fast-mcp 1.1.0 → 1.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: dde8305abcf47ffc314fc95df26467f737957e1b97eecae8c2c4a88b34c76017
-  data.tar.gz: 22715faf289cd3f45090480f59585220c3bb904b2a15c9669c5b93700a85e104
+  metadata.gz: 688719b076ec2db4860e3e8a0d40d5417b485cdafbaebb777975d680600c1b9b
+  data.tar.gz: e367624636eecd848a48fd89eff2fd0860b7b1468287d63da77e529d76e96f6f
 SHA512:
-  metadata.gz: eacade9a05c17a5032bbe2ed13e68bf094e7d018f272163a70f2457971c60ed79672488ab177fe3926dc9aa51cbf738ed2e3ba70bd9ab4c309599e593659ab97
-  data.tar.gz: 390cb3617e29219da28df5c49ff7da06c36b09d341068b5bc4c20883b64dd61f33c67e0542e03f368bf686129f1338ea5af3157bac28439c824520095250adfd
+  metadata.gz: c861b5abf1a982e435b5954075ebaeeece64559a79bae67e36a7d91313a05eba45d5bd61924b87eddc2f6a12f63e69187e3821c4856329e0b2f48b68834bec0f
+  data.tar.gz: 53b8d45da7985600f6b4bb8c131159c769c7458ad2b94471cbfbcd8497154f21c50061fba8a6ac3768bb54c21375035d3fd9f18bc79c008504e54e087017553e

data/CHANGELOG.md

@@ -5,6 +5,21 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.3.0] - 2025-04-28
+### Added
+- Added automatic forwarding of query params from to the messages endpoint [@yjacquin](https://github.com/yjacquin/fast-mcp/commit/011d968ac982d0b0084f7753dcac5789f66339ee)
+
+### Fixed
+- Declare rack as an explicit dependency [#49 @subelsky](https://github.com/yjacquin/fast-mcp/pull/49)
+- Fix notifications/initialized response [#51 @yjacquin](https://github.com/yjacquin/fast-mcp/pull/51)
+
+## [1.2.0] - 2025-04-21
+### Added
+- Security enhancement: Bing only to localhost by default [#44 @yjacquin](https://github.com/yjacquin/fast-mcp/pull/44)
+- Prevent AuthenticatedRackMiddleware from blocking other rails routes[#35 @JulianPasquale](https://github.com/yjacquin/fast-mcp/pull/35)
+- Stop Forcing reconnections after 30 pings [#42 @zoedsoupe](https://github.com/yjacquin/fast-mcp/pull/42)
+
+
 ## [1.1.0] - 2025-04-13
 ### Added
 - Security enhancement: Added DNS rebinding protection by validating Origin headers [#32 @yjacquin](https://github.com/yjacquin/fast-mcp/pull/32/files)
@@ -60,5 +75,5 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Resource management with subscription capabilities
 - Binary resource support
 - Examples with STDIO Transport, HTTP & SSE, Rack app
-- Initialize lifecycle with capabilities 
+- Initialize lifecycle with capabilities
 - Comprehensive test suite with RSpec

data/README.md

@@ -103,6 +103,9 @@ FastMcp.mount_in_rails(
   sse_route: 'sse', # This is the default route for the SSE endpoint
   # Add allowed origins below, it defaults to Rails.application.config.hosts
   # allowed_origins: ['localhost', '127.0.0.1', 'example.com', /.*\.example\.com/],
+  # localhost_only: true, # Set to false to allow connections from other hosts
+  # whitelist specific ips to if you want to run on localhost and allow connections from other IPs
+  # allowed_ips: ['127.0.0.1', '::1']
   # authenticate: true,       # Uncomment to enable authentication
   # auth_token: 'your-token' # Required if authenticate: true
 ) do |server|
@@ -320,8 +323,10 @@ The HTTP/SSE transport validates the Origin header on all incoming connections t
 
 ```ruby
 # Configure allowed origins (defaults to ['localhost', '127.0.0.1'])
-FastMcp.rack_middleware(app, 
+FastMcp.rack_middleware(app,
   allowed_origins: ['localhost', '127.0.0.1', 'your-domain.com', /.*\.your-domain\.com/],
+  localhost_only: false,
+  allowed_ips: ['192.168.1.1', '10.0.0.1'],
   # other options...
 )
 ```

