sseService.ts
View File

@@ -5,14 +5,16 @@ import { SSEServerTransport } from '@modelcontextprotocol/sdk/server/sse.js';
import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js';
import { isInitializeRequest } from '@modelcontextprotocol/sdk/types.js';
import { deleteMcpServer, getMcpServer } from './mcpService.js';
import { loadSettings } from '../config/index.js';
import { loadSettings, loadOriginalSettings } from '../config/index.js';
import config from '../config/index.js';
import { UserContextService } from './userContextService.js';
import { RequestContextService } from './requestContextService.js';
import { IUser } from '../types/index.js';
import { resolveOAuthUserFromToken } from '../utils/oauthBearer.js';
export const transports: { [sessionId: string]: { transport: Transport; group: string; needsInitialization?: boolean } } = {};
export const transports: {
[sessionId: string]: { transport: Transport; group: string; needsInitialization?: boolean };
} = {};
// Session creation locks to prevent concurrent session creation conflicts
const sessionCreationLocks: { [sessionId: string]: Promise<StreamableHTTPServerTransport> } = {};
@@ -29,7 +31,8 @@ type BearerAuthResult =
};
const validateBearerAuth = (req: Request): BearerAuthResult => {
const settings = loadSettings();
// Use original settings to get the actual systemConfig, not filtered by user context
const settings = loadOriginalSettings();
const routingConfig = settings.systemConfig?.routing || {
enableGlobalRoute: true,
enableGroupNameRoute: true,
@@ -211,7 +214,25 @@ export const handleSseConnection = async (req: Request, res: Response): Promise<
const transport = new SSEServerTransport(messagesPath, res);
transports[transport.sessionId] = { transport, group: group };
// Send keepalive ping every 30 seconds to prevent client from closing connection
const keepAlive = setInterval(() => {
try {
// Send a ping notification to keep the connection alive
transport.send({ jsonrpc: '2.0', method: 'ping' });
console.log(`Sent keepalive ping for SSE session: ${transport.sessionId}`);
} catch (e) {
// If sending a ping fails, the connection is likely broken.
// Log the error and clear the interval to prevent further attempts.
console.warn(
`Failed to send keepalive ping for SSE session ${transport.sessionId}, cleaning up interval:`,
e,
);
clearInterval(keepAlive);
}
}, 30000); // Send ping every 30 seconds
res.on('close', () => {
clearInterval(keepAlive);
delete transports[transport.sessionId];
deleteMcpServer(transport.sessionId);
console.log(`SSE connection closed: ${transport.sessionId}`);
@@ -276,66 +297,125 @@ export const handleSseMessage = async (req: Request, res: Response): Promise<voi
};
// Helper function to create a session with a specific sessionId
async function createSessionWithId(sessionId: string, group: string, username?: string): Promise<StreamableHTTPServerTransport> {
console.log(`[SESSION REBUILD] Starting session rebuild for ID: ${sessionId}${username ? ` for user: ${username}` : ''}`);
async function createSessionWithId(
sessionId: string,
group: string,
username?: string,
): Promise<StreamableHTTPServerTransport> {
console.log(
`[SESSION REBUILD] Starting session rebuild for ID: ${sessionId}${username ? ` for user: ${username}` : ''}`,
);
// Create a new server instance to ensure clean state
const server = getMcpServer(sessionId, group);
const transport = new StreamableHTTPServerTransport({
sessionIdGenerator: () => sessionId, // Use the specified sessionId
onsessioninitialized: (initializedSessionId) => {
console.log(`[SESSION REBUILD] onsessioninitialized triggered for ID: ${initializedSessionId}`); // New log
console.log(
`[SESSION REBUILD] onsessioninitialized triggered for ID: ${initializedSessionId}`,
); // New log
if (initializedSessionId === sessionId) {
transports[sessionId] = { transport, group };
console.log(`[SESSION REBUILD] Session ${sessionId} initialized successfully${username ? ` for user: ${username}` : ''}`);
console.log(
`[SESSION REBUILD] Session ${sessionId} initialized successfully${username ? ` for user: ${username}` : ''}`,
);
} else {
console.warn(`[SESSION REBUILD] Session ID mismatch: expected ${sessionId}, got ${initializedSessionId}`);
console.warn(
`[SESSION REBUILD] Session ID mismatch: expected ${sessionId}, got ${initializedSessionId}`,
);
}
},
});
// Send keepalive ping every 30 seconds to prevent client from closing connection
const keepAlive = setInterval(() => {
try {
// Send a ping notification to keep the connection alive
transport.send({ jsonrpc: '2.0', method: 'ping' });
console.log(`Sent keepalive ping for StreamableHTTP session: ${sessionId}`);
} catch (e) {
// If sending a ping fails, the connection is likely broken.
