npm - fdic-mcp-server - Versions diffs - 1.30.0 → 1.30.1 - Mend

fdic-mcp-server 1.30.0 → 1.30.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.js CHANGED Viewed

@@ -32,7 +32,7 @@ var import_types = require("@modelcontextprotocol/sdk/types.js");
 var import_express2 = __toESM(require("express"));
 // src/constants.ts
-var VERSION = true ? "1.30.0" : process.env.npm_package_version ?? "0.0.0-dev";
+var VERSION = true ? "1.30.1" : process.env.npm_package_version ?? "0.0.0-dev";
 var FDIC_API_BASE_URL = "https://banks.data.fdic.gov/api";
 var CHARACTER_LIMIT = 5e4;
 var DEFAULT_FDIC_MAX_RESPONSE_BYTES = 5 * 1024 * 1024;
@@ -73,6 +73,42 @@ var RateLimiter = class {
     return true;
   }
 };
+var ConcurrentLimiter = class {
+  maxConcurrent;
+  active = /* @__PURE__ */ new Map();
+  constructor(maxConcurrent) {
+    this.maxConcurrent = maxConcurrent;
+  }
+  acquire(key) {
+    const current = this.active.get(key) ?? 0;
+    if (current >= this.maxConcurrent) {
+      return void 0;
+    }
+    this.active.set(key, current + 1);
+    let released = false;
+    return () => {
+      if (released) {
+        return;
+      }
+      released = true;
+      const latest = this.active.get(key) ?? 0;
+      if (latest <= 1) {
+        this.active.delete(key);
+        return;
+      }
+      this.active.set(key, latest - 1);
+    };
+  }
+};
+// src/requestIdentity.ts
+function getRequestIp(req) {
+  const forwarded = req.get("x-forwarded-for");
+  if (forwarded) {
+    return forwarded.split(",")[0]?.trim() || req.ip || "unknown";
+  }
+  return req.ip || "unknown";
+}
 // src/chat.ts
 var CHAT_SYSTEM_PROMPT = `You are a demo assistant for the FDIC BankFind MCP Server. You help users
@@ -195,13 +231,6 @@ function mapMessagesToContents(messages) {
     parts: [{ text: message.content }]
   }));
 }
-function getRequestIp(req) {
-  const forwarded = req.get("x-forwarded-for");
-  if (forwarded) {
-    return forwarded.split(",")[0]?.trim() || req.ip || "unknown";
-  }
-  return req.ip || "unknown";
-}
 function getResponseParts(response) {
   return response.candidates?.[0]?.content?.parts ?? [];
 }
@@ -40540,6 +40569,21 @@ function parseAllowedOrigins(rawOrigins, port) {
 }
 var DEFAULT_SESSION_IDLE_TIMEOUT_MS = 30 * 60 * 1e3;
 var DEFAULT_SESSION_SWEEP_INTERVAL_MS = 5 * 60 * 1e3;
+var DEFAULT_MCP_RATE_LIMIT_MAX_REQUESTS = 120;
+var DEFAULT_MCP_RATE_LIMIT_WINDOW_MS = 6e4;
+var DEFAULT_MCP_STREAM_RATE_LIMIT_MAX_REQUESTS = 2;
+var DEFAULT_MCP_STREAM_RATE_LIMIT_WINDOW_MS = 60 * 60 * 1e3;
+var DEFAULT_MCP_MAX_CONCURRENT_STREAMS_PER_IP = 1;
+function parsePositiveInteger(rawValue, fallback, name) {
+  if (rawValue === void 0 || rawValue.trim().length === 0) {
+    return fallback;
+  }
+  const value = Number.parseInt(rawValue, 10);
+  if (!Number.isInteger(value) || value < 1) {
+    throw new Error(`${name} must be a positive integer. Received: ${rawValue}`);
+  }
+  return value;
+}
 async function closeSession(sessions, sessionId) {
   const session = sessions.get(sessionId);
   if (!session) {
@@ -40575,6 +40619,17 @@ function sendInvalidSessionResponse(res) {
     id: null
   });
 }
+function sendMcpRateLimitResponse(res, retryAfterSeconds) {
+  res.setHeader("Retry-After", String(retryAfterSeconds));
+  res.status(429).json({
+    jsonrpc: "2.0",
+    error: {
+      code: -32e3,
+      message: "Rate limit exceeded. Try again shortly."
