ros/n8n-mcp
1
0
Fork 0
mirror of https://github.com/czlonkowski/n8n-mcp.git synced 2026-04-05 09:03:07 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: implement session persistence for v2.19.0 (Phase 1 + Phase 2)

Browse Source 
Phase 1 - Lazy Session Restoration (REQ-1, REQ-2, REQ-8):
- Add onSessionNotFound hook for restoring sessions from external storage
- Implement idempotent session creation to prevent race conditions
- Add session ID validation for security (prevent injection attacks)
- Comprehensive error handling (400/408/500 status codes)
- 13 integration tests covering all scenarios

Phase 2 - Session Management API (REQ-5):
- getActiveSessions(): Get all active session IDs
- getSessionState(sessionId): Get session state for persistence
- getAllSessionStates(): Bulk session state retrieval
- restoreSession(sessionId, context): Manual session restoration
- deleteSession(sessionId): Manual session termination
- 21 unit tests covering all API methods

Benefits:
- Sessions survive container restarts
- Horizontal scaling support (no session stickiness needed)
- Zero-downtime deployments
- 100% backwards compatible

Implementation Details:
- Backend methods in http-server-single-session.ts
- Public API methods in mcp-engine.ts
- SessionState type exported from index.ts
- Synchronous session creation and deletion for reliable testing
- Version updated from 2.18.10 to 2.19.0

Tests: 34 passing (13 integration + 21 unit)
Coverage: Full API coverage with edge cases
Security: Session ID validation prevents SQL/NoSQL injection and path traversal

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
czlonkowski
2025-10-12 17:25:38 +02:00
parent 4566253bdc
commit 1d34ad81d5
14 changed files with 9595 additions and 51 deletions
Download Patch File Download Diff File Expand all files Collapse all files

600
tests/integration/session-persistence.test.ts Normal file
View File

@@ -0,0 +1,600 @@
/**
* Integration tests for session persistence (Phase 1)
*
* Tests the complete session restoration flow end-to-end,
* simulating real-world scenarios like container restarts and multi-tenant usage.
*/
import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest';
import { N8NMCPEngine } from '../../src/mcp-engine';
import { SingleSessionHTTPServer } from '../../src/http-server-single-session';
import { InstanceContext } from '../../src/types/instance-context';
import { SessionRestoreHook, SessionState } from '../../src/types/session-restoration';
import type { Request, Response } from 'express';
// In-memory session storage for testing
const sessionStorage: Map<string, SessionState> = new Map();
/**
* Simulates a backend database for session persistence
*/
class MockSessionStore {
async saveSession(sessionState: SessionState): Promise<void> {
sessionStorage.set(sessionState.sessionId, {
...sessionState,
// Only update lastAccess and expiresAt if not provided
lastAccess: sessionState.lastAccess || new Date(),
expiresAt: sessionState.expiresAt || new Date(Date.now() + 30 * 60 * 1000) // 30 minutes
});
}
async loadSession(sessionId: string): Promise<SessionState | null> {
const session = sessionStorage.get(sessionId);
if (!session) return null;
// Check if expired
if (session.expiresAt < new Date()) {
sessionStorage.delete(sessionId);
return null;
}
// Update last access
session.lastAccess = new Date();
session.expiresAt = new Date(Date.now() + 30 * 60 * 1000);
sessionStorage.set(sessionId, session);
return session;
}
async deleteSession(sessionId: string): Promise<void> {
sessionStorage.delete(sessionId);
}
async cleanExpired(): Promise<number> {
const now = new Date();
let count = 0;
for (const [sessionId, session] of sessionStorage.entries()) {
if (session.expiresAt < now) {
sessionStorage.delete(sessionId);
count++;
}
}
return count;
}
getAllSessions(): Map<string, SessionState> {
return new Map(sessionStorage);
}
clear(): void {
sessionStorage.clear();
}
}
describe('Session Persistence Integration Tests', () => {
const TEST_AUTH_TOKEN = 'integration-test-token-with-32-chars-min-length';
let mockStore: MockSessionStore;
let originalEnv: NodeJS.ProcessEnv;
beforeEach(() => {
// Save and set environment
originalEnv = { ...process.env };
process.env.AUTH_TOKEN = TEST_AUTH_TOKEN;
process.env.PORT = '0';
process.env.NODE_ENV = 'test';
// Clear session storage
mockStore = new MockSessionStore();
mockStore.clear();
});
afterEach(() => {
// Restore environment
process.env = originalEnv;
mockStore.clear();
});
// Helper to create properly mocked Request and Response objects
function createMockReqRes(sessionId?: string, body?: any) {
const req = {
method: 'POST',
path: '/mcp',
url: '/mcp',
originalUrl: '/mcp',
headers: {
'authorization': `Bearer ${TEST_AUTH_TOKEN}`,
...(sessionId && { 'mcp-session-id': sessionId })
} as Record<string, string>,
body: body || {
jsonrpc: '2.0',
method: 'tools/list',
params: {},
id: 1
},
ip: '127.0.0.1',
readable: true,
readableEnded: false,
complete: true,
get: vi.fn((header: string) => req.headers[header.toLowerCase()]),
on: vi.fn((event: string, handler: Function) => {}),
removeListener: vi.fn((event: string, handler: Function) => {})
} as any as Request;
const res = {
status: vi.fn().mockReturnThis(),
json: vi.fn().mockReturnThis(),
setHeader: vi.fn(),
send: vi.fn().mockReturnThis(),
headersSent: false,
finished: false
} as any as Response;
return { req, res };
}