data/lib/fast_mcp.rb

@@ -141,7 +141,10 @@ module FastMcp
     sse_route = options.delete(:sse_route) || 'sse'
     authenticate = options.delete(:authenticate) || false
     allowed_origins = options[:allowed_origins] || default_rails_allowed_origins(app)
+    allowed_ips = options[:allowed_ips] || FastMcp::Transports::RackTransport::DEFAULT_ALLOWED_IPS
 
+    options[:localhost_only] = Rails.env.local? if options[:localhost_only].nil?
+    options[:allowed_ips] = allowed_ips
     options[:logger] = logger
     options[:allowed_origins] = allowed_origins
 

data/lib/generators/fast_mcp/install/templates/fast_mcp_initializer.rb

@@ -22,7 +22,10 @@ FastMcp.mount_in_rails(
   messages_route: 'messages', # This is the default route for the messages endpoint
   sse_route: 'sse' # This is the default route for the SSE endpoint
   # Add allowed origins below, it defaults to Rails.application.config.hosts
-  # allowed_origins: ['localhost', '127.0.0.1', 'example.com', /.*\.example\.com/],
+  # allowed_origins: ['localhost', '127.0.0.1', '[::1]', 'example.com', /.*\.example\.com/],
+  # localhost_only: true, # Set to false to allow connections from other hosts
+  # whitelist specific ips to if you want to run on localhost and allow connections from other IPs
+  # allowed_ips: ['127.0.0.1', '::1']
   # authenticate: true,       # Uncomment to enable authentication
   # auth_token: 'your-token', # Required if authenticate: true
 ) do |server|

data/lib/mcp/server.rb

@@ -275,7 +275,7 @@ module FastMcp
       @client_initialized = true
       @logger.info('Client initialized, beginning normal operation')
 
-      send_result({}, nil)
+      nil
     end
 
     # Handle tools/list request

data/lib/mcp/transports/authenticated_rack_transport.rb

@@ -14,9 +14,7 @@ module FastMcp
         @auth_enabled = !@auth_token.nil?
       end
 
-      def call(env)
-        request = Rack::Request.new(env)
-
+      def handle_mcp_request(request, env)
         if auth_enabled? && !exempt_from_auth?(request.path)
           auth_header = request.env["HTTP_#{@auth_header_name.upcase.gsub('-', '_')}"]
           token = auth_header&.gsub('Bearer ', '')
@@ -42,6 +40,7 @@ module FastMcp
       end
 
       def unauthorized_response(request)
+        @logger.error('Unauthorized request: Invalid or missing authentication token')
         body = JSON.generate(
           {
             jsonrpc: '2.0',

data/lib/mcp/transports/rack_transport.rb

@@ -11,9 +11,25 @@ module FastMcp
     # This transport can be mounted in any Rack-compatible web framework
     class RackTransport < BaseTransport # rubocop:disable Metrics/ClassLength
       DEFAULT_PATH_PREFIX = '/mcp'
-      DEFAULT_ALLOWED_ORIGINS = ['localhost', '127.0.0.1'].freeze
-
-      attr_reader :app, :path_prefix, :sse_clients, :messages_route, :sse_route, :allowed_origins
+      DEFAULT_ALLOWED_ORIGINS = ['localhost', '127.0.0.1', '[::1]'].freeze
+      DEFAULT_ALLOWED_IPS = ['127.0.0.1', '::1'].freeze
+
+      SSE_HEADERS = {
+        'Content-Type' => 'text/event-stream',
+        'Cache-Control' => 'no-cache, no-store, must-revalidate',
+        'Connection' => 'keep-alive',
+        'X-Accel-Buffering' => 'no', # For Nginx
+        'Access-Control-Allow-Origin' => '*', # Allow CORS
+        'Access-Control-Allow-Methods' => 'GET, OPTIONS',
+        'Access-Control-Allow-Headers' => 'Content-Type',
+        'Access-Control-Max-Age' => '86400', # 24 hours
+        'Keep-Alive' => 'timeout=600', # 10 minutes timeout
+        'Pragma' => 'no-cache',
+        'Expires' => '0'
+      }.freeze
+
+      attr_reader :app, :path_prefix, :sse_clients, :messages_route, :sse_route, :allowed_origins, :localhost_only,
+                  :allowed_ips
 