+    },
+    id: null
+  });
+}
 function createApp(options = {}) {
   const app = (0, import_express2.default)();
   const serverFactory = options.serverFactory ?? (() => createServer());
@@ -40585,6 +40640,29 @@ function createApp(options = {}) {
   const sessionIdleTimeoutMs = options.sessionIdleTimeoutMs ?? DEFAULT_SESSION_IDLE_TIMEOUT_MS;
   const sessionSweepIntervalMs = options.sessionSweepIntervalMs ?? DEFAULT_SESSION_SWEEP_INTERVAL_MS;
   const stateless = options.stateless ?? process.env.FDIC_MCP_STATELESS_HTTP === "true";
+  const mcpRateLimiter = options.mcpRateLimiter ?? new RateLimiter({
+    maxRequests: parsePositiveInteger(
+      process.env.MCP_RATE_LIMIT_MAX_REQUESTS_PER_MINUTE,
+      DEFAULT_MCP_RATE_LIMIT_MAX_REQUESTS,
+      "MCP_RATE_LIMIT_MAX_REQUESTS_PER_MINUTE"
+    ),
+    windowMs: DEFAULT_MCP_RATE_LIMIT_WINDOW_MS
+  });
+  const mcpStreamRateLimiter = options.mcpStreamRateLimiter ?? new RateLimiter({
+    maxRequests: parsePositiveInteger(
+      process.env.MCP_STREAM_RATE_LIMIT_MAX_REQUESTS_PER_HOUR,
+      DEFAULT_MCP_STREAM_RATE_LIMIT_MAX_REQUESTS,
+      "MCP_STREAM_RATE_LIMIT_MAX_REQUESTS_PER_HOUR"
+    ),
+    windowMs: DEFAULT_MCP_STREAM_RATE_LIMIT_WINDOW_MS
+  });
+  const mcpStreamConcurrentLimiter = options.mcpStreamConcurrentLimiter ?? new ConcurrentLimiter(
+    parsePositiveInteger(
+      process.env.MCP_MAX_CONCURRENT_STREAMS_PER_IP,
+      DEFAULT_MCP_MAX_CONCURRENT_STREAMS_PER_IP,
+      "MCP_MAX_CONCURRENT_STREAMS_PER_IP"
+    )
+  );
   app.use(import_express2.default.json());
   if (!stateless) {
     const sessionSweepTimer = setInterval(() => {
@@ -40597,6 +40675,31 @@ function createApp(options = {}) {
     res.json({ status: "ok", server: "fdic-mcp-server", version: VERSION });
   });
   app.all("/mcp", async (req, res) => {
+    const requestIp = getRequestIp(req);
+    if (!mcpRateLimiter.check(requestIp)) {
+      sendMcpRateLimitResponse(
+        res,
+        Math.ceil(DEFAULT_MCP_RATE_LIMIT_WINDOW_MS / 1e3)
+      );
+      return;
+    }
+    if (req.method === "GET") {
+      const releaseStream = mcpStreamConcurrentLimiter.acquire(requestIp);
+      if (!releaseStream) {
+        sendMcpRateLimitResponse(res, 60);
+        return;
+      }
+      if (!mcpStreamRateLimiter.check(requestIp)) {
+        releaseStream();
+        sendMcpRateLimitResponse(
+          res,
+          Math.ceil(DEFAULT_MCP_STREAM_RATE_LIMIT_WINDOW_MS / 1e3)
+        );
+        return;
+      }
+      res.once("close", releaseStream);
+      res.once("finish", releaseStream);
+    }
     if (stateless) {
       let server;
       let transport;

package/dist/server.js CHANGED Viewed

@@ -47,7 +47,7 @@ var import_types = require("@modelcontextprotocol/sdk/types.js");
 var import_express2 = __toESM(require("express"));
 // src/constants.ts
-var VERSION = true ? "1.30.0" : process.env.npm_package_version ?? "0.0.0-dev";
