mcp-ts-template 2.3.8 → 2.3.9

package/README.md

@@ -7,7 +7,7 @@
 
 <div align="center">
 
-[![Version](https://img.shields.io/badge/Version-2.3.8-blue.svg?style=flat-square)](./CHANGELOG.md) [![MCP Spec](https://img.shields.io/badge/MCP%20Spec-2025--06--18-8A2BE2.svg?style=flat-square)](https://github.com/modelcontextprotocol/modelcontextprotocol/blob/main/docs/specification/2025-06-18/changelog.mdx) [![MCP SDK](https://img.shields.io/badge/MCP%20SDK-^1.20.0-green.svg?style=flat-square)](https://modelcontextprotocol.io/) [![License](https://img.shields.io/badge/License-Apache%202.0-orange.svg?style=flat-square)](./LICENSE) [![Status](https://img.shields.io/badge/Status-Stable-brightgreen.svg?style=flat-square)](https://github.com/cyanheads/mcp-ts-template/issues) [![TypeScript](https://img.shields.io/badge/TypeScript-^5.9.3-3178C6.svg?style=flat-square)](https://www.typescriptlang.org/) [![Bun](https://img.shields.io/badge/Bun-v1.2.23-blueviolet.svg?style=flat-square)](https://bun.sh/) [![Code Coverage](https://img.shields.io/badge/Coverage-93.44%25-brightgreen.svg?style=flat-square)](./coverage/lcov-report/)
+[![Version](https://img.shields.io/badge/Version-2.3.9-blue.svg?style=flat-square)](./CHANGELOG.md) [![MCP Spec](https://img.shields.io/badge/MCP%20Spec-2025--06--18-8A2BE2.svg?style=flat-square)](https://github.com/modelcontextprotocol/modelcontextprotocol/blob/main/docs/specification/2025-06-18/changelog.mdx) [![MCP SDK](https://img.shields.io/badge/MCP%20SDK-^1.20.0-green.svg?style=flat-square)](https://modelcontextprotocol.io/) [![License](https://img.shields.io/badge/License-Apache%202.0-orange.svg?style=flat-square)](./LICENSE) [![Status](https://img.shields.io/badge/Status-Stable-brightgreen.svg?style=flat-square)](https://github.com/cyanheads/mcp-ts-template/issues) [![TypeScript](https://img.shields.io/badge/TypeScript-^5.9.3-3178C6.svg?style=flat-square)](https://www.typescriptlang.org/) [![Bun](https://img.shields.io/badge/Bun-v1.2.23-blueviolet.svg?style=flat-square)](https://bun.sh/) [![Code Coverage](https://img.shields.io/badge/Coverage-93.44%25-brightgreen.svg?style=flat-square)](./coverage/lcov-report/)
 
