@j0hanz/superfetch 2.0.0 → 2.1.0

package/dist/http/auth.js

@@ -1,8 +1,167 @@
+import { InvalidTokenError, ServerError, } from '@modelcontextprotocol/sdk/server/auth/errors.js';
 import { requireBearerAuth } from '@modelcontextprotocol/sdk/server/auth/middleware/bearerAuth.js';
 import { getOAuthProtectedResourceMetadataUrl, mcpAuthMetadataRouter, } from '@modelcontextprotocol/sdk/server/auth/router.js';
 import { config } from '../config/index.js';
-import { verifyWithIntrospection } from './auth-introspection.js';
-import { verifyStaticToken } from './auth-static.js';
+import { timingSafeEqualUtf8 } from '../utils/crypto.js';
+import { isRecord } from '../utils/guards.js';
+const STATIC_TOKEN_TTL_SECONDS = 60 * 60 * 24;
+function stripHash(url) {
+    const copy = new URL(url.href);
+    copy.hash = '';
+    return copy.href;
+}
+function parseScopes(value) {
+    if (typeof value === 'string') {
+        return value
+            .split(' ')
+            .map((scope) => scope.trim())
+            .filter((scope) => scope.length > 0);
+    }
+    if (Array.isArray(value)) {
+        return value.filter((scope) => typeof scope === 'string');
+    }
+    return [];
+}
+function parseResourceUrl(value) {
+    if (typeof value !== 'string')
+        return undefined;
+    if (!URL.canParse(value))
+        return undefined;
+    return new URL(value);
+}
+function parseAudResource(aud) {
+    if (typeof aud === 'string') {
+        return parseResourceUrl(aud);
+    }
+    if (Array.isArray(aud)) {
+        for (const entry of aud) {
+            const parsed = parseResourceUrl(entry);
+            if (parsed)
+                return parsed;
+        }
+    }
+    return undefined;
+}
+function extractResource(data) {
+    const resource = parseResourceUrl(data.resource);
+    if (resource)
+        return resource;
+    return parseAudResource(data.aud);
+}
+function extractScopes(data) {
+    if (data.scope !== undefined) {
+        return parseScopes(data.scope);
+    }
+    if (data.scopes !== undefined) {
+        return parseScopes(data.scopes);
+    }
+    if (data.scp !== undefined) {
+        return parseScopes(data.scp);
+    }
+    return [];
+}
+function readExpiresAt(data) {
+    const expiresAt = typeof data.exp === 'number' ? data.exp : Number.NaN;
+    if (!Number.isFinite(expiresAt)) {
+        throw new InvalidTokenError('Token has no expiration time');
+    }
+    return expiresAt;
+}
+function resolveClientId(data) {
+    if (typeof data.client_id === 'string')
+        return data.client_id;
+    if (typeof data.cid === 'string')
+        return data.cid;
+    if (typeof data.sub === 'string')
+        return data.sub;
+    return 'unknown';
+}
+function ensureResourceMatch(resource) {
+    if (resource && stripHash(resource) !== stripHash(config.auth.resourceUrl)) {
+        throw new InvalidTokenError('Token resource mismatch');
+    }
+    return resource;
+}
+function buildIntrospectionAuthInfo(token, data) {
+    const resource = ensureResourceMatch(extractResource(data));
+    return {
+        token,
+        clientId: resolveClientId(data),
+        scopes: extractScopes(data),
+        expiresAt: readExpiresAt(data),
+        resource: resource ?? config.auth.resourceUrl,
+        extra: data,
+    };
+}
+function buildBasicAuthHeader(clientId, clientSecret) {
+    const secret = clientSecret ?? '';
+    const basic = Buffer.from(`${clientId}:${secret}`, 'utf8').toString('base64');
+    return `Basic ${basic}`;
+}
+function buildIntrospectionRequest(token, resourceUrl, clientId, clientSecret) {
+    const body = new URLSearchParams({
+        token,
+        token_type_hint: 'access_token',
+        resource: stripHash(resourceUrl),
+    }).toString();
+    const headers = {
+        'content-type': 'application/x-www-form-urlencoded',
+    };
+    if (clientId) {
+        headers.authorization = buildBasicAuthHeader(clientId, clientSecret);
+    }
+    return { body, headers };
+}
+async function requestIntrospection(introspectionUrl, request, timeoutMs) {
+    const response = await fetch(introspectionUrl, {
+        method: 'POST',
+        headers: request.headers,
+        body: request.body,
+        signal: AbortSignal.timeout(timeoutMs),
+    });
+    if (!response.ok) {
+        await response.body?.cancel();
+        throw new ServerError(`Token introspection failed: ${response.status}`);
+    }
+    return response.json();
+}
+function parseIntrospectionPayload(payload) {
+    if (!isRecord(payload) || Array.isArray(payload)) {
+        throw new ServerError('Invalid introspection response');
+    }
+    if (payload.active !== true) {
+        throw new InvalidTokenError('Token is inactive');
+    }
+    return payload;
+}
+async function verifyWithIntrospection(token) {
+    const { auth } = config;
+    if (!auth.introspectionUrl) {
+        throw new ServerError('Token introspection is not configured');
+    }
+    const request = buildIntrospectionRequest(token, auth.resourceUrl, auth.clientId, auth.clientSecret);
+    const payload = await requestIntrospection(auth.introspectionUrl, request, auth.introspectionTimeoutMs);
+    return buildIntrospectionAuthInfo(token, parseIntrospectionPayload(payload));
+}
+function buildStaticAuthInfo(token) {
+    return {
+        token,
+        clientId: 'static-token',
+        scopes: config.auth.requiredScopes,
+        expiresAt: Math.floor(Date.now() / 1000) + STATIC_TOKEN_TTL_SECONDS,
+        resource: config.auth.resourceUrl,
+    };
+}
+function verifyStaticToken(token) {
+    if (config.auth.staticTokens.length === 0) {
+        throw new InvalidTokenError('No static tokens configured');
+    }
+    const matched = config.auth.staticTokens.some((candidate) => timingSafeEqualUtf8(candidate, token));
+    if (!matched) {
+        throw new InvalidTokenError('Invalid token');
+    }
+    return buildStaticAuthInfo(token);
+}
 function normalizeHeaderValue(header) {
     return Array.isArray(header) ? header[0] : header;
 }

