@bryan-thompson/inspector-assessment 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +22 -0
- package/README.md +1042 -0
- package/cli/build/cli.js +277 -0
- package/cli/build/client/connection.js +38 -0
- package/cli/build/client/index.js +6 -0
- package/cli/build/client/prompts.js +38 -0
- package/cli/build/client/resources.js +30 -0
- package/cli/build/client/tools.js +74 -0
- package/cli/build/client/types.js +1 -0
- package/cli/build/error-handler.js +18 -0
- package/cli/build/index.js +232 -0
- package/cli/build/transport.js +65 -0
- package/cli/build/utils/awaitable-log.js +7 -0
- package/client/README.md +50 -0
- package/client/bin/client.js +62 -0
- package/client/bin/start.js +340 -0
- package/client/dist/assets/OAuthCallback-CLEJW5KO.js +55 -0
- package/client/dist/assets/OAuthDebugCallback-B154gAVm.js +64 -0
- package/client/dist/assets/index-DYiWOife.css +3138 -0
- package/client/dist/assets/index-EfKh2svk.js +53519 -0
- package/client/dist/index.html +14 -0
- package/client/dist/mcp.svg +12 -0
- package/package.json +106 -0
- package/server/build/index.js +647 -0
- package/server/build/mcpProxy.js +63 -0
|
@@ -0,0 +1,647 @@
|
|
|
1
|
+
#!/usr/bin/env node
|
|
2
|
+
import cors from "cors";
|
|
3
|
+
import { parseArgs } from "node:util";
|
|
4
|
+
import { parse as shellParseArgs } from "shell-quote";
|
|
5
|
+
import nodeFetch, { Headers as NodeHeaders } from "node-fetch";
|
|
6
|
+
import fs from "node:fs";
|
|
7
|
+
// Type-compatible wrappers for node-fetch to work with browser-style types
|
|
8
|
+
const fetch = nodeFetch;
|
|
9
|
+
const Headers = NodeHeaders;
|
|
10
|
+
import { SSEClientTransport, SseError, } from "@modelcontextprotocol/sdk/client/sse.js";
|
|
11
|
+
import { StdioClientTransport, getDefaultEnvironment, } from "@modelcontextprotocol/sdk/client/stdio.js";
|
|
12
|
+
import { StreamableHTTPClientTransport } from "@modelcontextprotocol/sdk/client/streamableHttp.js";
|
|
13
|
+
import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
|
|
14
|
+
import { SSEServerTransport } from "@modelcontextprotocol/sdk/server/sse.js";
|
|
15
|
+
import express from "express";
|
|
16
|
+
import { findActualExecutable } from "spawn-rx";
|
|
17
|
+
import mcpProxy from "./mcpProxy.js";
|
|
18
|
+
import { randomUUID, randomBytes, timingSafeEqual } from "node:crypto";
|
|
19
|
+
const DEFAULT_MCP_PROXY_LISTEN_PORT = "6277";
|
|
20
|
+
const defaultEnvironment = {
|
|
21
|
+
...getDefaultEnvironment(),
|
|
22
|
+
...(process.env.MCP_ENV_VARS ? JSON.parse(process.env.MCP_ENV_VARS) : {}),
|
|
23
|
+
};
|
|
24
|
+
const { values } = parseArgs({
|
|
25
|
+
args: process.argv.slice(2),
|
|
26
|
+
options: {
|
|
27
|
+
env: { type: "string", default: "" },
|
|
28
|
+
args: { type: "string", default: "" },
|
|
29
|
+
command: { type: "string", default: "" },
|
|
30
|
+
transport: { type: "string", default: "" },
|
|
31
|
+
"server-url": { type: "string", default: "" },
|
|
32
|
+
},
|
|
33
|
+
});
|
|
34
|
+
// Function to get HTTP headers.
|
|
35
|
+
const getHttpHeaders = (req) => {
|
|
36
|
+
const headers = {};
|
|
37
|
+
// Iterate over all headers in the request
|
|
38
|
+
for (const key in req.headers) {
|
|
39
|
+
const lowerKey = key.toLowerCase();
|
|
40
|
+
// Check if the header is one we want to forward
|
|
41
|
+
if (lowerKey.startsWith("mcp-") ||
|
|
42
|
+
lowerKey === "authorization" ||
|
|
43
|
+
lowerKey === "last-event-id") {
|
|
44
|
+
// Exclude the proxy's own authentication header and the Client <-> Proxy session ID header
|
|
45
|
+
if (lowerKey !== "x-mcp-proxy-auth" && lowerKey !== "mcp-session-id") {
|
|
46
|
+
const value = req.headers[key];
|
|
47
|
+
if (typeof value === "string") {
|
|
48
|
+
// If the value is a string, use it directly
|
|
49
|
+
headers[key] = value;
|
|
50
|
+
}
|
|
51
|
+
else if (Array.isArray(value)) {
|
|
52
|
+
// If the value is an array, use the last element
|
|
53
|
+
const lastValue = value.at(-1);
|
|
54
|
+
if (lastValue !== undefined) {
|
|
55
|
+
headers[key] = lastValue;
|
|
56
|
+
}
|
|
57
|
+
}
|
|
58
|
+
// If value is undefined, it's skipped, which is correct.
