ros/n8n-mcp
1
0
Fork 0
mirror of https://github.com/czlonkowski/n8n-mcp.git synced 2026-02-06 05:23:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: implement multi-tenant support with dynamic tool registration

Browse Source 
Implements comprehensive multi-tenant support to fix n8n API tools not being dynamically registered when instance context is provided via headers. Includes critical security and performance improvements identified during code review.

Changes:
- Add ENABLE_MULTI_TENANT configuration option for dynamic instance support
- Fix tool registration to check instance context in addition to env vars
- Implement session isolation strategies (instance-based and shared)
- Add validation for instance context creation from headers
- Enhance security logging with sanitized sensitive data
- Add locking mechanism to prevent race conditions in session switches
- Improve URL validation to handle edge cases (localhost, IPs, ports)
- Include configuration hash in session IDs to prevent collisions
- Add type-safe header extraction with MultiTenantHeaders interface
- Add comprehensive test scripts for multi-tenant scenarios

Fixes issue where "Method not found" errors occurred in multi-tenant deployments because n8n API tools weren't being registered dynamically based on instance context.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
czlonkowski
2025-09-20 01:13:02 +02:00
parent 424f8ae1ff
commit f237fad1e8
6 changed files with 494 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

168
src/http-server-single-session.ts
View File

@@ -15,19 +15,28 @@ import dotenv from 'dotenv';
import { getStartupBaseUrl, formatEndpointUrls, detectBaseUrl } from './utils/url-detector';
import { PROJECT_VERSION } from './utils/version';
import { v4 as uuidv4 } from 'uuid';
import { createHash } from 'crypto';
import { isInitializeRequest } from '@modelcontextprotocol/sdk/types.js';
import {
negotiateProtocolVersion,
logProtocolNegotiation,
STANDARD_PROTOCOL_VERSION
} from './utils/protocol-version';
import { InstanceContext } from './types/instance-context';
import { InstanceContext, validateInstanceContext } from './types/instance-context';
dotenv.config();
// Protocol version constant - will be negotiated per client
const DEFAULT_PROTOCOL_VERSION = STANDARD_PROTOCOL_VERSION;
// Type-safe headers interface for multi-tenant support
interface MultiTenantHeaders {
'x-n8n-url'?: string;
'x-n8n-key'?: string;
'x-instance-id'?: string;
'x-session-id'?: string;
}
// Session management constants
const MAX_SESSIONS = 100;
const SESSION_CLEANUP_INTERVAL = 5 * 60 * 1000; // 5 minutes
@@ -48,12 +57,25 @@ interface SessionMetrics {
lastCleanup: Date;
}
/**
* Extract multi-tenant headers in a type-safe manner
*/
function extractMultiTenantHeaders(req: express.Request): MultiTenantHeaders {
return {
'x-n8n-url': req.headers['x-n8n-url'] as string | undefined,
'x-n8n-key': req.headers['x-n8n-key'] as string | undefined,
'x-instance-id': req.headers['x-instance-id'] as string | undefined,
'x-session-id': req.headers['x-session-id'] as string | undefined,
};
}
export class SingleSessionHTTPServer {
// Map to store transports by session ID (following SDK pattern)
private transports: { [sessionId: string]: StreamableHTTPServerTransport } = {};
private servers: { [sessionId: string]: N8NDocumentationMCPServer } = {};
private sessionMetadata: { [sessionId: string]: { lastAccess: Date; createdAt: Date } } = {};
private sessionContexts: { [sessionId: string]: InstanceContext | undefined } = {};
private contextSwitchLocks: Map<string, Promise<void>> = new Map();
private session: Session | null = null; // Keep for SSE compatibility
private consoleManager = new ConsoleManager();
private expressServer: any;
@@ -213,7 +235,55 @@ export class SingleSessionHTTPServer {
this.sessionMetadata[sessionId].lastAccess = new Date();
}
}
/**
* Switch session context with locking to prevent race conditions
*/
private async switchSessionContext(sessionId: string, newContext: InstanceContext): Promise<void> {
// Check if there's already a switch in progress for this session
const existingLock = this.contextSwitchLocks.get(sessionId);
if (existingLock) {
// Wait for the existing switch to complete
await existingLock;
return;
}
// Create a promise for this switch operation
const switchPromise = this.performContextSwitch(sessionId, newContext);
this.contextSwitchLocks.set(sessionId, switchPromise);
try {
await switchPromise;
} finally {
// Clean up the lock after completion
this.contextSwitchLocks.delete(sessionId);
}
}
/**
* Perform the actual context switch
*/
private async performContextSwitch(sessionId: string, newContext: InstanceContext): Promise<void> {
const existingContext = this.sessionContexts[sessionId];
// Only switch if the context has actually changed
if (JSON.stringify(existingContext) !== JSON.stringify(newContext)) {
