mcp-proxy 6.4.3 → 6.4.5

package/jsr.json

@@ -3,5 +3,5 @@
   "include": ["src/index.ts", "src/bin/mcp-proxy.ts"],
   "license": "MIT",
   "name": "@punkpeye/mcp-proxy",
-  "version": "6.4.3"
+  "version": "6.4.5"
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mcp-proxy",
-  "version": "6.4.3",
+  "version": "6.4.5",
   "main": "dist/index.mjs",
   "scripts": {
     "build": "tsdown",
@@ -39,7 +39,7 @@
   },
   "devDependencies": {
     "@eslint/js": "^9.39.1",
-    "@modelcontextprotocol/sdk": "^1.24.3",
+    "@modelcontextprotocol/sdk": "^1.27.1",
     "@sebbo2002/semantic-release-jsr": "^3.1.0",
     "@tsconfig/node24": "^24.0.3",
     "@types/express": "^5.0.6",

package/src/bin/mcp-proxy.ts

@@ -2,6 +2,7 @@
 
 import { Client } from "@modelcontextprotocol/sdk/client/index.js";
 import { Server } from "@modelcontextprotocol/sdk/server/index.js";
+import { ServerCapabilities } from "@modelcontextprotocol/sdk/types.js";
 import { EventSource } from "eventsource";
 import { createRequire } from "node:module";
 import { setTimeout } from "node:timers";
@@ -196,9 +197,7 @@ const proxy = async () => {
     version: string;
   };
 
-  const serverCapabilities = client.getServerCapabilities() as {
-    capabilities: Record<string, unknown>;
-  };
+  const serverCapabilities = client.getServerCapabilities() as ServerCapabilities;
 
   console.info("starting server on port %d", argv.port);
 

package/src/proxyServer.test.ts

@@ -2,7 +2,7 @@ import { Client } from "@modelcontextprotocol/sdk/client/index.js";
 import { StdioClientTransport } from "@modelcontextprotocol/sdk/client/stdio.js";
 import { StreamableHTTPClientTransport } from "@modelcontextprotocol/sdk/client/streamableHttp.js";
 import { Server } from "@modelcontextprotocol/sdk/server/index.js";
-import { McpError } from "@modelcontextprotocol/sdk/types.js";
+import { McpError, ServerCapabilities } from "@modelcontextprotocol/sdk/types.js";
 import { EventSource } from "eventsource";
 import { getRandomPort } from "get-port-please";
 import { describe, expect, it } from "vitest";
@@ -59,9 +59,7 @@ async function createTestEnvironment(
     name: string;
     version: string;
   };
-  const serverCapabilities = stdioClient.getServerCapabilities() as {
-    capabilities: Record<string, unknown>;
-  };
+  const serverCapabilities = stdioClient.getServerCapabilities() as ServerCapabilities;
   const port = await getRandomPort();
 
   const httpServer = await startHTTPServer({

package/src/startHTTPServer.test.ts

@@ -3,6 +3,7 @@ import { SSEClientTransport } from "@modelcontextprotocol/sdk/client/sse.js";
 import { StdioClientTransport } from "@modelcontextprotocol/sdk/client/stdio.js";
 import { StreamableHTTPClientTransport } from "@modelcontextprotocol/sdk/client/streamableHttp.js";
 import { Server } from "@modelcontextprotocol/sdk/server/index.js";
+import { ServerCapabilities } from "@modelcontextprotocol/sdk/types.js";
 import { EventSource } from "eventsource";
 import fs from "fs";
 import { getRandomPort } from "get-port-please";
@@ -42,9 +43,7 @@ it("proxies messages between HTTP stream and stdio servers", async () => {
     version: string;
   };
 
-  const serverCapabilities = stdioClient.getServerCapabilities() as {
-    capabilities: Record<string, unknown>;
-  };
+  const serverCapabilities = stdioClient.getServerCapabilities() as ServerCapabilities;
 
   const port = await getRandomPort();
 
@@ -155,9 +154,7 @@ it("proxies messages between SSE and stdio servers", async () => {
     version: string;
   };
 
-  const serverCapabilities = stdioClient.getServerCapabilities() as {
-    capabilities: Record<string, unknown>;
-  };
+  const serverCapabilities = stdioClient.getServerCapabilities() as ServerCapabilities;
 
   const port = await getRandomPort();
 
@@ -265,9 +262,7 @@ it("supports stateless HTTP streamable transport", async () => {
     version: string;
   };
 
-  const serverCapabilities = stdioClient.getServerCapabilities() as {
-    capabilities: Record<string, unknown>;
-  };
+  const serverCapabilities = stdioClient.getServerCapabilities() as ServerCapabilities;
 
   const port = await getRandomPort();
 
@@ -354,9 +349,7 @@ it("allows requests when no auth is configured", async () => {
     version: string;
   };
 
