Add session configuration for timeouts and per-user limits

Allows configuring session timeout, cleanup interval, and max sessions
per user through the config file instead of hardcoded values.

Author: dgellow

integration/oauth_test.go

@@ -897,7 +897,7 @@ func TestToolAdvertisementWithUserTokens(t *testing.T) {
 		assert.Equal(t, "token_required", errorInfo["code"], "Error code should be token_required")
 
 		errorMessage := errorInfo["message"].(string)
-		assert.Contains(t, errorMessage, "Token Required", "Error should mention token required")
+		assert.Contains(t, errorMessage, "token required", "Error should mention token required")
 		assert.Contains(t, errorMessage, "/my/tokens", "Error should mention token setup URL")
 		assert.Contains(t, errorMessage, "Test Service", "Error should mention service name")
 

internal/client/client.go

@@ -436,7 +436,7 @@ func (c *Client) wrapToolHandler(
 					serverName,
 					setupBaseURL,
 					tokenSetup,
-					"Configuration error: This service requires user tokens but OAuth is not properly configured.",
+					"configuration error: this service requires user tokens but OAuth is not properly configured.",
 				)
 
 				errorJSON, _ := json.Marshal(errorData)
@@ -451,17 +451,17 @@ func (c *Client) wrapToolHandler(
 				var errorMessage string
 				if tokenSetup != nil {
 					errorMessage = fmt.Sprintf(
-						"Token Required: %s requires a user token to access the API. "+
-							"Please visit %s to set up your %s token. %s",
+						"token required: %s requires a user token to access the API. "+
+							"please visit %s to set up your %s token. %s",
 						tokenSetup.DisplayName,
 						tokenSetupURL,
 						tokenSetup.DisplayName,
 						tokenSetup.Instructions,
 					)
 				} else {
 					errorMessage = fmt.Sprintf(
-						"Token Required: This service requires a user token. "+
-							"Please visit %s to configure your token.",
+						"token required: this service requires a user token. "+
+							"please visit %s to configure your token.",
 						tokenSetupURL,
 					)
 				}

internal/config/load.go

@@ -142,6 +142,12 @@ func ValidateConfig(config *Config) error {
 		if config.Proxy.Sessions.Timeout > 0 && config.Proxy.Sessions.CleanupInterval > config.Proxy.Sessions.Timeout {
 			internal.LogWarn("Session cleanup interval is greater than session timeout")
 		}
+		if config.Proxy.Sessions.MaxPerUser < 0 {
+			return fmt.Errorf("proxy.sessions.maxPerUser cannot be negative")
+		}
+		if config.Proxy.Sessions.MaxPerUser == 0 {
+			internal.LogWarn("Session maxPerUser is 0 (unlimited) - this may allow resource exhaustion")
+		}
 	}
 
 	return nil

internal/config/types.go

@@ -116,6 +116,7 @@ type MCPClientConfig struct {
 type SessionConfig struct {
 	Timeout         time.Duration
 	CleanupInterval time.Duration
+	MaxPerUser      int
 }
 
 // AdminConfig represents admin UI configuration

internal/config/unmarshal.go

@@ -181,7 +181,7 @@ func (o *OAuthAuthConfig) UnmarshalJSON(data []byte) error {
 
 	// Validate JWT secret length
 	if len(o.JWTSecret) < 32 {
-		return fmt.Errorf("JWT secret must be at least 32 bytes, got %d", len(o.JWTSecret))
+		return fmt.Errorf("jwt secret must be at least 32 bytes, got %d", len(o.JWTSecret))
 	}
 
 	// Validate encryption key if storage requires it
@@ -351,6 +351,7 @@ func (s *SessionConfig) UnmarshalJSON(data []byte) error {
 	var raw struct {
 		Timeout         string `json:"timeout"`
 		CleanupInterval string `json:"cleanupInterval"`
+		MaxPerUser      *int   `json:"maxPerUser"` // Pointer to detect explicit 0
 	}
 
 	if err := json.Unmarshal(data, &raw); err != nil {
@@ -375,5 +376,10 @@ func (s *SessionConfig) UnmarshalJSON(data []byte) error {
 		s.CleanupInterval = interval
 	}
 
+	// Set MaxPerUser if present (0 is a valid value, means no upper bound)
+	if raw.MaxPerUser != nil {
+		s.MaxPerUser = *raw.MaxPerUser
+	}
+
 	return nil
 }

internal/config/unmarshal_test.go

@@ -289,7 +289,7 @@ func TestOAuthAuthConfig_ValidationErrors(t *testing.T) {
 				"jwtSecret": {"$env": "SHORT_SECRET"}
 			}`,
 			envVars:       map[string]string{"SHORT_SECRET": "too-short"},
-			expectedError: "JWT secret must be at least 32 bytes",
+			expectedError: "jwt secret must be at least 32 bytes",
 		},
 		{
 			name: "user token in oauth field",

internal/inline/handler.go

@@ -37,11 +37,12 @@ func NewHandler(name string, server MCPServer) *Handler {
 
 // ServeHTTP handles HTTP requests for the inline MCP server
 func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	if r.URL.Path == "/sse" || r.URL.Path == "/"+h.name+"/sse" {
+	switch r.URL.Path {
+	case "/sse", "/" + h.name + "/sse":
 		h.handleSSE(w, r)
-	} else if r.URL.Path == "/message" || r.URL.Path == "/"+h.name+"/message" {
+	case "/message", "/" + h.name + "/message":
 		h.handleMessage(w, r)
-	} else {
+	default:
 		jsonwriter.WriteNotFound(w, "Endpoint not found")
 	}
 }

