@bryan-thompson/inspector-assessment-server 1.25.1 → 1.25.4

package/build/__tests__/helpers.test.js

@@ -0,0 +1,327 @@
+/**
+ * Server Helper Functions Unit Tests
+ *
+ * Tests for pure functions: is401Error, getHttpHeaders, updateHeadersInPlace
+ */
+import { jest, describe, it, expect } from "@jest/globals";
+import { is401Error, getHttpHeaders, updateHeadersInPlace, } from "../helpers.js";
+import { SseError } from "@modelcontextprotocol/sdk/client/sse.js";
+import { StreamableHTTPError } from "@modelcontextprotocol/sdk/client/streamableHttp.js";
+/**
+ * Create a mock ErrorEvent for SseError constructor
+ * ErrorEvent is a browser API not available in Node.js, so we create a minimal mock
+ */
+const createMockErrorEvent = (message = "error") => {
+    // Create a minimal mock that satisfies the ErrorEvent interface
+    return {
+        type: "error",
+        message,
+        bubbles: false,
+        cancelable: false,
+        composed: false,
+        defaultPrevented: false,
+        eventPhase: 0,
+        isTrusted: false,
+        returnValue: true,
+        srcElement: null,
+        target: null,
+        currentTarget: null,
+        timeStamp: Date.now(),
+        cancelBubble: false,
+        NONE: 0,
+        CAPTURING_PHASE: 1,
+        AT_TARGET: 2,
+        BUBBLING_PHASE: 3,
+        colno: 0,
+        lineno: 0,
+        filename: "",
+        error: null,
+        composedPath: () => [],
+        initEvent: () => { },
+        preventDefault: () => { },
+        stopImmediatePropagation: () => { },
+        stopPropagation: () => { },
+    };
+};
+/**
+ * Helper to create a mock Express request with headers
+ */
+const createMockRequest = (headers) => ({
+    headers: headers,
+});
+describe("is401Error", () => {
+    describe("SseError detection", () => {
+        it("should return true for SseError with code 401", () => {
+            const error = new SseError(401, "Unauthorized", createMockErrorEvent());
+            expect(is401Error(error)).toBe(true);
+        });
+        it("should return false for SseError with non-401 code", () => {
+            const error = new SseError(404, "Not Found", createMockErrorEvent());
+            expect(is401Error(error)).toBe(false);
+        });
+    });
+    describe("StreamableHTTPError detection", () => {
+        it("should return true for StreamableHTTPError with code 401", () => {
+            const error = new StreamableHTTPError(401, "Unauthorized");
+            expect(is401Error(error)).toBe(true);
+        });
+        it("should return false for StreamableHTTPError with non-401 code", () => {
+            const error = new StreamableHTTPError(500, "Internal Server Error");
+            expect(is401Error(error)).toBe(false);
+        });
+    });
+    describe("Generic Error detection", () => {
+        it("should return true for Error containing 'HTTP 401'", () => {
+            const error = new Error("HTTP 401 Unauthorized");
+            expect(is401Error(error)).toBe(true);
+        });
+        it("should return true for Error containing '(401)'", () => {
+            const error = new Error("Server returned (401) unauthorized");
+            expect(is401Error(error)).toBe(true);
+        });
+        it("should return false for Error with other codes", () => {
+            const error = new Error("HTTP 500 Internal Server Error");
+            expect(is401Error(error)).toBe(false);
+        });
+        it("should return false for generic error without 401", () => {
+            const error = new Error("Something went wrong");
+            expect(is401Error(error)).toBe(false);
+        });
+    });
+    describe("Non-Error values", () => {
+        it("should return false for null", () => {
+            expect(is401Error(null)).toBe(false);
+        });
+        it("should return false for undefined", () => {
+            expect(is401Error(undefined)).toBe(false);
+        });
+        it("should return false for string", () => {
+            expect(is401Error("HTTP 401")).toBe(false);
+        });
+        it("should return false for number", () => {
+            expect(is401Error(401)).toBe(false);
+        });
+        it("should return false for plain object", () => {
+            expect(is401Error({ code: 401 })).toBe(false);
+        });
+    });
+});
+describe("getHttpHeaders", () => {
+    describe("MCP header forwarding", () => {
+        it("should forward mcp-* headers", () => {
+            const req = createMockRequest({
+                "mcp-custom-header": "custom-value",
+                "mcp-another": "another-value",
+            });
+            const headers = getHttpHeaders(req);
+            expect(headers["mcp-custom-header"]).toBe("custom-value");
+            expect(headers["mcp-another"]).toBe("another-value");
+        });
+        it("should forward authorization header", () => {
+            const req = createMockRequest({
+                authorization: "Bearer token123",
+            });
+            const headers = getHttpHeaders(req);
+            expect(headers["authorization"]).toBe("Bearer token123");
+        });
+        it("should forward last-event-id header", () => {
+            const req = createMockRequest({
+                "last-event-id": "event-42",
+            });
+            const headers = getHttpHeaders(req);
+            expect(headers["last-event-id"]).toBe("event-42");
+        });
+    });
+    describe("Header exclusions", () => {
+        it("should exclude x-mcp-proxy-auth header", () => {
+            const req = createMockRequest({