// Log the error and clear the interval to prevent further attempts.
console.warn(
`Failed to send keepalive ping for StreamableHTTP session ${sessionId}, cleaning up interval:`,
e,
);
clearInterval(keepAlive);
}
}, 30000); // Send ping every 30 seconds
transport.onclose = () => {
console.log(`[SESSION REBUILD] Transport closed: ${sessionId}`);
clearInterval(keepAlive);
delete transports[sessionId];
deleteMcpServer(sessionId);
};
// Connect to MCP server
await server.connect(transport);
// Wait for the server to fully initialize
await new Promise(resolve => setTimeout(resolve, 500));
await new Promise((resolve) => setTimeout(resolve, 500));
// Ensure the transport is properly initialized
if (!transports[sessionId]) {
console.warn(`[SESSION REBUILD] Transport not found in transports after initialization, forcing registration`);
console.warn(
`[SESSION REBUILD] Transport not found in transports after initialization, forcing registration`,
);
transports[sessionId] = { transport, group, needsInitialization: true };
} else {
// Mark the session as needing initialization
transports[sessionId].needsInitialization = true;
}
console.log(`[SESSION REBUILD] Session ${sessionId} created but not yet initialized. It will be initialized on first use.`);
console.log(
`[SESSION REBUILD] Session ${sessionId} created but not yet initialized. It will be initialized on first use.`,
);
console.log(`[SESSION REBUILD] Successfully rebuilt session ${sessionId} in group: ${group}`);
return transport;
}
// Helper function to create a completely new session
async function createNewSession(group: string, username?: string): Promise<StreamableHTTPServerTransport> {
async function createNewSession(
group: string,
username?: string,
): Promise<StreamableHTTPServerTransport> {
const newSessionId = randomUUID();
console.log(`[SESSION NEW] Creating new session with ID: ${newSessionId}${username ? ` for user: ${username}` : ''}`);
console.log(
`[SESSION NEW] Creating new session with ID: ${newSessionId}${username ? ` for user: ${username}` : ''}`,
);
const transport = new StreamableHTTPServerTransport({
sessionIdGenerator: () => newSessionId,
onsessioninitialized: (sessionId) => {
transports[sessionId] = { transport, group };
console.log(`[SESSION NEW] New session ${sessionId} initialized successfully${username ? ` for user: ${username}` : ''}`);
console.log(
`[SESSION NEW] New session ${sessionId} initialized successfully${username ? ` for user: ${username}` : ''}`,
);
},
});
// Send keepalive ping every 30 seconds to prevent client from closing connection
const keepAlive = setInterval(() => {
try {
// Send a ping notification to keep the connection alive
transport.send({ jsonrpc: '2.0', method: 'ping' });
console.log(`Sent keepalive ping for StreamableHTTP session: ${newSessionId}`);
} catch (e) {
// If sending a ping fails, the connection is likely broken.
// Log the error and clear the interval to prevent further attempts.
console.warn(
`Failed to send keepalive ping for StreamableHTTP session ${newSessionId}, cleaning up interval:`,
e,
);
clearInterval(keepAlive);
}
}, 30000); // Send ping every 30 seconds
transport.onclose = () => {
console.log(`[SESSION NEW] Transport closed: ${newSessionId}`);
clearInterval(keepAlive);
delete transports[newSessionId];
deleteMcpServer(newSessionId);
};
@@ -380,32 +460,40 @@ export const handleMcpPostRequest = async (req: Request, res: Response): Promise
}
let transport: StreamableHTTPServerTransport;
let transportInfo: typeof transports[string] | undefined;
let transportInfo: (typeof transports)[string] | undefined;
if (sessionId) {
transportInfo = transports[sessionId];
}
if (sessionId && transportInfo) {
// Case 1: Session exists and is valid, reuse it
console.log(`[SESSION REUSE] Reusing existing session: ${sessionId}${username ? ` for user: ${username}` : ''}`);
console.log(
`[SESSION REUSE] Reusing existing session: ${sessionId}${username ? ` for user: ${username}` : ''}`,
);
transport = transportInfo.transport as StreamableHTTPServerTransport;
} else if (sessionId) {
// Case 2: SessionId exists but transport is missing (server restart), check if session rebuild is enabled
const settings = loadSettings();
const enableSessionRebuild = settings.systemConfig?.enableSessionRebuild || false;
if (enableSessionRebuild) {
console.log(`[SESSION AUTO-REBUILD] Session ${sessionId} not found, initiating transparent rebuild${username ? ` for user: ${username}` : ''}`);
console.log(
`[SESSION AUTO-REBUILD] Session ${sessionId} not found, initiating transparent rebuild${username ? ` for user: ${username}` : ''}`,
);
// Prevent concurrent session creation
if (sessionCreationLocks[sessionId] !== undefined) {
