refactor: Apply code review improvements to v2.19.0

Implemented minor recommendations from code-reviewer agent: 1. Session ID Validation - Verified already correctly placed before restoration (line 758) - No changes needed 2. Comprehensive Orphan Detection - Added orphan detection for transports (lines 159-167) - Added orphan detection for servers (lines 169-176) - Prevents theoretical memory leaks from orphaned components - Added warning logs for orphaned transports - Added debug logs for orphaned servers 3. Rate Limiting Documentation - Added @security note to onSessionNotFound JSDoc - Warns about database lookup abuse prevention - Recommends express-rate-limit or similar middleware All tests passing: - ✅ 21/21 session management API tests - ✅ 13/13 session persistence integration tests - ✅ TypeScript type checking clean 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-30 06:22:04 +00:00 · 2025-10-12 17:42:50 +02:00
parent 1d34ad81d5
commit c16c9a2398
2 changed files with 23 additions and 0 deletions
--- a/src/http-server-single-session.ts
+++ b/src/http-server-single-session.ts
@@ -156,6 +156,25 @@ export class SingleSessionHTTPServer {
      }
    }

+    // Check for orphaned transports (transports without metadata)
+    for (const sessionId in this.transports) {
+      if (!this.sessionMetadata[sessionId]) {
+        logger.warn('Orphaned transport detected, cleaning up', { sessionId });
+        this.removeSession(sessionId, 'orphaned_transport').catch(err => {
+          logger.error('Error cleaning orphaned transport', { sessionId, error: err });
+        });
+      }
+    }
+
+    // Check for orphaned servers (servers without metadata)
+    for (const sessionId in this.servers) {
+      if (!this.sessionMetadata[sessionId]) {
+        logger.warn('Orphaned server detected, cleaning up', { sessionId });
+        delete this.servers[sessionId];
+        logger.debug('Cleaned orphaned server', { sessionId });
+      }
+    }
+
    // Remove expired sessions
    for (const sessionId of expiredSessions) {
      this.removeSession(sessionId, 'expired');
--- a/src/mcp-engine.ts
+++ b/src/mcp-engine.ts
@@ -32,6 +32,10 @@ export interface EngineOptions {
   * Called when a client tries to use an unknown session ID
   * Return instance context to restore the session, or null to reject
   *
+   * @security IMPORTANT: Implement rate limiting in this hook to prevent abuse.
+   * Malicious clients could trigger excessive database lookups by sending random
+   * session IDs. Consider using express-rate-limit or similar middleware.
+   *
   * @since 2.19.0
   */
  onSessionNotFound?: SessionRestoreHook;