npm - mcp-proxy - Versions diffs - 5.9.0 → 5.10.0 - Mend

mcp-proxy 5.9.0 → 5.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/README.md +148 -1
package/dist/bin/mcp-proxy.js +1 -1
package/dist/index.d.ts +11 -1
package/dist/index.js +1 -1
package/dist/{stdio-CsjPjeWC.js → stdio-DF5lH8jj.js} +44 -12
package/dist/stdio-DF5lH8jj.js.map +1 -0
package/jsr.json +1 -1
package/package.json +1 -1
package/src/index.ts +1 -0
package/src/startHTTPServer.test.ts +248 -0
package/src/startHTTPServer.ts +101 -13
package/dist/stdio-CsjPjeWC.js.map +0 -1

package/jsr.json CHANGED Viewed

@@ -3,5 +3,5 @@
   "include": ["src/index.ts", "src/bin/mcp-proxy.ts"],
   "license": "MIT",
   "name": "@punkpeye/mcp-proxy",
-  "version": "5.9.0"
+  "version": "5.10.0"
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "mcp-proxy",
-  "version": "5.9.0",
+  "version": "5.10.0",
   "main": "dist/index.js",
   "scripts": {
     "build": "tsdown",

package/src/index.ts CHANGED Viewed

@@ -2,6 +2,7 @@ export type { AuthConfig } from "./authentication.js";
 export { AuthenticationMiddleware } from "./authentication.js";
 export { InMemoryEventStore } from "./InMemoryEventStore.js";
 export { proxyServer } from "./proxyServer.js";
+export type { CorsOptions } from "./startHTTPServer.js";
 export { startHTTPServer } from "./startHTTPServer.js";
 export { ServerType, startStdioServer } from "./startStdioServer.js";
 export { tapTransport } from "./tapTransport.js";

package/src/startHTTPServer.test.ts CHANGED Viewed

@@ -1675,3 +1675,251 @@ it("succeeds when authenticate returns { authenticated: true } in stateless mode
   await httpServer.close();
   await stdioClient.close();
 });
+// CORS Configuration Tests
+it("supports wildcard CORS headers", async () => {
+  const port = await getRandomPort();
+  const httpServer = await startHTTPServer({
+    cors: {
+      allowedHeaders: "*",
+    },
+    createServer: async () => {
+      const mcpServer = new Server(
+        { name: "test", version: "1.0.0" },
+        { capabilities: {} },
+      );
+      return mcpServer;
+    },
+    port,
+  });
+  // Test OPTIONS request to verify CORS headers
+  const response = await fetch(`http://localhost:${port}/mcp`, {
+    headers: {
+      Origin: "https://example.com",
+    },
+    method: "OPTIONS",
+  });
+  expect(response.status).toBe(204);
+  // Verify wildcard is used for allowed headers
+  const allowedHeaders = response.headers.get("Access-Control-Allow-Headers");
+  expect(allowedHeaders).toBe("*");
+  await httpServer.close();
+});
+it("supports custom CORS headers array", async () => {
+  const port = await getRandomPort();
+  const httpServer = await startHTTPServer({
+    cors: {
+      allowedHeaders: ["Content-Type", "X-Custom-Header", "X-API-Key"],
+    },
+    createServer: async () => {
+      const mcpServer = new Server(
+        { name: "test", version: "1.0.0" },
+        { capabilities: {} },
+      );
+      return mcpServer;
+    },
+    port,
+  });
+  // Test OPTIONS request to verify CORS headers
+  const response = await fetch(`http://localhost:${port}/mcp`, {
+    headers: {
+      Origin: "https://example.com",
+    },
+    method: "OPTIONS",
+  });
+  expect(response.status).toBe(204);
+  // Verify custom headers are used
+  const allowedHeaders = response.headers.get("Access-Control-Allow-Headers");
+  expect(allowedHeaders).toBe("Content-Type, X-Custom-Header, X-API-Key");
+  await httpServer.close();
+});
+it("supports origin validation with array", async () => {
+  const port = await getRandomPort();
+  const httpServer = await startHTTPServer({
+    cors: {
+      origin: ["https://app.example.com", "https://admin.example.com"],
+    },
+    createServer: async () => {
+      const mcpServer = new Server(
+        { name: "test", version: "1.0.0" },
+        { capabilities: {} },
+      );
+      return mcpServer;
+    },
+    port,
+  });
+  // Test with allowed origin
+  const response1 = await fetch(`http://localhost:${port}/mcp`, {
+    headers: {
+      Origin: "https://app.example.com",
+    },
+    method: "OPTIONS",
+  });
+  expect(response1.status).toBe(204);
+  expect(response1.headers.get("Access-Control-Allow-Origin")).toBe("https://app.example.com");
+  // Test with disallowed origin
+  const response2 = await fetch(`http://localhost:${port}/mcp`, {
+    headers: {
+      Origin: "https://malicious.com",
+    },
+    method: "OPTIONS",
+  });
+  expect(response2.status).toBe(204);
+  expect(response2.headers.get("Access-Control-Allow-Origin")).toBeNull();
+  await httpServer.close();
+});
+it("supports origin validation with function", async () => {
+  const port = await getRandomPort();
+  const httpServer = await startHTTPServer({
+    cors: {
+      origin: (origin: string) => origin.endsWith(".example.com"),
+    },
+    createServer: async () => {
+      const mcpServer = new Server(
+        { name: "test", version: "1.0.0" },
+        { capabilities: {} },
+      );
+      return mcpServer;
+    },
+    port,
+  });
+  // Test with allowed origin
+  const response1 = await fetch(`http://localhost:${port}/mcp`, {
+    headers: {
+      Origin: "https://subdomain.example.com",
+    },
+    method: "OPTIONS",
+  });
+  expect(response1.status).toBe(204);
+  expect(response1.headers.get("Access-Control-Allow-Origin")).toBe("https://subdomain.example.com");
+  // Test with disallowed origin
+  const response2 = await fetch(`http://localhost:${port}/mcp`, {
+    headers: {
+      Origin: "https://malicious.com",
+    },
+    method: "OPTIONS",
+  });
+  expect(response2.status).toBe(204);
+  expect(response2.headers.get("Access-Control-Allow-Origin")).toBeNull();
+  await httpServer.close();
+});
+it("disables CORS when cors: false", async () => {
+  const port = await getRandomPort();
+  const httpServer = await startHTTPServer({
+    cors: false,
+    createServer: async () => {
+      const mcpServer = new Server(
+        { name: "test", version: "1.0.0" },
+        { capabilities: {} },
+      );
+      return mcpServer;
+    },
+    port,
+  });
+  // Test OPTIONS request - should not have CORS headers
+  const response = await fetch(`http://localhost:${port}/mcp`, {
+    headers: {
+      Origin: "https://example.com",
+    },
+    method: "OPTIONS",
+  });
+  expect(response.status).toBe(204);
+  expect(response.headers.get("Access-Control-Allow-Origin")).toBeNull();
+  expect(response.headers.get("Access-Control-Allow-Headers")).toBeNull();
+  await httpServer.close();
+});
+it("uses default CORS settings when cors: true", async () => {
+  const port = await getRandomPort();
+  const httpServer = await startHTTPServer({
+    cors: true,
+    createServer: async () => {
+      const mcpServer = new Server(
+        { name: "test", version: "1.0.0" },
+        { capabilities: {} },
+      );
+      return mcpServer;
+    },
+    port,
+  });
+  // Test OPTIONS request to verify default CORS headers
+  const response = await fetch(`http://localhost:${port}/mcp`, {
+    headers: {
+      Origin: "https://example.com",
+    },
+    method: "OPTIONS",
+  });
+  expect(response.status).toBe(204);
+  expect(response.headers.get("Access-Control-Allow-Origin")).toBe("*");
+  expect(response.headers.get("Access-Control-Allow-Headers")).toBe("Content-Type, Authorization, Accept, Mcp-Session-Id, Last-Event-Id");
+  expect(response.headers.get("Access-Control-Allow-Credentials")).toBe("true");
+  await httpServer.close();
+});
+it("supports custom methods and maxAge", async () => {
+  const port = await getRandomPort();
+  const httpServer = await startHTTPServer({
+    cors: {
+      maxAge: 86400,
+      methods: ["GET", "POST", "PUT", "DELETE"],
+    },
+    createServer: async () => {
+      const mcpServer = new Server(
+        { name: "test", version: "1.0.0" },
+        { capabilities: {} },
+      );
+      return mcpServer;
+    },
+    port,
+  });
+  // Test OPTIONS request to verify custom settings
+  const response = await fetch(`http://localhost:${port}/mcp`, {
+    headers: {
+      Origin: "https://example.com",
+    },
+    method: "OPTIONS",
+  });
+  expect(response.status).toBe(204);
+  expect(response.headers.get("Access-Control-Allow-Methods")).toBe("GET, POST, PUT, DELETE");
+  expect(response.headers.get("Access-Control-Max-Age")).toBe("86400");
+  await httpServer.close();
+});

