npm - @fnet/cli - Versions diffs - 0.119.1 → 0.119.2 - Mend

@fnet/cli 0.119.1 → 0.119.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/package.json +1 -1
package/template/fnode/node/src/cli/index.js.njk +51 -48

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@fnet/cli",
-  "version": "0.119.1",
+  "version": "0.119.2",
   "files": [
     "dist",
     "template"

package/template/fnode/node/src/cli/index.js.njk CHANGED Viewed

@@ -80,77 +80,80 @@
       const host = args['cli-host'] || args.cli_host || 'localhost';
       const mcpEndpoint = '/mcp';
-      // Security: Validate Origin header to prevent DNS rebinding attacks
-      app.use((req, res, next) => {
-        const origin = req.get('origin');
-        if (origin && host === 'localhost') {
-          const originUrl = new URL(origin);
-          if (originUrl.hostname !== 'localhost' && originUrl.hostname !== '127.0.0.1') {
-            return res.status(403).json({ error: 'Forbidden: Invalid origin' });
-          }
-        }
-        next();
-      });
-      // Middleware to check session ID (except for initialization)
-      const checkSessionId = (req, res, next) => {
-        // Skip session check for initialization requests
-        if (req.method === 'POST' && req.body) {
-          const body = req.body;
-          // Check if this is an initialization request
-          if (body.method === 'initialize' ||
-              (Array.isArray(body) && body.some(item => item.method === 'initialize'))) {
-            return next();
-          }
-        }
+      // Map to store transports by session ID
+      const transports = {};
-        // For non-initialization requests, require session ID
+      // Handle POST requests for client-to-server communication
+      app.post(mcpEndpoint, async (req, res) => {
+        // Check for existing session ID
         const sessionId = req.get('Mcp-Session-Id');
-        if (!sessionId) {
+        let transport;
+        if (sessionId && transports[sessionId]) {
+          // Reuse existing transport
+          transport = transports[sessionId];
+        } else if (!sessionId && req.body && (req.body.method === 'initialize' ||
+                   (Array.isArray(req.body) && req.body.some(item => item.method === 'initialize')))) {
+          // New initialization request
+          transport = new StreamableHTTPServerTransport({
+            sessionIdGenerator: () => {
+              // Generate cryptographically secure session ID
+              return require('crypto').randomBytes(16).toString('hex');
+            },
+            onsessioninitialized: (sessionId) => {
+              // Store the transport by session ID
+              transports[sessionId] = transport;
+            }
+          });
+          // Clean up transport when closed
+          transport.onclose = () => {
+            if (transport.sessionId) {
+              delete transports[transport.sessionId];
+            }
+          };
+          // Connect to the MCP server
+          await server.connect(transport);
+        } else {
+          // Invalid request
           return res.status(400).json({
             jsonrpc: '2.0',
             error: {
               code: -32000,
-              message: 'Bad Request: Mcp-Session-Id header is required'
+              message: 'Bad Request: No valid session ID provided'
             },
             id: null
           });
         }
-        next();
-      };
-      app.use(mcpEndpoint, checkSessionId);
-      transport = new StreamableHTTPServerTransport({
-        sessionIdGenerator: () => {
-          // Generate cryptographically secure session ID
-          return require('crypto').randomBytes(16).toString('hex');
-        },
-      });
-      // Handle POST requests for client-to-server messages
-      app.post(mcpEndpoint, async (req, res) => {
+        // Handle the request
         await transport.handleRequest(req, res, req.body);
       });
-      // Handle GET requests for server-to-client SSE stream
-      app.get(mcpEndpoint, async (req, res) => {
+      // Reusable handler for GET and DELETE requests
+      const handleSessionRequest = async (req, res) => {
+        const sessionId = req.get('Mcp-Session-Id');
+        if (!sessionId || !transports[sessionId]) {
+          return res.status(400).send('Invalid or missing session ID');
+        }
+        const transport = transports[sessionId];
         await transport.handleRequest(req, res);
-      });
+      };
+      // Handle GET requests for server-to-client notifications via SSE
+      app.get(mcpEndpoint, handleSessionRequest);
       // Handle DELETE requests for session termination
-      app.delete(mcpEndpoint, async (req, res) => {
-        await transport.handleRequest(req, res);
-      });
+      app.delete(mcpEndpoint, handleSessionRequest);
-      const httpServer = app.listen(port, host, () => {
+      app.listen(port, host, () => {
         console.log(`MCP server started with Streamable HTTP transport`);
         console.log(`Endpoint: http://${host}:${port}${mcpEndpoint}`);
         console.log(`Listening on ${host}:${port}`);
       });
-      // Connect transport to server
-      await server.connect(transport);
       return;
     } else {
       console.error(`Unknown MCP transport type: ${transportType}`);