|
|
59
|
+
}
|
|
60
|
+
}
|
|
61
|
+
}
|
|
62
|
+
// Handle the custom auth header separately. We expect `x-custom-auth-header`
|
|
63
|
+
// to be a string containing the name of the actual authentication header.
|
|
64
|
+
const customAuthHeaderName = req.headers["x-custom-auth-header"];
|
|
65
|
+
if (typeof customAuthHeaderName === "string") {
|
|
66
|
+
const lowerCaseHeaderName = customAuthHeaderName.toLowerCase();
|
|
67
|
+
const value = req.headers[lowerCaseHeaderName];
|
|
68
|
+
if (typeof value === "string") {
|
|
69
|
+
headers[customAuthHeaderName] = value;
|
|
70
|
+
}
|
|
71
|
+
else if (Array.isArray(value)) {
|
|
72
|
+
// If the actual auth header was sent multiple times, use the last value.
|
|
73
|
+
const lastValue = value.at(-1);
|
|
74
|
+
if (lastValue !== undefined) {
|
|
75
|
+
headers[customAuthHeaderName] = lastValue;
|
|
76
|
+
}
|
|
77
|
+
}
|
|
78
|
+
}
|
|
79
|
+
// Handle multiple custom headers (new approach)
|
|
80
|
+
if (req.headers["x-custom-auth-headers"] !== undefined) {
|
|
81
|
+
try {
|
|
82
|
+
const customHeaderNames = JSON.parse(req.headers["x-custom-auth-headers"]);
|
|
83
|
+
if (Array.isArray(customHeaderNames)) {
|
|
84
|
+
customHeaderNames.forEach((headerName) => {
|
|
85
|
+
const lowerCaseHeaderName = headerName.toLowerCase();
|
|
86
|
+
if (req.headers[lowerCaseHeaderName] !== undefined) {
|
|
87
|
+
const value = req.headers[lowerCaseHeaderName];
|
|
88
|
+
headers[headerName] = Array.isArray(value)
|
|
89
|
+
? value[value.length - 1]
|
|
90
|
+
: value;
|
|
91
|
+
}
|
|
92
|
+
});
|
|
93
|
+
}
|
|
94
|
+
}
|
|
95
|
+
catch (error) {
|
|
96
|
+
console.warn("Failed to parse x-custom-auth-headers:", error);
|
|
97
|
+
}
|
|
98
|
+
}
|
|
99
|
+
return headers;
|
|
100
|
+
};
|
|
101
|
+
/**
|
|
102
|
+
* Updates a headers object in-place, preserving the original Accept header.
|
|
103
|
+
* This is necessary to ensure that transports holding a reference to the headers
|
|
104
|
+
* object see the updates.
|
|
105
|
+
* @param currentHeaders The headers object to update.
|
|
106
|
+
* @param newHeaders The new headers to apply.
|
|
107
|
+
*/
|
|
108
|
+
const updateHeadersInPlace = (currentHeaders, newHeaders) => {
|
|
109
|
+
// Preserve the Accept header, which is set at transport creation and
|
|
110
|
+
// is not present in subsequent client requests.
|
|
111
|
+
const accept = currentHeaders["Accept"];
|
|
112
|
+
// Clear the old headers and apply the new ones.
|
|
113
|
+
Object.keys(currentHeaders).forEach((key) => delete currentHeaders[key]);
|
|
114
|
+
Object.assign(currentHeaders, newHeaders);
|
|
115
|
+
// Restore the Accept header.