package/dist/http/base-middleware.d.ts

@@ -0,0 +1,7 @@
+import type { Express, RequestHandler } from 'express';
+export declare function attachBaseMiddleware(options: {
+    app: Express;
+    jsonParser: RequestHandler;
+    rateLimitMiddleware: RequestHandler;
+    corsMiddleware: RequestHandler;
+}): void;

package/dist/http/base-middleware.js

@@ -0,0 +1,143 @@
+import { randomUUID } from 'node:crypto';
+import { config } from '../config/index.js';
+import { runWithRequestContext } from '../services/context.js';
+import { logDebug } from '../services/logger.js';
+import { normalizeHost } from '../utils/host-normalizer.js';
+import { getSessionId } from './mcp-sessions.js';
+const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '::1']);
+function getNonEmptyStringHeader(value) {
+    if (typeof value !== 'string')
+        return null;
+    const trimmed = value.trim();
+    return trimmed === '' ? null : trimmed;
+}
+function respondHostNotAllowed(res) {
+    res.status(403).json({
+        error: 'Host not allowed',
+        code: 'HOST_NOT_ALLOWED',
+    });
+}
+function respondOriginNotAllowed(res) {
+    res.status(403).json({
+        error: 'Origin not allowed',
+        code: 'ORIGIN_NOT_ALLOWED',
+    });
+}
+function tryParseOriginHostname(originHeader) {
+    try {
+        return new URL(originHeader).hostname.toLowerCase();
+    }
+    catch {
+        return null;
+    }
+}
+function isWildcardHost(host) {
+    return host === '0.0.0.0' || host === '::';
+}
+function addLoopbackHosts(allowedHosts) {
+    for (const host of LOOPBACK_HOSTS) {
+        allowedHosts.add(host);
+    }
+}
+function addConfiguredHost(allowedHosts) {
+    const configuredHost = normalizeHost(config.server.host);
+    if (!configuredHost)
+        return;
+    if (isWildcardHost(configuredHost))
+        return;
+    allowedHosts.add(configuredHost);
+}
+function addExplicitAllowedHosts(allowedHosts) {
+    for (const host of config.security.allowedHosts) {
+        const normalized = normalizeHost(host);
+        if (!normalized) {
+            logDebug('Ignoring invalid allowed host entry', { host });
+            continue;
+        }
+        allowedHosts.add(normalized);
+    }
+}
+function buildAllowedHosts() {
+    const allowedHosts = new Set();
+    addLoopbackHosts(allowedHosts);
+    addConfiguredHost(allowedHosts);
+    addExplicitAllowedHosts(allowedHosts);
+    return allowedHosts;
+}
+function createHostValidationMiddleware() {
+    const allowedHosts = buildAllowedHosts();
+    return (req, res, next) => {
+        const hostHeader = typeof req.headers.host === 'string' ? req.headers.host : '';
+        const normalized = normalizeHost(hostHeader);
+        if (!normalized || !allowedHosts.has(normalized)) {
+            respondHostNotAllowed(res);
+            return;
+        }
+        next();
+    };
+}
+function createOriginValidationMiddleware() {
+    const allowedHosts = buildAllowedHosts();
+    return (req, res, next) => {
+        const originHeader = getNonEmptyStringHeader(req.headers.origin);
+        if (!originHeader) {
+            next();
+            return;
+        }
+        const originHostname = tryParseOriginHostname(originHeader);
+        if (!originHostname || !allowedHosts.has(originHostname)) {
+            respondOriginNotAllowed(res);
+            return;
+        }
+        next();
+    };
+}
+function createJsonParseErrorHandler() {
+    return (err, _req, res, next) => {
+        if (err instanceof SyntaxError && 'body' in err) {
