mcp-proxy 6.4.4 → 6.4.6

package/jsr.json

@@ -3,5 +3,5 @@
   "include": ["src/index.ts", "src/bin/mcp-proxy.ts"],
   "license": "MIT",
   "name": "@punkpeye/mcp-proxy",
-  "version": "6.4.4"
+  "version": "6.4.6"
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mcp-proxy",
-  "version": "6.4.4",
+  "version": "6.4.6",
   "main": "dist/index.mjs",
   "scripts": {
     "build": "tsdown",

package/src/startHTTPServer.test.ts

@@ -692,6 +692,115 @@ it("does not require auth for OPTIONS requests", async () => {
   await httpServer.close();
 });
 
+it("allows onUnhandledRequest to serve routes without auth", async () => {
+  const port = await getRandomPort();
+  const apiKey = "test-api-key-unhandled";
+
+  const httpServer = await startHTTPServer({
+    apiKey,
+    createServer: async () => {
+      const mcpServer = new Server(
+        { name: "test", version: "1.0.0" },
+        { capabilities: {} },
+      );
+      return mcpServer;
+    },
+    onUnhandledRequest: async (req, res) => {
+      if (req.url === "/health") {
+        res.writeHead(200).end("ok");
+      } else if (req.url === "/ready") {
+        res.writeHead(200).end("ready");
+      }
+      // Don't write response for unknown paths — fall through to MCP handlers
+    },
+    port,
+  });
+
+  // /health works without auth
+  const healthResponse = await fetch(`http://localhost:${port}/health`);
+  expect(healthResponse.status).toBe(200);
+  expect(await healthResponse.text()).toBe("ok");
+
+  // /ready works without auth
+  const readyResponse = await fetch(`http://localhost:${port}/ready`);
+  expect(readyResponse.status).toBe(200);
+  expect(await readyResponse.text()).toBe("ready");
+
+  // POST /mcp without auth still returns 401
+  const mcpResponse = await fetch(`http://localhost:${port}/mcp`, {
+    body: JSON.stringify({
+      id: 1,
+      jsonrpc: "2.0",
+      method: "initialize",
+      params: {
+        capabilities: {},
+        clientInfo: { name: "test", version: "1.0.0" },
+        protocolVersion: "2025-03-26",
+      },
+    }),
+    headers: { "Content-Type": "application/json" },
+    method: "POST",
+  });
+  expect(mcpResponse.status).toBe(401);
+
+  await httpServer.close();
+});
+
+it("routes MCP stream endpoint to handleStreamRequest even when onUnhandledRequest closes response for unknown paths", async () => {
+  // Regression test for the interaction between PR #59 and consumers
+  // (e.g. fastmcp) whose onUnhandledRequest handler writes 404 for any path
+  // it doesn't recognise. Before the fix, the POST /mcp request was served
+  // by onUnhandledRequest (→ 404) and never reached handleStreamRequest.
+  const port = await getRandomPort();
+
+  const httpServer = await startHTTPServer({
+    createServer: async () => {
+      return new Server(
+        { name: "test", version: "1.0.0" },
+        { capabilities: {} },
+      );
+    },
+    // Simulates fastmcp's handleUnhandledRequest: consumes unknown paths
+    // with a 404 because it assumes it runs *after* the MCP protocol handlers.
+    onUnhandledRequest: async (req, res) => {
+      if (req.url === "/health") {
+        res.writeHead(200).end("ok");
+        return;
+      }
+      res.writeHead(404).end();
+    },
+    port,
+  });
+
+  // Sanity: custom route still works (preserves PR #59 behaviour).
+  const healthResponse = await fetch(`http://localhost:${port}/health`);
+  expect(healthResponse.status).toBe(200);
+
+  // The MCP initialize call must reach handleStreamRequest, NOT the 404
+  // fallback inside onUnhandledRequest.
+  const mcpResponse = await fetch(`http://localhost:${port}/mcp`, {
+    body: JSON.stringify({
+      id: 1,
+      jsonrpc: "2.0",
+      method: "initialize",
+      params: {
+        capabilities: {},
+        clientInfo: { name: "test", version: "1.0.0" },
+        protocolVersion: "2025-03-26",
+      },
+    }),
+    headers: {
+      Accept: "application/json, text/event-stream",
+      "Content-Type": "application/json",
+    },
+    method: "POST",
+  });
+  expect(mcpResponse.status).toBe(200);
+  expect(mcpResponse.headers.get("mcp-session-id")).toBeTruthy();
+
+  await httpServer.close();
+});
+
 // Stateless OAuth 2.0 JWT Bearer Token Authentication Tests (PR #37)
 
 it("accepts requests with valid Bearer token in stateless mode", async () => {

package/src/startHTTPServer.ts

@@ -938,7 +938,27 @@ export const startHTTPServer = async <T extends ServerLike>({
       return;
     }
 
-    // Check authentication for all other endpoints
+    // Determine whether the request targets an MCP protocol endpoint (SSE
+    // or HTTP Stream). For those endpoints, onUnhandledRequest MUST NOT run
+    // first — some consumers (e.g. fastmcp) use it as a catch-all 404 handler
+    // and would otherwise short-circuit the MCP protocol handlers.
+    // Use a fixed base because `host` may be "::" (IPv6 any), which is not a
+    // valid URL authority. We only need pathname here.
+    const requestUrl = new URL(req.url || "", "http://localhost");
+    const isMcpEndpoint =
+      (sseEndpoint && requestUrl.pathname === sseEndpoint) ||
+      (streamEndpoint && requestUrl.pathname === streamEndpoint);
+
+    // Let non-MCP routes (e.g. /health, /ready, OAuth metadata) be handled
+    // before auth — API key auth protects MCP protocol endpoints, not custom routes.
+    if (onUnhandledRequest && !isMcpEndpoint) {
+      await onUnhandledRequest(req, res);
+      if (res.writableEnded) {
+        return;
+      }
+    }
+
+    // Check authentication for MCP protocol endpoints
     if (!authMiddleware.validateRequest(req)) {
       const authResponse = authMiddleware.getUnauthorizedResponse();
       res.writeHead(401, authResponse.headers);
@@ -982,11 +1002,7 @@ export const startHTTPServer = async <T extends ServerLike>({
       return;
     }
 
-    if (onUnhandledRequest) {
-      await onUnhandledRequest(req, res);
-    } else {
-      res.writeHead(404).end();
-    }
+    res.writeHead(404).end();
   };
 
   let httpServer;