 </div>
 

package/dist/index.js

@@ -117141,7 +117141,7 @@ var z = /* @__PURE__ */ Object.freeze({
 // package.json
 var package_default = {
   name: "mcp-ts-template",
-  version: "2.3.7",
+  version: "2.3.8",
   mcpName: "io.github.cyanheads/mcp-ts-template",
   description: "The definitive, production-grade template for building powerful and scalable Model Context Protocol (MCP) servers with TypeScript, featuring built-in observability (OpenTelemetry), declarative tooling, robust error handling, and a modular, DI-driven architecture.",
   main: "dist/index.js",
@@ -119039,12 +119039,36 @@ class RateLimiter {
       maxRequests: 100,
       errorMessage: "Rate limit exceeded. Please try again in {waitTime} seconds.",
       skipInDevelopment: false,
-      cleanupInterval: 5 * 60 * 1000
+      cleanupInterval: 5 * 60 * 1000,
+      maxTrackedKeys: 1e4
     };
     this.effectiveConfig = { ...defaultConfig };
     this.limits = new Map;
     this.startCleanupTimer();
   }
+  evictLRUEntry() {
+    if (this.limits.size === 0)
+      return;
+    let oldestKey = null;
+    let oldestTime = Infinity;
+    for (const [key, entry] of this.limits.entries()) {
+      if (entry.lastAccess < oldestTime) {
+        oldestTime = entry.lastAccess;
+        oldestKey = key;
+      }
+    }
+    if (oldestKey) {
+      this.limits.delete(oldestKey);
+      const logContext = requestContextService.createRequestContext({
+        operation: "RateLimiter.evictLRUEntry",
+        additionalContext: {
+          evictedKey: oldestKey,
+          remainingEntries: this.limits.size
+        }
+      });
+      this.logger.debug("Evicted LRU entry from rate limiter", logContext);
+    }
+  }
   startCleanupTimer() {
     if (this.cleanupTimer) {
       clearInterval(this.cleanupTimer);
@@ -119107,23 +119131,34 @@ class RateLimiter {
     const now = Date.now();
     let entry = this.limits.get(limitKey);
     if (!entry || now >= entry.resetTime) {
+      const maxKeys = this.effectiveConfig.maxTrackedKeys || 1e4;
+      if (!entry && this.limits.size >= maxKeys) {
+        this.evictLRUEntry();
+        activeSpan?.addEvent("rate_limit_lru_eviction", {
+          "mcp.rate_limit.size_before_eviction": this.limits.size + 1,
+          "mcp.rate_limit.max_keys": maxKeys
+        });
+      }
       entry = {
         count: 1,
-        resetTime: now + this.effectiveConfig.windowMs
+        resetTime: now + this.effectiveConfig.windowMs,
+        lastAccess: now
       };
       this.limits.set(limitKey, entry);
     } else {
       entry.count++;
+      entry.lastAccess = now;
     }
     const remaining = Math.max(0, this.effectiveConfig.maxRequests - entry.count);
     activeSpan?.setAttributes({
       "mcp.rate_limit.limit": this.effectiveConfig.maxRequests,
       "mcp.rate_limit.count": entry.count,
-      "mcp.rate_limit.remaining": remaining
+      "mcp.rate_limit.remaining": remaining,
+      "mcp.rate_limit.tracked_keys": this.limits.size
     });
     if (entry.count > this.effectiveConfig.maxRequests) {
       const waitTime = Math.ceil((entry.resetTime - now) / 1000);
-      const errorMessage = (this.effectiveConfig.errorMessage || "Rate limit exceeded. Please try again in {waitTime} seconds.").replace("{waitTime}", waitTime.toString());
+      const errorMessage = (this.effectiveConfig.errorMessage || "Rate limit exceeded. Please try again in {waitTime}  seconds.").replace("{waitTime}", waitTime.toString());
       activeSpan?.addEvent("rate_limit_exceeded", {
         "mcp.rate_limit.wait_time_seconds": waitTime
       });
@@ -125604,13 +125639,51 @@ class SpeechService2 {
 // src/storage/core/StorageService.ts
 var import_tsyringe5 = __toESM(require_cjs3(), 1);
 function requireTenantId(context) {
-  if (!context.tenantId) {
+  const tenantId = context.tenantId;
+  if (tenantId === undefined || tenantId === null) {
     throw new McpError(-32603 /* InternalError */, "Tenant ID is required for storage operations but was not found in the request context.", {
       operation: "StorageService.requireTenantId",
       requestId: context.requestId
     });
   }
-  return context.tenantId;
+  if (typeof tenantId !== "string" || tenantId.trim().length === 0) {
+    throw new McpError(-32602 /* InvalidParams */, "Tenant ID cannot be an empty string.", {
+      operation: "StorageService.requireTenantId",
+      requestId: context.requestId,
+      tenantId
+    });
+  }
+  const trimmedTenantId = tenantId.trim();
+  if (trimmedTenantId.length > 128) {
+    throw new McpError(-32602 /* InvalidParams */, "Tenant ID exceeds maximum length of 128 characters.", {
+      operation: "StorageService.requireTenantId",
+      requestId: context.requestId,
+      tenantIdLength: trimmedTenantId.length
+    });
+  }
+  const validTenantIdPattern = /^[a-zA-Z0-9]$|^[a-zA-Z0-9][a-zA-Z0-9._-]*[a-zA-Z0-9]$/;
+  if (!validTenantIdPattern.test(trimmedTenantId)) {
+    throw new McpError(-32602 /* InvalidParams */, "Tenant ID contains invalid characters. Only alphanumeric characters, hyphens, underscores, and dots are allowed. Must start and end with alphanumeric characters.", {
+      operation: "StorageService.requireTenantId",
+      requestId: context.requestId,
+      tenantId: trimmedTenantId
+    });
+  }
+  if (trimmedTenantId.includes("../") || trimmedTenantId.includes("..\\")) {
+    throw new McpError(-32602 /* InvalidParams */, "Tenant ID contains path traversal sequences, which are not allowed.", {
+      operation: "StorageService.requireTenantId",
+      requestId: context.requestId,
+      tenantId: trimmedTenantId
+    });
+  }
+  if (trimmedTenantId.includes("..")) {
+    throw new McpError(-32602 /* InvalidParams */, "Tenant ID contains consecutive dots, which are not allowed.", {
+      operation: "StorageService.requireTenantId",
+      requestId: context.requestId,
+      tenantId: trimmedTenantId
+    });
+  }
+  return trimmedTenantId;
 }
 