+                "x-mcp-proxy-auth": "Bearer secret",
+                "mcp-other": "value",
+            });
+            const headers = getHttpHeaders(req);
+            expect(headers["x-mcp-proxy-auth"]).toBeUndefined();
+            expect(headers["mcp-other"]).toBe("value");
+        });
+        it("should exclude mcp-session-id header", () => {
+            const req = createMockRequest({
+                "mcp-session-id": "session-123",
+                "mcp-other": "value",
+            });
+            const headers = getHttpHeaders(req);
+            expect(headers["mcp-session-id"]).toBeUndefined();
+            expect(headers["mcp-other"]).toBe("value");
+        });
+        it("should not forward non-mcp headers", () => {
+            const req = createMockRequest({
+                "content-type": "application/json",
+                "x-custom-header": "value",
+                host: "localhost:3000",
+            });
+            const headers = getHttpHeaders(req);
+            expect(headers["content-type"]).toBeUndefined();
+            expect(headers["x-custom-header"]).toBeUndefined();
+            expect(headers["host"]).toBeUndefined();
+        });
+    });
+    describe("Array header values", () => {
+        it("should use last element for array header values", () => {
+            const req = createMockRequest({
+                "mcp-multi": ["first", "second", "last"],
+            });
+            const headers = getHttpHeaders(req);
+            expect(headers["mcp-multi"]).toBe("last");
+        });
+        it("should handle empty array gracefully", () => {
+            const req = createMockRequest({
+                "mcp-empty": [],
+            });
+            const headers = getHttpHeaders(req);
+            expect(headers["mcp-empty"]).toBeUndefined();
+        });
+    });
+    describe("Custom auth header (x-custom-auth-header)", () => {
+        it("should forward custom auth header when specified", () => {
+            const req = createMockRequest({
+                "x-custom-auth-header": "X-API-Key",
+                "x-api-key": "secret-key-123",
+            });
+            const headers = getHttpHeaders(req);
+            expect(headers["X-API-Key"]).toBe("secret-key-123");
+        });
+        it("should handle array values for custom auth header", () => {
+            const req = createMockRequest({
+                "x-custom-auth-header": "X-Token",
+                "x-token": ["old-token", "new-token"],
+            });
+            const headers = getHttpHeaders(req);
+            expect(headers["X-Token"]).toBe("new-token");
+        });
+        it("should ignore if custom auth header value not present", () => {
+            const req = createMockRequest({
+                "x-custom-auth-header": "X-Missing",
+            });
+            const headers = getHttpHeaders(req);
+            expect(headers["X-Missing"]).toBeUndefined();
+        });
+    });
+    describe("Multiple custom headers (x-custom-auth-headers)", () => {
+        it("should forward multiple custom headers from JSON array", () => {
+            const req = createMockRequest({
+                "x-custom-auth-headers": JSON.stringify(["X-API-Key", "X-Client-ID"]),
+                "x-api-key": "api-key-value",
+                "x-client-id": "client-123",
+            });
+            const headers = getHttpHeaders(req);
+            expect(headers["X-API-Key"]).toBe("api-key-value");
+            expect(headers["X-Client-ID"]).toBe("client-123");
+        });
+        it("should handle array values in custom headers", () => {
+            const req = createMockRequest({
+                "x-custom-auth-headers": JSON.stringify(["X-Token"]),
+                "x-token": ["first", "second"],
+            });
+            const headers = getHttpHeaders(req);
+            expect(headers["X-Token"]).toBe("second");
+        });
+        it("should handle malformed JSON gracefully", () => {
+            const consoleSpy = jest
+                .spyOn(console, "warn")
+                .mockImplementation(() => { });
+            const req = createMockRequest({
+                "x-custom-auth-headers": "not-valid-json",
+            });
+            const headers = getHttpHeaders(req);
+            expect(consoleSpy).toHaveBeenCalled();
+            expect(Object.keys(headers)).toHaveLength(0);
+            consoleSpy.mockRestore();
+        });
+        it("should ignore non-array JSON values", () => {
+            const req = createMockRequest({
+                "x-custom-auth-headers": JSON.stringify({ key: "value" }),
+            });
+            // Should not throw, just not add any headers
+            const headers = getHttpHeaders(req);
+            expect(headers).toEqual({});
+        });
+    });
+    describe("Empty and undefined values", () => {
+        it("should handle empty request headers", () => {
+            const req = createMockRequest({});
+            const headers = getHttpHeaders(req);
+            expect(headers).toEqual({});
+        });
+        it("should skip undefined header values", () => {
+            const req = createMockRequest({
+                "mcp-defined": "value",
+                "mcp-undefined": undefined,
+            });
+            const headers = getHttpHeaders(req);
+            expect(headers["mcp-defined"]).toBe("value");
+            expect(headers["mcp-undefined"]).toBeUndefined();
+        });
+    });
+});
+describe("updateHeadersInPlace", () => {
+    it("should replace all headers with new ones", () => {
+        const current = {
