fast-mcp 0.1.0 → 1.1.0

data/lib/mcp/transports/rack_transport.rb

@@ -5,32 +5,37 @@ require 'securerandom'
 require 'rack'
 require_relative 'base_transport'
 
-module MCP
+module FastMcp
   module Transports
     # Rack middleware transport for MCP
     # This transport can be mounted in any Rack-compatible web framework
-    class RackTransport < BaseTransport
+    class RackTransport < BaseTransport # rubocop:disable Metrics/ClassLength
       DEFAULT_PATH_PREFIX = '/mcp'
+      DEFAULT_ALLOWED_ORIGINS = ['localhost', '127.0.0.1'].freeze
 
-      attr_reader :app, :path_prefix, :sse_clients
+      attr_reader :app, :path_prefix, :sse_clients, :messages_route, :sse_route, :allowed_origins
 
-      def initialize(server, app, options = {})
+      def initialize(app, server, options = {}, &_block)
         super(server, logger: options[:logger])
         @app = app
         @path_prefix = options[:path_prefix] || DEFAULT_PATH_PREFIX
+        @messages_route = options[:messages_route] || 'messages'
+        @sse_route = options[:sse_route] || 'sse'
+        @allowed_origins = options[:allowed_origins] || DEFAULT_ALLOWED_ORIGINS
         @sse_clients = {}
         @running = false
       end
 
       # Start the transport
       def start
-        @logger.info("Starting Rack transport with path prefix: #{@path_prefix}")
+        @logger.debug("Starting Rack transport with path prefix: #{@path_prefix}")
+        @logger.info("DNS rebinding protection enabled. Allowed origins: #{allowed_origins.join(', ')}")
         @running = true
       end
 
       # Stop the transport
       def stop
-        @logger.info('Stopping Rack transport')
+        @logger.debug('Stopping Rack transport')
         @running = false
 
         # Close all SSE connections
@@ -45,7 +50,7 @@ module MCP
       # Send a message to all connected SSE clients
       def send_message(message)
         json_message = message.is_a?(String) ? message : JSON.generate(message)
-        @logger.info("Broadcasting message to #{@sse_clients.size} SSE clients: #{json_message}")
+        @logger.debug("Broadcasting message to #{@sse_clients.size} SSE clients: #{json_message}")
 
         clients_to_remove = []
 
@@ -85,10 +90,12 @@ module MCP
       def call(env)
         request = Rack::Request.new(env)
         path = request.path
-        @logger.info("Rack request path: #{path}")
+        @logger.debug("Rack request path: #{path}")
 
         # Check if the request is for our MCP endpoints
         if path.start_with?(@path_prefix)
+          @logger.debug('Setting server transport to RackTransport')
+          @server.transport = self
           handle_mcp_request(request, env)
         else
           # Pass through to the main application
@@ -98,16 +105,83 @@ module MCP
 
       private
 
+      # Validate the Origin header to prevent DNS rebinding attacks
+      def validate_origin(request, env)
+        origin = env['HTTP_ORIGIN']
+
+        # If no origin header is present, check the referer or host
+        origin = env['HTTP_REFERER'] || request.host if origin.nil? || origin.empty?
+
+        # Extract hostname from the origin
+        hostname = extract_hostname(origin)
+
+        # If we have a hostname and allowed_origins is not empty
+        if hostname && !allowed_origins.empty?
+          @logger.info("Validating origin: #{hostname}")
+
+          # Check if the hostname matches any allowed origin
+          is_allowed = allowed_origins.any? do |allowed|
+            if allowed.is_a?(Regexp)
+              hostname.match?(allowed)
+            else
+              hostname == allowed
+            end
+          end
+
+          unless is_allowed
+            @logger.warn("Blocked request with origin: #{hostname}")
+            return false
+          end
+        end
+
+        true
+      end
+
+      # Extract hostname from a URL
+      def extract_hostname(url)
+        return nil if url.nil? || url.empty?
+
+        begin
+          # Check if the URL has a scheme, if not, add http:// as a prefix
+          has_scheme = url.match?(%r{^[a-zA-Z][a-zA-Z0-9+.-]*://})
+          parsing_url = has_scheme ? url : "http://#{url}"
+
+          uri = URI.parse(parsing_url)
+
+          # Return nil for invalid URLs where host is empty
+          return nil if uri.host.nil? || uri.host.empty?
+
+          uri.host
+        rescue URI::InvalidURIError
+          # If standard parsing fails, try to extract host with a regex for host:port format
+          url.split(':').first if url.match?(%r{^([^:/]+)(:\d+)?$})
+        end
+      end
+
       # Handle MCP-specific requests
       def handle_mcp_request(request, env)
+        # Validate Origin header to prevent DNS rebinding attacks
+        unless validate_origin(request, env)
+          return [403, { 'Content-Type' => 'application/json' },
+                  [JSON.generate(
+                    {
+                      jsonrpc: '2.0',
+                      error: {
+                        code: -32_600,
+                        message: 'Forbidden: Origin validation failed'
+                      },
+                      id: nil
+                    }
+                  )]]
+        end
+
         subpath = request.path[@path_prefix.length..]
         @logger.info("MCP request subpath: '#{subpath.inspect}'")
 