+            res.status(400).json({
+                jsonrpc: '2.0',
+                error: {
+                    code: -32700,
+                    message: 'Parse error: Invalid JSON',
+                },
+                id: null,
+            });
+            return;
+        }
+        next();
+    };
+}
+function createContextMiddleware() {
+    return (req, _res, next) => {
+        const requestId = randomUUID();
+        const sessionId = getSessionId(req);
+        const context = sessionId === undefined
+            ? { requestId, operationId: requestId }
+            : { requestId, operationId: requestId, sessionId };
+        runWithRequestContext(context, () => {
+            next();
+        });
+    };
+}
+function registerHealthRoute(app) {
+    app.get('/health', (_req, res) => {
+        res.json({
+            status: 'healthy',
+            name: config.server.name,
+            version: config.server.version,
+            uptime: process.uptime(),
+        });
+    });
+}
+export function attachBaseMiddleware(options) {
+    const { app, jsonParser, rateLimitMiddleware, corsMiddleware } = options;
+    app.use(createHostValidationMiddleware());
+    app.use(createOriginValidationMiddleware());
+    app.use(jsonParser);
+    app.use(createContextMiddleware());
+    app.use(createJsonParseErrorHandler());
+    app.use(corsMiddleware);
+    app.use('/mcp', rateLimitMiddleware);
+    registerHealthRoute(app);
+}

package/dist/http/cors.d.ts

@@ -1,7 +1,2 @@
 import type { NextFunction, Request, Response } from 'express';
-/**
- * Creates a minimal CORS middleware.
- * MCP clients are not browser-based, so CORS is not needed.
- * This just handles OPTIONS preflight requests.
- */
 export declare function createCorsMiddleware(): (req: Request, res: Response, next: NextFunction) => void;

package/dist/http/cors.js

@@ -1,11 +1,5 @@
-/**
- * Creates a minimal CORS middleware.
- * MCP clients are not browser-based, so CORS is not needed.
- * This just handles OPTIONS preflight requests.
- */
 export function createCorsMiddleware() {
     return (req, res, next) => {
-        // Handle OPTIONS preflight
         if (req.method === 'OPTIONS') {
             res.sendStatus(200);
             return;

package/dist/http/download-routes.js

@@ -3,7 +3,6 @@ import * as cache from '../services/cache.js';
 import { logDebug } from '../services/logger.js';
 import { parseCachedPayload, resolveCachedPayloadContent, } from '../utils/cached-payload.js';
 import { generateSafeFilename } from '../utils/filename-generator.js';
-import { wrapAsync } from './async-handler.js';
 const HASH_PATTERN = /^[a-f0-9.]+$/i;
 function validateNamespace(namespace) {
     return namespace === 'markdown';
@@ -11,8 +10,13 @@ function validateNamespace(namespace) {
 function validateHash(hash) {
     return HASH_PATTERN.test(hash) && hash.length >= 8 && hash.length <= 64;
 }
+function isSingleParam(value) {
+    return typeof value === 'string';
+}
 function parseDownloadParams(req) {
     const { namespace, hash } = req.params;
+    if (!isSingleParam(namespace) || !isSingleParam(hash))
+        return null;
     if (!namespace || !hash)
         return null;
     if (!validateNamespace(namespace))
@@ -96,5 +100,5 @@ function handleDownload(req, res) {
     sendDownloadPayload(res, payload);
 }
 export function registerDownloadRoutes(app) {
-    app.get('/mcp/downloads/:namespace/:hash', wrapAsync(handleDownload));
+    app.get('/mcp/downloads/:namespace/:hash', handleDownload);
 }

package/dist/http/error-handler.d.ts

@@ -0,0 +1,2 @@
+import type { NextFunction, Request, Response } from 'express';
+export declare function errorHandler(err: Error, req: Request, res: Response, next: NextFunction): void;

package/dist/http/error-handler.js

@@ -0,0 +1,55 @@
+import { FetchError } from '../errors/app-error.js';
+import { logError } from '../services/logger.js';
+function getStatusCode(fetchError) {
+    return fetchError ? fetchError.statusCode : 500;
+}
+function getErrorCode(fetchError) {
+    return fetchError ? fetchError.code : 'INTERNAL_ERROR';
+}
+function getFetchErrorMessage(fetchError) {
+    return fetchError ? fetchError.message : 'Internal Server Error';
+}
+function getErrorDetails(fetchError) {
+    if (fetchError && Object.keys(fetchError.details).length > 0) {
+        return fetchError.details;
+    }
+    return undefined;
+}
+function resolveRetryAfter(fetchError) {
+    if (fetchError?.statusCode !== 429)
+        return undefined;
+    const { retryAfter } = fetchError.details;
+    return isRetryAfterValue(retryAfter) ? String(retryAfter) : undefined;
+}
+function isRetryAfterValue(value) {
+    return typeof value === 'number' || typeof value === 'string';
+}
+function setRetryAfterHeader(res, fetchError) {
+    const retryAfter = resolveRetryAfter(fetchError);
+    if (retryAfter === undefined)
+        return;
+    res.set('Retry-After', retryAfter);
+}
+function buildErrorResponse(fetchError) {
+    const details = getErrorDetails(fetchError);
+    const response = {
+        error: {
+            message: getFetchErrorMessage(fetchError),
+            code: getErrorCode(fetchError),
+            statusCode: getStatusCode(fetchError),
+            ...(details && { details }),
+        },
+    };
+    return response;
+}
+export function errorHandler(err, req, res, next) {
+    if (res.headersSent) {
+        next(err);
+        return;
+    }
+    const fetchError = err instanceof FetchError ? err : null;
+    const statusCode = getStatusCode(fetchError);
+    logError(`HTTP ${statusCode}: ${err.message} - ${req.method} ${req.path}`, err);
+    setRetryAfterHeader(res, fetchError);
+    res.status(statusCode).json(buildErrorResponse(fetchError));
+}

package/dist/http/host-allowlist.d.ts

@@ -0,0 +1,3 @@
+import type { RequestHandler } from 'express';
+export declare function createHostValidationMiddleware(): RequestHandler;
+export declare function createOriginValidationMiddleware(): RequestHandler;

