aura-manager - fix config parsing, remote deployments use stateful http to be consis… (#178)

* fix config parsing, remote deployments use stateful http to be consistent with previous config

* update unit tests

* update middleware IT to expect stateful behavior

Author: a-s-g93

servers/mcp-neo4j-cloud-aura-api/CHANGELOG.md

@@ -4,6 +4,7 @@
 * f-string bug in utils.py patched for earlier Python versions
 
 ### Changed
+* Use `stateless_http=False` when using `http` or `sse` transport to be consistent with previous configuration
 
 ### Added
 

servers/mcp-neo4j-cloud-aura-api/Dockerfile

@@ -20,10 +20,10 @@ COPY README.md /app/
 RUN pip install --no-cache-dir -e .
 
 # Environment variables for Neo4j Aura API credentials
-ENV NEO4J_AURA_CLIENT_ID=""
-ENV NEO4J_AURA_CLIENT_SECRET=""
+ENV NEO4J_AURA_CLIENT_ID="test-client-id"
+ENV NEO4J_AURA_CLIENT_SECRET="test-client-secret"
 ENV NEO4J_TRANSPORT="stdio"
-ENV NEO4J_MCP_SERVER_HOST="127.0.0.1"
+ENV NEO4J_MCP_SERVER_HOST="0.0.0.0"
 ENV NEO4J_MCP_SERVER_PORT=8000
 ENV NEO4J_MCP_SERVER_PATH="/mcp/"
 ENV NEO4J_MCP_SERVER_ALLOW_ORIGINS=""

servers/mcp-neo4j-cloud-aura-api/src/mcp_neo4j_aura_manager/__init__.py

@@ -5,6 +5,7 @@
 import logging
 import sys 
 
+from .utils import process_config
 
 # Configure logging
 logging.basicConfig(level=logging.INFO, format='%(asctime)s - %(name)s - %(levelname)s - %(message)s')
@@ -35,28 +36,10 @@ def main():
 
     args = parser.parse_args()
 
-    if not args.client_id or not args.client_secret:
-        logger.error("Client ID and Client Secret are required. Provide them as arguments or environment variables.")
-        sys.exit(1)
-    
-    # Parse security arguments
-    allow_origins_str = args.allow_origins or os.getenv("NEO4J_MCP_SERVER_ALLOW_ORIGINS", "")
-    allow_origins = [origin.strip() for origin in allow_origins_str.split(",") if origin.strip()] if allow_origins_str else []
-
-    allowed_hosts_str = args.allowed_hosts or os.getenv("NEO4J_MCP_SERVER_ALLOWED_HOSTS", "localhost,127.0.0.1")
-    allowed_hosts = [host.strip() for host in allowed_hosts_str.split(",") if host.strip()] if allowed_hosts_str else []
+    config = process_config(args)
 
     try:
-        asyncio.run(server.main(
-            args.client_id,
-            args.client_secret,
-            args.transport or os.getenv("NEO4J_TRANSPORT", "stdio"),
-            args.server_host or os.getenv("NEO4J_MCP_SERVER_HOST", "127.0.0.1"),
-            int(args.server_port or os.getenv("NEO4J_MCP_SERVER_PORT", 8000)),
-            args.server_path or os.getenv("NEO4J_MCP_SERVER_PATH", "/mcp/"),
-            allow_origins,
-            allowed_hosts,
-        ))
+        asyncio.run(server.main(**config))
     except KeyboardInterrupt:
         logger.info("Server stopped by user")
     except Exception as e:

servers/mcp-neo4j-cloud-aura-api/src/mcp_neo4j_aura_manager/server.py

@@ -220,7 +220,7 @@ async def main(
                 f"Running Neo4j Aura Manager MCP Server with HTTP transport on {host}:{port}..."
             )
             await mcp.run_http_async(
-                host=host, port=port, path=path, middleware=custom_middleware, stateless_http=True
+                host=host, port=port, path=path, middleware=custom_middleware, stateless_http=False
             )
         case "stdio":
             logger.info("Running Neo4j Aura Manager MCP Server with stdio transport...")
@@ -229,7 +229,7 @@ async def main(
             logger.info(
                 f"Running Neo4j Aura Manager MCP Server with SSE transport on {host}:{port}..."
             )
-            await mcp.run_http_async(host=host, port=port, path=path, middleware=custom_middleware, transport="sse", stateless_http=True)
+            await mcp.run_http_async(host=host, port=port, path=path, middleware=custom_middleware, transport="sse", stateless_http=False)
         case _:
             logger.error(
                 f"Invalid transport: {transport} | Must be either 'stdio', 'sse', or 'http'"

servers/mcp-neo4j-cloud-aura-api/src/mcp_neo4j_aura_manager/utils.py

@@ -323,9 +323,9 @@ def process_config(args: argparse.Namespace) -> dict[str, Union[str, int, None]]
 
     # server configuration
     config["transport"] = parse_transport(args)
-    config["server_host"] = parse_server_host(args, config["transport"])
-    config["server_port"] = parse_server_port(args, config["transport"])
-    config["server_path"] = parse_server_path(args, config["transport"])
+    config["host"] = parse_server_host(args, config["transport"])
+    config["port"] = parse_server_port(args, config["transport"])
+    config["path"] = parse_server_path(args, config["transport"])
 
     # middleware configuration
     config["allow_origins"] = parse_allow_origins(args)

servers/mcp-neo4j-cloud-aura-api/tests/integration/test_http_transport_IT.py

@@ -304,13 +304,30 @@ async def test_cors_preflight_malicious_origin_blocked(self, middleware_test_ser
     async def test_cors_actual_request_no_cors_headers(self, middleware_test_server):
         """Test actual request without Origin header (should work - not CORS)."""
         async with aiohttp.ClientSession() as session:
+            # First, initiate session with the MCP server
             async with session.post(
                 "http://127.0.0.1:8005/mcp/",
-                json={"jsonrpc": "2.0", "id": 1, "method": "tools/list"},
+                json={"jsonrpc": "2.0", "id": 1, "method": "initialize", "params": {"protocolVersion": "2024-11-05", "capabilities": {}}},
                 headers={
                     "Accept": "application/json, text/event-stream",
                     "Content-Type": "application/json",
                 },
+            ) as init_response:
+                # Get session ID from response headers
+                session_id = init_response.headers.get("mcp-session-id")
+
+            # Now make the actual test request with session ID
+            headers = {
+                "Accept": "application/json, text/event-stream",
+                "Content-Type": "application/json",
+            }
+            if session_id:
+                headers["mcp-session-id"] = session_id
+
+            async with session.post(
+                "http://127.0.0.1:8005/mcp/",
+                json={"jsonrpc": "2.0", "id": 1, "method": "tools/list"},
+                headers=headers,
             ) as response:
                 # The server will fail to authenticate with dummy credentials, but that's ok
                 # We just want to test that the middleware allows the request through
@@ -321,14 +338,30 @@ async def test_cors_actual_request_no_cors_headers(self, middleware_test_server)
     async def test_cors_actual_request_with_origin_blocked(self, middleware_test_server):
         """Test actual CORS request with origin header (should work but no CORS headers)."""
         async with aiohttp.ClientSession() as session:
+            # First, initiate session with the MCP server
             async with session.post(
                 "http://127.0.0.1:8005/mcp/",
-                json={"jsonrpc": "2.0", "id": 1, "method": "tools/list"},
+                json={"jsonrpc": "2.0", "id": 1, "method": "initialize", "params": {"protocolVersion": "2024-11-05", "capabilities": {}}},
                 headers={
                     "Accept": "application/json, text/event-stream",
                     "Content-Type": "application/json",
-                    "Origin": "http://localhost:3000",
                 },
+            ) as init_response:
+                session_id = init_response.headers.get("mcp-session-id")
+
+            # Now make the actual test request with session ID and Origin header
+            headers = {
+                "Accept": "application/json, text/event-stream",
+                "Content-Type": "application/json",
+                "Origin": "http://localhost:3000",
+            }
+            if session_id:
+                headers["mcp-session-id"] = session_id
+
+            async with session.post(
+                "http://127.0.0.1:8005/mcp/",
+                json={"jsonrpc": "2.0", "id": 1, "method": "tools/list"},
+                headers=headers,
             ) as response:
                 # Request should still work (server processes it) but no CORS headers
                 assert response.status in [200, 401, 500]  # Any non-CORS error is fine
@@ -340,15 +373,30 @@ async def test_cors_actual_request_with_origin_blocked(self, middleware_test_ser
     async def test_dns_rebinding_protection_trusted_hosts(self, middleware_test_server):
         """Test DNS rebinding protection with TrustedHostMiddleware - allowed hosts."""
         async with aiohttp.ClientSession() as session:
-            # Test with localhost - should be allowed (in default allowed_hosts)
+            # First, initiate session with the MCP server
             async with session.post(
                 "http://127.0.0.1:8005/mcp/",
-                json={"jsonrpc": "2.0", "id": 1, "method": "tools/list"},
+                json={"jsonrpc": "2.0", "id": 1, "method": "initialize", "params": {"protocolVersion": "2024-11-05", "capabilities": {}}},
                 headers={
                     "Accept": "application/json, text/event-stream",
                     "Content-Type": "application/json",
-                    "Host": "localhost:8005",
                 },
+            ) as init_response:
+                session_id = init_response.headers.get("mcp-session-id")
+
+            # Test with localhost - should be allowed (in default allowed_hosts)
+            headers = {
+                "Accept": "application/json, text/event-stream",
+                "Content-Type": "application/json",
+                "Host": "localhost:8005",
+            }
+            if session_id:
+                headers["mcp-session-id"] = session_id
+
+            async with session.post(
+                "http://127.0.0.1:8005/mcp/",
+                json={"jsonrpc": "2.0", "id": 1, "method": "tools/list"},
+                headers=headers,
             ) as response:
                 print(f"Trusted host (localhost) response status: {response.status}")
                 print(f"Trusted host (localhost) response headers: {dict(response.headers)}")