|
|
116
|
+
if (accept) {
|
|
117
|
+
currentHeaders["Accept"] = accept;
|
|
118
|
+
}
|
|
119
|
+
};
|
|
120
|
+
const app = express();
|
|
121
|
+
app.use(cors());
|
|
122
|
+
app.use((req, res, next) => {
|
|
123
|
+
res.header("Access-Control-Expose-Headers", "mcp-session-id");
|
|
124
|
+
next();
|
|
125
|
+
});
|
|
126
|
+
const webAppTransports = new Map(); // Web app transports by web app sessionId
|
|
127
|
+
const serverTransports = new Map(); // Server Transports by web app sessionId
|
|
128
|
+
const sessionHeaderHolders = new Map(); // For dynamic header updates
|
|
129
|
+
// Use provided token from environment or generate a new one
|
|
130
|
+
const sessionToken = process.env.MCP_PROXY_AUTH_TOKEN || randomBytes(32).toString("hex");
|
|
131
|
+
const authDisabled = !!process.env.DANGEROUSLY_OMIT_AUTH;
|
|
132
|
+
// Origin validation middleware to prevent DNS rebinding attacks
|
|
133
|
+
const originValidationMiddleware = (req, res, next) => {
|
|
134
|
+
const origin = req.headers.origin;
|
|
135
|
+
// Default origins based on CLIENT_PORT or use environment variable
|
|
136
|
+
const clientPort = process.env.CLIENT_PORT || "6274";
|
|
137
|
+
const defaultOrigin = `http://localhost:${clientPort}`;
|
|
138
|
+
const allowedOrigins = process.env.ALLOWED_ORIGINS?.split(",") || [
|
|
139
|
+
defaultOrigin,
|
|
140
|
+
];
|
|
141
|
+
if (origin && !allowedOrigins.includes(origin)) {
|
|
142
|
+
console.error(`Invalid origin: ${origin}`);
|
|
143
|
+
res.status(403).json({
|
|
144
|
+
error: "Forbidden - invalid origin",
|
|
145
|
+
message: "Request blocked to prevent DNS rebinding attacks. Configure allowed origins via environment variable.",
|
|
146
|
+
});
|
|
147
|
+
return;
|
|
148
|
+
}
|
|
149
|
+
next();
|
|
150
|
+
};
|
|
151
|
+
const authMiddleware = (req, res, next) => {
|
|
152
|
+
if (authDisabled) {
|
|
153
|
+
return next();
|
|
154
|
+
}
|
|
155
|
+
const sendUnauthorized = () => {
|
|
156
|
+
res.status(401).json({
|
|
157
|
+
error: "Unauthorized",
|
|
158
|
+
message: "Authentication required. Use the session token shown in the console when starting the server.",
|
|
159
|
+
});
|
|
160
|
+
};
|
|
161
|
+
const authHeader = req.headers["x-mcp-proxy-auth"];
|
|
162
|
+
const authHeaderValue = Array.isArray(authHeader)
|
|
163
|
+
? authHeader[0]
|
|
164
|
+
: authHeader;
|
|
165
|
+
if (!authHeaderValue || !authHeaderValue.startsWith("Bearer ")) {
|
|
166
|
+
sendUnauthorized();
|
|
167
|
+
return;
|
|
168
|
+
}
|
|
169
|
+
const providedToken = authHeaderValue.substring(7); // Remove 'Bearer ' prefix
|
|
170
|
+
const expectedToken = sessionToken;
|
|
171
|
+
// Convert to buffers for timing-safe comparison
|
|
172
|
+
const providedBuffer = Buffer.from(providedToken);
|
|
173
|
+
const expectedBuffer = Buffer.from(expectedToken);
|
|
174
|
+
// Check length first to prevent timing attacks
|
|
175
|
+
if (providedBuffer.length !== expectedBuffer.length) {
|
|
176
|
+
sendUnauthorized();
|
|
177
|
+
return;
|
|
178
|
+
}
|
|
179
|
+
// Perform timing-safe comparison
|
|
180
|
+
if (!timingSafeEqual(providedBuffer, expectedBuffer)) {
|
|
181
|
+
sendUnauthorized();
|
|
182
|
+
return;
|
|
183
|
+
}
|
|
184
|
+
next();
|
|
185
|
+
};
|
|
186
|
+
/**
|
|
187
|
+
* Converts a Node.js ReadableStream to a web-compatible ReadableStream
|
|
188
|
+
* This is necessary for the EventSource polyfill which expects web streams
|
|
189
|
+
*/
|
|
190
|
+
const createWebReadableStream = (nodeStream) => {
|
|
191
|
+
return new ReadableStream({
|
|
192
|
+
start(controller) {
|
|
193
|
+
nodeStream.on("data", (chunk) => {
|
|
194
|
+
controller.enqueue(chunk);
|
|
195
|
+
});
|
|
196
|
+
nodeStream.on("end", () => {
|
|
197
|
+
controller.close();
|
|
198
|
+
});
|
|
199
|
+
nodeStream.on("error", (err) => {
|
|
200
|
+
controller.error(err);
|
|
201
|
+
});
|
|
202
|
+
},
|
|
203
|
+
});
|
|
204
|
+
};
|
|
205
|
+
/**
|
|
206
|
+
* Creates a `fetch` function that merges dynamic session headers with the
|
|
207
|
+
* headers from the actual request, ensuring that request-specific headers like
|
|
208
|
+
* `Content-Type` are preserved. For SSE requests, it also converts Node.js
|
|
209
|
+
* streams to web-compatible streams.
|
|
210
|
+
*/
|
|
211
|
+
const createCustomFetch = (headerHolder) => {
|
|
212
|
+
return async (input, init) => {
|
|
213
|
+
// Determine the headers from the original request/init.
|
|
214
|
+
// The SDK may pass a Request object or a URL and an init object.
|
|
215
|
+
const originalHeaders = input instanceof Request ? input.headers : init?.headers;
|
|
216
|
+
// Start with our dynamic session headers.