+var VERSION = true ? "1.30.1" : process.env.npm_package_version ?? "0.0.0-dev";
 var FDIC_API_BASE_URL = "https://banks.data.fdic.gov/api";
 var CHARACTER_LIMIT = 5e4;
 var DEFAULT_FDIC_MAX_RESPONSE_BYTES = 5 * 1024 * 1024;
@@ -88,6 +88,42 @@ var RateLimiter = class {
     return true;
   }
 };
+var ConcurrentLimiter = class {
+  maxConcurrent;
+  active = /* @__PURE__ */ new Map();
+  constructor(maxConcurrent) {
+    this.maxConcurrent = maxConcurrent;
+  }
+  acquire(key) {
+    const current = this.active.get(key) ?? 0;
+    if (current >= this.maxConcurrent) {
+      return void 0;
+    }
+    this.active.set(key, current + 1);
+    let released = false;
+    return () => {
+      if (released) {
+        return;
+      }
+      released = true;
+      const latest = this.active.get(key) ?? 0;
+      if (latest <= 1) {
+        this.active.delete(key);
+        return;
+      }
+      this.active.set(key, latest - 1);
+    };
+  }
+};
+// src/requestIdentity.ts
+function getRequestIp(req) {
+  const forwarded = req.get("x-forwarded-for");
+  if (forwarded) {
+    return forwarded.split(",")[0]?.trim() || req.ip || "unknown";
+  }
+  return req.ip || "unknown";
+}
 // src/chat.ts
 var CHAT_SYSTEM_PROMPT = `You are a demo assistant for the FDIC BankFind MCP Server. You help users
@@ -210,13 +246,6 @@ function mapMessagesToContents(messages) {
     parts: [{ text: message.content }]
   }));
 }
-function getRequestIp(req) {
-  const forwarded = req.get("x-forwarded-for");
-  if (forwarded) {
-    return forwarded.split(",")[0]?.trim() || req.ip || "unknown";
-  }
-  return req.ip || "unknown";
-}
 function getResponseParts(response) {
   return response.candidates?.[0]?.content?.parts ?? [];
 }
@@ -40555,6 +40584,21 @@ function parseAllowedOrigins(rawOrigins, port) {
 }
 var DEFAULT_SESSION_IDLE_TIMEOUT_MS = 30 * 60 * 1e3;
 var DEFAULT_SESSION_SWEEP_INTERVAL_MS = 5 * 60 * 1e3;
+var DEFAULT_MCP_RATE_LIMIT_MAX_REQUESTS = 120;
+var DEFAULT_MCP_RATE_LIMIT_WINDOW_MS = 6e4;
+var DEFAULT_MCP_STREAM_RATE_LIMIT_MAX_REQUESTS = 2;
+var DEFAULT_MCP_STREAM_RATE_LIMIT_WINDOW_MS = 60 * 60 * 1e3;
+var DEFAULT_MCP_MAX_CONCURRENT_STREAMS_PER_IP = 1;
+function parsePositiveInteger(rawValue, fallback, name) {
+  if (rawValue === void 0 || rawValue.trim().length === 0) {
+    return fallback;
+  }
+  const value = Number.parseInt(rawValue, 10);
+  if (!Number.isInteger(value) || value < 1) {
+    throw new Error(`${name} must be a positive integer. Received: ${rawValue}`);
+  }
+  return value;
+}
 async function closeSession(sessions, sessionId) {
   const session = sessions.get(sessionId);
   if (!session) {
@@ -40590,6 +40634,17 @@ function sendInvalidSessionResponse(res) {
     id: null
   });
 }
+function sendMcpRateLimitResponse(res, retryAfterSeconds) {
+  res.setHeader("Retry-After", String(retryAfterSeconds));
+  res.status(429).json({
+    jsonrpc: "2.0",
+    error: {
+      code: -32e3,
+      message: "Rate limit exceeded. Try again shortly."