logger.info('Multi-tenant shared mode: Updating instance context for session', {
sessionId,
oldInstanceId: existingContext?.instanceId,
newInstanceId: newContext.instanceId
});
// Update the session context
this.sessionContexts[sessionId] = newContext;
// Update the MCP server's instance context if it exists
if (this.servers[sessionId]) {
(this.servers[sessionId] as any).instanceContext = newContext;
}
}
}
/**
* Get session metrics for monitoring
*/
@@ -367,8 +437,35 @@ export class SingleSessionHTTPServer {
// For initialize requests: always create new transport and server
logger.info('handleRequest: Creating new transport for initialize request');
// Use client-provided session ID or generate one if not provided
const sessionIdToUse = sessionId || uuidv4();
// Generate session ID based on multi-tenant configuration
let sessionIdToUse: string;
const isMultiTenantEnabled = process.env.ENABLE_MULTI_TENANT === 'true';
const sessionStrategy = process.env.MULTI_TENANT_SESSION_STRATEGY || 'instance';
if (isMultiTenantEnabled && sessionStrategy === 'instance' && instanceContext?.instanceId) {
// In multi-tenant mode with instance strategy, create session per instance
// This ensures each tenant gets isolated sessions
// Include configuration hash to prevent collisions with different configs
const configHash = createHash('sha256')
.update(JSON.stringify({
url: instanceContext.n8nApiUrl,
instanceId: instanceContext.instanceId
}))
.digest('hex')
.substring(0, 8);
sessionIdToUse = `instance-${instanceContext.instanceId}-${configHash}-${uuidv4()}`;
logger.info('Multi-tenant mode: Creating instance-specific session', {
instanceId: instanceContext.instanceId,
configHash,
sessionId: sessionIdToUse
});
} else {
// Use client-provided session ID or generate a standard one
sessionIdToUse = sessionId || uuidv4();
}
const server = new N8NDocumentationMCPServer(instanceContext);
transport = new StreamableHTTPServerTransport({
@@ -432,7 +529,16 @@ export class SingleSessionHTTPServer {
// For non-initialize requests: reuse existing transport for this session
logger.info('handleRequest: Reusing existing transport for session', { sessionId });
transport = this.transports[sessionId];
// In multi-tenant shared mode, update instance context if provided
const isMultiTenantEnabled = process.env.ENABLE_MULTI_TENANT === 'true';
const sessionStrategy = process.env.MULTI_TENANT_SESSION_STRATEGY || 'instance';
if (isMultiTenantEnabled && sessionStrategy === 'shared' && instanceContext) {
// Update the context for this session with locking to prevent race conditions
await this.switchSessionContext(sessionId, instanceContext);
}
// Update session access time
this.updateSessionAccess(sessionId);
@@ -1001,25 +1107,53 @@ export class SingleSessionHTTPServer {
});
// Extract instance context from headers if present (for multi-tenant support)
const instanceContext: InstanceContext | undefined =
(req.headers['x-n8n-url'] || req.headers['x-n8n-key']) ? {
n8nApiUrl: req.headers['x-n8n-url'] as string,
n8nApiKey: req.headers['x-n8n-key'] as string,
instanceId: req.headers['x-instance-id'] as string,
sessionId: req.headers['x-session-id'] as string,
metadata: {
userAgent: req.headers['user-agent'],
const instanceContext: InstanceContext | undefined = (() => {
// Use type-safe header extraction
const headers = extractMultiTenantHeaders(req);
const hasUrl = headers['x-n8n-url'];
const hasKey = headers['x-n8n-key'];
if (!hasUrl && !hasKey) return undefined;
// Create context with proper type handling
const context: InstanceContext = {
n8nApiUrl: hasUrl || undefined,
n8nApiKey: hasKey || undefined,
instanceId: headers['x-instance-id'] || undefined,
sessionId: headers['x-session-id'] || undefined
};
// Add metadata if available
if (req.headers['user-agent'] || req.ip) {
context.metadata = {
userAgent: req.headers['user-agent'] as string | undefined,
ip: req.ip
}
} : undefined;
};
}
// Validate the context
const validation = validateInstanceContext(context);
if (!validation.valid) {
logger.warn('Invalid instance context from headers', {
errors: validation.errors,
hasUrl: !!hasUrl,
hasKey: !!hasKey
});
return undefined;
}
return context;
})();
// Log context extraction for debugging (only if context exists)
if (instanceContext) {
// Use sanitized logging for security
logger.debug('Instance context extracted from headers', {
hasUrl: !!instanceContext.n8nApiUrl,
hasKey: !!instanceContext.n8nApiKey,
instanceId: instanceContext.instanceId,
sessionId: instanceContext.sessionId
instanceId: instanceContext.instanceId ? instanceContext.instanceId.substring(0, 8) + '...' : undefined,
sessionId: instanceContext.sessionId ? instanceContext.sessionId.substring(0, 8) + '...' : undefined,
urlDomain: instanceContext.n8nApiUrl ? new URL(instanceContext.n8nApiUrl).hostname : undefined
});
}