vector_mcp 0.3.2 → 0.3.4

data/lib/vector_mcp/security/strategies/api_key.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require "openssl"
+
 module VectorMCP
   module Security
     module Strategies
@@ -10,8 +12,10 @@ module VectorMCP
 
         # Initialize with a list of valid API keys
         # @param keys [Array<String>] array of valid API keys
-        def initialize(keys: [])
+        # @param allow_query_params [Boolean] whether to accept API keys from query parameters (default: false)
+        def initialize(keys: [], allow_query_params: false)
           @valid_keys = Set.new(keys.map(&:to_s))
+          @allow_query_params = allow_query_params
         end
 
         # Add a valid API key
@@ -33,7 +37,7 @@ module VectorMCP
           api_key = extract_api_key(request)
           return false unless api_key&.length&.positive?
 
-          if @valid_keys.include?(api_key)
+          if secure_key_match?(api_key)
             {
               api_key: api_key,
               strategy: "api_key",
@@ -58,14 +62,33 @@ module VectorMCP
 
         private
 
+        # Constant-time comparison of API key against all valid keys.
+        # Iterates all keys to prevent timing side-channels.
+        # @param candidate [String] the API key to check
+        # @return [Boolean] true if the candidate matches a valid key
+        def secure_key_match?(candidate)
+          matched = false
+          @valid_keys.each do |valid_key|
+            next unless candidate.bytesize == valid_key.bytesize
+
+            matched = true if OpenSSL.fixed_length_secure_compare(candidate, valid_key)
+          end
+          matched
+        end
+
         # Extract API key from various request formats
         # @param request [Hash] the request object
         # @return [String, nil] the extracted API key
         def extract_api_key(request)
           headers = normalize_headers(request)
-          params = normalize_params(request)
 
-          extract_from_headers(headers) || extract_from_params(params)
+          from_headers = extract_from_headers(headers)
+          return from_headers if from_headers
+
+          return nil unless @allow_query_params
+
+          params = normalize_params(request)
+          extract_from_params(params)
         end
 
         # Normalize headers to handle different formats
@@ -96,36 +119,14 @@ module VectorMCP
         # @param env [Hash] the Rack environment
         # @return [Hash] normalized headers
         def extract_headers_from_rack_env(env)
-          headers = {}
-          env.each do |key, value|
-            next unless key.start_with?("HTTP_")
-
-            # Convert HTTP_X_API_KEY to X-API-Key format
-            header_name = key[5..].split("_").map do |part|
-              case part.upcase
-              when "API" then "API" # Keep API in all caps
-              else part.capitalize
-              end
-            end.join("-")
-            headers[header_name] = value
-          end
-
-          # Add special headers
-          headers["Authorization"] = env["HTTP_AUTHORIZATION"] if env["HTTP_AUTHORIZATION"]
-          headers["Content-Type"] = env["CONTENT_TYPE"] if env["CONTENT_TYPE"]
-          headers
+          VectorMCP::Util.extract_headers_from_rack_env(env)
         end
 
         # Extract params from Rack environment
         # @param env [Hash] the Rack environment
         # @return [Hash] normalized params
         def extract_params_from_rack_env(env)
-          params = {}
-          if env["QUERY_STRING"]
-            require "uri"
-            params = URI.decode_www_form(env["QUERY_STRING"]).to_h
-          end
-          params
+          VectorMCP::Util.extract_params_from_rack_env(env)
         end
 
         # Extract API key from headers

data/lib/vector_mcp/security/strategies/jwt_token.rb

@@ -17,12 +17,14 @@ module VectorMCP
         # Initialize JWT strategy
         # @param secret [String] the secret key for JWT verification
         # @param algorithm [String] the JWT algorithm (default: HS256)
+        # @param allow_query_params [Boolean] whether to accept JWT tokens from query parameters (default: false)
         # @param options [Hash] additional JWT verification options
-        def initialize(secret:, algorithm: "HS256", **options)
+        def initialize(secret:, algorithm: "HS256", allow_query_params: false, **options)
           raise LoadError, "JWT gem is required for JWT authentication strategy" unless defined?(JWT)
 