describe('Container Restart Simulation', () => {
it('should restore session after simulated container restart', async () => {
// PHASE 1: Initial session creation
const context: InstanceContext = {
n8nApiUrl: 'https://tenant1.n8n.cloud',
n8nApiKey: 'tenant1-api-key',
instanceId: 'tenant-1'
};
const sessionId = 'instance-tenant-1-abc-550e8400-e29b-41d4-a716-446655440000';
// Simulate session being persisted by the backend
await mockStore.saveSession({
sessionId,
instanceContext: context,
createdAt: new Date(),
lastAccess: new Date(),
expiresAt: new Date(Date.now() + 30 * 60 * 1000)
});
// PHASE 2: Simulate container restart (create new engine)
const restorationHook: SessionRestoreHook = async (sid) => {
const session = await mockStore.loadSession(sid);
return session ? session.instanceContext : null;
};
const engine = new N8NMCPEngine({
onSessionNotFound: restorationHook,
sessionRestorationTimeout: 5000
});
// PHASE 3: Client tries to use old session ID
const { req: mockReq, res: mockRes } = createMockReqRes(sessionId);
// Should successfully restore and process request
await engine.processRequest(mockReq, mockRes, context);
// Session should be restored (not return 400 for unknown session)
expect(mockRes.status).not.toHaveBeenCalledWith(400);
expect(mockRes.status).not.toHaveBeenCalledWith(404);
await engine.shutdown();
});
it('should reject expired sessions after container restart', async () => {
const context: InstanceContext = {
n8nApiUrl: 'https://tenant1.n8n.cloud',
n8nApiKey: 'tenant1-api-key',
instanceId: 'tenant-1'
};
const sessionId = '550e8400-e29b-41d4-a716-446655440000';
// Save session with past expiration
await mockStore.saveSession({
sessionId,
instanceContext: context,
createdAt: new Date(Date.now() - 60 * 60 * 1000), // 1 hour ago
lastAccess: new Date(Date.now() - 45 * 60 * 1000), // 45 minutes ago
expiresAt: new Date(Date.now() - 15 * 60 * 1000) // Expired 15 minutes ago
});
const restorationHook: SessionRestoreHook = async (sid) => {
const session = await mockStore.loadSession(sid);
return session ? session.instanceContext : null;
};
const engine = new N8NMCPEngine({
onSessionNotFound: restorationHook,
sessionRestorationTimeout: 5000
});
const { req: mockReq, res: mockRes } = createMockReqRes(sessionId);
await engine.processRequest(mockReq, mockRes);
// Should reject expired session
expect(mockRes.status).toHaveBeenCalledWith(400);
expect(mockRes.json).toHaveBeenCalledWith(
expect.objectContaining({
error: expect.objectContaining({
message: expect.stringMatching(/session|not found/i)
})
})
);
await engine.shutdown();
});
});
describe('Multi-Tenant Session Restoration', () => {
it('should restore correct instance context for each tenant', async () => {
// Create sessions for multiple tenants
const tenant1Context: InstanceContext = {
n8nApiUrl: 'https://tenant1.n8n.cloud',
n8nApiKey: 'tenant1-key',
instanceId: 'tenant-1'
};
const tenant2Context: InstanceContext = {
n8nApiUrl: 'https://tenant2.n8n.cloud',
n8nApiKey: 'tenant2-key',
instanceId: 'tenant-2'
};
const sessionId1 = 'instance-tenant-1-abc-550e8400-e29b-41d4-a716-446655440000';
const sessionId2 = 'instance-tenant-2-xyz-f47ac10b-58cc-4372-a567-0e02b2c3d479';
await mockStore.saveSession({
sessionId: sessionId1,
instanceContext: tenant1Context,
createdAt: new Date(),
lastAccess: new Date(),
expiresAt: new Date(Date.now() + 30 * 60 * 1000)
});
await mockStore.saveSession({
sessionId: sessionId2,
instanceContext: tenant2Context,
createdAt: new Date(),
lastAccess: new Date(),
expiresAt: new Date(Date.now() + 30 * 60 * 1000)
});
const restorationHook: SessionRestoreHook = async (sid) => {
const session = await mockStore.loadSession(sid);
return session ? session.instanceContext : null;
};
const engine = new N8NMCPEngine({
onSessionNotFound: restorationHook,
sessionRestorationTimeout: 5000
});
// Verify each tenant gets their own context
const session1 = await mockStore.loadSession(sessionId1);
const session2 = await mockStore.loadSession(sessionId2);
expect(session1?.instanceContext.instanceId).toBe('tenant-1');
expect(session1?.instanceContext.n8nApiUrl).toBe('https://tenant1.n8n.cloud');
expect(session2?.instanceContext.instanceId).toBe('tenant-2');
expect(session2?.instanceContext.n8nApiUrl).toBe('https://tenant2.n8n.cloud');
await engine.shutdown();
});
it('should isolate sessions between tenants', async () => {
const tenant1Context: InstanceContext = {
n8nApiUrl: 'https://tenant1.n8n.cloud',
n8nApiKey: 'tenant1-key',
instanceId: 'tenant-1'
};
const sessionId = 'instance-tenant-1-abc-550e8400-e29b-41d4-a716-446655440000';
await mockStore.saveSession({
sessionId,
instanceContext: tenant1Context,
createdAt: new Date(),
lastAccess: new Date(),
expiresAt: new Date(Date.now() + 30 * 60 * 1000)
});
const restorationHook: SessionRestoreHook = async (sid) => {
const session = await mockStore.loadSession(sid);
return session ? session.instanceContext : null;
};
const engine = new N8NMCPEngine({
onSessionNotFound: restorationHook
});
// Tenant 2 tries to use tenant 1's session ID
const wrongSessionId = sessionId; // Tenant 1's ID
const { req: tenant2Request, res: mockRes } = createMockReqRes(wrongSessionId);
// The restoration will succeed (session exists), but the backend
// should implement authorization checks to prevent cross-tenant access
await engine.processRequest(tenant2Request, mockRes);