+            "Old-Header": "old-value",
+            Another: "another",
+        };
+        const updated = { "New-Header": "new-value" };
+        updateHeadersInPlace(current, updated);
+        expect(current).toEqual({ "New-Header": "new-value" });
+        expect(current["Old-Header"]).toBeUndefined();
+    });
+    it("should preserve Accept header when present", () => {
+        const current = {
+            Accept: "text/event-stream",
+            "Old-Header": "old",
+        };
+        const updated = { "New-Header": "new" };
+        updateHeadersInPlace(current, updated);
+        expect(current).toEqual({
+            Accept: "text/event-stream",
+            "New-Header": "new",
+        });
+    });
+    it("should not add Accept header if not originally present", () => {
+        const current = { "Old-Header": "old" };
+        const updated = { "New-Header": "new" };
+        updateHeadersInPlace(current, updated);
+        expect(current).toEqual({ "New-Header": "new" });
+        expect(current["Accept"]).toBeUndefined();
+    });
+    it("should handle empty current headers", () => {
+        const current = {};
+        const updated = { "New-Header": "new" };
+        updateHeadersInPlace(current, updated);
+        expect(current).toEqual({ "New-Header": "new" });
+    });
+    it("should handle empty new headers", () => {
+        const current = { "Old-Header": "old" };
+        const updated = {};
+        updateHeadersInPlace(current, updated);
+        expect(current).toEqual({});
+    });
+    it("should preserve Accept even when updating with new Accept", () => {
+        const current = {
+            Accept: "original-accept",
+            Other: "value",
+        };
+        const updated = {
+            Accept: "new-accept",
+            "New-Header": "new",
+        };
+        updateHeadersInPlace(current, updated);
+        // New Accept from updated is applied, then original Accept is restored
+        expect(current["Accept"]).toBe("original-accept");
+        expect(current["New-Header"]).toBe("new");
+    });
+    it("should mutate the original object reference", () => {
+        const current = { Header: "value" };
+        const originalRef = current;
+        updateHeadersInPlace(current, { New: "value" });
+        expect(current).toBe(originalRef);
+        expect(originalRef["New"]).toBe("value");
+    });
+});

package/build/__tests__/routes.test.js

@@ -0,0 +1,197 @@
+/**
+ * Server Route Tests
+ *
+ * Integration tests for API endpoints using supertest.
+ */
+import { describe, it, expect, beforeAll, afterEach } from "@jest/globals";
+import request from "supertest";
+import * as fs from "fs";
+// Set test mode before importing app
+process.env.NODE_ENV = "test";
+// Dynamic import to ensure env vars are set first
+let app;
+let sessionToken;
+beforeAll(async () => {
+    const serverModule = await import("../index.js");
+    app = serverModule.app;
+    sessionToken = serverModule.sessionToken;
+});
+describe("GET /health", () => {
+    it("should return { status: 'ok' }", async () => {
+        const response = await request(app)
+            .get("/health")
+            .set("x-mcp-proxy-auth", `Bearer ${sessionToken}`);
+        expect(response.status).toBe(200);
+        expect(response.body).toEqual({ status: "ok" });
+    });
+    it("should return 200 even without auth (health check accessible)", async () => {
+        // Health endpoint may or may not require auth depending on setup
+        // Check that it responds with 200 when auth is provided
+        const response = await request(app)
+            .get("/health")
+            .set("x-mcp-proxy-auth", `Bearer ${sessionToken}`);
+        expect(response.status).toBe(200);
+    });
+});
+describe("GET /config", () => {
+    it("should return server configuration", async () => {
+        const response = await request(app)
+            .get("/config")
+            .set("x-mcp-proxy-auth", `Bearer ${sessionToken}`);
+        expect(response.status).toBe(200);
+        expect(response.body).toHaveProperty("defaultEnvironment");
+        expect(response.body).toHaveProperty("defaultCommand");
+        expect(response.body).toHaveProperty("defaultArgs");
+        expect(response.body).toHaveProperty("defaultTransport");
+        expect(response.body).toHaveProperty("defaultServerUrl");
+    });
+    it("should require authentication", async () => {
+        const response = await request(app).get("/config");
+        expect(response.status).toBe(401);
+    });
+});
+describe("POST /assessment/save", () => {
+    const testFilePath = "/tmp/inspector-assessment-test_server.json";
+    afterEach(() => {
+        // Cleanup test file
+        if (fs.existsSync(testFilePath)) {
+            fs.unlinkSync(testFilePath);
+        }
+    });
+    it("should save assessment to /tmp", async () => {
+        const assessment = {
+            server: "test_server",
+            results: { passed: true },
+            timestamp: Date.now(),
+        };
+        const response = await request(app)
+            .post("/assessment/save")
+            .set("x-mcp-proxy-auth", `Bearer ${sessionToken}`)
+            .send({ serverName: "test_server", assessment });
+        expect(response.status).toBe(200);
+        expect(response.body.success).toBe(true);
+        expect(response.body.path).toContain("inspector-assessment-test_server.json");
+        expect(fs.existsSync(testFilePath)).toBe(true);
+    });
+    it("should sanitize server name in filename", async () => {
+        const assessment = { test: true };
