n8n-mcp

ros/n8n-mcp

Fork 0

mirror of https://github.com/czlonkowski/n8n-mcp.git synced 2026-02-06 05:23:08 +00:00

Commit Graph

Author	SHA1	Message	Date
czlonkowski	0d71a16f83	fix: relax session ID validation for MCP proxy compatibility Fixes 5 failing CI tests by relaxing session ID validation to accept any non-empty string with safe characters (alphanumeric, hyphens, underscores). Changes: - Remove 20-character minimum length requirement - Keep maximum 100-character length for DoS protection - Maintain character whitelist for injection protection - Update tests to reflect relaxed validation policy - Fix mock setup for N8NDocumentationMCPServer in tests Security protections maintained: - Character whitelist prevents SQL/NoSQL injection and path traversal - Maximum length limit prevents DoS attacks - Empty string validation ensures non-empty session IDs Tests fixed: ✅ DELETE /mcp endpoint now returns 404 (not 400) for non-existent sessions ✅ Session ID validation accepts short IDs like '12345', 'short-id' ✅ Idempotent session creation tests pass with proper mock setup Related to PR #312 (Complete Session Persistence Implementation) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-10-12 18:51:27 +02:00
czlonkowski	1d34ad81d5	feat: implement session persistence for v2.19.0 (Phase 1 + Phase 2) Phase 1 - Lazy Session Restoration (REQ-1, REQ-2, REQ-8): - Add onSessionNotFound hook for restoring sessions from external storage - Implement idempotent session creation to prevent race conditions - Add session ID validation for security (prevent injection attacks) - Comprehensive error handling (400/408/500 status codes) - 13 integration tests covering all scenarios Phase 2 - Session Management API (REQ-5): - getActiveSessions(): Get all active session IDs - getSessionState(sessionId): Get session state for persistence - getAllSessionStates(): Bulk session state retrieval - restoreSession(sessionId, context): Manual session restoration - deleteSession(sessionId): Manual session termination - 21 unit tests covering all API methods Benefits: - Sessions survive container restarts - Horizontal scaling support (no session stickiness needed) - Zero-downtime deployments - 100% backwards compatible Implementation Details: - Backend methods in http-server-single-session.ts - Public API methods in mcp-engine.ts - SessionState type exported from index.ts - Synchronous session creation and deletion for reliable testing - Version updated from 2.18.10 to 2.19.0 Tests: 34 passing (13 integration + 21 unit) Coverage: Full API coverage with edge cases Security: Session ID validation prevents SQL/NoSQL injection and path traversal 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-10-12 17:25:38 +02:00

Author

SHA1

Message

Date

czlonkowski

0d71a16f83

fix: relax session ID validation for MCP proxy compatibility

Fixes 5 failing CI tests by relaxing session ID validation to accept
any non-empty string with safe characters (alphanumeric, hyphens, underscores).

Changes:
- Remove 20-character minimum length requirement
- Keep maximum 100-character length for DoS protection
- Maintain character whitelist for injection protection
- Update tests to reflect relaxed validation policy
- Fix mock setup for N8NDocumentationMCPServer in tests

Security protections maintained:
- Character whitelist prevents SQL/NoSQL injection and path traversal
- Maximum length limit prevents DoS attacks
- Empty string validation ensures non-empty session IDs

Tests fixed:
✅ DELETE /mcp endpoint now returns 404 (not 400) for non-existent sessions
✅ Session ID validation accepts short IDs like '12345', 'short-id'
✅ Idempotent session creation tests pass with proper mock setup

Related to PR #312 (Complete Session Persistence Implementation)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

2025-10-12 18:51:27 +02:00

czlonkowski

1d34ad81d5

feat: implement session persistence for v2.19.0 (Phase 1 + Phase 2)

Phase 1 - Lazy Session Restoration (REQ-1, REQ-2, REQ-8):
- Add onSessionNotFound hook for restoring sessions from external storage
- Implement idempotent session creation to prevent race conditions
- Add session ID validation for security (prevent injection attacks)
- Comprehensive error handling (400/408/500 status codes)
- 13 integration tests covering all scenarios

Phase 2 - Session Management API (REQ-5):
- getActiveSessions(): Get all active session IDs
- getSessionState(sessionId): Get session state for persistence
- getAllSessionStates(): Bulk session state retrieval
- restoreSession(sessionId, context): Manual session restoration
- deleteSession(sessionId): Manual session termination
- 21 unit tests covering all API methods

Benefits:
- Sessions survive container restarts
- Horizontal scaling support (no session stickiness needed)
- Zero-downtime deployments
- 100% backwards compatible

Implementation Details:
- Backend methods in http-server-single-session.ts
- Public API methods in mcp-engine.ts
- SessionState type exported from index.ts
- Synchronous session creation and deletion for reliable testing
- Version updated from 2.18.10 to 2.19.0

Tests: 34 passing (13 integration + 21 unit)
Coverage: Full API coverage with edge cases
Security: Session ID validation prevents SQL/NoSQL injection and path traversal

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

2025-10-12 17:25:38 +02:00

2 Commits