console.log(`[SESSION AUTO-REBUILD] Session creation in progress for ${sessionId}, waiting...`);
console.log(
`[SESSION AUTO-REBUILD] Session creation in progress for ${sessionId}, waiting...`,
);
transport = await sessionCreationLocks[sessionId];
} else {
sessionCreationLocks[sessionId] = createSessionWithId(sessionId, group, username);
try {
transport = await sessionCreationLocks[sessionId];
console.log(`[SESSION AUTO-REBUILD] Successfully transparently rebuilt session: ${sessionId}`);
console.log(
`[SESSION AUTO-REBUILD] Successfully transparently rebuilt session: ${sessionId}`,
);
} catch (error) {
console.error(`[SESSION AUTO-REBUILD] Failed to rebuild session ${sessionId}:`, error);
throw error;
@@ -419,7 +507,9 @@ export const handleMcpPostRequest = async (req: Request, res: Response): Promise
}
} else {
// Session rebuild is disabled, return error
console.warn(`[SESSION ERROR] Session ${sessionId} not found and session rebuild is disabled${username ? ` for user: ${username}` : ''}`);
console.warn(
`[SESSION ERROR] Session ${sessionId} not found and session rebuild is disabled${username ? ` for user: ${username}` : ''}`,
);
res.status(400).json({
jsonrpc: '2.0',
error: {
@@ -432,11 +522,15 @@ export const handleMcpPostRequest = async (req: Request, res: Response): Promise
}
} else if (isInitializeRequest(req.body)) {
// Case 3: No sessionId and this is an initialize request, create new session
console.log(`[SESSION CREATE] No session ID provided for initialize request, creating new session${username ? ` for user: ${username}` : ''}`);
console.log(
`[SESSION CREATE] No session ID provided for initialize request, creating new session${username ? ` for user: ${username}` : ''}`,
);
transport = await createNewSession(group, username);
} else {
// Case 4: No sessionId and not an initialize request, return error
console.warn(`[SESSION ERROR] No session ID provided for non-initialize request (method: ${req.body?.method})${username ? ` for user: ${username}` : ''}`);
console.warn(
`[SESSION ERROR] No session ID provided for non-initialize request (method: ${req.body?.method})${username ? ` for user: ${username}` : ''}`,
);
res.status(400).json({
jsonrpc: '2.0',
error: {
@@ -456,8 +550,10 @@ export const handleMcpPostRequest = async (req: Request, res: Response): Promise
// Check if the session needs initialization (for rebuilt sessions)
if (transportInfo && transportInfo.needsInitialization) {
console.log(`[MCP] Session ${sessionId} needs initialization, performing proactive initialization`);
console.log(
`[MCP] Session ${sessionId} needs initialization, performing proactive initialization`,
);
try {
// Create a mock response object that doesn't actually send headers
const mockRes = {
@@ -466,9 +562,9 @@ export const handleMcpPostRequest = async (req: Request, res: Response): Promise
json: () => {},
status: () => mockRes,
send: () => {},
headersSent: false
headersSent: false,
} as any;
// First, send the initialize request
const initializeRequest = {
method: 'initialize',
@@ -477,26 +573,26 @@ export const handleMcpPostRequest = async (req: Request, res: Response): Promise
capabilities: {},
clientInfo: {
name: 'MCPHub-Client',
version: '1.0.0'
}
version: '1.0.0',
},
},
jsonrpc: '2.0',
id: `init-${sessionId}-${Date.now()}`
id: `init-${sessionId}-${Date.now()}`,
};
console.log(`[MCP] Sending initialize request for session ${sessionId}`);
// Use mock response to avoid sending actual HTTP response
await transport.handleRequest(req, mockRes, initializeRequest);
// Then send the initialized notification
const initializedNotification = {
method: 'notifications/initialized',
jsonrpc: '2.0'
jsonrpc: '2.0',
};
console.log(`[MCP] Sending initialized notification for session ${sessionId}`);
await transport.handleRequest(req, mockRes, initializedNotification);
// Mark the session as initialized
transportInfo.needsInitialization = false;
console.log(`[MCP] Session ${sessionId} successfully initialized`);
@@ -512,8 +608,10 @@ export const handleMcpPostRequest = async (req: Request, res: Response): Promise
} catch (error: any) {
// Check if this is a "Server not initialized" error for a newly rebuilt session
if (sessionId && error.message && error.message.includes('Server not initialized')) {
console.log(`[SESSION AUTO-REBUILD] Server not initialized for ${sessionId}. Attempting to initialize with the current request.`);
console.log(
`[SESSION AUTO-REBUILD] Server not initialized for ${sessionId}. Attempting to initialize with the current request.`,
);
// Check if the current request is an 'initialize' request
if (isInitializeRequest(req.body)) {
// If it is, we can just retry it. The transport should now be in the transports map.
@@ -529,35 +627,41 @@ export const handleMcpPostRequest = async (req: Request, res: Response): Promise
capabilities: {},
clientInfo: {
name: 'MCPHub-Client',
version: '1.0.0'
}
version: '1.0.0',
},
},
jsonrpc: '2.0',
id: `init-${sessionId}-${Date.now()}`
id: `init-${sessionId}-${Date.now()}`,
};
console.log(`[SESSION AUTO-REBUILD] Sending initialize request for ${sessionId} before handling the actual request.`);
console.log(
`[SESSION AUTO-REBUILD] Sending initialize request for ${sessionId} before handling the actual request.`,
);
try {
// Temporarily replace the body to send the initialize request
const originalBody = req.body;
req.body = initializeRequest;
await transport.handleRequest(req, res, req.body);
// Now, send the notifications/initialized
const initializedNotification = {
method: 'notifications/initialized',
jsonrpc: '2.0'
jsonrpc: '2.0',
};
req.body = initializedNotification;
await transport.handleRequest(req, res, req.body);
// Restore the original body and retry the original request
req.body = originalBody;
console.log(`[SESSION AUTO-REBUILD] Initialization complete for ${sessionId}. Retrying original request.`);
console.log(
`[SESSION AUTO-REBUILD] Initialization complete for ${sessionId}. Retrying original request.`,
);
await transport.handleRequest(req, res, req.body);
} catch (initError) {
console.error(`[SESSION AUTO-REBUILD] Failed to initialize session ${sessionId} on-the-fly:`, initError);
console.error(
`[SESSION AUTO-REBUILD] Failed to initialize session ${sessionId} on-the-fly:`,
initError,
);
// Re-throw the original error if initialization fails
throw error;
}
@@ -597,34 +701,40 @@ export const handleMcpOtherRequest = async (req: Request, res: Response) => {
}
let transportEntry = transports[sessionId];
// If session doesn't exist, attempt transparent rebuild if enabled
if (!transportEntry) {
const settings = loadSettings();
const enableSessionRebuild = settings.systemConfig?.enableSessionRebuild || false;
if (enableSessionRebuild) {
console.log(`[SESSION AUTO-REBUILD] Session ${sessionId} not found in handleMcpOtherRequest, initiating transparent rebuild`);
console.log(
`[SESSION AUTO-REBUILD] Session ${sessionId} not found in handleMcpOtherRequest, initiating transparent rebuild`,
);
try {
// Check if user context exists
if (!currentUser) {
res.status(401).send('User context not found');
return;
}
// Create session with same ID using existing function
const group = req.params.group;
const rebuiltSession = await createSessionWithId(sessionId, group, currentUser.username);
if (rebuiltSession) {
console.log(`[SESSION AUTO-REBUILD] Successfully transparently rebuilt session: ${sessionId}`);
console.log(
`[SESSION AUTO-REBUILD] Successfully transparently rebuilt session: ${sessionId}`,
);
transportEntry = transports[sessionId];
}
} catch (error) {
console.error(`[SESSION AUTO-REBUILD] Failed to rebuild session ${sessionId}:`, error);
}
} else {
console.warn(`[SESSION ERROR] Session ${sessionId} not found and session rebuild is disabled in handleMcpOtherRequest`);
console.warn(
`[SESSION ERROR] Session ${sessionId} not found and session rebuild is disabled in handleMcpOtherRequest`,
);
res.status(400).send('Invalid or missing session ID');
return;
}

439
tests/security/auth-bypass.test.ts Normal file
View File

@@ -0,0 +1,439 @@
/**
* Security tests for authentication bypass vulnerability
*
* This test suite verifies that the MCP transport endpoints properly authenticate users
* and prevent unauthorized access through user impersonation.
*
* Vulnerability description:
* - User-scoped routes (/:user/mcp/:group and /:user/sse/:group) trust the path segment
* - No validation that the caller has permission to access that user's resources
* - Bearer auth configuration (enableBearerAuth) is not properly enforced
*/
// Mock openid-client before importing services
jest.mock('openid-client', () => ({
discovery: jest.fn(),
dynamicClientRegistration: jest.fn(),
ClientSecretPost: jest.fn(() => jest.fn()),
ClientSecretBasic: jest.fn(() => jest.fn()),
None: jest.fn(() => jest.fn()),
calculatePKCECodeChallenge: jest.fn(),
randomPKCECodeVerifier: jest.fn(),
buildAuthorizationUrl: jest.fn(),
authorizationCodeGrant: jest.fn(),
refreshTokenGrant: jest.fn(),
}));
import { Server } from 'http';
import request from 'supertest';
import { AppServer } from '../../src/server.js';
import { TestServerHelper } from '../utils/testServerHelper.js';
import { createMockSettings } from '../utils/mockSettings.js';
import { cleanupAllServers } from '../../src/services/mcpService.js';
import { McpSettings, IUser } from '../../src/types/index.js';
describe('Authentication Bypass Security Tests', () => {
let _appServer: AppServer;
let httpServer: Server;
let _baseURL: string;
let testServerHelper: TestServerHelper;
// Test users defined in settings
const adminUser: IUser = {
username: 'admin',
password: 'admin123',
isAdmin: true,
};
const regularUser: IUser = {
username: 'bob',
password: 'bob123',
isAdmin: false,
};
const aliceUser: IUser = {
username: 'alice',
password: 'alice123',
isAdmin: false,
};
beforeAll(async () => {
// Create mock settings with multiple users and bearer auth enabled
const settings: McpSettings = createMockSettings({
users: [adminUser, regularUser, aliceUser],
systemConfig: {
routing: {
enableGlobalRoute: true,
enableGroupNameRoute: true,
enableBearerAuth: true,
bearerAuthKey: 'supersecret-value',
},
enableSessionRebuild: false,
},
mcpServers: {
'alice-secret': {
command: 'npx',
args: ['-y', 'time-mcp'],
env: {},
enabled: true,
keepAliveInterval: 30000,
type: 'stdio',
},
'bob-secret': {
command: 'npx',
args: ['-y', 'time-mcp'],
env: {},
enabled: true,
keepAliveInterval: 30000,
type: 'stdio',
},
},
groups: [
{
name: 'alice-private',
servers: ['alice-secret'],
description: 'Alice private group',
owner: 'alice',
},
{
name: 'bob-private',
servers: ['bob-secret'],
description: 'Bob private group',
owner: 'bob',
},
],
});
testServerHelper = new TestServerHelper();
const result = await testServerHelper.createTestServer(settings);
_appServer = result.appServer;
httpServer = result.httpServer;
_baseURL = result.baseURL;
}, 60000);
afterAll(async () => {
cleanupAllServers();
if (testServerHelper) {
await testServerHelper.closeTestServer();
} else if (httpServer) {
await new Promise<void>((resolve) => {
httpServer.close(() => resolve());
});
}
await new Promise((resolve) => setTimeout(resolve, 100));
});
describe('User-Scoped MCP Endpoint - Unauthenticated Access', () => {
it('should reject unauthenticated POST to /:user/mcp/:group (impersonation attempt)', async () => {
// Attempt to initialize MCP session as admin without authentication
const response = await request(httpServer)
.post('/admin/mcp/alice-private')
.set('Content-Type', 'application/json')
.set('Accept', 'application/json, text/event-stream')
.send({
jsonrpc: '2.0',
id: 1,
method: 'initialize',
params: {
protocolVersion: '2024-11-05',
capabilities: {},
clientInfo: {
name: 'test-client',
version: '1.0',
},
},
});
// Should reject with 401 Unauthorized
expect(response.status).toBe(401);
expect(response.body).toHaveProperty('error');
expect(response.body.error).toBe('invalid_token');
expect(response.headers['www-authenticate']).toContain('Bearer');
});
it('should reject unauthenticated POST to /:user/mcp/:group for different user', async () => {
// Attempt to impersonate bob
const response = await request(httpServer)
.post('/bob/mcp/bob-private')
.set('Content-Type', 'application/json')
.set('Accept', 'application/json')
.send({
jsonrpc: '2.0',
id: 2,
method: 'initialize',
params: {
protocolVersion: '2024-11-05',
capabilities: {},
clientInfo: {
name: 'attacker',
version: '1.0',
},
},
});
expect(response.status).toBe(401);
expect(response.body).toHaveProperty('error');
expect(response.body.error).toBe('invalid_token');
});
it('should reject unauthenticated tools/call after session creation', async () => {
// This test verifies that even if a session is somehow obtained,
// subsequent calls without auth should also be rejected
// First, try to create a session without auth (should fail)
const initResponse = await request(httpServer)
.post('/alice/mcp/alice-private')
.set('Content-Type', 'application/json')
.send({
jsonrpc: '2.0',
id: 1,
method: 'initialize',
params: {
protocolVersion: '2024-11-05',
capabilities: {},
clientInfo: { name: 'test', version: '1.0' },
},
});
expect(initResponse.status).toBe(401);
});
});
describe('User-Scoped SSE Endpoint - Unauthenticated Access', () => {
it('should reject unauthenticated GET to /:user/sse/:group', async () => {
const response = await request(httpServer)
.get('/admin/sse/alice-private')
.set('Accept', 'text/event-stream');
// Should reject with 401 Unauthorized
expect(response.status).toBe(401);
expect(response.body).toHaveProperty('error');
expect(response.body.error).toBe('invalid_token');
expect(response.headers['www-authenticate']).toContain('Bearer');
});
it('should reject unauthenticated GET to /:user/sse/:group for different user', async () => {
const response = await request(httpServer)
.get('/bob/sse/bob-private')
.set('Accept', 'text/event-stream');
expect(response.status).toBe(401);
expect(response.body).toHaveProperty('error');
});
});
describe('Bearer Auth Enforcement with enableBearerAuth=true', () => {
it('should accept valid bearer token', async () => {
const response = await request(httpServer)