|
|
217
|
+
const finalHeaders = new Headers(headerHolder.headers);
|
|
218
|
+
// Merge the SDK's request-specific headers, letting them overwrite.
|
|
219
|
+
// This is crucial for preserving Content-Type on POST requests.
|
|
220
|
+
new Headers(originalHeaders).forEach((value, key) => {
|
|
221
|
+
finalHeaders.set(key, value);
|
|
222
|
+
});
|
|
223
|
+
// Convert Headers to a plain object for node-fetch compatibility
|
|
224
|
+
const headersObject = {};
|
|
225
|
+
finalHeaders.forEach((value, key) => {
|
|
226
|
+
headersObject[key] = value;
|
|
227
|
+
});
|
|
228
|
+
// Get the response from node-fetch (cast input and init to handle type differences)
|
|
229
|
+
const response = await fetch(input, { ...init, headers: headersObject });
|
|
230
|
+
// Check if this is an SSE request by looking at the Accept header
|
|
231
|
+
const acceptHeader = finalHeaders.get("Accept");
|
|
232
|
+
const isSSE = acceptHeader?.includes("text/event-stream");
|
|
233
|
+
if (isSSE && response.body) {
|
|
234
|
+
// For SSE requests, we need to convert the Node.js stream to a web ReadableStream
|
|
235
|
+
// because the EventSource polyfill expects web-compatible streams
|
|
236
|
+
const webStream = createWebReadableStream(response.body);
|
|
237
|
+
// Create a new response with the web-compatible stream
|
|
238
|
+
// Convert node-fetch headers to plain object for web Response compatibility
|
|
239
|
+
const responseHeaders = {};
|
|
240
|
+
response.headers.forEach((value, key) => {
|
|
241
|
+
responseHeaders[key] = value;
|
|
242
|
+
});
|
|
243
|
+
return new Response(webStream, {
|
|
244
|
+
status: response.status,
|
|
245
|
+
statusText: response.statusText,
|
|
246
|
+
headers: responseHeaders,
|
|
247
|
+
});
|
|
248
|
+
}
|
|
249
|
+
// For non-SSE requests, return the response as-is (cast to handle type differences)
|
|
250
|
+
return response;
|
|
251
|
+
};
|
|
252
|
+
};
|
|
253
|
+
const createTransport = async (req) => {
|
|
254
|
+
const query = req.query;
|
|
255
|
+
console.log("Query parameters:", JSON.stringify(query));
|
|
256
|
+
const transportType = query.transportType;
|
|
257
|
+
if (transportType === "stdio") {
|
|
258
|
+
const command = query.command.trim();
|
|
259
|
+
const origArgs = shellParseArgs(query.args);
|
|
260
|
+
const queryEnv = query.env ? JSON.parse(query.env) : {};
|
|
261
|
+
const env = { ...defaultEnvironment, ...process.env, ...queryEnv };
|
|
262
|
+
const { cmd, args } = findActualExecutable(command, origArgs);
|
|
263
|
+
console.log(`STDIO transport: command=${cmd}, args=${args}`);
|
|
264
|
+
const transport = new StdioClientTransport({
|
|
265
|
+
command: cmd,
|
|
266
|
+
args,
|
|
267
|
+
env,
|
|
268
|
+
stderr: "pipe",
|
|
269
|
+
});
|
|
270
|
+
await transport.start();
|
|
271
|
+
return { transport };
|
|
272
|
+
}
|
|
273
|
+
else if (transportType === "sse") {
|
|
274
|
+
const url = query.url;
|
|
275
|
+
const headers = getHttpHeaders(req);
|
|
276
|
+
headers["Accept"] = "text/event-stream";
|
|
277
|
+
const headerHolder = { headers };
|
|
278
|
+
console.log(`SSE transport: url=${url}, headers=${JSON.stringify(headers)}`);
|
|
279
|
+
const transport = new SSEClientTransport(new URL(url), {
|
|
280
|
+
eventSourceInit: {
|
|
281
|
+
fetch: createCustomFetch(headerHolder),
|
|
282
|
+
},
|
|
283
|
+
requestInit: {
|
|
284
|
+
headers: headerHolder.headers,
|
|
285
|
+
},
|
|
286
|
+
});
|
|
287
|
+
await transport.start();
|
|
288
|
+
return { transport, headerHolder };
|
|
289
|
+
}
|
|
290
|
+
else if (transportType === "streamable-http") {
|
|
291
|
+
const headers = getHttpHeaders(req);
|
|
292
|
+
headers["Accept"] = "text/event-stream, application/json";