       def initialize(app, server, options = {}, &_block)
         super(server, logger: options[:logger])
@@ -22,6 +38,8 @@ module FastMcp
         @messages_route = options[:messages_route] || 'messages'
         @sse_route = options[:sse_route] || 'sse'
         @allowed_origins = options[:allowed_origins] || DEFAULT_ALLOWED_ORIGINS
+        @localhost_only = options.fetch(:localhost_only, true) # Default to localhost-only mode
+        @allowed_ips = options[:allowed_ips] || DEFAULT_ALLOWED_IPS
         @sse_clients = {}
         @running = false
       end
@@ -105,6 +123,18 @@ module FastMcp
 
       private
 
+      def validate_client_ip(request)
+        client_ip = request.ip
+
+        # Check if we're in localhost-only mode
+        if @localhost_only && !@allowed_ips.include?(client_ip)
+          @logger.warn("Blocked connection from non-localhost IP: #{client_ip}")
+          return false
+        end
+
+        true
+      end
+
       # Validate the Origin header to prevent DNS rebinding attacks
       def validate_origin(request, env)
         origin = env['HTTP_ORIGIN']
@@ -117,7 +147,7 @@ module FastMcp
 
         # If we have a hostname and allowed_origins is not empty
         if hostname && !allowed_origins.empty?
-          @logger.info("Validating origin: #{hostname}")
+          @logger.debug("Validating origin: #{hostname}")
 
           # Check if the hostname matches any allowed origin
           is_allowed = allowed_origins.any? do |allowed|
@@ -160,20 +190,11 @@ module FastMcp
 
       # Handle MCP-specific requests
       def handle_mcp_request(request, env)
+        # Validate client IP to ensure it's connecting from allowed sources
+        return forbidden_response('Forbidden: Remote IP not allowed') unless validate_client_ip(request)
+
         # Validate Origin header to prevent DNS rebinding attacks
-        unless validate_origin(request, env)
-          return [403, { 'Content-Type' => 'application/json' },
-                  [JSON.generate(
-                    {
-                      jsonrpc: '2.0',
-                      error: {
-                        code: -32_600,
-                        message: 'Forbidden: Origin validation failed'
-                      },
-                      id: nil
-                    }
-                  )]]
-        end
+        return forbidden_response('Forbidden: Origin validation failed') unless validate_origin(request, env)
 
         subpath = request.path[@path_prefix.length..]
         @logger.info("MCP request subpath: '#{subpath.inspect}'")
@@ -190,6 +211,20 @@ module FastMcp
         end
       end
 
+      def forbidden_response(message)
+        [403, { 'Content-Type' => 'application/json' },
+         [JSON.generate(
+           {
+             jsonrpc: '2.0',
+             error: {
+               code: -32_600,
+               message: message
+             },
+             id: nil
+           }
+         )]]
+      end
+
       # Return a 404 endpoint not found response
       def endpoint_not_found_response
         [404, { 'Content-Type' => 'application/json' },
@@ -212,24 +247,21 @@ module FastMcp
 
         return method_not_allowed_response unless request.get?
 