package/dist/http/host-allowlist.js

@@ -0,0 +1,117 @@
+import { config } from '../config/index.js';
+const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '::1']);
+function getNonEmptyStringHeader(value) {
+    if (typeof value !== 'string')
+        return null;
+    const trimmed = value.trim();
+    return trimmed === '' ? null : trimmed;
+}
+function respondHostNotAllowed(res) {
+    res.status(403).json({
+        error: 'Host not allowed',
+        code: 'HOST_NOT_ALLOWED',
+    });
+}
+function respondOriginNotAllowed(res) {
+    res.status(403).json({
+        error: 'Origin not allowed',
+        code: 'ORIGIN_NOT_ALLOWED',
+    });
+}
+function tryParseOriginHostname(originHeader) {
+    try {
+        return new URL(originHeader).hostname.toLowerCase();
+    }
+    catch {
+        return null;
+    }
+}
+function takeFirstHostValue(value) {
+    const first = value.split(',')[0];
+    if (!first)
+        return null;
+    const trimmed = first.trim();
+    return trimmed ? trimmed : null;
+}
+function stripIpv6Brackets(value) {
+    if (!value.startsWith('['))
+        return null;
+    const end = value.indexOf(']');
+    if (end === -1)
+        return null;
+    return value.slice(1, end);
+}
+function stripPortIfPresent(value) {
+    const colonIndex = value.indexOf(':');
+    if (colonIndex === -1)
+        return value;
+    return value.slice(0, colonIndex);
+}
+function normalizeHost(value) {
+    const trimmed = value.trim().toLowerCase();
+    if (!trimmed)
+        return null;
+    const first = takeFirstHostValue(trimmed);
+    if (!first)
+        return null;
+    const ipv6 = stripIpv6Brackets(first);
+    if (ipv6)
+        return ipv6;
+    return stripPortIfPresent(first);
+}
+function isWildcardHost(host) {
+    return host === '0.0.0.0' || host === '::';
+}
+function addLoopbackHosts(allowedHosts) {
+    for (const host of LOOPBACK_HOSTS) {
+        allowedHosts.add(host);
+    }
+}
+function addConfiguredHost(allowedHosts) {
+    const configuredHost = normalizeHost(config.server.host);
+    if (!configuredHost)
+        return;
+    if (isWildcardHost(configuredHost))
+        return;
+    allowedHosts.add(configuredHost);
+}
+function addExplicitAllowedHosts(allowedHosts) {
+    for (const host of config.security.allowedHosts) {
+        allowedHosts.add(host);
+    }
+}
+function buildAllowedHosts() {
+    const allowedHosts = new Set();
+    addLoopbackHosts(allowedHosts);
+    addConfiguredHost(allowedHosts);
+    addExplicitAllowedHosts(allowedHosts);
+    return allowedHosts;
+}
+export function createHostValidationMiddleware() {
+    const allowedHosts = buildAllowedHosts();
+    return (req, res, next) => {
+        const hostHeader = typeof req.headers.host === 'string' ? req.headers.host : '';
+        const normalized = normalizeHost(hostHeader);
+        if (!normalized || !allowedHosts.has(normalized)) {
+            respondHostNotAllowed(res);
+            return;
+        }
+        next();
+    };
+}
+export function createOriginValidationMiddleware() {
+    const allowedHosts = buildAllowedHosts();
+    return (req, res, next) => {
+        const originHeader = getNonEmptyStringHeader(req.headers.origin);
+        if (!originHeader) {
+            next();
+            return;
+        }
+        const originHostname = tryParseOriginHostname(originHeader);
+        if (!originHostname || !allowedHosts.has(originHostname)) {
+            respondOriginNotAllowed(res);
+            return;
+        }
+        next();
+    };
+}

package/dist/http/mcp-routes.d.ts

@@ -1,3 +1,9 @@
-import type { Express } from 'express';
-import { type McpSessionOptions } from './mcp-session.js';
+import type { Express, Request, Response } from 'express';
+import type { McpRequestBody } from '../config/types/runtime.js';
+import { type McpSessionOptions } from './mcp-sessions.js';
+export declare function isJsonRpcBatchRequest(body: unknown): boolean;
+export declare function isMcpRequestBody(body: unknown): body is McpRequestBody;
+export declare function ensureMcpProtocolVersionHeader(req: Request, res: Response): boolean;
+export declare function ensurePostAcceptHeader(req: Request): void;
+export declare function acceptsEventStream(req: Request): boolean;
 export declare function registerMcpRoutes(app: Express, options: McpSessionOptions): void;