// Restoration should work (this test verifies the session CAN be restored)
// Authorization is the backend's responsibility
expect(mockRes.status).not.toHaveBeenCalledWith(404);
await engine.shutdown();
});
});
describe('Concurrent Restoration Requests', () => {
it('should handle multiple concurrent restoration requests for same session', async () => {
const context: InstanceContext = {
n8nApiUrl: 'https://test.n8n.cloud',
n8nApiKey: 'test-key',
instanceId: 'test-instance'
};
const sessionId = '550e8400-e29b-41d4-a716-446655440000';
await mockStore.saveSession({
sessionId,
instanceContext: context,
createdAt: new Date(),
lastAccess: new Date(),
expiresAt: new Date(Date.now() + 30 * 60 * 1000)
});
let hookCallCount = 0;
const restorationHook: SessionRestoreHook = async (sid) => {
hookCallCount++;
// Simulate slow database query
await new Promise(resolve => setTimeout(resolve, 50));
const session = await mockStore.loadSession(sid);
return session ? session.instanceContext : null;
};
const engine = new N8NMCPEngine({
onSessionNotFound: restorationHook,
sessionRestorationTimeout: 5000
});
// Simulate 5 concurrent requests with same unknown session ID
const requests = Array.from({ length: 5 }, (_, i) => {
const { req: mockReq, res: mockRes } = createMockReqRes(sessionId, {
jsonrpc: '2.0',
method: 'tools/list',
params: {},
id: i + 1
});
return engine.processRequest(mockReq, mockRes, context);
});
// All should complete without error
await Promise.all(requests);
// Hook should be called multiple times (no built-in deduplication)
// This is expected - the idempotent session creation prevents duplicates
expect(hookCallCount).toBeGreaterThan(0);
await engine.shutdown();
});
});
describe('Database Failure Scenarios', () => {
it('should handle database connection failures gracefully', async () => {
const failingHook: SessionRestoreHook = async () => {
throw new Error('Database connection failed');
};
const engine = new N8NMCPEngine({
onSessionNotFound: failingHook,
sessionRestorationTimeout: 5000
});
const { req: mockReq, res: mockRes } = createMockReqRes('550e8400-e29b-41d4-a716-446655440000');
await engine.processRequest(mockReq, mockRes);
// Should return 500 for database errors
expect(mockRes.status).toHaveBeenCalledWith(500);
expect(mockRes.json).toHaveBeenCalledWith(
expect.objectContaining({
error: expect.objectContaining({
message: expect.stringMatching(/restoration failed|error/i)
})
})
);
await engine.shutdown();
});
it('should timeout on slow database queries', async () => {
const slowHook: SessionRestoreHook = async () => {
// Simulate very slow database query
await new Promise(resolve => setTimeout(resolve, 10000));
return {
n8nApiUrl: 'https://test.n8n.cloud',
n8nApiKey: 'test-key',
instanceId: 'test'
};
};
const engine = new N8NMCPEngine({
onSessionNotFound: slowHook,
sessionRestorationTimeout: 100 // 100ms timeout
});
const { req: mockReq, res: mockRes } = createMockReqRes('550e8400-e29b-41d4-a716-446655440000');
await engine.processRequest(mockReq, mockRes);
// Should return 408 for timeout
expect(mockRes.status).toHaveBeenCalledWith(408);
expect(mockRes.json).toHaveBeenCalledWith(
expect.objectContaining({
error: expect.objectContaining({
message: expect.stringMatching(/timeout|timed out/i)
})
})
);
await engine.shutdown();
});
});
describe('Session Metadata Tracking', () => {
it('should track session metadata correctly', async () => {
const context: InstanceContext = {
n8nApiUrl: 'https://test.n8n.cloud',
n8nApiKey: 'test-key',
instanceId: 'test-instance',
metadata: {
userId: 'user-123',
plan: 'premium'
}
};
const sessionId = '550e8400-e29b-41d4-a716-446655440000';
await mockStore.saveSession({
sessionId,
instanceContext: context,
createdAt: new Date(),
lastAccess: new Date(),
expiresAt: new Date(Date.now() + 30 * 60 * 1000),
metadata: {
userAgent: 'test-client/1.0',
ip: '192.168.1.1'
}
});
const session = await mockStore.loadSession(sessionId);
expect(session).toBeDefined();
expect(session?.instanceContext.metadata).toEqual({
userId: 'user-123',
plan: 'premium'
});
expect(session?.metadata).toEqual({
userAgent: 'test-client/1.0',
ip: '192.168.1.1'
});
});
it('should update last access time on restoration', async () => {
const context: InstanceContext = {
n8nApiUrl: 'https://test.n8n.cloud',
n8nApiKey: 'test-key',
instanceId: 'test-instance'
};
const sessionId = '550e8400-e29b-41d4-a716-446655440000';
const originalLastAccess = new Date(Date.now() - 10 * 60 * 1000); // 10 minutes ago
await mockStore.saveSession({
sessionId,
instanceContext: context,
createdAt: new Date(Date.now() - 20 * 60 * 1000),
lastAccess: originalLastAccess,
expiresAt: new Date(Date.now() + 20 * 60 * 1000)
});
// Wait a bit
await new Promise(resolve => setTimeout(resolve, 100));
// Load session (simulates restoration)
const session = await mockStore.loadSession(sessionId);
expect(session).toBeDefined();
expect(session!.lastAccess.getTime()).toBeGreaterThan(originalLastAccess.getTime());
});
});
describe('Session Cleanup', () => {
it('should clean up expired sessions', async () => {
// Add multiple sessions with different expiration times
await mockStore.saveSession({
sessionId: 'session-1',
instanceContext: {
n8nApiUrl: 'https://test.n8n.cloud',
n8nApiKey: 'key1',
instanceId: 'instance-1'
},
createdAt: new Date(Date.now() - 60 * 60 * 1000),
lastAccess: new Date(Date.now() - 45 * 60 * 1000),
expiresAt: new Date(Date.now() - 15 * 60 * 1000) // Expired