internal/server/mcp_handler.go

@@ -98,7 +98,7 @@ func (h *MCPHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 			})
 			h.handleStreamableGet(ctx, w, r, userEmail, serverConfig)
 		} else {
-			http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
 		}
 	} else {
 		if h.isMessageRequest(r) {
@@ -162,7 +162,7 @@ func (h *MCPHandler) handleSSERequest(ctx context.Context, w http.ResponseWriter
 		internal.LogErrorWithFields("mcp", "No shared SSE server configured for stdio server", map[string]any{
 			"server": h.serverName,
 		})
-		jsonwriter.WriteInternalServerError(w, "Server misconfiguration")
+		jsonwriter.WriteInternalServerError(w, "server misconfiguration")
 		return
 	}
 
@@ -196,7 +196,7 @@ func (h *MCPHandler) handleMessageRequest(ctx context.Context, w http.ResponseWr
 	if isStdioServer(config) {
 		sessionID := r.URL.Query().Get("sessionId")
 		if sessionID == "" {
-			jsonrpc.WriteError(w, nil, jsonrpc.InvalidParams, "Missing sessionId")
+			jsonrpc.WriteError(w, nil, jsonrpc.InvalidParams, "missing sessionId")
 			return
 		}
 
@@ -221,14 +221,14 @@ func (h *MCPHandler) handleMessageRequest(ctx context.Context, w http.ResponseWr
 			})
 			// Per MCP spec: return HTTP 404 Not Found when session is terminated or not found
 			// The response body MAY comprise a JSON-RPC error response
-			jsonrpc.WriteErrorWithStatus(w, nil, jsonrpc.InvalidParams, "Session not found", http.StatusNotFound)
+			jsonrpc.WriteErrorWithStatus(w, nil, jsonrpc.InvalidParams, "session not found", http.StatusNotFound)
 			return
 		}
 		if h.sharedSSEServer == nil {
 			internal.LogErrorWithFields("mcp", "No shared SSE server configured", map[string]any{
 				"sessionID": sessionID,
 			})
-			jsonrpc.WriteError(w, nil, jsonrpc.InternalError, "Server misconfiguration")
+			jsonrpc.WriteError(w, nil, jsonrpc.InternalError, "server misconfiguration")
 			return
 		}
 
@@ -293,7 +293,7 @@ func (h *MCPHandler) forwardMessageToBackend(ctx context.Context, w http.Respons
 			"error":  err.Error(),
 			"server": h.serverName,
 		})
-		jsonrpc.WriteError(w, nil, jsonrpc.InternalError, "Failed to read request")
+		jsonrpc.WriteError(w, nil, jsonrpc.InternalError, "failed to read request")
 		return
 	}
 
@@ -304,7 +304,7 @@ func (h *MCPHandler) forwardMessageToBackend(ctx context.Context, w http.Respons
 			"server": h.serverName,
 			"url":    backendURL,
 		})
-		jsonrpc.WriteError(w, nil, jsonrpc.InternalError, "Failed to create request")
+		jsonrpc.WriteError(w, nil, jsonrpc.InternalError, "failed to create request")
 		return
 	}
 
@@ -336,7 +336,7 @@ func (h *MCPHandler) forwardMessageToBackend(ctx context.Context, w http.Respons
 			"server": h.serverName,
 			"url":    backendURL,
 		})
-		jsonrpc.WriteError(w, nil, jsonrpc.InternalError, "Backend request failed")
+		jsonrpc.WriteError(w, nil, jsonrpc.InternalError, "backend request failed")
 		return
 	}
 	defer resp.Body.Close()

internal/server/mcp_handler_test.go

@@ -289,7 +289,7 @@ func TestForwardMessageToBackend_ErrorCases(t *testing.T) {
 
 		assert.NotNil(t, response.Error)
 		assert.Equal(t, jsonrpc.InternalError, response.Error.Code)
-		assert.Equal(t, "Backend request failed", response.Error.Message)
+		assert.Equal(t, "backend request failed", response.Error.Message)
 	})
 
 	t.Run("backend returns error status", func(t *testing.T) {
@@ -333,7 +333,7 @@ func TestForwardMessageToBackend_ErrorCases(t *testing.T) {
 
 		assert.NotNil(t, response.Error)
 		assert.Equal(t, jsonrpc.InternalError, response.Error.Code)
-		assert.Equal(t, "Failed to read request", response.Error.Message)
+		assert.Equal(t, "failed to read request", response.Error.Message)
 	})
 }
 
@@ -529,7 +529,7 @@ func TestHandleStreamablePost(t *testing.T) {
 
 		assert.NotNil(t, response.Error)
 		assert.Equal(t, jsonrpc.InternalError, response.Error.Code)
-		assert.Equal(t, "Backend request failed", response.Error.Message)
+		assert.Equal(t, "backend request failed", response.Error.Message)
 	})
 }
 

internal/server/streamable_proxy.go

@@ -55,7 +55,7 @@ func forwardStreamablePostToBackend(ctx context.Context, w http.ResponseWriter,
 			"error": err.Error(),
 			"url":   config.URL,
 		})
-		jsonrpc.WriteError(w, nil, jsonrpc.InternalError, "Backend request failed")
+		jsonrpc.WriteError(w, nil, jsonrpc.InternalError, "backend request failed")
 		return
 	}
 	defer resp.Body.Close()