           @secret = secret
           @algorithm = algorithm
+          @allow_query_params = allow_query_params
           @options = {
             algorithm: @algorithm,
             verify_expiration: true,
@@ -82,11 +84,14 @@ module VectorMCP
         # @return [String, nil] the extracted token
         def extract_token(request)
           headers = request[:headers] || request["headers"] || {}
-          params = request[:params] || request["params"] || {}
 
-          extract_from_auth_header(headers) ||
-            extract_from_jwt_header(headers) ||
-            extract_from_params(params)
+          from_headers = extract_from_auth_header(headers) || extract_from_jwt_header(headers)
+          return from_headers if from_headers
+
+          return nil unless @allow_query_params
+
+          params = request[:params] || request["params"] || {}
+          extract_from_params(params)
         end
 
         # Extract token from Authorization header

data/lib/vector_mcp/server/capabilities.rb

@@ -34,7 +34,6 @@ module VectorMCP
       # @return [void]
       def clear_prompts_list_changed
         @prompts_list_changed = false
-        logger.debug("Prompts listChanged flag cleared.")
       end
 
       # Notifies connected clients that the list of available prompts has changed.
@@ -45,10 +44,10 @@ module VectorMCP
         notification_method = "notifications/prompts/list_changed"
         begin
           if transport.respond_to?(:broadcast_notification)
-            logger.info("Broadcasting prompts list changed notification.")
+            logger.debug("Broadcasting prompts list changed notification.")
             transport.broadcast_notification(notification_method)
           elsif transport.respond_to?(:send_notification)
-            logger.info("Sending prompts list changed notification (transport may broadcast or send to first client).")
+            logger.debug("Sending prompts list changed notification (transport may broadcast or send to first client).")
             transport.send_notification(notification_method)
           else
             logger.warn("Transport does not support sending notifications/prompts/list_changed.")
@@ -62,7 +61,6 @@ module VectorMCP
       # @return [void]
       def clear_roots_list_changed
         @roots_list_changed = false
-        logger.debug("Roots listChanged flag cleared.")
       end
 
       # Notifies connected clients that the list of available roots has changed.
@@ -73,10 +71,10 @@ module VectorMCP
         notification_method = "notifications/roots/list_changed"
         begin
           if transport.respond_to?(:broadcast_notification)
-            logger.info("Broadcasting roots list changed notification.")
+            logger.debug("Broadcasting roots list changed notification.")
             transport.broadcast_notification(notification_method)
           elsif transport.respond_to?(:send_notification)
-            logger.info("Sending roots list changed notification (transport may broadcast or send to first client).")
+            logger.debug("Sending roots list changed notification (transport may broadcast or send to first client).")
             transport.send_notification(notification_method)
           else
             logger.warn("Transport does not support sending notifications/roots/list_changed.")
@@ -90,7 +88,7 @@ module VectorMCP
       # @api private
       def subscribe_prompts(session)
         @prompt_subscribers << session unless @prompt_subscribers.include?(session)
-        logger.debug("Session subscribed to prompt list changes: #{session.object_id}")
+        # Session subscribed to prompt list changes
       end
 
       private

data/lib/vector_mcp/server/message_handling.rb

@@ -21,10 +21,10 @@ module VectorMCP
         params = message["params"] || {}
 
         if id && method # Request
-          logger.info("[#{session_id}] Request [#{id}]: #{method} with params: #{params.inspect}")
+          logger.debug("[#{session_id}] Request [#{id}]: #{method} with params: #{VectorMCP::LogFilter.filter_hash(params).inspect}")
           handle_request(id, method, params, session)
         elsif method # Notification
-          logger.info("[#{session_id}] Notification: #{method} with params: #{params.inspect}")
+          logger.debug("[#{session_id}] Notification: #{method} with params: #{VectorMCP::LogFilter.filter_hash(params).inspect}")
           handle_notification(method, params, session)
           nil # Notifications do not have a return value to send back to client
         elsif id # Invalid: Has ID but no method
@@ -74,7 +74,9 @@ module VectorMCP
       # Validates that the session is properly initialized for the given request.
       # @api private
       def validate_session_initialization(id, method, _params, session)
-        return if session.initialized?
+        # Handle both direct VectorMCP::Session and BaseSessionManager::Session wrapper
+        actual_session = session.respond_to?(:context) ? session.context : session
+        return if actual_session.initialized?
 