-        # Set up SSE headers
-        headers = setup_sse_headers
-
         # Handle streaming based on the framework
-        handle_streaming(env, headers)
+        handle_streaming(env)
       end
 
       # Handle streaming based on the framework
-      def handle_streaming(env, headers)
+      def handle_streaming(env)
         @logger.info("Handling streaming for env: #{env['HTTP_USER_AGENT']}")
         if env['rack.hijack']
           # Rack hijacking (e.g., Puma)
           @logger.info('Handling rack hijack SSE')
-          handle_rack_hijack_sse(env, headers)
+          handle_rack_hijack_sse(env)
         elsif rails_live_streaming?(env)
           # Rails ActionController::Live
           @logger.info('Handling rails live streaming SSE')
-          handle_rails_sse(env, headers)
+          handle_rails_sse(env)
         else
           # Fallback for servers that don't support streaming
           @logger.info('Falling back to default SSE')
@@ -244,23 +276,6 @@ module FastMcp
           env['action_controller.instance'].response.respond_to?(:stream)
       end
 
-      # Set up headers for SSE connection
-      def setup_sse_headers
-        {
-          'Content-Type' => 'text/event-stream',
-          'Cache-Control' => 'no-cache, no-store, must-revalidate',
-          'Connection' => 'keep-alive',
-          'X-Accel-Buffering' => 'no', # For Nginx
-          'Access-Control-Allow-Origin' => '*', # Allow CORS
-          'Access-Control-Allow-Methods' => 'GET, OPTIONS',
-          'Access-Control-Allow-Headers' => 'Content-Type',
-          'Access-Control-Max-Age' => '86400', # 24 hours
-          'Keep-Alive' => 'timeout=600', # 10 minutes timeout
-          'Pragma' => 'no-cache',
-          'Expires' => '0'
-        }
-      end
-
       # Set up CORS headers for preflight requests
       def setup_cors_headers
         {
@@ -286,9 +301,6 @@ module FastMcp
         browser_type = detect_browser_type(user_agent)
         @logger.info("Client connection from: #{user_agent} (#{browser_type})")
 
-        # Handle MCP inspector with fixed client ID
-        @logger.info("MCP Inspector detected, using fixed client ID: #{client_id}") if mcp_inspector?(user_agent, env)
-
         # Handle reconnection
         if client_id && @sse_clients.key?(client_id)
           handle_client_reconnection(client_id, browser_type)
@@ -321,11 +333,6 @@ module FastMcp
         end
       end
 
-      # Check if client is MCP inspector
-      def mcp_inspector?(user_agent, env)
-        user_agent.include?('mcp-inspector') || (env['mcp.client_name'] == 'mcp-inspector')
-      end
-
       # Handle client reconnection
       def handle_client_reconnection(client_id, browser_type)
         @logger.info("Client #{client_id} is reconnecting (#{browser_type})")
@@ -342,7 +349,7 @@ module FastMcp
       end
 
       # Handle SSE with Rack hijacking (e.g., Puma)
-      def handle_rack_hijack_sse(env, headers)
+      def handle_rack_hijack_sse(env)
         client_id = extract_client_id(env)
         @logger.debug("Setting up Rack hijack SSE connection for client #{client_id}")
 
@@ -350,7 +357,7 @@ module FastMcp
         io = env['rack.hijack_io']
         @logger.debug("Obtained hijack IO for client #{client_id}")
 
-        setup_sse_connection(client_id, io, headers)
+        setup_sse_connection(client_id, io, env)
         start_keep_alive_thread(client_id, io)
 
         # Return async response
@@ -358,11 +365,11 @@ module FastMcp
       end
 
       # Set up the SSE connection
-      def setup_sse_connection(client_id, io, headers)
+      def setup_sse_connection(client_id, io, env)
         # Send headers
         @logger.debug("Sending HTTP headers for SSE connection #{client_id}")
         io.write("HTTP/1.1 200 OK\r\n")
-        headers.each { |k, v| io.write("#{k}: #{v}\r\n") }
+        SSE_HEADERS.each { |k, v| io.write("#{k}: #{v}\r\n") }
         io.write("\r\n")
         io.flush
 