+        const response = await request(app)
+            .post("/assessment/save")
+            .set("x-mcp-proxy-auth", `Bearer ${sessionToken}`)
+            .send({ serverName: "test@server#!$", assessment });
+        expect(response.status).toBe(200);
+        expect(response.body.path).toContain("test_server___");
+        expect(response.body.path).not.toContain("@");
+        expect(response.body.path).not.toContain("#");
+    });
+    it("should return success with path", async () => {
+        const response = await request(app)
+            .post("/assessment/save")
+            .set("x-mcp-proxy-auth", `Bearer ${sessionToken}`)
+            .send({ serverName: "test_server", assessment: {} });
+        expect(response.body).toMatchObject({
+            success: true,
+            path: expect.stringContaining("/tmp/"),
+            message: expect.stringContaining("Assessment saved"),
+        });
+    });
+    it("should handle missing serverName gracefully", async () => {
+        const response = await request(app)
+            .post("/assessment/save")
+            .set("x-mcp-proxy-auth", `Bearer ${sessionToken}`)
+            .send({ assessment: { data: true } });
+        expect(response.status).toBe(200);
+        expect(response.body.path).toContain("unknown");
+    });
+    it("should require authentication", async () => {
+        const response = await request(app)
+            .post("/assessment/save")
+            .send({ serverName: "test", assessment: {} });
+        expect(response.status).toBe(401);
+    });
+});
+describe("MCP Session Endpoints", () => {
+    describe("GET /mcp", () => {
+        it("should return 404 for non-existent session", async () => {
+            const response = await request(app)
+                .get("/mcp")
+                .set("x-mcp-proxy-auth", `Bearer ${sessionToken}`)
+                .set("mcp-session-id", "non-existent-session-id");
+            expect(response.status).toBe(404);
+        });
+    });
+    describe("POST /mcp", () => {
+        it("should return 404 for non-existent session with sessionId", async () => {
+            const response = await request(app)
+                .post("/mcp")
+                .set("x-mcp-proxy-auth", `Bearer ${sessionToken}`)
+                .set("mcp-session-id", "non-existent-session-id")
+                .send({});
+            expect(response.status).toBe(404);
+        });
+        it("should require transport parameters for new session", async () => {
+            // Without transportType, should error
+            const response = await request(app)
+                .post("/mcp")
+                .set("x-mcp-proxy-auth", `Bearer ${sessionToken}`)
+                .send({});
+            // Will fail due to missing transport config - 500 error
+            expect(response.status).toBe(500);
+        });
+    });
+    describe("DELETE /mcp", () => {
+        it("should return 404 for non-existent session", async () => {
+            const response = await request(app)
+                .delete("/mcp")
+                .set("x-mcp-proxy-auth", `Bearer ${sessionToken}`)
+                .set("mcp-session-id", "non-existent-session-id");
+            expect(response.status).toBe(404);
+        });
+    });
+    describe("POST /message", () => {
+        it("should return 404 for non-existent session", async () => {
+            const response = await request(app)
+                .post("/message")
+                .query({ sessionId: "non-existent" })
+                .set("x-mcp-proxy-auth", `Bearer ${sessionToken}`)
+                .send({});
+            expect(response.status).toBe(404);
+        });
+    });
+});
+describe("Error Handling", () => {
+    it("should return 404 for unknown routes", async () => {
+        const response = await request(app)
+            .get("/unknown-route")
+            .set("x-mcp-proxy-auth", `Bearer ${sessionToken}`);
+        expect(response.status).toBe(404);
+    });
+    it("should handle malformed JSON in POST body", async () => {
+        const response = await request(app)
+            .post("/assessment/save")
+            .set("x-mcp-proxy-auth", `Bearer ${sessionToken}`)
+            .set("Content-Type", "application/json")
+            .send("not-valid-json");
+        expect(response.status).toBeGreaterThanOrEqual(400);
+    });
+});
+describe("Rate Limiting", () => {
+    it("should include rate limit headers on rate-limited endpoints", async () => {
+        // Rate limiting is applied to /mcp, /sse, /stdio, /message routes
+        // /health is not rate limited, so we test against /mcp
+        const response = await request(app)
+            .get("/mcp")
+            .set("x-mcp-proxy-auth", `Bearer ${sessionToken}`)
+            .set("mcp-session-id", "test-rate-limit-session");
+        // Even with 404 response, rate limit headers should be present
+        expect(response.headers).toHaveProperty("ratelimit-limit");
+        expect(response.headers).toHaveProperty("ratelimit-remaining");
+    });
+    it("should not include rate limit headers on non-limited endpoints", async () => {
+        const response = await request(app)
+            .get("/health")
+            .set("x-mcp-proxy-auth", `Bearer ${sessionToken}`);
+        // /health is not rate limited
+        expect(response.headers["ratelimit-limit"]).toBeUndefined();
+    });
+});

package/build/__tests__/security.test.js

@@ -0,0 +1,162 @@
+/**
+ * Server Security Tests
+ *
+ * Integration tests for authentication middleware, origin validation,
+ * and security headers using supertest.