         # Allow "initialize" even if not marked initialized yet by server
         return if method == "initialize"
@@ -113,7 +115,9 @@ module VectorMCP
       # Internal handler for JSON-RPC notifications.
       # @api private
       def handle_notification(method, params, session)
-        unless session.initialized? || method == "initialized"
+        # Handle both direct VectorMCP::Session and BaseSessionManager::Session wrapper
+        actual_session = session.respond_to?(:context) ? session.context : session
+        unless actual_session.initialized? || method == "initialized"
           logger.warn("Ignoring notification '#{method}' before session is initialized. Params: #{params.inspect}")
           return
         end
@@ -158,7 +162,9 @@ module VectorMCP
       # @api private
       def session_method(method_name)
         lambda do |params, session, _server|
-          session.public_send(method_name, params)
+          # Handle both direct VectorMCP::Session and BaseSessionManager::Session wrapper
+          actual_session = session.respond_to?(:context) ? session.context : session
+          actual_session.public_send(method_name, params)
         end
       end
     end

data/lib/vector_mcp/server.rb

@@ -134,11 +134,12 @@ module VectorMCP
 
     # Runs the server using the specified transport mechanism.
     #
-    # @param transport [:stdio, :sse, VectorMCP::Transport::Base] The transport to use.
-    #   Can be a symbol (`:stdio`, `:sse`) or an initialized transport instance.
+    # @param transport [:stdio, :sse, :http_stream, VectorMCP::Transport::Base] The transport to use.
+    #   Can be a symbol (`:stdio`, `:sse`, `:http_stream`) or an initialized transport instance.
     #   If a symbol is provided, the method will instantiate the corresponding transport class.
-    #   If `:sse` is chosen, it uses Puma as the HTTP server.
-    # @param options [Hash] Transport-specific options (e.g., `:host`, `:port` for SSE).
+    #   If `:sse` is chosen, it uses Puma as the HTTP server (deprecated).
+    #   If `:http_stream` is chosen, it uses the MCP-compliant streamable HTTP transport.
+    # @param options [Hash] Transport-specific options (e.g., `:host`, `:port` for HTTP transports).
     #   These are passed to the transport's constructor if a symbol is provided for `transport`.
     # @return [void]
     # @raise [ArgumentError] if an unsupported transport symbol is given.
@@ -150,11 +151,20 @@ module VectorMCP
                          when :sse
                            begin
                              require_relative "transport/sse"
+                             logger.warn("SSE transport is deprecated. Please use :http_stream instead.")
                              VectorMCP::Transport::SSE.new(self, **options)
                            rescue LoadError => e
                              logger.fatal("SSE transport requires additional dependencies.")
                              raise NotImplementedError, "SSE transport dependencies not available: #{e.message}"
                            end
+                         when :http_stream
+                           begin
+                             require_relative "transport/http_stream"
+                             VectorMCP::Transport::HttpStream.new(self, **options)
+                           rescue LoadError => e
+                             logger.fatal("HttpStream transport requires additional dependencies.")
+                             raise NotImplementedError, "HttpStream transport dependencies not available: #{e.message}"
+                           end
                          when VectorMCP::Transport::Base # Allow passing an initialized transport instance
                            transport.server = self if transport.respond_to?(:server=) && transport.server.nil? # Ensure server is set
                            transport
@@ -180,7 +190,7 @@ module VectorMCP
 
       case strategy
       when :api_key
-        add_api_key_auth(options[:keys] || [])
+        add_api_key_auth(options[:keys] || [], allow_query_params: options[:allow_query_params] || false)
       when :jwt
         add_jwt_auth(options)
       when :custom
@@ -277,14 +287,14 @@ module VectorMCP
     #   server.use_middleware(LoggingMiddleware, :after_tool_call, conditions: { only_operations: ['important_tool'] })
     def use_middleware(middleware_class, hooks, priority: Middleware::Hook::DEFAULT_PRIORITY, conditions: {})
       @middleware_manager.register(middleware_class, hooks, priority: priority, conditions: conditions)
-      @logger.info("Registered middleware: #{middleware_class.name}")
+      @logger.debug("Registered middleware: #{middleware_class.name}")
     end
 