});
await mockStore.saveSession({
sessionId: 'session-2',
instanceContext: {
n8nApiUrl: 'https://test.n8n.cloud',
n8nApiKey: 'key2',
instanceId: 'instance-2'
},
createdAt: new Date(),
lastAccess: new Date(),
expiresAt: new Date(Date.now() + 30 * 60 * 1000) // Valid
});
const cleanedCount = await mockStore.cleanExpired();
expect(cleanedCount).toBe(1);
expect(mockStore.getAllSessions().size).toBe(1);
expect(mockStore.getAllSessions().has('session-2')).toBe(true);
expect(mockStore.getAllSessions().has('session-1')).toBe(false);
});
});
describe('Backwards Compatibility', () => {
it('should work without restoration hook (legacy behavior)', async () => {
// Engine without restoration hook should work normally
const engine = new N8NMCPEngine();
const sessionInfo = engine.getSessionInfo();
expect(sessionInfo).toBeDefined();
expect(sessionInfo.active).toBeDefined();
await engine.shutdown();
});
it('should not break existing session creation flow', async () => {
const engine = new N8NMCPEngine({
onSessionNotFound: async () => null
});
// Creating sessions should work normally
const sessionInfo = engine.getSessionInfo();
expect(sessionInfo).toBeDefined();
await engine.shutdown();
});
});
describe('Security Validation', () => {
it('should validate restored context before using it', async () => {
const invalidHook: SessionRestoreHook = async () => {
// Return context with malformed URL (truly invalid)
return {
n8nApiUrl: 'not-a-valid-url',
n8nApiKey: 'test-key',
instanceId: 'test'
} as any;
};
const engine = new N8NMCPEngine({
onSessionNotFound: invalidHook,
sessionRestorationTimeout: 5000
});
const { req: mockReq, res: mockRes } = createMockReqRes('550e8400-e29b-41d4-a716-446655440000');
await engine.processRequest(mockReq, mockRes);
// Should reject invalid context
expect(mockRes.status).toHaveBeenCalledWith(400);
await engine.shutdown();
});
});
});

333
tests/unit/session-management-api.test.ts Normal file
View File

@@ -0,0 +1,333 @@
/**
* Unit tests for Session Management API (Phase 2 - REQ-5)
* Tests the public API methods for session management in v2.19.0
*/
import { describe, it, expect, beforeEach } from 'vitest';
import { N8NMCPEngine } from '../../src/mcp-engine';
import { InstanceContext } from '../../src/types/instance-context';
describe('Session Management API (Phase 2 - REQ-5)', () => {
let engine: N8NMCPEngine;
const testContext: InstanceContext = {
n8nApiUrl: 'https://test.n8n.cloud',
n8nApiKey: 'test-api-key',
instanceId: 'test-instance'
};
beforeEach(() => {
// Set required AUTH_TOKEN environment variable for testing
process.env.AUTH_TOKEN = 'test-token-for-session-management-testing-32chars';
// Create engine with session restoration disabled for these tests
engine = new N8NMCPEngine({
sessionTimeout: 30 * 60 * 1000 // 30 minutes
});
});
describe('getActiveSessions()', () => {
it('should return empty array when no sessions exist', () => {
const sessionIds = engine.getActiveSessions();
expect(sessionIds).toEqual([]);
});
it('should return session IDs after session creation via restoreSession', () => {
// Create session using direct API (not through HTTP request)
const sessionId = 'instance-test-abc123-uuid-session-test-1';
engine.restoreSession(sessionId, testContext);
const sessionIds = engine.getActiveSessions();
expect(sessionIds.length).toBe(1);
expect(sessionIds).toContain(sessionId);
});
it('should return multiple session IDs when multiple sessions exist', () => {
// Create multiple sessions using direct API
const sessions = [
{ id: 'instance-test1-abc123-uuid-session-1', context: { ...testContext, instanceId: 'instance-1' } },
{ id: 'instance-test2-abc123-uuid-session-2', context: { ...testContext, instanceId: 'instance-2' } }
];
sessions.forEach(({ id, context }) => {
engine.restoreSession(id, context);
});
const sessionIds = engine.getActiveSessions();
expect(sessionIds.length).toBe(2);
expect(sessionIds).toContain(sessions[0].id);
expect(sessionIds).toContain(sessions[1].id);
});
});
describe('getSessionState()', () => {
it('should return null for non-existent session', () => {
const state = engine.getSessionState('non-existent-session-id');
expect(state).toBeNull();
});
it('should return session state for existing session', () => {
// Create a session using direct API
const sessionId = 'instance-test-abc123-uuid-session-state-test';
engine.restoreSession(sessionId, testContext);
const state = engine.getSessionState(sessionId);
expect(state).not.toBeNull();
expect(state).toMatchObject({
sessionId: sessionId,
instanceContext: expect.objectContaining({
n8nApiUrl: testContext.n8nApiUrl,
n8nApiKey: testContext.n8nApiKey,
instanceId: testContext.instanceId
}),
createdAt: expect.any(Date),
lastAccess: expect.any(Date),
expiresAt: expect.any(Date)
});
});
it('should include metadata in session state if available', () => {
const contextWithMetadata: InstanceContext = {
...testContext,
metadata: { userId: 'user-123', tier: 'premium' }
};
const sessionId = 'instance-test-abc123-uuid-metadata-test';
engine.restoreSession(sessionId, contextWithMetadata);
const state = engine.getSessionState(sessionId);
expect(state?.metadata).toEqual({ userId: 'user-123', tier: 'premium' });
});
it('should calculate correct expiration time', () => {
const sessionId = 'instance-test-abc123-uuid-expiry-test';
engine.restoreSession(sessionId, testContext);
const state = engine.getSessionState(sessionId);
