fix: resolve HTTP server URL handling and security issues (#41, #42)

- Add intelligent URL detection supporting BASE_URL, PUBLIC_URL, and proxy headers - Fix hardcoded localhost URLs in server console output - Add hostname validation to prevent host header injection attacks - Restrict URL schemes to http/https only (block javascript:, file://, etc.) - Remove sensitive environment data from API responses - Add GET endpoints (/, /mcp) for better API discovery - Fix version inconsistency between server implementations - Update HTTP bridge to use HOST/PORT environment variables - Add comprehensive test scripts for URL configuration and security This resolves issues #41 and #42 by making the HTTP server properly handle deployment behind reverse proxies and adds critical security validations. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-07-15 16:46:30 +02:00
parent 4c217088f5
commit a0f09fba28
12 changed files with 641 additions and 8 deletions
--- a/src/http-server-single-session.ts
+++ b/src/http-server-single-session.ts
@@ -11,6 +11,8 @@ import { ConsoleManager } from './utils/console-manager';
 import { logger } from './utils/logger';
 import { readFileSync } from 'fs';
 import dotenv from 'dotenv';
+import { getStartupBaseUrl, formatEndpointUrls, detectBaseUrl } from './utils/url-detector';
+import { PROJECT_VERSION } from './utils/version';

 dotenv.config();

@@ -230,12 +232,44 @@ export class SingleSessionHTTPServer {
      next();
    });
    
+    // Root endpoint with API information
+    app.get('/', (req, res) => {
+      const port = parseInt(process.env.PORT || '3000');
+      const host = process.env.HOST || '0.0.0.0';
+      const baseUrl = detectBaseUrl(req, host, port);
+      const endpoints = formatEndpointUrls(baseUrl);
+      
+      res.json({
+        name: 'n8n Documentation MCP Server',
+        version: PROJECT_VERSION,
+        description: 'Model Context Protocol server providing comprehensive n8n node documentation and workflow management',
+        endpoints: {
+          health: {
+            url: endpoints.health,
+            method: 'GET',
+            description: 'Health check and status information'
+          },
+          mcp: {
+            url: endpoints.mcp,
+            method: 'GET/POST',
+            description: 'MCP endpoint - GET for info, POST for JSON-RPC'
+          }
+        },
+        authentication: {
+          type: 'Bearer Token',
+          header: 'Authorization: Bearer <token>',
+          required_for: ['POST /mcp']
+        },
+        documentation: 'https://github.com/czlonkowski/n8n-mcp'
+      });
+    });
+
    // Health check endpoint (no body parsing needed for GET)
    app.get('/health', (req, res) => {
      res.json({ 
        status: 'ok', 
        mode: 'single-session',
-        version: '2.3.2',
+        version: PROJECT_VERSION,
        uptime: Math.floor(process.uptime()),
        sessionActive: !!this.session,
        sessionAge: this.session 
@@ -250,6 +284,35 @@ export class SingleSessionHTTPServer {
      });
    });
    
+    // MCP information endpoint (no auth required for discovery)
+    app.get('/mcp', (req, res) => {
+      res.json({
+        description: 'n8n Documentation MCP Server',
+        version: PROJECT_VERSION,
+        endpoints: {
+          mcp: {
+            method: 'POST',
+            path: '/mcp',
+            description: 'Main MCP JSON-RPC endpoint',
+            authentication: 'Bearer token required'
+          },
+          health: {
+            method: 'GET',
+            path: '/health',
+            description: 'Health check endpoint',
+            authentication: 'None'
+          },
+          root: {
+            method: 'GET',
+            path: '/',
+            description: 'API information',
+            authentication: 'None'
+          }
+        },
+        documentation: 'https://github.com/czlonkowski/n8n-mcp'
+      });
+    });
+
    // Main MCP endpoint with authentication
    app.post('/mcp', async (req: express.Request, res: express.Response): Promise<void> => {
      // Enhanced authentication check with specific logging
@@ -347,10 +410,21 @@ export class SingleSessionHTTPServer {
    
    this.expressServer = app.listen(port, host, () => {
      logger.info(`n8n MCP Single-Session HTTP Server started`, { port, host });
+      
+      // Detect the base URL using our utility
+      const baseUrl = getStartupBaseUrl(host, port);
+      const endpoints = formatEndpointUrls(baseUrl);
+      
      console.log(`n8n MCP Single-Session HTTP Server running on ${host}:${port}`);
-      console.log(`Health check: http://localhost:${port}/health`);
-      console.log(`MCP endpoint: http://localhost:${port}/mcp`);
+      console.log(`Health check: ${endpoints.health}`);
+      console.log(`MCP endpoint: ${endpoints.mcp}`);
      console.log('\nPress Ctrl+C to stop the server');
+      
+      if (process.env.BASE_URL || process.env.PUBLIC_URL) {
+        console.log(`\nPublic URL configured: ${baseUrl}`);
+      } else if (process.env.TRUST_PROXY && Number(process.env.TRUST_PROXY) > 0) {
+        console.log(`\nNote: TRUST_PROXY is enabled. URLs will be auto-detected from proxy headers.`);
+      }
    });
    
    // Handle server errors