     # Remove all middleware hooks for a specific class
     # @param middleware_class [Class] Middleware class to remove
     def remove_middleware(middleware_class)
       @middleware_manager.unregister(middleware_class)
-      @logger.info("Removed middleware: #{middleware_class.name}")
+      @logger.debug("Removed middleware: #{middleware_class.name}")
     end
 
     # Get middleware statistics
@@ -296,16 +306,17 @@ module VectorMCP
     # Clear all middleware (useful for testing)
     def clear_middleware!
       @middleware_manager.clear!
-      @logger.info("Cleared all middleware")
+      @logger.debug("Cleared all middleware")
     end
 
     private
 
     # Add API key authentication strategy
     # @param keys [Array<String>] array of valid API keys
+    # @param allow_query_params [Boolean] whether to accept API keys from query parameters
     # @return [void]
-    def add_api_key_auth(keys)
-      strategy = Security::Strategies::ApiKey.new(keys: keys)
+    def add_api_key_auth(keys, allow_query_params: false)
+      strategy = Security::Strategies::ApiKey.new(keys: keys, allow_query_params: allow_query_params)
       @auth_manager.add_strategy(:api_key, strategy)
     end
 

data/lib/vector_mcp/session.rb

@@ -3,6 +3,7 @@
 require_relative "sampling/request"
 require_relative "sampling/result"
 require_relative "errors"
+require_relative "request_context"
 
 module VectorMCP
   # Represents the state of a single client-server connection session in MCP.
@@ -13,8 +14,9 @@ module VectorMCP
   # @attr_reader protocol_version [String] The MCP protocol version used by the server.
   # @attr_reader client_info [Hash, nil] Information about the client, received during initialization.
   # @attr_reader client_capabilities [Hash, nil] Capabilities supported by the client, received during initialization.
+  # @attr_reader request_context [RequestContext] The request context for this session.
   class Session
-    attr_reader :server_info, :server_capabilities, :protocol_version, :client_info, :client_capabilities, :server, :transport, :id
+    attr_reader :server_info, :server_capabilities, :protocol_version, :client_info, :client_capabilities, :server, :transport, :id, :request_context
     attr_accessor :data # For user-defined session-specific storage
 
     # Initializes a new session.
@@ -22,7 +24,8 @@ module VectorMCP
     # @param server [VectorMCP::Server] The server instance managing this session.
     # @param transport [VectorMCP::Transport::Base, nil] The transport handling this session. Required for sampling.
     # @param id [String] A unique identifier for this session (e.g., from transport layer).
-    def initialize(server, transport = nil, id: SecureRandom.uuid)
+    # @param request_context [RequestContext, Hash, nil] The request context for this session.
+    def initialize(server, transport = nil, id: SecureRandom.uuid, request_context: nil)
       @server = server
       @transport = transport # Store the transport for sending requests
       @id = id
@@ -31,6 +34,16 @@ module VectorMCP
       @client_capabilities = nil
       @data = {} # Initialize user data hash
       @logger = server.logger
+
+      # Initialize request context
+      @request_context = case request_context
+                         when RequestContext
+                           request_context
+                         when Hash
+                           RequestContext.new(**request_context)
+                         else
+                           RequestContext.new
+                         end
     end
 
     # Marks the session as initialized using parameters from the client's `initialize` request.
@@ -75,6 +88,75 @@ module VectorMCP
       @initialized_state == :succeeded
     end
 