         case subpath
-        when '/sse'
+        when "/#{@sse_route}"
           handle_sse_request(request, env)
-        when '/messages'
-          @logger.info('Received message request')
+        when "/#{@messages_route}"
           handle_message_request(request)
         else
           @logger.info('Received unknown request')
@@ -270,11 +344,11 @@ module MCP
       # Handle SSE with Rack hijacking (e.g., Puma)
       def handle_rack_hijack_sse(env, headers)
         client_id = extract_client_id(env)
-        @logger.info("Setting up Rack hijack SSE connection for client #{client_id}")
+        @logger.debug("Setting up Rack hijack SSE connection for client #{client_id}")
 
         env['rack.hijack'].call
         io = env['rack.hijack_io']
-        @logger.info("Obtained hijack IO for client #{client_id}")
+        @logger.debug("Obtained hijack IO for client #{client_id}")
 
         setup_sse_connection(client_id, io, headers)
         start_keep_alive_thread(client_id, io)
@@ -286,7 +360,7 @@ module MCP
       # Set up the SSE connection
       def setup_sse_connection(client_id, io, headers)
         # Send headers
-        @logger.info("Sending HTTP headers for SSE connection #{client_id}")
+        @logger.debug("Sending HTTP headers for SSE connection #{client_id}")
         io.write("HTTP/1.1 200 OK\r\n")
         headers.each { |k, v| io.write("#{k}: #{v}\r\n") }
         io.write("\r\n")
@@ -299,8 +373,8 @@ module MCP
         io.write(": SSE connection established\n\n")
 
         # Send endpoint information as the first message
-        endpoint = "#{@path_prefix}/messages"
-        @logger.info("Sending endpoint information to client #{client_id}: #{endpoint}")
+        endpoint = "#{@path_prefix}/#{@messages_route}"
+        @logger.debug("Sending endpoint information to client #{client_id}: #{endpoint}")
         io.write("event: endpoint\ndata: #{endpoint}\n\n")
 
         # Send a retry directive with a very short reconnect time
@@ -332,6 +406,7 @@ module MCP
         ping_count = 0
         ping_interval = 1 # Send a ping every 1 second
         max_ping_count = 30 # Reset connection after 30 pings (about 30 seconds)
+        @running = true
 
         while @running && !io.closed?
           begin
@@ -357,13 +432,13 @@ module MCP
 
         # Only send actual ping events every 5 counts to reduce overhead
         if (ping_count % 5).zero?
-          @logger.info("Sending ping ##{ping_count} to SSE client #{client_id}")
+          @logger.debug("Sending ping ##{ping_count} to SSE client #{client_id}")
           send_ping_event(io)
         end
 
         # If we've reached the max ping count, force a reconnection
         if ping_count >= max_ping_count
-          @logger.info("Reached max ping count (#{max_ping_count}) for client #{client_id}, forcing reconnection")
+          @logger.debug("Reached max ping count (#{max_ping_count}) for client #{client_id}, forcing reconnection")
           send_reconnect_event(io)
         end
 
@@ -414,7 +489,7 @@ module MCP
 
       # Handle message POST request
       def handle_message_request(request)
-        @logger.info('Received message request')
+        @logger.debug('Received message request')
         return method_not_allowed_response unless request.post?
 
         begin
@@ -431,9 +506,10 @@ module MCP
         # Parse the request body
         body = request.body.read
 
-        response = process_message(body)
+        response = process_message(body) || ''
         @logger.info("Response: #{response}")
-        [200, { 'Content-Type' => 'application/json' }, [response]]
+
+        [200, { 'Content-Type' => 'application/json' }, response]
       end
 
       # Return a method not allowed error response

data/lib/mcp/transports/stdio_transport.rb

@@ -2,7 +2,7 @@
 
 require_relative 'base_transport'
 
-module MCP
+module FastMcp
   module Transports
     # STDIO transport for MCP
     # This transport uses standard input/output for communication

data/lib/mcp/version.rb

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 
-# Version information
-module FastMCP
-  VERSION = '0.1.0'
+module FastMcp
+  VERSION = '1.1.0'
 end

metadata

@@ -1,15 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: fast-mcp
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 1.1.0
 platform: ruby
 authors:
 - Yorick Jacquin
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2025-03-23 00:00:00.000000000 Z
+date: 2025-04-13 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: base64
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: dry-schema
   requirement: !ruby/object:Gem::Requirement
@@ -64,7 +78,14 @@ files:
 - LICENSE
 - README.md
 - lib/fast_mcp.rb
+- lib/generators/fast_mcp/install/install_generator.rb
+- lib/generators/fast_mcp/install/templates/application_resource.rb
+- lib/generators/fast_mcp/install/templates/application_tool.rb
+- lib/generators/fast_mcp/install/templates/fast_mcp_initializer.rb
+- lib/generators/fast_mcp/install/templates/sample_resource.rb
+- lib/generators/fast_mcp/install/templates/sample_tool.rb
 - lib/mcp/logger.rb
+- lib/mcp/railtie.rb
 - lib/mcp/resource.rb
 - lib/mcp/server.rb
 - lib/mcp/tool.rb
@@ -80,6 +101,7 @@ metadata:
   homepage_uri: https://github.com/yjacquin/fast_mcp
   source_code_uri: https://github.com/yjacquin/fast_mcp
   changelog_uri: https://github.com/yjacquin/fast_mcp/blob/main/CHANGELOG.md
+  rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []
 require_paths: