Commit 0f12dae
committed
fix(streamable-http): reject GET/DELETE without session-id before allocating
Before this patch, any request to the stateful streamable_http_manager
without an MCP-Session-Id header entered the "new session" branch and:
1. allocated a StreamableHTTPServerTransport
2. registered it in `_server_instances`
3. spawned a background `run_server` task waiting on `serve_loop` /
`app.run()` for messages that never come
The subsequent transport-level rejection (400 "Missing session ID" for
GET/DELETE, 406 "Not Acceptable" for GET with missing Accept header)
returned the correct HTTP response but did not tear the allocated
session or its task down. The `finally` cleanup in the background task
only fires when the loop completes, and without the (opt-in,
off-by-default) `session_idle_timeout` the task blocks forever.
Under a real deployment we hit this via a Docker healthcheck polling
`GET /mcp` every 30s on a FastMCP-based server: ~2 sessions/min leaked,
~5.3 MiB/day RAM growth, 28 800 accumulated sessions with 0 teardown
events over 10 days.
The fix reorders `_handle_stateful_request` so that:
* security validation runs first (preserves the 421 DNS-rebinding
behaviour tested in test_streamable_http_security_get_request),
* GET and DELETE with no session-id return 400 "Missing session ID"
at the manager layer without touching `_server_instances` and
without spawning any task,
* POST without session-id continues to initialize a new session
exactly as before,
* PUT/PATCH/OPTIONS with no session-id continue to reach the
transport and get the existing 405 "Method Not Allowed".
A regression test asserts both counters (`_server_instances`,
`_task_group._tasks`) stay at zero after 300 bad requests.

1 parent 0e3a604 commit 0f12dae
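To make the ordering problem concrete, here is an added, self-contained model of the two code paths the commit message describes. It is not the SDK's code: `ToySessionManager`, `Request`, `Response`, `_host_allowed` and the counters `server_instances` / `tasks` are invented stand-ins for `_handle_stateful_request`, `_server_instances` and `_task_group._tasks`. The pre-patch ordering allocates a transport and spawns a blocking task for every session-less request and only then lets the transport return 400; the patched ordering runs the host check first, rejects GET/DELETE at the manager layer before allocating, and still lets POST initialize and PUT/PATCH/OPTIONS fall through to the transport's 405.

```python
"""Model of the streamable-HTTP session leak and its fix (illustration only)."""
import asyncio
from dataclasses import dataclass, field

SESSION_HEADER = "mcp-session-id"


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    reason: str = ""


class ToySessionManager:
    """Hypothetical stand-in for the stateful session manager (not the SDK's class)."""

    def __init__(self, reject_before_allocating, allowed_hosts=("localhost",)):
        self.reject_before_allocating = reject_before_allocating  # False = pre-patch order
        self.allowed_hosts = allowed_hosts
        self.server_instances = {}  # stands in for _server_instances
        self.tasks = set()          # stands in for _task_group._tasks
        self._next_id = 0

    def _host_allowed(self, req):
        # DNS-rebinding style check (421); runs first in both orderings.
        return req.headers.get("host", "localhost") in self.allowed_hosts

    async def _run_server(self, session_id):
        # Models run_server: waits for messages that, for a stray GET, never arrive.
        try:
            await asyncio.Event().wait()
        finally:
            # Teardown only fires when the loop ends, so a leaked session never reaches it.
            self.server_instances.pop(session_id, None)

    def _allocate_session(self):
        self._next_id += 1
        sid = "sess-%d" % self._next_id
        self.server_instances[sid] = object()  # the "transport"
        task = asyncio.create_task(self._run_server(sid))
        self.tasks.add(task)
        task.add_done_callback(self.tasks.discard)
        return sid

    @staticmethod
    def _transport_handle(req, has_session):
        # Transport-level rules as stated in the commit message.
        if req.method in ("GET", "DELETE") and not has_session:
            return Response(400, "Missing session ID")
        if req.method == "POST":
            return Response(200, "OK")
        return Response(405, "Method Not Allowed")

    async def handle(self, req):
        if not self._host_allowed(req):
            return Response(421, "Misdirected Request")
        sid = req.headers.get(SESSION_HEADER)
        if sid is None:
            if self.reject_before_allocating and req.method in ("GET", "DELETE"):
                # Patched path: reject at the manager layer; nothing allocated, no task.
                return Response(400, "Missing session ID")
            # Pre-patch path (and POST in both orderings): allocate, then ask the transport.
            self._allocate_session()
            return self._transport_handle(req, has_session=False)
        if sid not in self.server_instances:
            return Response(404, "Session not found")
        return self._transport_handle(req, has_session=True)

    async def shutdown(self):
        pending = list(self.tasks)
        for t in pending:
            t.cancel()
        await asyncio.gather(*pending, return_exceptions=True)


async def _leak_counters(reject_first, n, method):
    mgr = ToySessionManager(reject_before_allocating=reject_first)
    for _ in range(n):
        await mgr.handle(Request(method))  # constructed request with no session header
    await asyncio.sleep(0)  # let any spawned tasks start and block
    counters = (len(mgr.server_instances), len(mgr.tasks))
    await mgr.shutdown()
    return counters


def leak_counters(reject_first, n=300, method="GET"):
    """(live sessions, live tasks) after n session-less requests; the regression check."""
    return asyncio.run(_leak_counters(reject_first, n, method))


async def _status_for(method, headers):
    mgr = ToySessionManager(reject_before_allocating=True)
    resp = await mgr.handle(Request(method, headers or {}))
    live = len(mgr.server_instances)
    await mgr.shutdown()
    return resp.status, live


def status_for(method, headers=None):
    """(HTTP status, live sessions) for one request under the patched ordering."""
    return asyncio.run(_status_for(method, headers))


if __name__ == "__main__":
    print("pre-patch GET x300:", leak_counters(reject_first=False))
    print("patched   GET x300:", leak_counters(reject_first=True))
    print("patched POST:", status_for("POST"))
    print("patched PUT:", status_for("PUT"))
    print("rebinding GET:", status_for("GET", {"host": "evil.example"}))
```

The pre-patch run ends with 300 transports and 300 parked tasks, the patched run with none; the host check still returns 421 before any allocation, POST still creates exactly one session, and PUT reaches the transport's 405. For an operational check on a real deployment, the same two counters are what to watch while a healthcheck hammers `GET /mcp` without a session header.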
2 files changed
Lines changed: 121 additions & 1 deletion
File 1 (file name not captured in this rendering): four hunks around original lines 21-27, 85-90, 229-234 and 262-267, with 1 deletion at original line 24 and additions at new lines 24, 88-96, 241-250 and 284-313. The diff body itself was not captured.
File 2 (file name not captured in this rendering): one hunk around original lines 382-387 with additions at new lines 385-455. The diff body itself was not captured.