@gethmy/mcp 2.4.7 → 2.5.1

package/src/__tests__/remote-routing.test.ts

@@ -1,285 +0,0 @@
-/**
- * Routing/auth tests for the remote MCP server (`src/remote.ts`).
- *
- * Covers the four session-routing branches mandated by the MCP Streamable
- * HTTP spec — the regression that surfaced as "Harmony MCP not responding"
- * after a server restart, OAuth refresh, or stale-session GC was a missing
- * 404 branch for unknown `Mcp-Session-Id` values.
- *
- * These tests stub `globalThis.fetch` so we don't depend on harmony-api
- * being reachable.
- *
- * Run with: bun test packages/mcp-server/src/__tests__/remote-routing.test.ts
- */
-
-import {
-  afterAll,
-  afterEach,
-  beforeAll,
-  beforeEach,
-  describe,
-  expect,
-  test,
-} from "bun:test";
-
-const ORIGINAL_FETCH = globalThis.fetch;
-
-// Fixed values used across tests
-const TEST_USER = "user-alpha";
-const OTHER_USER = "user-beta";
-const TEST_WORKSPACE = "ws-1";
-const VALID_TOKEN = "hmy_at_alpha_valid";
-const REFRESHED_TOKEN = "hmy_at_alpha_refreshed";
-const OTHER_USER_TOKEN = "hmy_at_beta_valid";
-const REVOKED_TOKEN = "hmy_at_revoked";
-
-function makeFetchStub() {
-  return async (
-    input: string | URL | Request,
-    init?: RequestInit,
-  ): Promise<Response> => {
-    const url = typeof input === "string" ? input : input.toString();
-    const apiKey =
-      (init?.headers as Record<string, string> | undefined)?.["X-API-Key"] ??
-      "";
-
-    if (url.endsWith("/v1/auth/context")) {
-      const map: Record<
-        string,
-        { userId: string; workspaceId: string | null; source: string } | null
-      > = {
-        [VALID_TOKEN]: {
-          userId: TEST_USER,
-          workspaceId: TEST_WORKSPACE,
-          source: "oauth",
-        },
-        [REFRESHED_TOKEN]: {
-          userId: TEST_USER,
-          workspaceId: TEST_WORKSPACE,
-          source: "oauth",
-        },
-        [OTHER_USER_TOKEN]: {
-          userId: OTHER_USER,
-          workspaceId: "ws-2",
-          source: "oauth",
-        },
-      };
-      const ctx = map[apiKey];
-      if (!ctx) {
-        return new Response(JSON.stringify({ error: "unauthorized" }), {
-          status: 401,
-          headers: { "Content-Type": "application/json" },
-        });
-      }
-      return new Response(JSON.stringify(ctx), {
-        status: 200,
-        headers: { "Content-Type": "application/json" },
-      });
-    }
-
-    // Anything else — return a benign 404 so unrelated lookups don't blow up.
-    return new Response("{}", {
-      status: 404,
-      headers: { "Content-Type": "application/json" },
-    });
-  };
-}
-
-let fetchHandler: (req: Request) => Promise<Response>;
-let _sessionsForTests: Map<string, unknown>;
-
-beforeAll(async () => {
-  globalThis.fetch = makeFetchStub() as unknown as typeof fetch;
-  // Import after the stub is in place (module init is synchronous-only.)
-  const mod = await import("../remote.js");
-  fetchHandler = mod.fetchHandler as (req: Request) => Promise<Response>;
-  _sessionsForTests = mod._sessionsForTests as Map<string, unknown>;
-});
-
-afterAll(() => {
-  globalThis.fetch = ORIGINAL_FETCH;
-});
-
-beforeEach(() => {
-  // Refresh the fetch stub each test (preserves across the cache TTL).
-  globalThis.fetch = makeFetchStub() as unknown as typeof fetch;
-});
-
-afterEach(() => {
-  // Wipe sessions between tests so state doesn't leak.