expect(state).not.toBeNull();
if (state) {
const expectedExpiry = new Date(state.lastAccess.getTime() + 30 * 60 * 1000);
const actualExpiry = state.expiresAt;
// Allow 1 second difference for test timing
expect(Math.abs(actualExpiry.getTime() - expectedExpiry.getTime())).toBeLessThan(1000);
}
});
});
describe('getAllSessionStates()', () => {
it('should return empty array when no sessions exist', () => {
const states = engine.getAllSessionStates();
expect(states).toEqual([]);
});
it('should return all session states', () => {
// Create two sessions using direct API
const session1Id = 'instance-test1-abc123-uuid-all-states-1';
const session2Id = 'instance-test2-abc123-uuid-all-states-2';
engine.restoreSession(session1Id, {
...testContext,
instanceId: 'instance-1'
});
engine.restoreSession(session2Id, {
...testContext,
instanceId: 'instance-2'
});
const states = engine.getAllSessionStates();
expect(states.length).toBe(2);
expect(states[0]).toMatchObject({
sessionId: expect.any(String),
instanceContext: expect.objectContaining({
n8nApiUrl: testContext.n8nApiUrl
}),
createdAt: expect.any(Date),
lastAccess: expect.any(Date),
expiresAt: expect.any(Date)
});
});
it('should filter out sessions without state', () => {
// Create session using direct API
const sessionId = 'instance-test-abc123-uuid-filter-test';
engine.restoreSession(sessionId, testContext);
// Get states
const states = engine.getAllSessionStates();
expect(states.length).toBe(1);
// All returned states should be non-null
states.forEach(state => {
expect(state).not.toBeNull();
});
});
});
describe('restoreSession()', () => {
it('should create a new session with provided ID and context', () => {
const sessionId = 'instance-test-abc123-uuid-test-session-id';
const result = engine.restoreSession(sessionId, testContext);
expect(result).toBe(true);
expect(engine.getActiveSessions()).toContain(sessionId);
});
it('should be idempotent - return true for existing session', () => {
const sessionId = 'instance-test-abc123-uuid-test-session-id2';
// First restoration
const result1 = engine.restoreSession(sessionId, testContext);
expect(result1).toBe(true);
// Second restoration with same ID
const result2 = engine.restoreSession(sessionId, testContext);
expect(result2).toBe(true);
// Should still only have one session
const sessionIds = engine.getActiveSessions();
expect(sessionIds.filter(id => id === sessionId).length).toBe(1);
});
it('should return false for invalid session ID format', () => {
const invalidSessionIds = [
'short', // Too short (5 chars)
'a'.repeat(101), // Too long (101 chars)
"'; DROP TABLE sessions--", // SQL injection attempt (invalid characters)
'../../../etc/passwd', // Path traversal attempt (invalid characters)
'only-nineteen-chars' // Too short (19 chars, need 20+)
];
invalidSessionIds.forEach(sessionId => {
const result = engine.restoreSession(sessionId, testContext);
expect(result).toBe(false);
});
});
it('should return false for invalid instance context', () => {
const sessionId = 'instance-test-abc123-uuid-test-session-id3';
const invalidContext = {
n8nApiUrl: 'not-a-valid-url', // Invalid URL
n8nApiKey: 'test-key',
instanceId: 'test'
} as any;
const result = engine.restoreSession(sessionId, invalidContext);
expect(result).toBe(false);
});
it('should create session that can be retrieved with getSessionState', () => {
const sessionId = 'instance-test-abc123-uuid-test-session-id4';
engine.restoreSession(sessionId, testContext);
const state = engine.getSessionState(sessionId);
expect(state).not.toBeNull();
expect(state?.sessionId).toBe(sessionId);
expect(state?.instanceContext).toEqual(testContext);
});
});
describe('deleteSession()', () => {
it('should return false for non-existent session', () => {
const result = engine.deleteSession('non-existent-session-id');
expect(result).toBe(false);
});
it('should delete existing session and return true', () => {
// Create a session using direct API
const sessionId = 'instance-test-abc123-uuid-delete-test';
engine.restoreSession(sessionId, testContext);
// Delete the session
const result = engine.deleteSession(sessionId);
expect(result).toBe(true);
// Session should no longer exist
expect(engine.getActiveSessions()).not.toContain(sessionId);
expect(engine.getSessionState(sessionId)).toBeNull();
});
it('should return false when trying to delete already deleted session', () => {
// Create and delete session using direct API
const sessionId = 'instance-test-abc123-uuid-double-delete-test';
engine.restoreSession(sessionId, testContext);
engine.deleteSession(sessionId);
// Try to delete again
const result = engine.deleteSession(sessionId);
expect(result).toBe(false);
});
});
describe('Integration workflows', () => {
it('should support periodic backup workflow', () => {
// Create multiple sessions using direct API
for (let i = 0; i < 3; i++) {
const sessionId = `instance-test${i}-abc123-uuid-backup-${i}`;
engine.restoreSession(sessionId, {
...testContext,
instanceId: `instance-${i}`
});
}
// Simulate periodic backup
const states = engine.getAllSessionStates();
expect(states.length).toBe(3);
// Each state should be serializable
states.forEach(state => {
const serialized = JSON.stringify(state);
expect(serialized).toBeTruthy();
const deserialized = JSON.parse(serialized);
expect(deserialized.sessionId).toBe(state.sessionId);
});
});
it('should support bulk restore workflow', () => {
