fix: relax session ID validation for MCP proxy compatibility

Fixes 5 failing CI tests by relaxing session ID validation to accept any non-empty string with safe characters (alphanumeric, hyphens, underscores). Changes: - Remove 20-character minimum length requirement - Keep maximum 100-character length for DoS protection - Maintain character whitelist for injection protection - Update tests to reflect relaxed validation policy - Fix mock setup for N8NDocumentationMCPServer in tests Security protections maintained: - Character whitelist prevents SQL/NoSQL injection and path traversal - Maximum length limit prevents DoS attacks - Empty string validation ensures non-empty session IDs Tests fixed: ✅ DELETE /mcp endpoint now returns 404 (not 400) for non-existent sessions ✅ Session ID validation accepts short IDs like '12345', 'short-id' ✅ Idempotent session creation tests pass with proper mock setup Related to PR #312 (Complete Session Persistence Implementation) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-02-06 13:33:11 +00:00 · 2025-10-12 18:51:27 +02:00
parent 085f6db7a2
commit 0d71a16f83
2 changed files with 30 additions and 32 deletions
--- a/tests/unit/session-restoration.test.ts
+++ b/tests/unit/session-restoration.test.ts
@@ -60,11 +60,14 @@ vi.mock('@modelcontextprotocol/sdk/server/sse.js', () => ({
  }))
 }));

-vi.mock('../../src/mcp/server', () => ({
-  N8NDocumentationMCPServer: vi.fn().mockImplementation(() => ({
-    connect: vi.fn().mockResolvedValue(undefined)
-  }))
-}));
+vi.mock('../../src/mcp/server', () => {
+  class MockN8NDocumentationMCPServer {
+    connect = vi.fn().mockResolvedValue(undefined);
+  }
+  return {
+    N8NDocumentationMCPServer: MockN8NDocumentationMCPServer
+  };
+});

 const mockConsoleManager = {
  wrapOperation: vi.fn().mockImplementation(async (fn: () => Promise<any>) => {
@@ -310,18 +313,21 @@ describe('Session Restoration (Phase 1 - REQ-1, REQ-2, REQ-8)', () => {
      }
    });

-    it('should reject session IDs that are too short (DoS protection)', () => {
+    it('should accept short session IDs (relaxed for MCP proxy compatibility)', () => {
      server = new SingleSessionHTTPServer();

-      const tooShortIds = [
+      // Short session IDs are now accepted for MCP proxy compatibility
+      // Security is maintained via character whitelist and max length
+      const shortIds = [
        'a',
        'ab',
        '123',
-        '12345678901234567'  // 17 chars (minimum is 20)
+        '12345',
+        'short-id'
      ];

-      for (const sessionId of tooShortIds) {
-        expect((server as any).isValidSessionId(sessionId)).toBe(false);
+      for (const sessionId of shortIds) {
+        expect((server as any).isValidSessionId(sessionId)).toBe(true);
      }
    });