|
|
293
|
+
const headerHolder = { headers };
|
|
294
|
+
const transport = new StreamableHTTPClientTransport(new URL(query.url), {
|
|
295
|
+
// Pass a custom fetch to inject the latest headers on each request
|
|
296
|
+
fetch: createCustomFetch(headerHolder),
|
|
297
|
+
});
|
|
298
|
+
await transport.start();
|
|
299
|
+
return { transport, headerHolder };
|
|
300
|
+
}
|
|
301
|
+
else {
|
|
302
|
+
console.error(`Invalid transport type: ${transportType}`);
|
|
303
|
+
throw new Error("Invalid transport type specified");
|
|
304
|
+
}
|
|
305
|
+
};
|
|
306
|
+
app.get("/mcp", originValidationMiddleware, authMiddleware, async (req, res) => {
|
|
307
|
+
const sessionId = req.headers["mcp-session-id"];
|
|
308
|
+
console.log(`Received GET message for sessionId ${sessionId}`);
|
|
309
|
+
const headerHolder = sessionHeaderHolders.get(sessionId);
|
|
310
|
+
if (headerHolder) {
|
|
311
|
+
updateHeadersInPlace(headerHolder.headers, getHttpHeaders(req));
|
|
312
|
+
}
|
|
313
|
+
try {
|
|
314
|
+
const transport = webAppTransports.get(sessionId);
|
|
315
|
+
if (!transport) {
|
|
316
|
+
res.status(404).end("Session not found");
|
|
317
|
+
return;
|
|
318
|
+
}
|
|
319
|
+
else {
|
|
320
|
+
await transport.handleRequest(req, res);
|
|
321
|
+
}
|
|
322
|
+
}
|
|
323
|
+
catch (error) {
|
|
324
|
+
console.error("Error in /mcp route:", error);
|
|
325
|
+
res.status(500).json(error);
|
|
326
|
+
}
|
|
327
|
+
});
|
|
328
|
+
app.post("/mcp", originValidationMiddleware, authMiddleware, async (req, res) => {
|
|
329
|
+
const sessionId = req.headers["mcp-session-id"];
|
|
330
|
+
if (sessionId) {
|
|
331
|
+
console.log(`Received POST message for sessionId ${sessionId}`);
|
|
332
|
+
const headerHolder = sessionHeaderHolders.get(sessionId);
|
|
333
|
+
if (headerHolder) {
|
|
334
|
+
updateHeadersInPlace(headerHolder.headers, getHttpHeaders(req));
|
|
335
|
+
}
|
|
336
|
+
try {
|
|
337
|
+
const transport = webAppTransports.get(sessionId);
|
|
338
|
+
if (!transport) {
|
|
339
|
+
res.status(404).end("Transport not found for sessionId " + sessionId);
|
|
340
|
+
}
|
|
341
|
+
else {
|
|
342
|
+
await transport.handleRequest(req, res);
|
|
343
|
+
}
|
|
344
|
+
}
|
|
345
|
+
catch (error) {
|
|
346
|
+
console.error("Error in /mcp route:", error);
|
|
347
|
+
res.status(500).json(error);
|
|
348
|
+
}
|
|
349
|
+
}
|
|
350
|
+
else {
|
|
351
|
+
console.log("New StreamableHttp connection request");
|
|
352
|
+
try {
|
|
353
|
+
const { transport: serverTransport, headerHolder } = await createTransport(req);
|
|
354
|
+
const webAppTransport = new StreamableHTTPServerTransport({
|
|
355
|
+
sessionIdGenerator: randomUUID,
|
|
356
|
+
onsessioninitialized: (sessionId) => {
|
|
357
|
+
webAppTransports.set(sessionId, webAppTransport);
|
|
358
|
+
serverTransports.set(sessionId, serverTransport); // eslint-disable-line @typescript-eslint/no-non-null-assertion
|
|
359
|
+
if (headerHolder) {
|
|
360
|
+
sessionHeaderHolders.set(sessionId, headerHolder);
|
|
361
|
+
}
|
|
362
|
+
console.log("Client <-> Proxy sessionId: " + sessionId);
|
|
363
|
+
},
|
|
364
|
+
onsessionclosed: (sessionId) => {
|
|
365
|
+
webAppTransports.delete(sessionId);
|
|
366
|
+
serverTransports.delete(sessionId);
|
|
367
|
+
sessionHeaderHolders.delete(sessionId);
|
|
368
|
+
},
|
|
369
|
+
});
|
|
370
|
+
console.log("Created StreamableHttp client transport");
|
|
371
|
+
await webAppTransport.start();
|
|
372
|
+
mcpProxy({
|
|
373
|
+
transportToClient: webAppTransport,
|
|
374
|
+
transportToServer: serverTransport,
|
|
375
|
+
});
|
|
376
|
+
await webAppTransport.handleRequest(req, res, req.body);
|
|
377
|
+
}
|
|
378
|
+
catch (error) {
|
|
379