+ */
+import { describe, it, expect, beforeAll } from "@jest/globals";
+import request from "supertest";
+// Set test mode before importing app
+process.env.NODE_ENV = "test";
+process.env.DANGEROUSLY_OMIT_AUTH = ""; // Ensure auth is enabled
+// Dynamic import to ensure env vars are set first
+let app;
+let sessionToken;
+beforeAll(async () => {
+    const serverModule = await import("../index.js");
+    app = serverModule.app;
+    sessionToken = serverModule.sessionToken;
+});
+describe("Authentication Middleware", () => {
+    describe("Valid Authentication", () => {
+        it("should accept requests with valid Bearer token", async () => {
+            const response = await request(app)
+                .get("/health")
+                .set("x-mcp-proxy-auth", `Bearer ${sessionToken}`);
+            expect(response.status).toBe(200);
+            expect(response.body.status).toBe("ok");
+        });
+        it("should accept requests to /config with valid token", async () => {
+            const response = await request(app)
+                .get("/config")
+                .set("x-mcp-proxy-auth", `Bearer ${sessionToken}`);
+            expect(response.status).toBe(200);
+            expect(response.body).toHaveProperty("defaultEnvironment");
+        });
+    });
+    describe("Invalid Authentication", () => {
+        it("should reject requests without auth header", async () => {
+            const response = await request(app).get("/config");
+            expect(response.status).toBe(401);
+            expect(response.body.error).toBe("Unauthorized");
+        });
+        it("should reject requests with invalid token", async () => {
+            const response = await request(app)
+                .get("/config")
+                .set("x-mcp-proxy-auth", "Bearer invalid-token-here");
+            expect(response.status).toBe(401);
+            expect(response.body.error).toBe("Unauthorized");
+        });
+        it("should reject requests without Bearer prefix", async () => {
+            const response = await request(app)
+                .get("/config")
+                .set("x-mcp-proxy-auth", sessionToken);
+            expect(response.status).toBe(401);
+            expect(response.body.error).toBe("Unauthorized");
+        });
+        it("should reject requests with wrong auth scheme", async () => {
+            const response = await request(app)
+                .get("/config")
+                .set("x-mcp-proxy-auth", `Basic ${sessionToken}`);
+            expect(response.status).toBe(401);
+            expect(response.body.error).toBe("Unauthorized");
+        });
+        it("should reject requests with empty Bearer token", async () => {
+            const response = await request(app)
+                .get("/config")
+                .set("x-mcp-proxy-auth", "Bearer ");
+            expect(response.status).toBe(401);
+            expect(response.body.error).toBe("Unauthorized");
+        });
+    });
+    describe("Auth Header Variations", () => {
+        it("should handle array auth header (use first)", async () => {
+            // Express may receive array headers - we use the first one
+            const response = await request(app)
+                .get("/config")
+                .set("x-mcp-proxy-auth", `Bearer ${sessionToken}`)
+                .set("x-mcp-proxy-auth", "Bearer invalid"); // supertest merges, but real Express uses first
+            // In supertest, subsequent sets may override or merge depending on version
+            // The middleware uses first array element, so this should work
+            expect([200, 401]).toContain(response.status);
+        });
+    });
+});
+describe("Origin Validation Middleware", () => {
+    describe("Valid Origins", () => {
+        it("should accept requests without Origin header", async () => {
+            const response = await request(app)
+                .get("/health")
+                .set("x-mcp-proxy-auth", `Bearer ${sessionToken}`);
+            expect(response.status).toBe(200);
+        });
+        it("should accept requests from localhost default origin", async () => {
+            const response = await request(app)
+                .get("/health")
+                .set("Origin", "http://localhost:6274")
+                .set("x-mcp-proxy-auth", `Bearer ${sessionToken}`);
+            expect(response.status).toBe(200);
+        });
+    });
+    describe("Invalid Origins", () => {
+        it("should reject requests from invalid origins", async () => {
+            const response = await request(app)
+                .get("/config")
+                .set("Origin", "http://evil.com")
+                .set("x-mcp-proxy-auth", `Bearer ${sessionToken}`);
+            expect(response.status).toBe(403);
+            expect(response.body.error).toContain("Forbidden");
+        });
+        it("should reject requests from non-localhost origins", async () => {
+            const response = await request(app)
+                .get("/config")
+                .set("Origin", "http://example.com:6274")
+                .set("x-mcp-proxy-auth", `Bearer ${sessionToken}`);
+            expect(response.status).toBe(403);
