fix: return 404 instead of 400 for invalid session IDs (#689)

burugo · web-flow · commit 1572bc3dded9 · 2026-01-05T14:11:18.000+03:00
Per MCP specification, invalid/expired session IDs should return
HTTP 404 Not Found so clients can detect and re-initialize sessions.
diff --git a/server/streamable_http.go b/server/streamable_http.go
@@ -345,7 +345,7 @@ func (s *StreamableHTTPServer) handlePost(w http.ResponseWriter, r *http.Request
 		sessionID = r.Header.Get(HeaderKeySessionID)
 		isTerminated, err := sessionIdManager.Validate(sessionID)
 		if err != nil {
-			http.Error(w, "Invalid session ID", http.StatusBadRequest)
+			http.Error(w, "Invalid session ID", http.StatusNotFound)
 			return
 		}
 		if isTerminated {
@@ -734,7 +734,7 @@ func (s *StreamableHTTPServer) handleSamplingResponse(w http.ResponseWriter, r *
 	sessionIdManager := s.sessionIdManagerResolver.ResolveSessionIdManager(r)
 	isTerminated, err := sessionIdManager.Validate(sessionID)
 	if err != nil {
-		http.Error(w, "Invalid session ID", http.StatusBadRequest)
+		http.Error(w, "Invalid session ID", http.StatusNotFound)
 		return err
 	}
 	if isTerminated {
diff --git a/server/streamable_http_test.go b/server/streamable_http_test.go
@@ -255,8 +255,8 @@ func TestStreamableHTTP_POST_SendAndReceive(t *testing.T) {
 		}
 		defer resp.Body.Close()
 
-		if resp.StatusCode != 400 {
-			t.Errorf("Expected status 400, got %d", resp.StatusCode)
+		if resp.StatusCode != http.StatusNotFound {
+			t.Errorf("Expected status 404, got %d", resp.StatusCode)
 		}
 	})
 
@@ -1458,8 +1458,8 @@ func TestStreamableHTTP_SessionValidation(t *testing.T) {
 		}
 		defer resp.Body.Close()
 
-		if resp.StatusCode != http.StatusBadRequest {
-			t.Errorf("Expected status 400, got %d", resp.StatusCode)
+		if resp.StatusCode != http.StatusNotFound {
+			t.Errorf("Expected status 404, got %d", resp.StatusCode)
 		}
 
 		body, _ := io.ReadAll(resp.Body)

Original file line number	Diff line number	Diff line change
`@@ -255,8 +255,8 @@ func TestStreamableHTTP_POST_SendAndReceive(t *testing.T) {`
`255`	`255`	`}`
`256`	`256`	`defer resp.Body.Close()`
`257`	`257`
`258`		`- if resp.StatusCode != 400 {`
`259`		`- t.Errorf("Expected status 400, got %d", resp.StatusCode)`
	`258`	`+ if resp.StatusCode != http.StatusNotFound {`
	`259`	`+ t.Errorf("Expected status 404, got %d", resp.StatusCode)`
`260`	`260`	`}`
`261`	`261`	`})`
`262`	`262`
`@@ -1458,8 +1458,8 @@ func TestStreamableHTTP_SessionValidation(t *testing.T) {`
`1458`	`1458`	`}`
`1459`	`1459`	`defer resp.Body.Close()`
`1460`	`1460`
`1461`		`- if resp.StatusCode != http.StatusBadRequest {`
`1462`		`- t.Errorf("Expected status 400, got %d", resp.StatusCode)`
	`1461`	`+ if resp.StatusCode != http.StatusNotFound {`
	`1462`	`+ t.Errorf("Expected status 404, got %d", resp.StatusCode)`
`1463`	`1463`	`}`
`1464`	`1464`
`1465`	`1465`	`body, _ := io.ReadAll(resp.Body)`