servers/mcp-neo4j-cloud-aura-api/tests/unit/test_utils.py

@@ -552,9 +552,9 @@ def test_process_config_all_provided(self, clean_env, args_factory):
         assert config["client_id"] == "test-client-id"
         assert config["client_secret"] == "test-client-secret"
         assert config["transport"] == "http"
-        assert config["server_host"] == "test-host"
-        assert config["server_port"] == 9000
-        assert config["server_path"] == "/test/"
+        assert config["host"] == "test-host"
+        assert config["port"] == 9000
+        assert config["path"] == "/test/"
         assert config["allow_origins"] == ["http://localhost:3000"]
         assert config["allowed_hosts"] == ["example.com", "www.example.com"]
 
@@ -575,9 +575,9 @@ def test_process_config_env_vars(self, clean_env, args_factory):
         assert config["client_id"] == "env-client-id"
         assert config["client_secret"] == "env-client-secret"
         assert config["transport"] == "sse"
-        assert config["server_host"] == "env-host"
-        assert config["server_port"] == 8080
-        assert config["server_path"] == "/env/"
+        assert config["host"] == "env-host"
+        assert config["port"] == 8080
+        assert config["path"] == "/env/"
         assert config["allow_origins"] == ["http://env.com", "https://env.com"]
         assert config["allowed_hosts"] == ["env.com", "www.env.com"]
 
@@ -593,9 +593,9 @@ def test_process_config_defaults(self, clean_env, args_factory, mock_logger):
         assert config["client_id"] == "test-client-id"
         assert config["client_secret"] == "test-client-secret"
         assert config["transport"] == "stdio"  # default
-        assert config["server_host"] is None  # None for stdio
-        assert config["server_port"] is None  # None for stdio
-        assert config["server_path"] is None  # None for stdio
+        assert config["host"] is None  # None for stdio
+        assert config["port"] is None  # None for stdio
+        assert config["path"] is None  # None for stdio
         assert config["allow_origins"] == []  # default empty
         assert config["allowed_hosts"] == ["localhost", "127.0.0.1"]  # default secure
 
@@ -627,6 +627,6 @@ def test_process_config_transport_scenarios(
         config = process_config(args)
 
         assert config["transport"] == transport
-        assert config["server_host"] == expected_host
-        assert config["server_port"] == expected_port
-        assert config["server_path"] == expected_path
+        assert config["host"] == expected_host
+        assert config["port"] == expected_port
+        assert config["path"] == expected_path