.post('/admin/mcp/alice-private')
.set('Authorization', 'Bearer supersecret-value')
.set('Content-Type', 'application/json')
.send({
jsonrpc: '2.0',
id: 1,
method: 'initialize',
params: {
protocolVersion: '2024-11-05',
capabilities: {},
clientInfo: { name: 'test', version: '1.0' },
},
});
// With valid bearer token, should NOT return 401 (auth error)
// May return other errors (404, 406, etc.) depending on MCP server state
expect(response.status).not.toBe(401);
});
it('should reject invalid bearer token', async () => {
const response = await request(httpServer)
.post('/admin/mcp/alice-private')
.set('Authorization', 'Bearer wrong-token')
.set('Content-Type', 'application/json')
.send({
jsonrpc: '2.0',
id: 1,
method: 'initialize',
params: {
protocolVersion: '2024-11-05',
capabilities: {},
clientInfo: { name: 'test', version: '1.0' },
},
});
expect(response.status).toBe(401);
expect(response.body.error).toBe('invalid_token');
expect(response.body.error_description).toContain('Invalid bearer token');
});
it('should reject malformed Authorization header', async () => {
const response = await request(httpServer)
.post('/admin/mcp/alice-private')
.set('Authorization', 'InvalidFormat token')
.set('Content-Type', 'application/json')
.send({
jsonrpc: '2.0',
id: 1,
method: 'initialize',
params: {
protocolVersion: '2024-11-05',
capabilities: {},
clientInfo: { name: 'test', version: '1.0' },
},
});
expect(response.status).toBe(401);
});
it('should enforce bearer auth on SSE endpoints', async () => {
const response = await request(httpServer)
.get('/admin/sse/alice-private')
.set('Accept', 'text/event-stream');
expect(response.status).toBe(401);
expect(response.body.error).toBe('invalid_token');
});
it.skip('should accept valid bearer token on SSE endpoints (skipped - SSE keeps connection open)', async () => {
const response = await request(httpServer)
.get('/admin/sse/alice-private')
.set('Authorization', 'Bearer supersecret-value')
.set('Accept', 'text/event-stream')
.timeout(5000); // Add timeout to prevent hanging
// With valid auth, should NOT return 401 (auth error)
// SSE will return 200 and keep connection open
expect(response.status).not.toBe(401);
}, 10000); // Increase test timeout
});
describe('Global Routes - Bearer Auth Enforcement', () => {
it('should reject unauthenticated access to global MCP endpoint when bearer auth enabled', async () => {
const response = await request(httpServer)
.post('/mcp/alice-private')
.set('Content-Type', 'application/json')
.send({
jsonrpc: '2.0',
id: 1,
method: 'initialize',
params: {
protocolVersion: '2024-11-05',
capabilities: {},
clientInfo: { name: 'test', version: '1.0' },
},
});
expect(response.status).toBe(401);
});
it('should accept valid bearer token on global MCP endpoint', async () => {
const response = await request(httpServer)
.post('/mcp/alice-private')
.set('Authorization', 'Bearer supersecret-value')
.set('Content-Type', 'application/json')
.send({
jsonrpc: '2.0',
id: 1,
method: 'initialize',
params: {
protocolVersion: '2024-11-05',
capabilities: {},
clientInfo: { name: 'test', version: '1.0' },
},
});
// With valid auth, should NOT return 401 (auth error)
expect(response.status).not.toBe(401);
});
});
describe('User Messages Endpoint - Bearer Auth', () => {
it('should reject unauthenticated POST to /:user/messages', async () => {
const response = await request(httpServer)
.post('/admin/messages?sessionId=fake-session-id')
.set('Content-Type', 'application/json')
.send({
jsonrpc: '2.0',
id: 1,
method: 'tools/list',
});
expect(response.status).toBe(401);
});
it('should accept authenticated POST to /:user/messages', async () => {
// Note: This will fail due to missing session, but should pass auth check
const response = await request(httpServer)
.post('/admin/messages?sessionId=fake-session-id')
.set('Authorization', 'Bearer supersecret-value')
.set('Content-Type', 'application/json')
.send({
jsonrpc: '2.0',
id: 1,
method: 'tools/list',
});
// Should not be 401 (auth error), might be 400 or 404 (session not found)
expect(response.status).not.toBe(401);
});
});
describe('Edge Cases and Security Considerations', () => {
it('should not leak user existence through different error messages', async () => {
const existingUserResponse = await request(httpServer)
.post('/alice/mcp/alice-private')
.set('Content-Type', 'application/json')
.send({
jsonrpc: '2.0',
id: 1,
method: 'initialize',
params: {
protocolVersion: '2024-11-05',
capabilities: {},
clientInfo: { name: 'test', version: '1.0' },
},
});
const nonExistingUserResponse = await request(httpServer)
.post('/nonexistent/mcp/alice-private')
.set('Content-Type', 'application/json')
.send({