package/dist/http/mcp-routes.js

@@ -1,11 +1,24 @@
+import { z } from 'zod';
 import { logError, logInfo } from '../services/logger.js';
-import { acceptsEventStream, ensurePostAcceptHeader } from './accept-policy.js';
-import { wrapAsync } from './async-handler.js';
-import { sendJsonRpcError } from './jsonrpc-http.js';
-import { resolveTransportForPost, } from './mcp-session.js';
-import { isJsonRpcBatchRequest, isMcpRequestBody } from './mcp-validation.js';
-import { ensureMcpProtocolVersionHeader } from './protocol-policy.js';
-import { getSessionId } from './sessions.js';
+import { getSessionId, resolveTransportForPost, sendJsonRpcError, } from './mcp-sessions.js';
+const paramsSchema = z.looseObject({});
+const mcpRequestSchema = z.looseObject({
+    jsonrpc: z.literal('2.0'),
+    method: z.string().min(1),
+    id: z.union([z.string(), z.number()]).optional(),
+    params: paramsSchema.optional(),
+});
+function wrapAsync(fn) {
+    return (req, res, next) => {
+        Promise.resolve(fn(req, res)).catch(next);
+    };
+}
+export function isJsonRpcBatchRequest(body) {
+    return Array.isArray(body);
+}
+export function isMcpRequestBody(body) {
+    return mcpRequestSchema.safeParse(body).success;
+}
 function respondInvalidRequestBody(res) {
     sendJsonRpcError(res, -32600, 'Invalid Request: Malformed request body', 400);
 }
@@ -67,6 +80,81 @@ function resolveSessionTransport(sessionId, options, res) {
     sessionStore.touch(sessionId);
     return session.transport;
 }
+const MCP_PROTOCOL_VERSION_HEADER = 'mcp-protocol-version';
+const MCP_PROTOCOL_VERSIONS = {
+    defaultVersion: '2025-11-25',
+    supported: new Set(['2025-11-25']),
+};
+function getHeaderValue(req, headerNameLower) {
+    const value = req.headers[headerNameLower];
+    if (typeof value === 'string')
+        return value;
+    if (Array.isArray(value))
+        return value[0] ?? null;
+    return null;
+}
+function setHeaderValue(req, headerNameLower, value) {
+    // Express exposes req.headers as a plain object, but the type is readonly-ish.
+    req.headers[headerNameLower] = value;
+}
+export function ensureMcpProtocolVersionHeader(req, res) {
+    const raw = getHeaderValue(req, MCP_PROTOCOL_VERSION_HEADER);
+    const version = raw?.trim();
+    if (!version) {
+        setHeaderValue(req, MCP_PROTOCOL_VERSION_HEADER, MCP_PROTOCOL_VERSIONS.defaultVersion);
+        return true;
+    }
+    if (!MCP_PROTOCOL_VERSIONS.supported.has(version)) {
+        sendJsonRpcError(res, -32600, `Unsupported MCP-Protocol-Version: ${version}`, 400);
+        return false;
+    }
+    return true;
+}
+function getAcceptHeader(req) {
+    const value = req.headers.accept;
+    if (typeof value === 'string')
+        return value;
+    return '';
+}
+function setAcceptHeader(req, value) {
+    req.headers.accept = value;
+    const { rawHeaders } = req;
+    if (!Array.isArray(rawHeaders))
+        return;
+    for (let i = 0; i + 1 < rawHeaders.length; i += 2) {
+        const key = rawHeaders[i];
+        if (typeof key === 'string' && key.toLowerCase() === 'accept') {
+            rawHeaders[i + 1] = value;
+            return;
+        }
+    }
+    rawHeaders.push('Accept', value);
+}
+function hasToken(header, token) {
+    return header
+        .split(',')
+        .map((part) => part.trim().toLowerCase())
+        .some((part) => part === token || part.startsWith(`${token};`));
+}
+export function ensurePostAcceptHeader(req) {
+    const accept = getAcceptHeader(req);
+    // Some clients send */* or omit Accept; the SDK transport is picky.
+    if (!accept || hasToken(accept, '*/*')) {
+        setAcceptHeader(req, 'application/json, text/event-stream');
+        return;
+    }
+    const hasJson = hasToken(accept, 'application/json');
+    const hasSse = hasToken(accept, 'text/event-stream');
+    if (!hasJson || !hasSse) {
+        setAcceptHeader(req, 'application/json, text/event-stream');
+    }
+}
+export function acceptsEventStream(req) {
+    const accept = getAcceptHeader(req);
+    if (!accept)
+        return false;
+    return hasToken(accept, 'text/event-stream');
+}
 async function handlePost(req, res, options) {
     ensurePostAcceptHeader(req);
     if (!ensureMcpProtocolVersionHeader(req, res))
@@ -76,7 +164,12 @@ async function handlePost(req, res, options) {
     if (!payload)
         return;
     logPostRequest(payload, sessionId, options);
-    const transport = await resolveTransportForPost(req, res, payload, sessionId, options);
+    const transport = await resolveTransportForPost({
+        res,
+        body: payload,
+        sessionId,
+        options,
+    });
     if (!transport)
         return;
     await handleTransportRequest(transport, req, res, payload);