package/src/startHTTPServer.ts CHANGED Viewed

@@ -11,6 +11,15 @@ import { randomUUID } from "node:crypto";
 import { AuthConfig, AuthenticationMiddleware } from "./authentication.js";
 import { InMemoryEventStore } from "./InMemoryEventStore.js";
+export interface CorsOptions {
+  allowedHeaders?: string | string[]; // Allow string[] or '*' for wildcard
+  credentials?: boolean;
+  exposedHeaders?: string[];
+  maxAge?: number;
+  methods?: string[];
+  origin?: ((origin: string) => boolean) | string | string[];
+}
 export type SSEServer = {
   close: () => Promise<void>;
 };
@@ -102,6 +111,94 @@ const cleanupServer = async <T extends ServerLike>(
   }
 };
+// Helper function to apply CORS headers
+const applyCorsHeaders = (
+  req: http.IncomingMessage,
+  res: http.ServerResponse,
+  corsOptions?: boolean | CorsOptions,
+) => {
+  if (!req.headers.origin) {
+    return;
+  }
+  // Default CORS configuration for backward compatibility
+  const defaultCorsOptions: CorsOptions = {
+    allowedHeaders: "Content-Type, Authorization, Accept, Mcp-Session-Id, Last-Event-Id",
+    credentials: true,
+    exposedHeaders: ["Mcp-Session-Id"],
+    methods: ["GET", "POST", "OPTIONS"],
+    origin: "*",
+  };
+  let finalCorsOptions: CorsOptions;
+  if (corsOptions === false) {
+    // CORS disabled
+    return;
+  } else if (corsOptions === true || corsOptions === undefined) {
+    // Use default CORS settings
+    finalCorsOptions = defaultCorsOptions;
+  } else {
+    // Merge user options with defaults
+    finalCorsOptions = {
+      ...defaultCorsOptions,
+      ...corsOptions,
+    };
+  }
+  try {
+    const origin = new URL(req.headers.origin);
+    // Handle origin
+    let allowedOrigin = "*";
+    if (finalCorsOptions.origin) {
+      if (typeof finalCorsOptions.origin === "string") {
+        allowedOrigin = finalCorsOptions.origin;
+      } else if (Array.isArray(finalCorsOptions.origin)) {
+        allowedOrigin = finalCorsOptions.origin.includes(origin.origin)
+          ? origin.origin
+          : "false";
+      } else if (typeof finalCorsOptions.origin === "function") {
+        allowedOrigin = finalCorsOptions.origin(origin.origin) ? origin.origin : "false";
+      }
+    }
+    if (allowedOrigin !== "false") {
+      res.setHeader("Access-Control-Allow-Origin", allowedOrigin);
+    }
+    // Handle credentials
+    if (finalCorsOptions.credentials !== undefined) {
+      res.setHeader("Access-Control-Allow-Credentials", finalCorsOptions.credentials.toString());
+    }
+    // Handle methods
+    if (finalCorsOptions.methods) {
+      res.setHeader("Access-Control-Allow-Methods", finalCorsOptions.methods.join(", "));
+    }
+    // Handle allowed headers
+    if (finalCorsOptions.allowedHeaders) {
+      const allowedHeaders = typeof finalCorsOptions.allowedHeaders === "string"
+        ? finalCorsOptions.allowedHeaders
+        : finalCorsOptions.allowedHeaders.join(", ");
+      res.setHeader("Access-Control-Allow-Headers", allowedHeaders);
+    }
+    // Handle exposed headers
+    if (finalCorsOptions.exposedHeaders) {
+      res.setHeader("Access-Control-Expose-Headers", finalCorsOptions.exposedHeaders.join(", "));
+    }
+    // Handle max age
+    if (finalCorsOptions.maxAge !== undefined) {
+      res.setHeader("Access-Control-Max-Age", finalCorsOptions.maxAge.toString());
+    }
+  } catch (error) {
+    console.error("[mcp-proxy] error parsing origin", error);
+  }
+};
 const handleStreamRequest = async <T extends ServerLike>({
   activeTransports,
   authenticate,
@@ -586,6 +683,7 @@ const handleSSERequest = async <T extends ServerLike>({
 export const startHTTPServer = async <T extends ServerLike>({
   apiKey,
   authenticate,
+  cors,
   createServer,
   enableJsonResponse,
   eventStore,
@@ -601,6 +699,7 @@ export const startHTTPServer = async <T extends ServerLike>({
 }: {
   apiKey?: string;
   authenticate?: (request: http.IncomingMessage) => Promise<unknown>;
+  cors?: boolean | CorsOptions;
   createServer: (request: http.IncomingMessage) => Promise<T>;
   enableJsonResponse?: boolean;
   eventStore?: EventStore;
@@ -633,19 +732,8 @@ export const startHTTPServer = async <T extends ServerLike>({
    * @author https://dev.classmethod.jp/articles/mcp-sse/
    */
   const httpServer = http.createServer(async (req, res) => {
-    if (req.headers.origin) {
-      try {
-        const origin = new URL(req.headers.origin);
-        res.setHeader("Access-Control-Allow-Origin", origin.origin);
-        res.setHeader("Access-Control-Allow-Credentials", "true");
-        res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
-        res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization, Accept, Mcp-Session-Id, Last-Event-Id");
-        res.setHeader("Access-Control-Expose-Headers", "Mcp-Session-Id");
-      } catch (error) {
-        console.error("[mcp-proxy] error parsing origin", error);
-      }
-    }
+    // Apply CORS headers
+    applyCorsHeaders(req, res, cors);
     if (req.method === "OPTIONS") {
       res.writeHead(204);