const sessionData = [
{ sessionId: 'instance-test1-abc123-uuid-bulk-session-1', context: { ...testContext, instanceId: 'user-1' } },
{ sessionId: 'instance-test2-abc123-uuid-bulk-session-2', context: { ...testContext, instanceId: 'user-2' } },
{ sessionId: 'instance-test3-abc123-uuid-bulk-session-3', context: { ...testContext, instanceId: 'user-3' } }
];
// Restore all sessions
for (const { sessionId, context } of sessionData) {
const restored = engine.restoreSession(sessionId, context);
expect(restored).toBe(true);
}
// Verify all sessions exist
const sessionIds = engine.getActiveSessions();
expect(sessionIds.length).toBe(3);
sessionData.forEach(({ sessionId }) => {
expect(sessionIds).toContain(sessionId);
});
});
it('should support session lifecycle workflow (create → get → delete)', () => {
// 1. Create session using direct API
const sessionId = 'instance-test-abc123-uuid-lifecycle-test';
engine.restoreSession(sessionId, testContext);
// 2. Get session state
const state = engine.getSessionState(sessionId);
expect(state).not.toBeNull();
// 3. Simulate saving to database (serialization test)
const serialized = JSON.stringify(state);
expect(serialized).toBeTruthy();
// 4. Delete session
const deleted = engine.deleteSession(sessionId);
expect(deleted).toBe(true);
// 5. Verify deletion
expect(engine.getSessionState(sessionId)).toBeNull();
expect(engine.getActiveSessions()).not.toContain(sessionId);
});
});
});

545
tests/unit/session-restoration.test.ts Normal file
View File

@@ -0,0 +1,545 @@
import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest';
import { SingleSessionHTTPServer } from '../../src/http-server-single-session';
import { InstanceContext } from '../../src/types/instance-context';
import { SessionRestoreHook } from '../../src/types/session-restoration';
// Mock dependencies
vi.mock('../../src/utils/logger', () => ({
logger: {
info: vi.fn(),
error: vi.fn(),
warn: vi.fn(),
debug: vi.fn()
}
}));
vi.mock('dotenv');
// Mock UUID generation to make tests predictable
vi.mock('uuid', () => ({
v4: vi.fn(() => 'test-session-id-1234-5678-9012-345678901234')
}));
// Mock transport
vi.mock('@modelcontextprotocol/sdk/server/streamableHttp.js', () => ({
StreamableHTTPServerTransport: vi.fn().mockImplementation((options: any) => {
const mockTransport = {
handleRequest: vi.fn().mockImplementation(async (req: any, res: any, body?: any) => {
if (body && body.method === 'initialize') {
res.setHeader('Mcp-Session-Id', mockTransport.sessionId || 'test-session-id');
}
res.status(200).json({
jsonrpc: '2.0',
result: { success: true },
id: body?.id || 1
});
}),
close: vi.fn().mockResolvedValue(undefined),
sessionId: null as string | null,
onclose: null as (() => void) | null
};
if (options?.sessionIdGenerator) {
const sessionId = options.sessionIdGenerator();
mockTransport.sessionId = sessionId;
if (options.onsessioninitialized) {
setTimeout(() => {
options.onsessioninitialized(sessionId);
}, 0);
}
}
return mockTransport;
})
}));
vi.mock('@modelcontextprotocol/sdk/server/sse.js', () => ({
SSEServerTransport: vi.fn().mockImplementation(() => ({
close: vi.fn().mockResolvedValue(undefined)
}))
}));
vi.mock('../../src/mcp/server', () => ({
N8NDocumentationMCPServer: vi.fn().mockImplementation(() => ({
connect: vi.fn().mockResolvedValue(undefined)
}))
}));
const mockConsoleManager = {
wrapOperation: vi.fn().mockImplementation(async (fn: () => Promise<any>) => {
return await fn();
})
};
vi.mock('../../src/utils/console-manager', () => ({
ConsoleManager: vi.fn(() => mockConsoleManager)
}));
vi.mock('../../src/utils/url-detector', () => ({
getStartupBaseUrl: vi.fn((host: string, port: number) => `http://localhost:${port || 3000}`),
formatEndpointUrls: vi.fn((baseUrl: string) => ({
health: `${baseUrl}/health`,
mcp: `${baseUrl}/mcp`
})),
detectBaseUrl: vi.fn((req: any, host: string, port: number) => `http://localhost:${port || 3000}`)
}));
vi.mock('../../src/utils/version', () => ({
PROJECT_VERSION: '2.19.0'
}));
vi.mock('@modelcontextprotocol/sdk/types.js', () => ({
isInitializeRequest: vi.fn((request: any) => {
return request && request.method === 'initialize';
})
}));
// Create handlers storage for Express mock
const mockHandlers: { [key: string]: any[] } = {
get: [],
post: [],
delete: [],
use: []
};
// Mock Express
vi.mock('express', () => {
const mockExpressApp = {
get: vi.fn((path: string, ...handlers: any[]) => {
mockHandlers.get.push({ path, handlers });
return mockExpressApp;
}),
post: vi.fn((path: string, ...handlers: any[]) => {
mockHandlers.post.push({ path, handlers });
return mockExpressApp;
}),
delete: vi.fn((path: string, ...handlers: any[]) => {
mockHandlers.delete.push({ path, handlers });
return mockExpressApp;
}),
use: vi.fn((handler: any) => {
mockHandlers.use.push(handler);
return mockExpressApp;
}),
set: vi.fn(),
listen: vi.fn((port: number, host: string, callback?: () => void) => {
if (callback) callback();
return {
on: vi.fn(),
close: vi.fn((cb: () => void) => cb()),
address: () => ({ port: 3000 })
};
})
};
interface ExpressMock {
(): typeof mockExpressApp;
json(): (req: any, res: any, next: any) => void;
}
const expressMock = vi.fn(() => mockExpressApp) as unknown as ExpressMock;
expressMock.json = vi.fn(() => (req: any, res: any, next: any) => {
req.body = req.body || {};
next();
});
return {
default: expressMock,
Request: {},
Response: {},
NextFunction: {}
};
});
