- Added cleanupTimer property to track setInterval timer
- Implemented destroy() method to clear timer and prevent memory leak
- Updated MCP server shutdown to call cache.destroy()
- Enhanced HTTP server error handling with transport.onerror
- Fixed event listener cleanup to prevent accumulation
- Added comprehensive test coverage for memory leak prevention
This fixes the issue where MCP server would lose connection after
several hours due to timer accumulation causing memory exhaustion.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Fix express.json() mocking issue in tests by properly creating express mock
- Update test expectations to match new security-enhanced response format
- Adjust CORS test to include DELETE method added for session management
- All n8n mode tests now passing with security features intact
The server now includes:
- Production token validation with minimum 32 character requirement
- Session limiting (max 100 concurrent sessions)
- Automatic session cleanup every 5 minutes
- Enhanced health endpoint with security and session metrics
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add N8N_MODE environment variable for n8n-specific behavior
- Implement HTTP Streamable transport with multiple session support
- Add protocol version endpoint (GET /mcp) for n8n compatibility
- Support multiple initialize requests for stateless n8n clients
- Add Docker configuration for n8n deployment
- Add test script with persistent volume support
- Add comprehensive unit tests for n8n mode
- Fix session management to handle per-request transport pattern
BREAKING CHANGE: Server now creates new transport for each initialize request
when running in n8n mode to support n8n's stateless client architecture
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add intelligent URL detection supporting BASE_URL, PUBLIC_URL, and proxy headers
- Fix hardcoded localhost URLs in server console output
- Add hostname validation to prevent host header injection attacks
- Restrict URL schemes to http/https only (block javascript:, file://, etc.)
- Remove sensitive environment data from API responses
- Add GET endpoints (/, /mcp) for better API discovery
- Fix version inconsistency between server implementations
- Update HTTP bridge to use HOST/PORT environment variables
- Add comprehensive test scripts for URL configuration and security
This resolves issues #41 and #42 by making the HTTP server properly handle
deployment behind reverse proxies and adds critical security validations.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Added specific error reasons for auth failures: no_auth_header, invalid_auth_format, invalid_token
- Fixed AUTH_TOKEN_FILE support in Docker production stacks (issue #16)
- Added AUTH_TOKEN_FILE support to single-session HTTP server for consistency
- Enhanced security by removing token lengths from logs
- Added token trimming and empty token validation
- Updated Docker entrypoint to properly support AUTH_TOKEN_FILE
- Bumped version to 2.7.10
This improves debugging for mcp-remote authentication issues and enables
proper Docker secrets usage in production environments.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add TRUST_PROXY environment variable to enable proxy header trust
- Configure Express trust proxy in both HTTP server implementations
- Fix issue #19: Docker internal IPs logged instead of real client IPs
- Update documentation with reverse proxy configuration guide
- Add examples for nginx proxy header forwarding
- Maintain backward compatibility (disabled by default)
When TRUST_PROXY=1 is set, the server will correctly log client IPs
from X-Forwarded-For headers instead of proxy/container IPs.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Renamed files to remove unnecessary suffixes:
- tools-update.ts → tools.ts
- server-update.ts → server.ts
- http-server-fixed.ts → http-server.ts
- Created version utility to read from package.json as single source of truth
- Updated all imports across 21+ files
- Removed legacy files:
- src/http-server.ts (legacy HTTP server with known issues)
- src/utils/n8n-client.ts (unused legacy API client)
- Added n8n_diagnostic tool to help troubleshoot management tools visibility
- Added script to sync package.runtime.json version
- Fixed version mismatch issue (was hardcoded 2.4.1, now reads 2.7.0 from package.json)
This addresses GitHub issue #5 regarding version mismatch and provides better diagnostics for users.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Root Cause Analysis:
- Express.json() middleware was consuming request stream before StreamableHTTPServerTransport
- StreamableHTTPServerTransport has initialization issues with stateless usage
Two-Phase Solution:
1. Removed all body parsing middleware to preserve raw streams
2. Created http-server-fixed.ts with direct JSON-RPC implementation
Key Changes:
- Remove express.json() from all HTTP server implementations
- Add http-server-fixed.ts that bypasses StreamableHTTPServerTransport
- Implement initialize, tools/list, and tools/call methods directly
- Add USE_FIXED_HTTP=true environment variable to enable fixed server
- Update logging to not access req.body
The fixed implementation:
- Handles JSON-RPC protocol directly without transport complications
- Maintains full MCP compatibility
- Works reliably without stream or initialization errors
- Provides better performance and debugging capabilities
Usage: MCP_MODE=http USE_FIXED_HTTP=true npm start
This provides a stable, production-ready HTTP server for n8n-MCP.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add ConsoleManager to prevent console output interference with StreamableHTTPServerTransport
- Implement SingleSessionHTTPServer with persistent session reuse
- Create N8NMCPEngine for clean service integration
- Add automatic session expiry after 30 minutes of inactivity
- Update logger to be HTTP-aware during active requests
- Maintain backward compatibility with existing deployments
This fixes the "stream is not readable" error by implementing the Hybrid
Single-Session architecture as documented in MCP_ERROR_FIX_PLAN.md
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
