Fix SSE clients entering rapid reconnection loops because POST /mcp
never routed messages to SSEServerTransport.handlePostMessage() (#617).
Root cause: SSE sessions were stored in a separate `this.session` property
invisible to the StreamableHTTP POST handler. The POST handler only
checked `this.transports` (StreamableHTTP map), so SSE messages were
never delivered, causing immediate reconnection and rate limiter exhaustion.
Changes:
- Add GET /sse + POST /messages endpoints following the official MCP SDK
backward-compatible server pattern (separate endpoints per transport)
- Store SSE transports in the shared this.transports map with instanceof
guards for type discrimination
- Remove legacy this.session singleton, resetSessionSSE(), and isExpired()
- Extract duplicated auth logic into authenticateRequest() method
- Add Bearer token auth and rate limiting to SSE endpoints
- Add skipSuccessfulRequests to authLimiter to prevent 429 storms
- Mark SSE transport as deprecated (removed in MCP SDK v2.x)
The handleRequest() codepath used by the downstream SaaS backend
(N8NMCPEngine.processRequest()) is unchanged. Session persistence
(exportSessionState/restoreSessionState) is unchanged.
Closes #617
Conceived by Romuald Członkowski - https://www.aiadvisors.pl/en
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
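The reconnect-loop failure mode and the `skipSuccessfulRequests` fix described above, as an added example that is not n8n-mcp's own code: a minimal fixed-window limiter (the counting model express-rate-limit uses by default, reimplemented here without the dependency) driven by a simulated SSE client that reconnects 50 times inside one window. `WindowLimiter`, `handleConnect`, `simulateReconnects`, the token value and the limit of 20 per window are all assumptions made for the simulation.

```typescript
// Added example, not n8n-mcp's code. Fixed-window limiter with the
// skipSuccessfulRequests semantics the commit enables on authLimiter.

interface Bucket { count: number; resetAt: number }

class WindowLimiter {
  private readonly buckets = new Map<string, Bucket>();
  private readonly max: number;                  // hits allowed per window
  private readonly windowMs: number;             // window length in ms
  private readonly skipSuccessfulRequests: boolean;

  constructor(max: number, windowMs: number, skipSuccessfulRequests: boolean) {
    this.max = max;
    this.windowMs = windowMs;
    this.skipSuccessfulRequests = skipSuccessfulRequests;
  }

  // Pre-handler check: true = let the request through, false = respond 429.
  admit(key: string, now: number): boolean {
    const b = this.buckets.get(key);
    if (!b || b.resetAt <= now) {
      this.buckets.set(key, { count: 1, resetAt: now + this.windowMs });
      return true;
    }
    if (b.count >= this.max) return false;
    b.count += 1;
    return true;
  }

  // Post-handler hook: with skipSuccessfulRequests a non-error response
  // refunds its hit, so only failed attempts (bad or missing tokens) consume
  // the budget. Without it every reconnect counts, valid token or not.
  settle(key: string, status: number): void {
    if (!this.skipSuccessfulRequests) return;
    const b = this.buckets.get(key);
    if (b && status < 400 && b.count > 0) b.count -= 1;
  }
}

const VALID_TOKEN = "test-token"; // constructed value for the simulation only

// Stand-in for an authenticated GET /sse handler (assumed, not the project's).
function handleConnect(token: string | undefined): number {
  return token === VALID_TOKEN ? 200 : 401;
}

// Drive `attempts` reconnects from one client IP and tally the outcomes.
function simulateReconnects(
  limiter: WindowLimiter, ip: string, token: string | undefined, attempts: number,
): { ok: number; unauthorized: number; rateLimited: number } {
  const out = { ok: 0, unauthorized: 0, rateLimited: 0 };
  for (let i = 0; i < attempts; i++) {
    const now = i * 10; // 10 ms apart, so all attempts fall inside one window
    if (!limiter.admit(ip, now)) { out.rateLimited += 1; continue; }
    const status = handleConnect(token);
    limiter.settle(ip, status);
    if (status === 200) out.ok += 1; else out.unauthorized += 1;
  }
  return out;
}

function runScenarios() {
  const attempts = 50;
  return {
    // Before the fix: a flapping but correctly authenticated client burns the
    // whole budget and starts receiving 429s (the "429 storm").
    countAll: simulateReconnects(new WindowLimiter(20, 60_000, false), "10.0.0.1", VALID_TOKEN, attempts),
    // After the fix: successful connects are refunded, so it is never limited...
    skipSuccess: simulateReconnects(new WindowLimiter(20, 60_000, true), "10.0.0.1", VALID_TOKEN, attempts),
    // ...while a token-guessing client is still cut off after 20 failures.
    badToken: simulateReconnects(new WindowLimiter(20, 60_000, true), "10.0.0.2", "wrong", attempts),
  };
}
```

The refund happens only after the handler has produced a status, which is why the limiter needs both an admit step and a settle step; applying the refund before the handler would turn the limiter off for everyone.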
- Fix Property 'json' does not exist on express mock type by adding proper interface typing
- Add support for 'delete' method in findHandler function helper
- Add comprehensive test coverage for security features including:
  - Malformed authorization headers
  - Valid auth token handling
  - DELETE endpoint behavior (returns 400 for missing session ID)
  - Server configuration methods
  - Express middleware configuration
  - CORS preflight handling
- All tests now pass with improved coverage for security-related functionality
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Fix express.json() mocking issue in tests by properly creating express mock
- Update test expectations to match new security-enhanced response format
- Adjust CORS test to include DELETE method added for session management
- All n8n mode tests now passing with security features intact
The server now includes:
- Production token validation with minimum 32 character requirement
- Session limiting (max 100 concurrent sessions)
- Automatic session cleanup every 5 minutes
- Enhanced health endpoint with security and session metrics
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
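The three server-side controls listed above (32-character production token, a cap of 100 concurrent sessions, a periodic cleanup sweep), as an added example that is not n8n-mcp's own code. The 32, 100 and 5-minute figures come from the commit message; the 30-minute idle TTL, the function and class names, and the metrics shape are assumptions.

```typescript
// Added example, not n8n-mcp's code. Constants mirror the figures stated in
// the commit message; SESSION_TTL_MS is assumed (only the sweep interval is given).
import { timingSafeEqual } from "node:crypto";

const MIN_TOKEN_LENGTH = 32;
const MAX_SESSIONS = 100;
const SWEEP_INTERVAL_MS = 5 * 60 * 1000;
const SESSION_TTL_MS = 30 * 60 * 1000; // assumed idle timeout

// Fail closed at startup: a short token in production is a misconfiguration,
// not something to discover at the first authenticated request.
function validateConfiguredToken(token: string | undefined, production: boolean): string {
  const t = token?.trim() ?? "";
  if (t.length === 0) throw new Error("AUTH_TOKEN is not set");
  if (production && t.length < MIN_TOKEN_LENGTH) {
    throw new Error(`AUTH_TOKEN must be at least ${MIN_TOKEN_LENGTH} characters in production`);
  }
  return t;
}

// One bearer check shared by every endpoint. Length check first, then a
// constant-time compare so the comparison itself leaks nothing about the token.
function authenticateRequest(authorization: string | undefined, expected: string): boolean {
  const m = /^Bearer\s+(\S+)\s*$/i.exec(authorization ?? "");
  if (!m) return false;
  const enc = new TextEncoder();
  const presented = enc.encode(m[1]);
  const want = enc.encode(expected);
  if (presented.length !== want.length) return false;
  return timingSafeEqual(presented, want);
}

interface Entry<T> { transport: T; lastSeen: number }

// Bounded session table with idle expiry: the cap stops an unauthenticated or
// misbehaving client from growing server memory without limit.
class SessionRegistry<T> {
  private readonly entries = new Map<string, Entry<T>>();
  private readonly max: number;
  private readonly ttlMs: number;

  constructor(max: number = MAX_SESSIONS, ttlMs: number = SESSION_TTL_MS) {
    this.max = max;
    this.ttlMs = ttlMs;
  }

  // false when the id exists or the cap is hit; the caller should then reply
  // with an error rather than silently evicting someone else's session.
  add(id: string, transport: T, now: number): boolean {
    if (this.entries.has(id) || this.entries.size >= this.max) return false;
    this.entries.set(id, { transport, lastSeen: now });
    return true;
  }

  // Lookup also refreshes lastSeen and lazily drops an already-expired entry.
  get(id: string, now: number): T | undefined {
    const e = this.entries.get(id);
    if (!e) return undefined;
    if (now - e.lastSeen > this.ttlMs) { this.entries.delete(id); return undefined; }
    e.lastSeen = now;
    return e.transport;
  }

  remove(id: string): boolean { return this.entries.delete(id); }

  // Periodic sweep, meant to run every SWEEP_INTERVAL_MS; returns evictions.
  sweep(now: number): number {
    let evicted = 0;
    for (const [id, e] of this.entries) {
      if (now - e.lastSeen > this.ttlMs) { this.entries.delete(id); evicted += 1; }
    }
    return evicted;
  }

  get size(): number { return this.entries.size; }
}

// Metrics in the shape a health endpoint could expose (assumed field names).
function sessionMetrics<T>(reg: SessionRegistry<T>) {
  return { activeSessions: reg.size, maxSessions: MAX_SESSIONS, sweepIntervalMs: SWEEP_INTERVAL_MS };
}
```

Checking the length before the constant-time compare is deliberate: `timingSafeEqual` throws on unequal lengths, and the length of the configured token is not a secret worth protecting with a fixed-size compare.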
- Add N8N_MODE environment variable for n8n-specific behavior
- Implement HTTP Streamable transport with multiple session support
- Add protocol version endpoint (GET /mcp) for n8n compatibility
- Support multiple initialize requests for stateless n8n clients
- Add Docker configuration for n8n deployment
- Add test script with persistent volume support
- Add comprehensive unit tests for n8n mode
- Fix session management to handle per-request transport pattern
BREAKING CHANGE: Server now creates new transport for each initialize request
when running in n8n mode to support n8n's stateless client architecture
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>