describe('Session Restoration (Phase 1 - REQ-1, REQ-2, REQ-8)', () => {
const originalEnv = process.env;
const TEST_AUTH_TOKEN = 'test-auth-token-with-more-than-32-characters';
let server: SingleSessionHTTPServer;
let consoleLogSpy: any;
let consoleWarnSpy: any;
let consoleErrorSpy: any;
beforeEach(() => {
// Reset environment
process.env = { ...originalEnv };
process.env.AUTH_TOKEN = TEST_AUTH_TOKEN;
process.env.PORT = '0';
process.env.NODE_ENV = 'test';
// Mock console methods
consoleLogSpy = vi.spyOn(console, 'log').mockImplementation(() => {});
consoleWarnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
consoleErrorSpy = vi.spyOn(console, 'error').mockImplementation(() => {});
// Clear all mocks and handlers
vi.clearAllMocks();
mockHandlers.get = [];
mockHandlers.post = [];
mockHandlers.delete = [];
mockHandlers.use = [];
});
afterEach(async () => {
// Restore environment
process.env = originalEnv;
// Restore console methods
consoleLogSpy.mockRestore();
consoleWarnSpy.mockRestore();
consoleErrorSpy.mockRestore();
// Shutdown server if running
if (server) {
await server.shutdown();
server = null as any;
}
});
// Helper functions
function findHandler(method: 'get' | 'post' | 'delete', path: string) {
const routes = mockHandlers[method];
const route = routes.find(r => r.path === path);
return route ? route.handlers[route.handlers.length - 1] : null;
}
function createMockReqRes() {
const headers: { [key: string]: string } = {};
const res = {
status: vi.fn().mockReturnThis(),
json: vi.fn().mockReturnThis(),
send: vi.fn().mockReturnThis(),
setHeader: vi.fn((key: string, value: string) => {
headers[key.toLowerCase()] = value;
}),
sendStatus: vi.fn().mockReturnThis(),
headersSent: false,
finished: false,
statusCode: 200,
getHeader: (key: string) => headers[key.toLowerCase()],
headers
};
const req = {
method: 'POST',
path: '/mcp',
url: '/mcp',
originalUrl: '/mcp',
headers: {} as Record<string, string>,
body: {},
ip: '127.0.0.1',
readable: true,
readableEnded: false,
complete: true,
get: vi.fn((header: string) => (req.headers as Record<string, string>)[header.toLowerCase()])
};
return { req, res };
}
describe('REQ-8: Security-Hardened Session ID Validation', () => {
it('should accept valid UUIDv4 session IDs', () => {
server = new SingleSessionHTTPServer();
const validUUIDs = [
'550e8400-e29b-41d4-a716-446655440000',
'f47ac10b-58cc-4372-a567-0e02b2c3d479',
'a1b2c3d4-e5f6-4789-abcd-1234567890ab'
];
for (const sessionId of validUUIDs) {
expect((server as any).isValidSessionId(sessionId)).toBe(true);
}
});
it('should accept multi-tenant instance session IDs', () => {
server = new SingleSessionHTTPServer();
const multiTenantIds = [
'instance-user123-abc-550e8400-e29b-41d4-a716-446655440000',
'instance-tenant456-xyz-f47ac10b-58cc-4372-a567-0e02b2c3d479'
];
for (const sessionId of multiTenantIds) {
expect((server as any).isValidSessionId(sessionId)).toBe(true);
}
});
it('should reject session IDs with SQL injection patterns', () => {
server = new SingleSessionHTTPServer();
const sqlInjectionIds = [
"'; DROP TABLE sessions; --",
"1' OR '1'='1",
"admin'--",
"1'; DELETE FROM sessions WHERE '1'='1"
];
for (const sessionId of sqlInjectionIds) {
expect((server as any).isValidSessionId(sessionId)).toBe(false);
}
});
it('should reject session IDs with NoSQL injection patterns', () => {
server = new SingleSessionHTTPServer();
const nosqlInjectionIds = [
'{"$ne": null}',
'{"$gt": ""}',
'{$where: "1==1"}',
'[$regex]'
];
for (const sessionId of nosqlInjectionIds) {
expect((server as any).isValidSessionId(sessionId)).toBe(false);
}
});
it('should reject session IDs with path traversal attempts', () => {
server = new SingleSessionHTTPServer();
const pathTraversalIds = [
'../../../etc/passwd',
'..\\..\\..\\windows\\system32',
'session/../admin',
'session/./../../config'
];
for (const sessionId of pathTraversalIds) {
expect((server as any).isValidSessionId(sessionId)).toBe(false);
}
});
it('should reject session IDs that are too short (DoS protection)', () => {
server = new SingleSessionHTTPServer();
const tooShortIds = [
'a',
'ab',
'123',
'12345678901234567' // 17 chars (minimum is 20)
];
for (const sessionId of tooShortIds) {
expect((server as any).isValidSessionId(sessionId)).toBe(false);
}
});
it('should reject session IDs that are too long (DoS protection)', () => {
server = new SingleSessionHTTPServer();
const tooLongId = 'a'.repeat(101); // Maximum is 100 chars
expect((server as any).isValidSessionId(tooLongId)).toBe(false);
});
it('should reject empty or null session IDs', () => {
server = new SingleSessionHTTPServer();
expect((server as any).isValidSessionId('')).toBe(false);
expect((server as any).isValidSessionId(null)).toBe(false);
expect((server as any).isValidSessionId(undefined)).toBe(false);
});
it('should reject session IDs with special characters', () => {
server = new SingleSessionHTTPServer();
const specialCharIds = [
'session<script>alert(1)</script>',
'session!@#$%^&*()',
'session\x00null-byte',
'session\r\nnewline'
];
for (const sessionId of specialCharIds) {
expect((server as any).isValidSessionId(sessionId)).toBe(false);
}
});
});
describe('REQ-2: Idempotent Session Creation', () => {
it('should return same session ID for multiple concurrent createSession calls', async () => {
const mockContext: InstanceContext = {
n8nApiUrl: 'https://test.n8n.cloud',
n8nApiKey: 'test-api-key',
instanceId: 'tenant-123'