jsonrpc: '2.0',
id: 1,
method: 'initialize',
params: {
protocolVersion: '2024-11-05',
capabilities: {},
clientInfo: { name: 'test', version: '1.0' },
},
});
// Both should return same error (401) to avoid user enumeration
expect(existingUserResponse.status).toBe(nonExistingUserResponse.status);
expect(existingUserResponse.body.error).toBe(nonExistingUserResponse.body.error);
});
it('should include WWW-Authenticate header with proper challenge', async () => {
const response = await request(httpServer)
.post('/admin/mcp/alice-private')
.set('Content-Type', 'application/json')
.send({
jsonrpc: '2.0',
id: 1,
method: 'initialize',
params: {
protocolVersion: '2024-11-05',
capabilities: {},
clientInfo: { name: 'test', version: '1.0' },
},
});
expect(response.status).toBe(401);
expect(response.headers['www-authenticate']).toBeDefined();
expect(response.headers['www-authenticate']).toMatch(/^Bearer /);
expect(response.headers['www-authenticate']).toContain('error="invalid_token"');
});
});
});

305
tests/services/keepalive.test.ts Normal file
View File

@@ -0,0 +1,305 @@
// Mock openid-client before anything else
jest.mock('openid-client', () => ({
discovery: jest.fn(),
dynamicClientRegistration: jest.fn(),
ClientSecretPost: jest.fn(() => jest.fn()),
ClientSecretBasic: jest.fn(() => jest.fn()),
None: jest.fn(() => jest.fn()),
calculatePKCECodeChallenge: jest.fn(),
randomPKCECodeVerifier: jest.fn(),
buildAuthorizationUrl: jest.fn(),
authorizationCodeGrant: jest.fn(),
refreshTokenGrant: jest.fn(),
}));
// Mock dependencies BEFORE any imports that use them
jest.mock('../../src/models/OAuth.js', () => ({
OAuthModel: {
getOAuthToken: jest.fn(),
},
}));
jest.mock('../../src/db/connection.js', () => ({
getDatabase: jest.fn(),
}));
jest.mock('../../src/services/vectorSearchService.js', () => ({
VectorSearchService: jest.fn(),
}));
jest.mock('../../src/utils/oauthBearer.js', () => ({
resolveOAuthUserFromToken: jest.fn(),
}));
import { Request, Response } from 'express';
import { handleSseConnection, transports } from '../../src/services/sseService.js';
import * as mcpService from '../../src/services/mcpService.js';
import * as configModule from '../../src/config/index.js';
// Mock remaining dependencies
jest.mock('../../src/services/mcpService.js');
jest.mock('../../src/config/index.js');
// Mock UserContextService with getInstance pattern
const mockUserContextService = {
getCurrentUser: jest.fn().mockReturnValue(null),
setCurrentUser: jest.fn(),
clearCurrentUser: jest.fn(),
hasUser: jest.fn().mockReturnValue(false),
};
jest.mock('../../src/services/userContextService.js', () => ({
UserContextService: {
getInstance: jest.fn(() => mockUserContextService),
},
}));
// Mock RequestContextService with getInstance pattern
const mockRequestContextService = {
setRequestContext: jest.fn(),
clearRequestContext: jest.fn(),
getRequestContext: jest.fn(),
};
jest.mock('../../src/services/requestContextService.js', () => ({
RequestContextService: {
getInstance: jest.fn(() => mockRequestContextService),
},
}));
// Mock SSEServerTransport
const mockTransportInstance = {
sessionId: 'test-session-id',
send: jest.fn(),
onclose: null,
};
jest.mock('@modelcontextprotocol/sdk/server/sse.js', () => ({
SSEServerTransport: jest.fn().mockImplementation(() => mockTransportInstance),
}));
describe('Keepalive Functionality', () => {
let mockReq: Partial<Request>;
let mockRes: Partial<Response>;
let eventListeners: { [event: string]: (...args: any[]) => void };
let originalSetInterval: typeof setInterval;
let originalClearInterval: typeof clearInterval;
let intervals: NodeJS.Timeout[];
beforeAll(() => {
// Save original timer functions
originalSetInterval = global.setInterval;
originalClearInterval = global.clearInterval;
});
beforeEach(() => {
// Track all intervals created during the test
intervals = [];
// Mock setInterval to track created intervals
global.setInterval = jest.fn((callback: any, ms: number) => {
const interval = originalSetInterval(callback, ms);
intervals.push(interval);
return interval;
}) as any;
// Mock clearInterval to track cleanup
global.clearInterval = jest.fn((interval: NodeJS.Timeout) => {
const index = intervals.indexOf(interval);
if (index > -1) {
intervals.splice(index, 1);
}
originalClearInterval(interval);
}) as any;
eventListeners = {};
mockReq = {
params: { group: 'test-group' },
headers: {},
};
mockRes = {
on: jest.fn((event: string, callback: (...args: any[]) => void) => {
eventListeners[event] = callback;
return mockRes as Response;
}),
setHeader: jest.fn(),
writeHead: jest.fn(),
write: jest.fn(),
end: jest.fn(),
};
// Update the mock instance for each test
mockTransportInstance.sessionId = 'test-session-id';
mockTransportInstance.send = jest.fn();
mockTransportInstance.onclose = null;
// Mock getMcpServer
const mockMcpServer = {
connect: jest.fn().mockResolvedValue(undefined),
};
(mcpService.getMcpServer as jest.Mock).mockReturnValue(mockMcpServer);
// Mock loadSettings and loadOriginalSettings
const mockSettingsValue = {
systemConfig: {
routing: {
enableGlobalRoute: true,
enableGroupNameRoute: true,
enableBearerAuth: false,
bearerAuthKey: '',
},
},
mcpServers: {},
};
(configModule.loadSettings as jest.Mock).mockReturnValue(mockSettingsValue);
(configModule.loadOriginalSettings as jest.Mock).mockReturnValue(mockSettingsValue);
// Clear transports
Object.keys(transports).forEach((key) => delete transports[key]);
});
afterEach(() => {
// Clean up all intervals
intervals.forEach((interval) => originalClearInterval(interval));
intervals = [];
// Restore original timer functions
global.setInterval = originalSetInterval;
global.clearInterval = originalClearInterval;
// Clear all mocks
jest.clearAllMocks();
});
describe('SSE Connection Keepalive', () => {
it('should create a keepalive interval when establishing SSE connection', async () => {
await handleSseConnection(mockReq as Request, mockRes as Response);
// Verify setInterval was called with 30000ms (30 seconds)
expect(global.setInterval).toHaveBeenCalledWith(expect.any(Function), 30000);
});
it('should send ping messages via transport', async () => {
jest.useFakeTimers();
await handleSseConnection(mockReq as Request, mockRes as Response);
// Fast-forward time by 30 seconds
jest.advanceTimersByTime(30000);
// Verify ping was sent using mockTransportInstance
expect(mockTransportInstance.send).toHaveBeenCalledWith({
jsonrpc: '2.0',
method: 'ping',
});
jest.useRealTimers();
});
it('should send multiple pings at 30-second intervals', async () => {
jest.useFakeTimers();
await handleSseConnection(mockReq as Request, mockRes as Response);
// Fast-forward time by 90 seconds (3 intervals)
jest.advanceTimersByTime(90000);
// Verify ping was sent 3 times using mockTransportInstance
expect(mockTransportInstance.send).toHaveBeenCalledTimes(3);
expect(mockTransportInstance.send).toHaveBeenCalledWith({
jsonrpc: '2.0',
method: 'ping',
});
jest.useRealTimers();
});
it('should clear keepalive interval when connection closes', async () => {
await handleSseConnection(mockReq as Request, mockRes as Response);
// Verify interval was created
expect(global.setInterval).toHaveBeenCalled();
const intervalsBefore = intervals.length;
expect(intervalsBefore).toBeGreaterThan(0);
// Simulate connection close
if (eventListeners['close']) {
eventListeners['close']();
}
// Verify clearInterval was called
expect(global.clearInterval).toHaveBeenCalled();
expect(intervals.length).toBeLessThan(intervalsBefore);
});
it('should handle ping send errors gracefully', async () => {
jest.useFakeTimers();
await handleSseConnection(mockReq as Request, mockRes as Response);
const consoleWarnSpy = jest.spyOn(console, 'warn').mockImplementation();
// Make transport.send throw an error on the first call
let callCount = 0;
mockTransportInstance.send.mockImplementation(() => {
callCount++;
throw new Error('Connection broken');
});
// Fast-forward time by 30 seconds (first ping)
jest.advanceTimersByTime(30000);
// Verify error was logged for the first ping
expect(consoleWarnSpy).toHaveBeenCalledWith(
expect.stringContaining('Failed to send keepalive ping'),
expect.any(Error),
);
const firstCallCount = callCount;
// Fast-forward time by another 30 seconds
jest.advanceTimersByTime(30000);
// Verify no additional attempts were made after the error (interval was cleared)
expect(callCount).toBe(firstCallCount);
consoleWarnSpy.mockRestore();
jest.useRealTimers();
});
it('should not send pings after connection is closed', async () => {
jest.useFakeTimers();
await handleSseConnection(mockReq as Request, mockRes as Response);
// Close the connection
if (eventListeners['close']) {
eventListeners['close']();
}
// Reset mock to count pings after close
mockTransportInstance.send.mockClear();
// Fast-forward time by 60 seconds
jest.advanceTimersByTime(60000);
// Verify no pings were sent after close
expect(mockTransportInstance.send).not.toHaveBeenCalled();
jest.useRealTimers();
});
});
describe('StreamableHTTP Connection Keepalive', () => {
// Note: StreamableHTTP keepalive is tested indirectly through the session creation functions
// These are tested in the integration tests as they require more complex setup
it('should track keepalive intervals for multiple sessions', () => {
// This test verifies the pattern is set up correctly
const intervalCount = intervals.length;
expect(intervalCount).toBeGreaterThanOrEqual(0);
});
});
});