|
+
if (error instanceof SseError && error.code === 401) {
|
|
380
|
+
console.error("Received 401 Unauthorized from MCP server:", error.message);
|
|
381
|
+
res.status(401).json(error);
|
|
382
|
+
return;
|
|
383
|
+
}
|
|
384
|
+
console.error("Error in /mcp POST route:", error);
|
|
385
|
+
res.status(500).json(error);
|
|
386
|
+
}
|
|
387
|
+
}
|
|
388
|
+
});
|
|
389
|
+
app.delete("/mcp", originValidationMiddleware, authMiddleware, async (req, res) => {
|
|
390
|
+
const sessionId = req.headers["mcp-session-id"];
|
|
391
|
+
console.log(`Received DELETE message for sessionId ${sessionId}`);
|
|
392
|
+
if (sessionId) {
|
|
393
|
+
try {
|
|
394
|
+
const serverTransport = serverTransports.get(sessionId);
|
|
395
|
+
if (!serverTransport) {
|
|
396
|
+
res.status(404).end("Transport not found for sessionId " + sessionId);
|
|
397
|
+
}
|
|
398
|
+
else {
|
|
399
|
+
await serverTransport.terminateSession();
|
|
400
|
+
webAppTransports.delete(sessionId);
|
|
401
|
+
serverTransports.delete(sessionId);
|
|
402
|
+
sessionHeaderHolders.delete(sessionId);
|
|
403
|
+
console.log(`Transports removed for sessionId ${sessionId}`);
|
|
404
|
+
}
|
|
405
|
+
res.status(200).end();
|
|
406
|
+
}
|
|
407
|
+
catch (error) {
|
|
408
|
+
console.error("Error in /mcp route:", error);
|
|
409
|
+
res.status(500).json(error);
|
|
410
|
+
}
|
|
411
|
+
}
|
|
412
|
+
});
|
|
413
|
+
app.get("/stdio", originValidationMiddleware, authMiddleware, async (req, res) => {
|
|
414
|
+
try {
|
|
415
|
+
console.log("New STDIO connection request");
|
|
416
|
+
const { transport: serverTransport } = await createTransport(req);
|
|
417
|
+
const proxyFullAddress = req.query.proxyFullAddress || "";
|
|
418
|
+
const prefix = proxyFullAddress || "";
|
|
419
|
+
const endpoint = `${prefix}/message`;
|
|
420
|
+
const webAppTransport = new SSEServerTransport(endpoint, res);
|
|
421
|
+
webAppTransports.set(webAppTransport.sessionId, webAppTransport);
|
|
422
|
+
console.log("Created client transport");
|
|
423
|
+
serverTransports.set(webAppTransport.sessionId, serverTransport);
|
|
424
|
+
console.log("Created server transport");
|
|
425
|
+
await webAppTransport.start();
|
|
426
|
+
serverTransport.stderr.on("data", (chunk) => {
|
|
427
|
+
if (chunk.toString().includes("MODULE_NOT_FOUND")) {
|
|
428
|
+
// Server command not found, remove transports
|
|
429
|
+
const message = "Command not found, transports removed";
|
|
430
|
+
webAppTransport.send({
|
|
431
|
+
jsonrpc: "2.0",
|
|
432
|
+
method: "notifications/message",
|
|
433
|
+
params: {
|
|
434
|
+
level: "emergency",
|
|
435
|
+
logger: "proxy",
|
|
436
|
+
data: {
|
|
437
|
+
message,
|
|
438
|
+
},
|
|
439
|
+
},
|
|
440
|
+
});
|
|
441
|
+
webAppTransport.close();
|
|
442
|
+
serverTransport.close();
|
|
443
|
+
webAppTransports.delete(webAppTransport.sessionId);
|
|
444
|
+
serverTransports.delete(webAppTransport.sessionId);
|
|
445
|
+
sessionHeaderHolders.delete(webAppTransport.sessionId);
|
|
446
|
+
console.error(message);
|
|
447
|
+
}
|
|
448
|
+
else {
|
|
449
|
+
// Inspect message and attempt to assign a RFC 5424 Syslog Protocol level
|
|
450
|
+
let level;
|
|
451
|
+
let message = chunk.toString().trim();
|
|
452
|
+
let ucMsg = chunk.toString().toUpperCase();
|
|
453
|
+
if (ucMsg.includes("DEBUG")) {
|
|
454
|
+
level = "debug";
|
|
455
|
+
}
|
|
456
|
+
else if (ucMsg.includes("INFO")) {
|
|
457
|
+
level = "info";
|
|
458
|
+
}
|
|
459
|
+
else if (ucMsg.includes("NOTICE")) {
|
|
460
|
+
level = "notice";
|
|
461
|
+
}
|
|
462
|
+
else if (ucMsg.includes("WARN")) {
|
|
463
|
+
level = "warning";
|
|
464
|
+
}
|
|
465
|
+
else if (ucMsg.includes("ERROR")) {
|
|
466
|
+
