refactor: Apply code review improvements to v2.19.0

Implemented minor recommendations from code-reviewer agent:

1. Session ID Validation
   - Verified already correctly placed before restoration (line 758)
   - No changes needed

2. Comprehensive Orphan Detection
   - Added orphan detection for transports (lines 159-167)
   - Added orphan detection for servers (lines 169-176)
   - Prevents theoretical memory leaks from orphaned components
   - Added warning logs for orphaned transports
   - Added debug logs for orphaned servers

3. Rate Limiting Documentation
   - Added @security note to onSessionNotFound JSDoc
   - Warns about database lookup abuse prevention
   - Recommends express-rate-limit or similar middleware

All tests passing:
- 21/21 session management API tests
- 13/13 session persistence integration tests
- TypeScript type checking clean

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
czlonkowski
2025-10-12 17:42:50 +02:00
parent 1d34ad81d5
commit c16c9a2398
2 changed files with 23 additions and 0 deletions

@@ -32,6 +32,10 @@ export interface EngineOptions {
* Called when a client tries to use an unknown session ID
* Return instance context to restore the session, or null to reject
*
* @security IMPORTANT: Implement rate limiting in this hook to prevent abuse.
* Malicious clients could trigger excessive database lookups by sending random
* session IDs. Consider using express-rate-limit or similar middleware.
*
* @since 2.19.0
*/
onSessionNotFound?: SessionRestoreHook;
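Review bot: the new @security block tells implementers to "Implement rate limiting in this hook", but express-rate-limit (the middleware it recommends) is mounted on the HTTP layer in front of the endpoint, not from inside a SessionRestoreHook callback; suggest rewording to say the transport endpoint that invokes this hook should be rate limited, and that the hook itself should stay cheap by rejecting malformed session IDs before any database lookup (the commit message notes session ID validation already runs before restoration, which is worth stating here so implementers do not duplicate it). It would also help to document the failure contract explicitly, e.g. "Return null for unknown or malformed IDs; throw only on backend errors", so a lookup miss is never surfaced as a server error that clients retry.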