+        });
+    });
+});
+describe("Security Headers", () => {
+    it("should set Content-Security-Policy header", async () => {
+        const response = await request(app)
+            .get("/health")
+            .set("x-mcp-proxy-auth", `Bearer ${sessionToken}`);
+        expect(response.headers["content-security-policy"]).toBeDefined();
+        expect(response.headers["content-security-policy"]).toContain("default-src");
+    });
+    it("should set X-Content-Type-Options: nosniff", async () => {
+        const response = await request(app)
+            .get("/health")
+            .set("x-mcp-proxy-auth", `Bearer ${sessionToken}`);
+        expect(response.headers["x-content-type-options"]).toBe("nosniff");
+    });
+    it("should set X-Frame-Options: DENY", async () => {
+        const response = await request(app)
+            .get("/health")
+            .set("x-mcp-proxy-auth", `Bearer ${sessionToken}`);
+        expect(response.headers["x-frame-options"]).toBe("DENY");
+    });
+    it("should expose mcp-session-id header via CORS", async () => {
+        const response = await request(app)
+            .get("/health")
+            .set("x-mcp-proxy-auth", `Bearer ${sessionToken}`);
+        expect(response.headers["access-control-expose-headers"]).toContain("mcp-session-id");
+    });
+});
+describe("CORS Configuration", () => {
+    it("should allow CORS requests", async () => {
+        const response = await request(app)
+            .options("/health")
+            .set("Origin", "http://localhost:6274")
+            .set("Access-Control-Request-Method", "GET");
+        // CORS preflight should succeed
+        expect(response.status).toBeLessThan(400);
+    });
+    it("should include Access-Control-Allow-Origin header", async () => {
+        const response = await request(app)
+            .get("/health")
+            .set("Origin", "http://localhost:6274")
+            .set("x-mcp-proxy-auth", `Bearer ${sessionToken}`);
+        expect(response.headers["access-control-allow-origin"]).toBeDefined();
+    });
+});

package/build/helpers.js

@@ -0,0 +1,112 @@
+/**
+ * Server Helper Functions
+ *
+ * Pure functions extracted from index.ts for testability.
+ */
+import { SseError } from "@modelcontextprotocol/sdk/client/sse.js";
+import { StreamableHTTPError } from "@modelcontextprotocol/sdk/client/streamableHttp.js";
+/**
+ * Helper function to detect 401 Unauthorized errors from various transport types.
+ * StreamableHTTPClientTransport throws a generic Error with "HTTP 401" in the message
+ * when there's no authProvider configured, while SSEClientTransport throws SseError.
+ */
+export const is401Error = (error) => {
+    if (error instanceof SseError && error.code === 401)
+        return true;
+    if (error instanceof StreamableHTTPError && error.code === 401)
+        return true;
+    if (error instanceof Error &&
+        (error.message.includes("HTTP 401") || error.message.includes("(401)")))
+        return true;
+    return false;
+};
+/**
+ * Get HTTP headers from an Express request that should be forwarded to the MCP server.
+ * Filters to include mcp-* headers, authorization, and last-event-id.
+ * Excludes the proxy's own auth header (x-mcp-proxy-auth) and session id (mcp-session-id).
+ */
+export const getHttpHeaders = (req) => {
+    const headers = {};
+    // Iterate over all headers in the request
+    for (const key in req.headers) {
+        const lowerKey = key.toLowerCase();
+        // Check if the header is one we want to forward
+        if (lowerKey.startsWith("mcp-") ||
+            lowerKey === "authorization" ||
+            lowerKey === "last-event-id") {
+            // Exclude the proxy's own authentication header and the Client <-> Proxy session ID header
+            if (lowerKey !== "x-mcp-proxy-auth" && lowerKey !== "mcp-session-id") {
+                const value = req.headers[key];
+                if (typeof value === "string") {
+                    // If the value is a string, use it directly
+                    headers[key] = value;
+                }
+                else if (Array.isArray(value)) {
+                    // If the value is an array, use the last element
+                    const lastValue = value.at(-1);
+                    if (lastValue !== undefined) {
+                        headers[key] = lastValue;
+                    }
+                }
+                // If value is undefined, it's skipped, which is correct.
+            }
+        }
+    }
+    // Handle the custom auth header separately. We expect `x-custom-auth-header`
+    // to be a string containing the name of the actual authentication header.
+    const customAuthHeaderName = req.headers["x-custom-auth-header"];
+    if (typeof customAuthHeaderName === "string") {
+        const lowerCaseHeaderName = customAuthHeaderName.toLowerCase();
+        const value = req.headers[lowerCaseHeaderName];
+        if (typeof value === "string") {
+            headers[customAuthHeaderName] = value;
+        }
+        else if (Array.isArray(value)) {
+            // If the actual auth header was sent multiple times, use the last value.