level = "error";
|
|
467
|
+
}
|
|
468
|
+
else if (ucMsg.includes("CRITICAL")) {
|
|
469
|
+
level = "critical";
|
|
470
|
+
}
|
|
471
|
+
else if (ucMsg.includes("ALERT")) {
|
|
472
|
+
level = "alert";
|
|
473
|
+
}
|
|
474
|
+
else if (ucMsg.includes("EMERGENCY")) {
|
|
475
|
+
level = "emergency";
|
|
476
|
+
}
|
|
477
|
+
else if (ucMsg.includes("SIGINT")) {
|
|
478
|
+
message = "SIGINT received. Server shutdown.";
|
|
479
|
+
level = "emergency";
|
|
480
|
+
}
|
|
481
|
+
else if (ucMsg.includes("SIGHUP")) {
|
|
482
|
+
message = "SIGHUP received. Server shutdown.";
|
|
483
|
+
level = "emergency";
|
|
484
|
+
}
|
|
485
|
+
else if (ucMsg.includes("SIGTERM")) {
|
|
486
|
+
message = "SIGTERM received. Server shutdown.";
|
|
487
|
+
level = "emergency";
|
|
488
|
+
}
|
|
489
|
+
else {
|
|
490
|
+
level = "info";
|
|
491
|
+
}
|
|
492
|
+
webAppTransport.send({
|
|
493
|
+
jsonrpc: "2.0",
|
|
494
|
+
method: "notifications/message",
|
|
495
|
+
params: {
|
|
496
|
+
level,
|
|
497
|
+
logger: "stdio",
|
|
498
|
+
data: {
|
|
499
|
+
message,
|
|
500
|
+
},
|
|
501
|
+
},
|
|
502
|
+
});
|
|
503
|
+
}
|
|
504
|
+
});
|
|
505
|
+
mcpProxy({
|
|
506
|
+
transportToClient: webAppTransport,
|
|
507
|
+
transportToServer: serverTransport,
|
|
508
|
+
});
|
|
509
|
+
}
|
|
510
|
+
catch (error) {
|
|
511
|
+
if (error instanceof SseError && error.code === 401) {
|
|
512
|
+
console.error("Received 401 Unauthorized from MCP server. Authentication failure.");
|
|
513
|
+
res.status(401).json(error);
|
|
514
|
+
return;
|
|
515
|
+
}
|
|
516
|
+
console.error("Error in /stdio route:", error);
|
|
517
|
+
res.status(500).json(error);
|
|
518
|
+
}
|
|
519
|
+
});
|
|
520
|
+
app.get("/sse", originValidationMiddleware, authMiddleware, async (req, res) => {
|
|
521
|
+
try {
|
|
522
|
+
console.log("New SSE connection request. NOTE: The SSE transport is deprecated and has been replaced by StreamableHttp");
|
|
523
|
+
const { transport: serverTransport, headerHolder } = await createTransport(req);
|
|
524
|
+
const proxyFullAddress = req.query.proxyFullAddress || "";
|
|
525
|
+
const prefix = proxyFullAddress || "";
|
|
526
|
+
const endpoint = `${prefix}/message`;
|
|
527
|
+
const webAppTransport = new SSEServerTransport(endpoint, res);
|
|
528
|
+
webAppTransports.set(webAppTransport.sessionId, webAppTransport);
|
|
529
|
+
console.log("Created client transport");
|
|
530
|
+
serverTransports.set(webAppTransport.sessionId, serverTransport); // eslint-disable-line @typescript-eslint/no-non-null-assertion
|
|
531
|
+
if (headerHolder) {
|
|
532
|
+
sessionHeaderHolders.set(webAppTransport.sessionId, headerHolder);
|
|
533
|
+
}
|
|
534
|
+
console.log("Created server transport");
|
|
535
|
+
await webAppTransport.start();
|
|
536
|
+
mcpProxy({
|
|
537
|
+
transportToClient: webAppTransport,
|
|
538
|
+
transportToServer: serverTransport,
|
|
539
|
+
});
|
|
540
|
+
}
|
|
541
|
+
catch (error) {
|
|
542
|
+
if (error instanceof SseError && error.code === 401) {
|
|
543
|
+
console.error("Received 401 Unauthorized from MCP server. Authentication failure.");
|
|
544
|
+
res.status(401).json(error);
|
|
545
|
+
return;
|
|
546
|
+
}
|
|
547
|
+
else if (error instanceof SseError && error.code === 404) {
|
|
548
|
+
console.error("Received 404 not found from MCP server. Does the MCP server support SSE?");
|
|
549
|
+
res.status(404).json(error);
|
|
550
|
+
return;
|
|
551
|
+
}
|
|
552
|
+
else if (JSON.stringify(error).includes("ECONNREFUSED")) {
|
|
553
|
+
console.error("Connection refused. Is the MCP server running?");
|
|
554
|
+
res.status(500).json(error);
|
|
555
|
+
}
|
|
556
|
+
console.error("Error in /sse route:", error);