 class StorageService2 {
@@ -135451,26 +135524,48 @@ class SessionStore {
     this.staleTimeout = staleTimeoutMs;
     setInterval(() => this.cleanupStaleSessions(), 60000);
   }
-  getOrCreate(sessionId) {
+  getOrCreate(sessionId, identity) {
     let session = this.sessions.get(sessionId);
     if (!session) {
-      session = {
+      const newSession = {
         id: sessionId,
         createdAt: new Date,
         lastAccessedAt: new Date
       };
+      if (identity?.tenantId)
+        newSession.tenantId = identity.tenantId;
+      if (identity?.clientId)
+        newSession.clientId = identity.clientId;
+      if (identity?.subject)
+        newSession.subject = identity.subject;
+      session = newSession;
       this.sessions.set(sessionId, session);
       const context = requestContextService.createRequestContext({
         operation: "SessionStore.create",
-        sessionId
+        sessionId,
+        tenantId: identity?.tenantId
       });
-      logger.debug("Session created", context);
+      logger.debug("Session created with identity binding", context);
     } else {
       session.lastAccessedAt = new Date;
+      if (identity && !session.tenantId) {
+        if (identity.tenantId)
+          session.tenantId = identity.tenantId;
+        if (identity.clientId)
+          session.clientId = identity.clientId;
+        if (identity.subject)
+          session.subject = identity.subject;
+        const context = requestContextService.createRequestContext({
+          operation: "SessionStore.bindIdentity",
+          sessionId,
+          tenantId: identity.tenantId
+        });
+        logger.debug("Session identity bound on authenticated request", context);
+      }
     }
     return session;
   }
-  isValid(sessionId) {
+  isValidForIdentity(sessionId, identity) {
     const session = this.sessions.get(sessionId);
     if (!session) {
       return false;
@@ -135480,6 +135575,45 @@ class SessionStore {
       this.terminate(sessionId);
       return false;
     }
+    if (!session.tenantId && !session.clientId) {
+      return true;
+    }
+    if (!identity) {
+      const context = requestContextService.createRequestContext({
+        operation: "SessionStore.isValidForIdentity",
+        sessionId
+      });
+      logger.warning("Session requires authentication but request has no identity", context);
+      return false;
+    }
+    if (session.tenantId && identity.tenantId) {
+      if (session.tenantId !== identity.tenantId) {
+        const context = requestContextService.createRequestContext({
+          operation: "SessionStore.isValidForIdentity",
+          sessionId
+        });
+        logger.warning("Session tenant mismatch - possible hijacking attempt", {
+          ...context,
+          sessionTenant: session.tenantId,
+          requestTenant: identity.tenantId
+        });
+        return false;
+      }
+    }
+    if (session.clientId && identity.clientId) {
+      if (session.clientId !== identity.clientId) {
+        const context = requestContextService.createRequestContext({
+          operation: "SessionStore.isValidForIdentity",
+          sessionId
+        });
+        logger.warning("Session client mismatch - possible hijacking attempt", {
+          ...context,
+          sessionClient: session.clientId,
+          requestClient: identity.clientId
+        });
+        return false;
+      }
+    }
     return true;
   }
   terminate(sessionId) {
@@ -135637,15 +135771,28 @@ function createHttpApp(mcpServer, parentContext) {
     }
     const providedSessionId = c.req.header("mcp-session-id");
     const sessionId = providedSessionId ?? randomUUID();
-    if (sessionStore && providedSessionId && !sessionStore.isValid(providedSessionId)) {
-      logger.warning("Request with invalid or terminated session ID", {
+    const authStore = authContext.getStore();
+    let sessionIdentity;
+    if (authStore?.authInfo) {
+      sessionIdentity = {};
+      if (authStore.authInfo.tenantId)
+        sessionIdentity.tenantId = authStore.authInfo.tenantId;
+      if (authStore.authInfo.clientId)
+        sessionIdentity.clientId = authStore.authInfo.clientId;
+      if (authStore.authInfo.subject)
+        sessionIdentity.subject = authStore.authInfo.subject;
+    }
+    if (sessionStore && providedSessionId && !sessionStore.isValidForIdentity(providedSessionId, sessionIdentity)) {
+      logger.warning("Session validation failed - invalid or hijacked session", {
         ...transportContext,
-        sessionId: providedSessionId
+        sessionId: providedSessionId,
+        requestTenant: sessionIdentity?.tenantId,
+        requestClient: sessionIdentity?.clientId
       });
       return c.json({ error: "Session not found or expired" }, 404);
     }
     if (sessionStore) {
-      sessionStore.getOrCreate(sessionId);
+      sessionStore.getOrCreate(sessionId, sessionIdentity);
     }
     const transport = new McpSessionTransport(sessionId);
     const handleRpc = async () => {
@@ -136047,7 +136194,6 @@ var start = async () => {
     }
   }
   await logger.initialize(validatedMcpLogLevel);
-  logger.info(`Logger initialized. Effective MCP logging level: ${validatedMcpLogLevel}.`, requestContextService.createRequestContext({ operation: "LoggerInit" }));
   logger.info(`Storage service initialized with provider: ${config2.storage.providerType}`, requestContextService.createRequestContext({ operation: "StorageInit" }));
   transportManager = container_default.resolve(TransportManagerToken);
   const startupContext = requestContextService.createRequestContext({

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mcp-ts-template",
-  "version": "2.3.8",
+  "version": "2.3.9",
   "mcpName": "io.github.cyanheads/mcp-ts-template",
   "description": "The definitive, production-grade template for building powerful and scalable Model Context Protocol (MCP) servers with TypeScript, featuring built-in observability (OpenTelemetry), declarative tooling, robust error handling, and a modular, DI-driven architecture.",
   "main": "dist/index.js",