+            const lastValue = value.at(-1);
+            if (lastValue !== undefined) {
+                headers[customAuthHeaderName] = lastValue;
+            }
+        }
+    }
+    // Handle multiple custom headers (new approach)
+    if (req.headers["x-custom-auth-headers"] !== undefined) {
+        try {
+            const customHeaderNames = JSON.parse(req.headers["x-custom-auth-headers"]);
+            if (Array.isArray(customHeaderNames)) {
+                customHeaderNames.forEach((headerName) => {
+                    const lowerCaseHeaderName = headerName.toLowerCase();
+                    if (req.headers[lowerCaseHeaderName] !== undefined) {
+                        const value = req.headers[lowerCaseHeaderName];
+                        headers[headerName] = Array.isArray(value)
+                            ? value[value.length - 1]
+                            : value;
+                    }
+                });
+            }
+        }
+        catch (error) {
+            console.warn("Failed to parse x-custom-auth-headers:", error);
+        }
+    }
+    return headers;
+};
+/**
+ * Updates a headers object in-place, preserving the original Accept header.
+ * This is necessary to ensure that transports holding a reference to the headers
+ * object see the updates.
+ * @param currentHeaders The headers object to update.
+ * @param newHeaders The new headers to apply.
+ */
+export const updateHeadersInPlace = (currentHeaders, newHeaders) => {
+    // Preserve the Accept header, which is set at transport creation and
+    // is not present in subsequent client requests.
+    const accept = currentHeaders["Accept"];
+    // Clear the old headers and apply the new ones.
+    Object.keys(currentHeaders).forEach((key) => delete currentHeaders[key]);
+    Object.assign(currentHeaders, newHeaders);
+    // Restore the Accept header.
+    if (accept) {
+        currentHeaders["Accept"] = accept;
+    }
+};

package/build/index.js

@@ -10,12 +10,13 @@ const fetch = nodeFetch;
 const Headers = NodeHeaders;
 import { SSEClientTransport, SseError, } from "@modelcontextprotocol/sdk/client/sse.js";
 import { StdioClientTransport, getDefaultEnvironment, } from "@modelcontextprotocol/sdk/client/stdio.js";
-import { StreamableHTTPClientTransport, StreamableHTTPError, } from "@modelcontextprotocol/sdk/client/streamableHttp.js";
+import { StreamableHTTPClientTransport, } from "@modelcontextprotocol/sdk/client/streamableHttp.js";
 import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
 import { SSEServerTransport } from "@modelcontextprotocol/sdk/server/sse.js";
 import express from "express";
 import { findActualExecutable } from "spawn-rx";
 import mcpProxy from "./mcpProxy.js";
+import { is401Error, getHttpHeaders, updateHeadersInPlace } from "./helpers.js";
 import { randomUUID, randomBytes, timingSafeEqual } from "node:crypto";
 const DEFAULT_MCP_PROXY_LISTEN_PORT = "6277";
 const defaultEnvironment = {
@@ -32,107 +33,6 @@ const { values } = parseArgs({
         "server-url": { type: "string", default: "" },
     },
 });
-/**
- * Helper function to detect 401 Unauthorized errors from various transport types.
- * StreamableHTTPClientTransport throws a generic Error with "HTTP 401" in the message
- * when there's no authProvider configured, while SSEClientTransport throws SseError.
- */
-const is401Error = (error) => {
-    if (error instanceof SseError && error.code === 401)
-        return true;
-    if (error instanceof StreamableHTTPError && error.code === 401)
-        return true;
-    if (error instanceof Error &&
-        (error.message.includes("HTTP 401") || error.message.includes("(401)")))
-        return true;
-    return false;
-};
-// Function to get HTTP headers.
-const getHttpHeaders = (req) => {
-    const headers = {};
-    // Iterate over all headers in the request
-    for (const key in req.headers) {
-        const lowerKey = key.toLowerCase();
-        // Check if the header is one we want to forward
-        if (lowerKey.startsWith("mcp-") ||
-            lowerKey === "authorization" ||
-            lowerKey === "last-event-id") {
-            // Exclude the proxy's own authentication header and the Client <-> Proxy session ID header
-            if (lowerKey !== "x-mcp-proxy-auth" && lowerKey !== "mcp-session-id") {
-                const value = req.headers[key];
-                if (typeof value === "string") {
-                    // If the value is a string, use it directly
-                    headers[key] = value;
-                }
-                else if (Array.isArray(value)) {
-                    // If the value is an array, use the last element
-                    const lastValue = value.at(-1);
-                    if (lastValue !== undefined) {
-                        headers[key] = lastValue;
-                    }
-                }
-                // If value is undefined, it's skipped, which is correct.
-            }
-        }
-    }
-    // Handle the custom auth header separately. We expect `x-custom-auth-header`
-    // to be a string containing the name of the actual authentication header.
-    const customAuthHeaderName = req.headers["x-custom-auth-header"];
-    if (typeof customAuthHeaderName === "string") {
-        const lowerCaseHeaderName = customAuthHeaderName.toLowerCase();
-        const value = req.headers[lowerCaseHeaderName];
-        if (typeof value === "string") {
-            headers[customAuthHeaderName] = value;
-        }
-        else if (Array.isArray(value)) {
-            // If the actual auth header was sent multiple times, use the last value.
-            const lastValue = value.at(-1);
-            if (lastValue !== undefined) {
-                headers[customAuthHeaderName] = lastValue;
-            }
-        }
-    }
-    // Handle multiple custom headers (new approach)
-    if (req.headers["x-custom-auth-headers"] !== undefined) {
-        try {
-            const customHeaderNames = JSON.parse(req.headers["x-custom-auth-headers"]);
-            if (Array.isArray(customHeaderNames)) {
-                customHeaderNames.forEach((headerName) => {
-                    const lowerCaseHeaderName = headerName.toLowerCase();
-                    if (req.headers[lowerCaseHeaderName] !== undefined) {
-                        const value = req.headers[lowerCaseHeaderName];
-                        headers[headerName] = Array.isArray(value)
-                            ? value[value.length - 1]
-                            : value;
-                    }
-                });
-            }
-        }
-        catch (error) {
-            console.warn("Failed to parse x-custom-auth-headers:", error);
-        }
-    }
-    return headers;
-};
-/**
- * Updates a headers object in-place, preserving the original Accept header.
- * This is necessary to ensure that transports holding a reference to the headers
- * object see the updates.
- * @param currentHeaders The headers object to update.
- * @param newHeaders The new headers to apply.
- */
-const updateHeadersInPlace = (currentHeaders, newHeaders) => {
-    // Preserve the Accept header, which is set at transport creation and
-    // is not present in subsequent client requests.
-    const accept = currentHeaders["Accept"];
-    // Clear the old headers and apply the new ones.
-    Object.keys(currentHeaders).forEach((key) => delete currentHeaders[key]);
-    Object.assign(currentHeaders, newHeaders);
-    // Restore the Accept header.
-    if (accept) {
-        currentHeaders["Accept"] = accept;
-    }
-};
 const app = express();
 app.use(cors());
 // [SECURITY-ENHANCEMENT] - triepod-ai fork: Rate limiting to prevent DoS attacks
@@ -681,8 +581,10 @@ app.get("/config", originValidationMiddleware, authMiddleware, (req, res) => {
 });
 const PORT = parseInt(process.env.SERVER_PORT || DEFAULT_MCP_PROXY_LISTEN_PORT, 10);
 const HOST = process.env.HOST || "localhost";
-const server = app.listen(PORT, HOST);
-server.on("listening", () => {
+// Don't start server in test mode - allows supertest to manage the server
+const isTestMode = process.env.NODE_ENV === "test";
+const server = isTestMode ? null : app.listen(PORT, HOST);
+server?.on("listening", () => {
     console.log(`⚙️ Proxy server listening on ${HOST}:${PORT}`);
     if (!authDisabled) {
         console.log(`🔑 Session token: ${sessionToken}\n   ` +
@@ -692,7 +594,7 @@ server.on("listening", () => {
         console.log(`⚠️  WARNING: Authentication is disabled. This is not recommended.`);
     }
 });
-server.on("error", (err) => {
+server?.on("error", (err) => {
     if (err.message.includes(`EADDRINUSE`)) {
         console.error(`❌  Proxy Server PORT IS IN USE at port ${PORT} ❌ `);
     }
@@ -701,3 +603,5 @@ server.on("error", (err) => {
     }
     process.exit(1);
 });
+// Export app and sessionToken for testing with supertest
+export { app, sessionToken };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bryan-thompson/inspector-assessment-server",
-  "version": "1.25.1",
+  "version": "1.25.4",
   "description": "Server-side application for the Enhanced MCP Inspector with assessment capabilities",
   "license": "MIT",
   "author": "Bryan Thompson <bryan@triepod.ai>",
@@ -27,13 +27,19 @@
     "build": "tsc",
     "start": "node build/index.js",
     "dev": "tsx watch --clear-screen=false src/index.ts",
-    "dev:windows": "tsx watch --clear-screen=false src/index.ts < NUL"
+    "dev:windows": "tsx watch --clear-screen=false src/index.ts < NUL",
+    "test": "node --experimental-vm-modules ../node_modules/.bin/jest --config jest.config.cjs"
   },
   "devDependencies": {
     "@types/cors": "^2.8.19",
     "@types/express": "^4.17.23",
+    "@types/jest": "^29.5.14",
     "@types/shell-quote": "^1.7.5",
+    "@types/supertest": "^6.0.2",
     "@types/ws": "^8.5.12",
+    "jest": "^29.7.0",
+    "supertest": "^7.0.0",
+    "ts-jest": "^29.2.0",
     "tsx": "^4.19.0",
     "typescript": "^5.6.2"
   },