|
|
557
|
+
res.status(500).json(error);
|
|
558
|
+
}
|
|
559
|
+
});
|
|
560
|
+
app.post("/message", originValidationMiddleware, authMiddleware, async (req, res) => {
|
|
561
|
+
try {
|
|
562
|
+
const sessionId = req.query.sessionId;
|
|
563
|
+
console.log(`Received POST message for sessionId ${sessionId}`);
|
|
564
|
+
const headerHolder = sessionHeaderHolders.get(sessionId);
|
|
565
|
+
if (headerHolder) {
|
|
566
|
+
updateHeadersInPlace(headerHolder.headers, getHttpHeaders(req));
|
|
567
|
+
}
|
|
568
|
+
const transport = webAppTransports.get(sessionId);
|
|
569
|
+
if (!transport) {
|
|
570
|
+
res.status(404).end("Session not found");
|
|
571
|
+
return;
|
|
572
|
+
}
|
|
573
|
+
await transport.handlePostMessage(req, res);
|
|
574
|
+
}
|
|
575
|
+
catch (error) {
|
|
576
|
+
console.error("Error in /message route:", error);
|
|
577
|
+
res.status(500).json(error);
|
|
578
|
+
}
|
|
579
|
+
});
|
|
580
|
+
app.get("/health", (req, res) => {
|
|
581
|
+
res.json({
|
|
582
|
+
status: "ok",
|
|
583
|
+
});
|
|
584
|
+
});
|
|
585
|
+
// Assessment result persistence endpoint
|
|
586
|
+
app.post("/assessment/save", originValidationMiddleware, authMiddleware, express.json({ limit: "10mb" }), // Allow large JSON payloads
|
|
587
|
+
async (req, res) => {
|
|
588
|
+
try {
|
|
589
|
+
const { serverName, assessment } = req.body;
|
|
590
|
+
const sanitizedName = (serverName || "unknown").replace(/[^a-zA-Z0-9-_]/g, "_");
|
|
591
|
+
const filename = `/tmp/inspector-assessment-${sanitizedName}.json`;
|
|
592
|
+
// Delete old file if exists (cleanup)
|
|
593
|
+
if (fs.existsSync(filename)) {
|
|
594
|
+
fs.unlinkSync(filename);
|
|
595
|
+
}
|
|
596
|
+
// Save new assessment
|
|
597
|
+
fs.writeFileSync(filename, JSON.stringify(assessment, null, 2));
|
|
598
|
+
res.json({
|
|
599
|
+
success: true,
|
|
600
|
+
path: filename,
|
|
601
|
+
message: `Assessment saved to ${filename}`,
|
|
602
|
+
});
|
|
603
|
+
}
|
|
604
|
+
catch (error) {
|
|
605
|
+
res.status(500).json({
|
|
606
|
+
success: false,
|
|
607
|
+
error: error instanceof Error ? error.message : "Unknown error",
|
|
608
|
+
});
|
|
609
|
+
}
|
|
610
|
+
});
|
|
611
|
+
app.get("/config", originValidationMiddleware, authMiddleware, (req, res) => {
|
|
612
|
+
try {
|
|
613
|
+
res.json({
|
|
614
|
+
defaultEnvironment,
|
|
615
|
+
defaultCommand: values.command,
|
|
616
|
+
defaultArgs: values.args,
|
|
617
|
+
defaultTransport: values.transport,
|
|
618
|
+
defaultServerUrl: values["server-url"],
|
|
619
|
+
});
|
|
620
|
+
}
|
|
621
|
+
catch (error) {
|
|
622
|
+
console.error("Error in /config route:", error);
|
|
623
|
+
res.status(500).json(error);
|
|
624
|
+
}
|
|
625
|
+
});
|
|
626
|
+
const PORT = parseInt(process.env.SERVER_PORT || DEFAULT_MCP_PROXY_LISTEN_PORT, 10);
|
|
627
|
+
const HOST = process.env.HOST || "localhost";
|
|
628
|
+
const server = app.listen(PORT, HOST);
|
|
629
|
+
server.on("listening", () => {
|
|
630
|
+
console.log(`⚙️ Proxy server listening on ${HOST}:${PORT}`);
|
|
631
|
+
if (!authDisabled) {
|
|
632
|
+
console.log(`🔑 Session token: ${sessionToken}\n ` +
|
|
633
|
+
`Use this token to authenticate requests or set DANGEROUSLY_OMIT_AUTH=true to disable auth`);
|
|
634
|
+
}
|
|
635
|
+
else {
|
|
636
|
+
console.log(`⚠️ WARNING: Authentication is disabled. This is not recommended.`);
|
|
637
|
+
}
|
|
638
|
+
});
|
|
639
|
+
server.on("error", (err) => {
|
|
640
|
+
if (err.message.includes(`EADDRINUSE`)) {
|
|
641
|
+
console.error(`❌ Proxy Server PORT IS IN USE at port ${PORT} ❌ `);
|
|
642
|
+
}
|
|
643
|
+
else {
|
|
644
|
+
console.error(err.message);
|
|
645
|
+
}
|
|
646
|
+
process.exit(1);
|
|
647
|
+
});
|