+    # Sets the request context for this session.
+    # This method should be called by transport layers to populate request-specific data.
+    #
+    # @param context [RequestContext, Hash] The request context to set.
+    #   Can be a RequestContext object or a hash of attributes.
+    # @return [RequestContext] The newly set request context.
+    # @raise [ArgumentError] If the context is not a RequestContext or Hash.
+    def request_context=(context)
+      @request_context = case context
+                         when RequestContext
+                           context
+                         when Hash
+                           RequestContext.new(**context)
+                         else
+                           raise ArgumentError, "Request context must be a RequestContext or Hash, got #{context.class}"
+                         end
+    end
+
+    # Updates the request context with new data.
+    # This merges the provided attributes with the existing context.
+    #
+    # @param attributes [Hash] The attributes to merge into the request context.
+    # @return [RequestContext] The updated request context.
+    def update_request_context(**attributes)
+      current_attrs = @request_context.to_h
+
+      # Deep merge nested hashes like headers and params
+      merged_attrs = current_attrs.dup
+      attributes.each do |key, value|
+        merged_attrs[key] = if value.is_a?(Hash) && current_attrs[key].is_a?(Hash)
+                              current_attrs[key].merge(value)
+                            else
+                              value
+                            end
+      end
+
+      @request_context = RequestContext.new(**merged_attrs)
+    end
+
+    # Convenience method to check if the session has request headers.
+    #
+    # @return [Boolean] True if the request context has headers, false otherwise.
+    def request_headers?
+      @request_context.headers?
+    end
+
+    # Convenience method to check if the session has request parameters.
+    #
+    # @return [Boolean] True if the request context has parameters, false otherwise.
+    def request_params?
+      @request_context.params?
+    end
+
+    # Convenience method to get a request header value.
+    #
+    # @param name [String] The header name.
+    # @return [String, nil] The header value or nil if not found.
+    def request_header(name)
+      @request_context.header(name)
+    end
+
+    # Convenience method to get a request parameter value.
+    #
+    # @param name [String] The parameter name.
+    # @return [String, nil] The parameter value or nil if not found.
+    def request_param(name)
+      @request_context.param(name)
+    end
+
     # Helper to check client capabilities later if needed
     # def supports?(capability_key)
     #   @client_capabilities.key?(capability_key.to_s)
@@ -111,7 +193,7 @@ module VectorMCP
 
       begin
         sampling_req_obj = VectorMCP::Sampling::Request.new(request_params)
-        @logger.info("[Session #{@id}] Sending sampling/createMessage request to client.")
+        @logger.debug("[Session #{@id}] Sending sampling/createMessage request to client.")
 
         result = send_sampling_request(sampling_req_obj, timeout)
 
@@ -161,17 +243,25 @@ module VectorMCP
       send_request_kwargs = {}
       send_request_kwargs[:timeout] = timeout if timeout
 
-      raw_result = @transport.send_request(*send_request_args, **send_request_kwargs)
+      # For HTTP transport, we need to use send_request_to_session to target this specific session
+      raw_result = if @transport.respond_to?(:send_request_to_session)
+                     @transport.send_request_to_session(@id, *send_request_args, **send_request_kwargs)
+                   else
+                     # Fallback to generic send_request for other transports
+                     @transport.send_request(*send_request_args, **send_request_kwargs)
+                   end
+
       VectorMCP::Sampling::Result.new(raw_result)
     rescue ArgumentError => e
       @logger.error("[Session #{@id}] Invalid parameters for sampling request or result: #{e.message}")
-      raise VectorMCP::SamplingError, "Invalid sampling parameters or malformed client response: #{e.message}", details: { original_error: e.to_s }
+      raise VectorMCP::SamplingError.new("Invalid sampling parameters or malformed client response: #{e.message}",
+                                         details: { original_error: e.to_s })
     rescue VectorMCP::SamplingError => e
       @logger.warn("[Session #{@id}] Sampling request failed: #{e.message}")
       raise e
     rescue StandardError => e
       @logger.error("[Session #{@id}] Unexpected error during sampling: #{e.class.name}: #{e.message}")
-      raise VectorMCP::SamplingError, "An unexpected error occurred during sampling: #{e.message}", details: { original_error: e.to_s }
+      raise VectorMCP::SamplingError.new("An unexpected error occurred during sampling: #{e.message}", details: { original_error: e.to_s })
     end
   end
 end