@@ -372,8 +379,12 @@ module FastMcp
         # Send an initial comment to keep the connection alive
         io.write(": SSE connection established\n\n")
 
-        # Send endpoint information as the first message
+        # Extract query parameters from the request
+        query_string = env['QUERY_STRING']
+
+        # Send endpoint information as the first message with query parameters
         endpoint = "#{@path_prefix}/#{@messages_route}"
+        endpoint += "?#{query_string}" if query_string
         @logger.debug("Sending endpoint information to client #{client_id}: #{endpoint}")
         io.write("event: endpoint\ndata: #{endpoint}\n\n")
 
@@ -405,13 +416,11 @@ module FastMcp
         @logger.info("Starting keep-alive loop for SSE connection #{client_id}")
         ping_count = 0
         ping_interval = 1 # Send a ping every 1 second
-        max_ping_count = 30 # Reset connection after 30 pings (about 30 seconds)
         @running = true
 
         while @running && !io.closed?
           begin
-            ping_count = send_keep_alive_ping(io, client_id, ping_count, max_ping_count)
-            break if ping_count >= max_ping_count
+            ping_count = send_keep_alive_ping(io, client_id, ping_count)
 
             sleep ping_interval
           rescue Errno::EPIPE, IOError => e
@@ -423,7 +432,7 @@ module FastMcp
       end
 
       # Send a keep-alive ping and return the updated ping count
-      def send_keep_alive_ping(io, client_id, ping_count, max_ping_count)
+      def send_keep_alive_ping(io, client_id, ping_count)
         ping_count += 1
 
         # Send a comment before each ping to keep the connection alive
@@ -436,12 +445,6 @@ module FastMcp
           send_ping_event(io)
         end
 
-        # If we've reached the max ping count, force a reconnection
-        if ping_count >= max_ping_count
-          @logger.debug("Reached max ping count (#{max_ping_count}) for client #{client_id}, forcing reconnection")
-          send_reconnect_event(io)
-        end
-
         ping_count
       end
 
@@ -450,18 +453,12 @@ module FastMcp
         ping_message = {
           jsonrpc: '2.0',
           method: 'ping',
-          id: SecureRandom.uuid
+          id: rand(1_000_000)
         }
         io.write("event: ping\ndata: #{JSON.generate(ping_message)}\n\n")
         io.flush
       end
 
-      # Send a reconnect event
-      def send_reconnect_event(io)
-        io.write("event: reconnect\ndata: {\"reason\":\"timeout prevention\"}\n\n")
-        io.flush
-      end
-
       # Clean up SSE connection
       def cleanup_sse_connection(client_id, io)
         @logger.info("Cleaning up SSE connection for client #{client_id}")
@@ -475,7 +472,7 @@ module FastMcp
       end
 
       # Handle SSE with Rails ActionController::Live
-      def handle_rails_sse(env, headers)
+      def handle_rails_sse(env)
         client_id = extract_client_id(env)
         controller = env['action_controller.instance']
         stream = controller.response.stream
@@ -484,7 +481,7 @@ module FastMcp
         register_sse_client(client_id, stream)
 
         # The controller will handle the streaming
-        [200, headers, []]
+        [200, SSE_HEADERS, []]
       end
 
       # Handle message POST request

data/lib/mcp/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module FastMcp
-  VERSION = '1.1.0'
+  VERSION = '1.3.0'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: fast-mcp
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 1.3.0
 platform: ruby
 authors:
 - Yorick Jacquin
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2025-04-13 00:00:00.000000000 Z
+date: 2025-04-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: base64
@@ -66,6 +66,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.4'
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.1'
 description: A flexible and powerful implementation of the MCP with multiple approaches
   for defining tools.
 email: