mcp-proxy 6.4.5 → 6.5.0

package/jsr.json

@@ -3,5 +3,5 @@
   "include": ["src/index.ts", "src/bin/mcp-proxy.ts"],
   "license": "MIT",
   "name": "@punkpeye/mcp-proxy",
-  "version": "6.4.5"
+  "version": "6.5.0"
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mcp-proxy",
-  "version": "6.4.5",
+  "version": "6.5.0",
   "main": "dist/index.mjs",
   "scripts": {
     "build": "tsdown",

package/src/bin/mcp-proxy.ts

@@ -55,6 +55,12 @@ const argv = await yargs(hideBin(process.argv))
         "The timeout (in milliseconds) for initial connection to the MCP server (default: 60 seconds)",
       type: "number",
     },
+    corsAddAllowedHeader: {
+      array: true,
+      describe:
+        "Add a header name to Access-Control-Allow-Headers (defaults preserved). Repeat to add multiple, e.g. `--corsAddAllowedHeader X-API-Key`.",
+      type: "string",
+    },
     debug: {
       default: false,
       describe: "Enable debug logging",
@@ -137,6 +143,22 @@ const argv = await yargs(hideBin(process.argv))
   .help()
   .parseAsync();
 
+// Default Access-Control-Allow-Headers list — must stay in sync with
+// `defaultCorsOptions.allowedHeaders` in src/startHTTPServer.ts.
+const DEFAULT_ALLOWED_HEADERS = [
+  "Content-Type",
+  "Authorization",
+  "Accept",
+  "Mcp-Session-Id",
+  "Mcp-Protocol-Version",
+  "Last-Event-Id",
+];
+
+const corsOption =
+  argv.corsAddAllowedHeader && argv.corsAddAllowedHeader.length > 0
+    ? { allowedHeaders: [...DEFAULT_ALLOWED_HEADERS, ...argv.corsAddAllowedHeader] }
+    : undefined;
+
 // If -- separator was used, everything after -- is the command and its args
 const dashDashArgs = argv["--"] as string[] | undefined;
 
@@ -218,6 +240,7 @@ const proxy = async () => {
 
   const server = await startHTTPServer({
     apiKey: argv.apiKey,
+    cors: corsOption,
     createServer,
     eventStore: new InMemoryEventStore(),
     host: argv.host,

package/src/startHTTPServer.test.ts

@@ -746,6 +746,61 @@ it("allows onUnhandledRequest to serve routes without auth", async () => {
   await httpServer.close();
 });
 
+it("routes MCP stream endpoint to handleStreamRequest even when onUnhandledRequest closes response for unknown paths", async () => {
+  // Regression test for the interaction between PR #59 and consumers
+  // (e.g. fastmcp) whose onUnhandledRequest handler writes 404 for any path
+  // it doesn't recognise. Before the fix, the POST /mcp request was served
+  // by onUnhandledRequest (→ 404) and never reached handleStreamRequest.
+  const port = await getRandomPort();
+
+  const httpServer = await startHTTPServer({
+    createServer: async () => {
+      return new Server(
+        { name: "test", version: "1.0.0" },
+        { capabilities: {} },
+      );
+    },
+    // Simulates fastmcp's handleUnhandledRequest: consumes unknown paths
+    // with a 404 because it assumes it runs *after* the MCP protocol handlers.
+    onUnhandledRequest: async (req, res) => {
+      if (req.url === "/health") {
+        res.writeHead(200).end("ok");
+        return;
+      }
+      res.writeHead(404).end();
+    },
+    port,
+  });
+
+  // Sanity: custom route still works (preserves PR #59 behaviour).
+  const healthResponse = await fetch(`http://localhost:${port}/health`);
+  expect(healthResponse.status).toBe(200);
+
+  // The MCP initialize call must reach handleStreamRequest, NOT the 404
+  // fallback inside onUnhandledRequest.
+  const mcpResponse = await fetch(`http://localhost:${port}/mcp`, {
+    body: JSON.stringify({
+      id: 1,
+      jsonrpc: "2.0",
+      method: "initialize",
+      params: {
+        capabilities: {},
+        clientInfo: { name: "test", version: "1.0.0" },
+        protocolVersion: "2025-03-26",
+      },
+    }),
+    headers: {
+      Accept: "application/json, text/event-stream",
+      "Content-Type": "application/json",
+    },
+    method: "POST",
+  });
+  expect(mcpResponse.status).toBe(200);
+  expect(mcpResponse.headers.get("mcp-session-id")).toBeTruthy();
+
+  await httpServer.close();
+});
+
 // Stateless OAuth 2.0 JWT Bearer Token Authentication Tests (PR #37)
 
 it("accepts requests with valid Bearer token in stateless mode", async () => {

package/src/startHTTPServer.ts

@@ -938,9 +938,20 @@ export const startHTTPServer = async <T extends ServerLike>({
       return;
     }
 
+    // Determine whether the request targets an MCP protocol endpoint (SSE
+    // or HTTP Stream). For those endpoints, onUnhandledRequest MUST NOT run
+    // first — some consumers (e.g. fastmcp) use it as a catch-all 404 handler
+    // and would otherwise short-circuit the MCP protocol handlers.
+    // Use a fixed base because `host` may be "::" (IPv6 any), which is not a
+    // valid URL authority. We only need pathname here.
+    const requestUrl = new URL(req.url || "", "http://localhost");
+    const isMcpEndpoint =
+      (sseEndpoint && requestUrl.pathname === sseEndpoint) ||
+      (streamEndpoint && requestUrl.pathname === streamEndpoint);
+
     // Let non-MCP routes (e.g. /health, /ready, OAuth metadata) be handled
     // before auth — API key auth protects MCP protocol endpoints, not custom routes.
-    if (onUnhandledRequest) {
+    if (onUnhandledRequest && !isMcpEndpoint) {
       await onUnhandledRequest(req, res);
       if (res.writableEnded) {
         return;