-  const serverCapabilities = stdioClient.getServerCapabilities() as {
-    capabilities: Record<string, unknown>;
-  };
+  const serverCapabilities = stdioClient.getServerCapabilities() as ServerCapabilities;
 
   const port = await getRandomPort();
 
@@ -434,9 +427,7 @@ it("rejects requests without API key when auth is enabled", async () => {
     version: string;
   };
 
-  const serverCapabilities = stdioClient.getServerCapabilities() as {
-    capabilities: Record<string, unknown>;
-  };
+  const serverCapabilities = stdioClient.getServerCapabilities() as ServerCapabilities;
 
   const port = await getRandomPort();
 
@@ -503,9 +494,7 @@ it("accepts requests with valid API key", async () => {
     version: string;
   };
 
-  const serverCapabilities = stdioClient.getServerCapabilities() as {
-    capabilities: Record<string, unknown>;
-  };
+  const serverCapabilities = stdioClient.getServerCapabilities() as ServerCapabilities;
 
   const port = await getRandomPort();
   const apiKey = "test-api-key-123";
@@ -591,9 +580,7 @@ it("works with SSE transport and authentication", async () => {
     version: string;
   };
 
-  const serverCapabilities = stdioClient.getServerCapabilities() as {
-    capabilities: Record<string, unknown>;
-  };
+  const serverCapabilities = stdioClient.getServerCapabilities() as ServerCapabilities;
 
   const port = await getRandomPort();
   const apiKey = "test-api-key-456";
@@ -705,6 +692,60 @@ it("does not require auth for OPTIONS requests", async () => {
   await httpServer.close();
 });
 
+it("allows onUnhandledRequest to serve routes without auth", async () => {
+  const port = await getRandomPort();
+  const apiKey = "test-api-key-unhandled";
+
+  const httpServer = await startHTTPServer({
+    apiKey,
+    createServer: async () => {
+      const mcpServer = new Server(
+        { name: "test", version: "1.0.0" },
+        { capabilities: {} },
+      );
+      return mcpServer;
+    },
+    onUnhandledRequest: async (req, res) => {
+      if (req.url === "/health") {
+        res.writeHead(200).end("ok");
+      } else if (req.url === "/ready") {
+        res.writeHead(200).end("ready");
+      }
+      // Don't write response for unknown paths — fall through to MCP handlers
+    },
+    port,
+  });
+
+  // /health works without auth
+  const healthResponse = await fetch(`http://localhost:${port}/health`);
+  expect(healthResponse.status).toBe(200);
+  expect(await healthResponse.text()).toBe("ok");
+
+  // /ready works without auth
+  const readyResponse = await fetch(`http://localhost:${port}/ready`);
+  expect(readyResponse.status).toBe(200);
+  expect(await readyResponse.text()).toBe("ready");
+
+  // POST /mcp without auth still returns 401
+  const mcpResponse = await fetch(`http://localhost:${port}/mcp`, {
+    body: JSON.stringify({
+      id: 1,
+      jsonrpc: "2.0",
+      method: "initialize",
+      params: {
+        capabilities: {},
+        clientInfo: { name: "test", version: "1.0.0" },
+        protocolVersion: "2025-03-26",
+      },
+    }),
+    headers: { "Content-Type": "application/json" },
+    method: "POST",
+  });
+  expect(mcpResponse.status).toBe(401);
+
+  await httpServer.close();
+});
+
 // Stateless OAuth 2.0 JWT Bearer Token Authentication Tests (PR #37)
 
 it("accepts requests with valid Bearer token in stateless mode", async () => {
@@ -730,9 +771,7 @@ it("accepts requests with valid Bearer token in stateless mode", async () => {
     version: string;
   };
 
-  const serverCapabilities = stdioClient.getServerCapabilities() as {
-    capabilities: Record<string, unknown>;
-  };
+  const serverCapabilities = stdioClient.getServerCapabilities() as ServerCapabilities;
 
   const port = await getRandomPort();
 
@@ -825,9 +864,7 @@ it("returns 401 when authenticate callback returns null in stateless mode", asyn
     version: string;
   };
 
-  const serverCapabilities = stdioClient.getServerCapabilities() as {
-    capabilities: Record<string, unknown>;
-  };
+  const serverCapabilities = stdioClient.getServerCapabilities() as ServerCapabilities;
 
   const port = await getRandomPort();
 
@@ -908,9 +945,7 @@ it("returns 401 when authenticate callback throws error in stateless mode", asyn
     version: string;
   };
 
-  const serverCapabilities = stdioClient.getServerCapabilities() as {
-    capabilities: Record<string, unknown>;
-  };
+  const serverCapabilities = stdioClient.getServerCapabilities() as ServerCapabilities;
 
   const port = await getRandomPort();
 
@@ -993,9 +1028,7 @@ it("calls authenticate on every request in stateful mode", async () => {
     version: string;
   };
 
-  const serverCapabilities = stdioClient.getServerCapabilities() as {
-    capabilities: Record<string, unknown>;
-  };
+  const serverCapabilities = stdioClient.getServerCapabilities() as ServerCapabilities;
 
   const port = await getRandomPort();
 
@@ -1083,9 +1116,7 @@ it("calls authenticate on every request in stateless mode", async () => {
     version: string;
   };
 
-  const serverCapabilities = stdioClient.getServerCapabilities() as {
-    capabilities: Record<string, unknown>;
-  };
+  const serverCapabilities = stdioClient.getServerCapabilities() as ServerCapabilities;
 
   const port = await getRandomPort();
 
@@ -1211,9 +1242,7 @@ it("returns 401 when authenticate callback returns { authenticated: false } in s
     version: string;
   };
 
-  const serverCapabilities = stdioClient.getServerCapabilities() as {
-    capabilities: Record<string, unknown>;
-  };
+  const serverCapabilities = stdioClient.getServerCapabilities() as ServerCapabilities;
 
   const port = await getRandomPort();
 
@@ -1297,9 +1326,7 @@ it("returns 401 with custom error message when { authenticated: false, error: '.
     version: string;
   };
 
-  const serverCapabilities = stdioClient.getServerCapabilities() as {
-    capabilities: Record<string, unknown>;
-  };
+  const serverCapabilities = stdioClient.getServerCapabilities() as ServerCapabilities;
 
   const port = await getRandomPort();
 
@@ -1766,9 +1793,7 @@ it("succeeds when authenticate returns { authenticated: true } in stateless mode
     version: string;
   };
 
-  const serverCapabilities = stdioClient.getServerCapabilities() as {
-    capabilities: Record<string, unknown>;
-  };
+  const serverCapabilities = stdioClient.getServerCapabilities() as ServerCapabilities;
 
   const port = await getRandomPort();
 
@@ -2167,9 +2192,7 @@ it("DELETE request terminates session cleanly and calls onClose exactly once", a
     name: string;
     version: string;
   };
-  const serverCapabilities = stdioClient.getServerCapabilities() as {
-    capabilities: Record<string, unknown>;
-  };
+  const serverCapabilities = stdioClient.getServerCapabilities() as ServerCapabilities;
 
   const port = await getRandomPort();
   const onClose = vi.fn().mockResolvedValue(undefined);
@@ -2240,9 +2263,7 @@ it("DELETE request to non-existent session returns 400", async () => {
     name: string;
     version: string;
   };
-  const serverCapabilities = stdioClient.getServerCapabilities() as {
-    capabilities: Record<string, unknown>;
-  };
+  const serverCapabilities = stdioClient.getServerCapabilities() as ServerCapabilities;
 
   const port = await getRandomPort();
 

package/src/startHTTPServer.ts

@@ -938,7 +938,16 @@ export const startHTTPServer = async <T extends ServerLike>({
       return;
     }
 
-    // Check authentication for all other endpoints
+    // Let non-MCP routes (e.g. /health, /ready, OAuth metadata) be handled
+    // before auth — API key auth protects MCP protocol endpoints, not custom routes.
+    if (onUnhandledRequest) {
+      await onUnhandledRequest(req, res);
+      if (res.writableEnded) {
+        return;
+      }
+    }
+
+    // Check authentication for MCP protocol endpoints
     if (!authMiddleware.validateRequest(req)) {
       const authResponse = authMiddleware.getUnauthorizedResponse();
       res.writeHead(401, authResponse.headers);
@@ -982,11 +991,7 @@ export const startHTTPServer = async <T extends ServerLike>({
       return;
     }
 
-    if (onUnhandledRequest) {
-      await onUnhandledRequest(req, res);
-    } else {
-      res.writeHead(404).end();
-    }
+    res.writeHead(404).end();
   };
 
   let httpServer;

package/src/startStdioServer.ts

@@ -5,6 +5,7 @@ import { StreamableHTTPClientTransportOptions } from "@modelcontextprotocol/sdk/
 import { StreamableHTTPClientTransport } from "@modelcontextprotocol/sdk/client/streamableHttp.js";
 import { Server } from "@modelcontextprotocol/sdk/server/index.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { ServerCapabilities } from "@modelcontextprotocol/sdk/types.js";
 
 import { proxyServer } from "./proxyServer.js";
 
@@ -58,9 +59,7 @@ export const startStdioServer = async ({
     version: string;
   };
 
-  const serverCapabilities = streamClient.getServerCapabilities() as {
-    capabilities: Record<string, unknown>;
-  };
+  const serverCapabilities = streamClient.getServerCapabilities() as ServerCapabilities;
 
   const stdioServer = initStdioServer
     ? await initStdioServer()