};
server = new SingleSessionHTTPServer();
const sessionId = 'instance-tenant123-abc-550e8400-e29b-41d4-a716-446655440000';
// Call createSession multiple times with same session ID
const id1 = (server as any).createSession(mockContext, sessionId);
const id2 = (server as any).createSession(mockContext, sessionId);
const id3 = (server as any).createSession(mockContext, sessionId);
// All calls should return the same session ID (idempotent)
expect(id1).toBe(sessionId);
expect(id2).toBe(sessionId);
expect(id3).toBe(sessionId);
// NOTE: Transport creation is async via callback - tested in integration tests
});
it('should skip session creation if session already exists', async () => {
const mockContext: InstanceContext = {
n8nApiUrl: 'https://test.n8n.cloud',
n8nApiKey: 'test-api-key',
instanceId: 'tenant-123'
};
server = new SingleSessionHTTPServer();
const sessionId = '550e8400-e29b-41d4-a716-446655440000';
// Create session first time
(server as any).createSession(mockContext, sessionId);
const transport1 = (server as any).transports[sessionId];
// Try to create again
(server as any).createSession(mockContext, sessionId);
const transport2 = (server as any).transports[sessionId];
// Should be the same transport instance
expect(transport1).toBe(transport2);
});
it('should validate session ID format when provided externally', async () => {
const mockContext: InstanceContext = {
n8nApiUrl: 'https://test.n8n.cloud',
n8nApiKey: 'test-api-key',
instanceId: 'tenant-123'
};
server = new SingleSessionHTTPServer();
const invalidSessionId = "'; DROP TABLE sessions; --";
expect(() => {
(server as any).createSession(mockContext, invalidSessionId);
}).toThrow('Invalid session ID format');
});
});
describe('REQ-1: Session Restoration Hook Configuration', () => {
it('should store restoration hook when provided', () => {
const mockHook: SessionRestoreHook = vi.fn().mockResolvedValue({
n8nApiUrl: 'https://test.n8n.cloud',
n8nApiKey: 'test-api-key',
instanceId: 'tenant-123'
});
server = new SingleSessionHTTPServer({
onSessionNotFound: mockHook,
sessionRestorationTimeout: 5000
});
// Verify hook is stored
expect((server as any).onSessionNotFound).toBe(mockHook);
expect((server as any).sessionRestorationTimeout).toBe(5000);
});
it('should work without restoration hook (backward compatible)', () => {
server = new SingleSessionHTTPServer();
// Verify hook is not configured
expect((server as any).onSessionNotFound).toBeUndefined();
});
// NOTE: Full restoration flow tests (success, failure, timeout, validation)
// are in tests/integration/session-persistence.test.ts which tests the complete
// end-to-end flow with real HTTP requests
});
describe('Backwards Compatibility', () => {
it('should use default timeout when not specified', () => {
server = new SingleSessionHTTPServer({
onSessionNotFound: vi.fn()
});
expect((server as any).sessionRestorationTimeout).toBe(5000);
});
it('should use custom timeout when specified', () => {
server = new SingleSessionHTTPServer({
onSessionNotFound: vi.fn(),
sessionRestorationTimeout: 10000
});
expect((server as any).sessionRestorationTimeout).toBe(10000);
});
it('should work without any restoration options', () => {
server = new SingleSessionHTTPServer();
expect((server as any).onSessionNotFound).toBeUndefined();
expect((server as any).sessionRestorationTimeout).toBe(5000);
});
});
describe('Timeout Utility Method', () => {
it('should reject after specified timeout', async () => {
server = new SingleSessionHTTPServer();
const timeoutPromise = (server as any).timeout(100);
await expect(timeoutPromise).rejects.toThrow('Operation timed out after 100ms');
});
it('should create TimeoutError', async () => {
server = new SingleSessionHTTPServer();
try {
await (server as any).timeout(50);
expect.fail('Should have thrown TimeoutError');
} catch (error: any) {
expect(error.name).toBe('TimeoutError');
expect(error.message).toContain('timed out');
}
});
});
describe('Session ID Generation', () => {
it('should generate valid session IDs', () => {
// Set environment for multi-tenant mode
process.env.ENABLE_MULTI_TENANT = 'true';
process.env.MULTI_TENANT_SESSION_STRATEGY = 'instance';
server = new SingleSessionHTTPServer();
const context: InstanceContext = {
n8nApiUrl: 'https://test.n8n.cloud',
n8nApiKey: 'test-api-key',
instanceId: 'tenant-123'
};
const sessionId = (server as any).generateSessionId(context);
// Should generate instance-prefixed ID in multi-tenant mode
expect(sessionId).toContain('instance-');
expect((server as any).isValidSessionId(sessionId)).toBe(true);
// Clean up env
delete process.env.ENABLE_MULTI_TENANT;
delete process.env.MULTI_TENANT_SESSION_STRATEGY;
});
it('should generate standard UUIDs when not in multi-tenant mode', () => {
// Ensure multi-tenant mode is disabled
delete process.env.ENABLE_MULTI_TENANT;
server = new SingleSessionHTTPServer();
const sessionId = (server as any).generateSessionId();
// Should be a UUID format (mocked in tests but should be non-empty string with hyphens)
expect(sessionId).toBeTruthy();
expect(typeof sessionId).toBe('string');
expect(sessionId.length).toBeGreaterThan(20); // At minimum should be longer than minimum session ID length
expect(sessionId).toContain('-');
// NOTE: In tests, UUID is mocked so it may not pass strict validation
// In production, generateSessionId uses real uuid.v4() which generates valid UUIDs
});
});
});