+    },
+    id: null
+  });
+}
 function createApp(options = {}) {
   const app = (0, import_express2.default)();
   const serverFactory = options.serverFactory ?? (() => createServer());
@@ -40600,6 +40655,29 @@ function createApp(options = {}) {
   const sessionIdleTimeoutMs = options.sessionIdleTimeoutMs ?? DEFAULT_SESSION_IDLE_TIMEOUT_MS;
   const sessionSweepIntervalMs = options.sessionSweepIntervalMs ?? DEFAULT_SESSION_SWEEP_INTERVAL_MS;
   const stateless = options.stateless ?? process.env.FDIC_MCP_STATELESS_HTTP === "true";
+  const mcpRateLimiter = options.mcpRateLimiter ?? new RateLimiter({
+    maxRequests: parsePositiveInteger(
+      process.env.MCP_RATE_LIMIT_MAX_REQUESTS_PER_MINUTE,
+      DEFAULT_MCP_RATE_LIMIT_MAX_REQUESTS,
+      "MCP_RATE_LIMIT_MAX_REQUESTS_PER_MINUTE"
+    ),
+    windowMs: DEFAULT_MCP_RATE_LIMIT_WINDOW_MS
+  });
+  const mcpStreamRateLimiter = options.mcpStreamRateLimiter ?? new RateLimiter({
+    maxRequests: parsePositiveInteger(
+      process.env.MCP_STREAM_RATE_LIMIT_MAX_REQUESTS_PER_HOUR,
+      DEFAULT_MCP_STREAM_RATE_LIMIT_MAX_REQUESTS,
+      "MCP_STREAM_RATE_LIMIT_MAX_REQUESTS_PER_HOUR"
+    ),
+    windowMs: DEFAULT_MCP_STREAM_RATE_LIMIT_WINDOW_MS
+  });
+  const mcpStreamConcurrentLimiter = options.mcpStreamConcurrentLimiter ?? new ConcurrentLimiter(
+    parsePositiveInteger(
+      process.env.MCP_MAX_CONCURRENT_STREAMS_PER_IP,
+      DEFAULT_MCP_MAX_CONCURRENT_STREAMS_PER_IP,
+      "MCP_MAX_CONCURRENT_STREAMS_PER_IP"
+    )
+  );
   app.use(import_express2.default.json());
   if (!stateless) {
     const sessionSweepTimer = setInterval(() => {
@@ -40612,6 +40690,31 @@ function createApp(options = {}) {
     res.json({ status: "ok", server: "fdic-mcp-server", version: VERSION });
   });
   app.all("/mcp", async (req, res) => {
+    const requestIp = getRequestIp(req);
+    if (!mcpRateLimiter.check(requestIp)) {
+      sendMcpRateLimitResponse(
+        res,
+        Math.ceil(DEFAULT_MCP_RATE_LIMIT_WINDOW_MS / 1e3)
+      );
+      return;
+    }
+    if (req.method === "GET") {
+      const releaseStream = mcpStreamConcurrentLimiter.acquire(requestIp);
+      if (!releaseStream) {
+        sendMcpRateLimitResponse(res, 60);
+        return;
+      }
+      if (!mcpStreamRateLimiter.check(requestIp)) {
+        releaseStream();
+        sendMcpRateLimitResponse(
+          res,
+          Math.ceil(DEFAULT_MCP_STREAM_RATE_LIMIT_WINDOW_MS / 1e3)
+        );
+        return;
+      }
+      res.once("close", releaseStream);
+      res.once("finish", releaseStream);
+    }
     if (stateless) {
       let server;
       let transport;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "fdic-mcp-server",
-  "version": "1.30.0",
+  "version": "1.30.1",
   "description": "MCP server for the FDIC BankFind Suite API",
   "mcpName": "io.github.jflamb/fdic-mcp-server",
   "main": "dist/server.js",