-  _sessionsForTests.clear();
-});
-
-const INIT_BODY = {
-  jsonrpc: "2.0",
-  id: 1,
-  method: "initialize",
-  params: {
-    protocolVersion: "2025-06-18",
-    capabilities: {},
-    clientInfo: { name: "test", version: "0.0.1" },
-  },
-};
-
-const TOOLS_LIST_BODY = {
-  jsonrpc: "2.0",
-  id: 2,
-  method: "tools/list",
-  params: {},
-};
-
-function makePost(
-  body: unknown,
-  opts: { token?: string; sessionId?: string } = {},
-): Request {
-  const headers: Record<string, string> = {
-    "Content-Type": "application/json",
-    Accept: "application/json, text/event-stream",
-  };
-  if (opts.token) headers.Authorization = `Bearer ${opts.token}`;
-  if (opts.sessionId) headers["Mcp-Session-Id"] = opts.sessionId;
-  return new Request("http://localhost/mcp", {
-    method: "POST",
-    headers,
-    body: JSON.stringify(body),
-  });
-}
-
-describe("remote MCP routing", () => {
-  test("no Authorization header → 401 + WWW-Authenticate", async () => {
-    const res = await fetchHandler(
-      new Request("http://localhost/mcp", { method: "POST" }),
-    );
-    expect(res.status).toBe(401);
-    const wwwAuth = res.headers.get("WWW-Authenticate") ?? "";
-    expect(wwwAuth).toContain("Bearer");
-    expect(wwwAuth).toContain("resource_metadata=");
-  });
-
-  test("invalid bearer on initialize → 401 invalid_token", async () => {
-    const res = await fetchHandler(
-      makePost(INIT_BODY, { token: REVOKED_TOKEN }),
-    );
-    expect(res.status).toBe(401);
-    expect(res.headers.get("WWW-Authenticate") ?? "").toContain(
-      "invalid_token",
-    );
-  });
-
-  test("POST without session id and not initialize → 400", async () => {
-    const res = await fetchHandler(
-      makePost(TOOLS_LIST_BODY, { token: VALID_TOKEN }),
-    );
-    expect(res.status).toBe(400);
-    const body = (await res.json()) as { error: { message: string } };
-    expect(body.error.message).toMatch(/Mcp-Session-Id header required/i);
-  });
-
-  test("POST with unknown session id → 404 (forces client re-init)", async () => {
-    const res = await fetchHandler(
-      makePost(TOOLS_LIST_BODY, {
-        token: VALID_TOKEN,
-        sessionId: "ghost-session-id",
-      }),
-    );
-    // This is the spec-mandated behavior that fixes "Harmony MCP not responding".
-    expect(res.status).toBe(404);
-    const body = (await res.json()) as { error: { code: number } };
-    expect(body.error.code).toBe(-32001);
-    expect(res.headers.get("Mcp-Session-Id")).toBe("ghost-session-id");
-  });
-
-  test("initialize succeeds and registers a session", async () => {
-    const res = await fetchHandler(makePost(INIT_BODY, { token: VALID_TOKEN }));
-    expect(res.status).toBe(200);
-    const sid = res.headers.get("mcp-session-id");
-    expect(sid).toBeTruthy();
-    expect(_sessionsForTests.has(sid!)).toBe(true);
-  });
-
-  test("rotated token (same user) is accepted on hot-swap", async () => {
-    // Bootstrap a session.
-    const initRes = await fetchHandler(
-      makePost(INIT_BODY, { token: VALID_TOKEN }),
-    );
-    const sid = initRes.headers.get("mcp-session-id")!;
-
-    // Send a follow-up with the *new* token + same session id.
-    // We're not asserting on the body — just that the rotation didn't
-    // produce a 401/404, which it would if hot-swap were broken.
-    const follow = await fetchHandler(
-      makePost(TOOLS_LIST_BODY, {
-        token: REFRESHED_TOKEN,
-        sessionId: sid,
-      }),
-    );
-    expect(follow.status).not.toBe(401);
-    expect(follow.status).not.toBe(404);
-  });
-
-  test("token from a different user is REJECTED on hot-swap", async () => {
-    const initRes = await fetchHandler(
-      makePost(INIT_BODY, { token: VALID_TOKEN }),
-    );
-    const sid = initRes.headers.get("mcp-session-id")!;
-
-    // Attempt to ride the session with another user's bearer.
-    const hijack = await fetchHandler(
-      makePost(TOOLS_LIST_BODY, {
-        token: OTHER_USER_TOKEN,
-        sessionId: sid,
-      }),
-    );
-    expect(hijack.status).toBe(401);
-    const wwwAuth = hijack.headers.get("WWW-Authenticate") ?? "";
-    expect(wwwAuth).toContain("invalid_token");
-  });
-
-  test("GET without valid session id → 400", async () => {
-    const res = await fetchHandler(
-      new Request("http://localhost/mcp", {
-        method: "GET",
-        headers: {
-          Authorization: `Bearer ${VALID_TOKEN}`,
-          Accept: "text/event-stream",
-        },
-      }),
-    );
-    // GET without a session id falls into "session required" — 400.
-    expect(res.status).toBe(400);
-  });
-
-  test("GET with unknown session id → 404", async () => {
-    const res = await fetchHandler(
-      new Request("http://localhost/mcp", {
-        method: "GET",
-        headers: {
-          Authorization: `Bearer ${VALID_TOKEN}`,
-          Accept: "text/event-stream",
-          "Mcp-Session-Id": "ghost",
-        },
-      }),
-    );
-    expect(res.status).toBe(404);
-  });
-
-  test("/.well-known/oauth-protected-resource is unauthenticated", async () => {
-    const res = await fetchHandler(
-      new Request("http://localhost/.well-known/oauth-protected-resource"),
-    );
-    expect(res.status).toBe(200);
-    const body = (await res.json()) as {
-      authorization_servers: string[];
-      bearer_methods_supported: string[];
-    };
-    expect(body.authorization_servers.length).toBeGreaterThan(0);
-    expect(body.bearer_methods_supported).toContain("header");
-  });
-
-  test("/health is unauthenticated", async () => {
-    const res = await fetchHandler(new Request("http://localhost/health"));
-    expect(res.status).toBe(200);
-    const body = (await res.json()) as { status: string };
-    expect(body.status).toBe("ok");
-  });
-});