session management

ihrpr · ihrpr · commit 27bc01ec4bb6 · 2025-04-21T09:36:24.000+01:00
diff --git a/examples/servers/simple-streamablehttp/mcp_simple_streamablehttp/server.py b/examples/servers/simple-streamablehttp/mcp_simple_streamablehttp/server.py
@@ -1,13 +1,19 @@
 import contextlib
 import logging
+from http import HTTPStatus
 from uuid import uuid4
 
 import anyio
 import click
 import mcp.types as types
 from mcp.server.lowlevel import Server
-from mcp.server.streamableHttp import StreamableHTTPServerTransport
+from mcp.server.streamableHttp import (
+    MCP_SESSION_ID_HEADER,
+    StreamableHTTPServerTransport,
+)
 from starlette.applications import Starlette
+from starlette.requests import Request
+from starlette.responses import Response
 from starlette.routing import Mount
 
 # Configure logging
@@ -116,40 +122,56 @@ async def list_tools() -> list[types.Tool]:
             )
         ]
 
-    # Create a Streamable HTTP transport
-    http_transport = StreamableHTTPServerTransport(
-        mcp_session_id=uuid4().hex,
-    )
-
     # We need to store the server instances between requests
     server_instances = {}
+    # Lock to prevent race conditions when creating new sessions
+    session_creation_lock = anyio.Lock()
 
     # ASGI handler for streamable HTTP connections
     async def handle_streamable_http(scope, receive, send):
-        if http_transport.mcp_session_id in server_instances:
+        request = Request(scope, receive)
+        request_mcp_session_id = request.headers.get(MCP_SESSION_ID_HEADER)
+        if (
+            request_mcp_session_id is not None
+            and request_mcp_session_id in server_instances
+        ):
+            transport = server_instances[request_mcp_session_id]
             logger.debug("Session already exists, handling request directly")
-            await http_transport.handle_request(scope, receive, send)
+            await transport.handle_request(scope, receive, send)
+        elif request_mcp_session_id is None:
+            # try to establish new session
+            logger.debug("Creating new transport")
+            # Use lock to prevent race conditions when creating new sessions
+            async with session_creation_lock:
+                new_session_id = uuid4().hex
+                http_transport = StreamableHTTPServerTransport(
+                    mcp_session_id=new_session_id,
+                )
+                async with http_transport.connect() as streams:
+                    read_stream, write_stream = streams
+
+                    async def run_server():
+                        await app.run(
+                            read_stream,
+                            write_stream,
+                            app.create_initialization_options(),
+                        )
+
+                    if not task_group:
+                        raise RuntimeError("Task group is not initialized")
+
+                    # Store the instance before starting the task to prevent races
+                    server_instances[http_transport.mcp_session_id] = http_transport
+                    task_group.start_soon(run_server)
+
+                    # Handle the HTTP request and return the response
+                    await http_transport.handle_request(scope, receive, send)
         else:
-            # Start new server instance for this session
-            async with http_transport.connect() as streams:
-                read_stream, write_stream = streams
-
-                async def run_server():
-                    await app.run(
-                        read_stream, write_stream, app.create_initialization_options()
-                    )
-
-                if not task_group:
-                    raise RuntimeError("Task group is not initialized")
-
-                task_group.start_soon(run_server)
-
-                # For initialization requests, store the server reference
-                if http_transport.mcp_session_id:
-                    server_instances[http_transport.mcp_session_id] = True
-
-                # Handle the HTTP request and return the response
-                await http_transport.handle_request(scope, receive, send)
+            response = Response(
+                "Bad Request: No valid session ID provided",
+                status_code=HTTPStatus.BAD_REQUEST,
+            )
+            await response(scope, receive, send)
 
     # Create an ASGI application using the transport
     starlette_app = Starlette(
diff --git a/src/mcp/server/streamableHttp.py b/src/mcp/server/streamableHttp.py
@@ -9,6 +9,7 @@
 
 import json
 import logging
+import re
 from collections.abc import AsyncGenerator
 from contextlib import asynccontextmanager
 from http import HTTPStatus
@@ -42,6 +43,10 @@
 CONTENT_TYPE_JSON = "application/json"
 CONTENT_TYPE_SSE = "text/event-stream"
 
+# Session ID validation pattern (visible ASCII characters ranging from 0x21 to 0x7E)
+# Pattern ensures entire string contains only valid characters by using ^ and $ anchors
+SESSION_ID_PATTERN = re.compile(r"^[\x21-\x7E]+$")
+
 
 class StreamableHTTPServerTransport:
     """
@@ -65,8 +70,20 @@ def __init__(
         Initialize a new StreamableHTTP server transport.
 
         Args:
-            mcp_session_id: Optional session identifier for this connection
+            mcp_session_id: Optional session identifier for this connection.
+                            Must contain only visible ASCII characters (0x21-0x7E).
+
+        Raises:
+            ValueError: If the session ID contains invalid characters.
         """
+        if mcp_session_id is not None and (
+            not SESSION_ID_PATTERN.match(mcp_session_id) or 
+            SESSION_ID_PATTERN.fullmatch(mcp_session_id) is None
+        ):
+            raise ValueError(
+                "Session ID must only contain visible ASCII characters (0x21-0x7E)"
+            )
+
         self.mcp_session_id = mcp_session_id
         self._request_streams = {}
 
@@ -439,7 +456,7 @@ async def _handle_delete_request(self, request: Request, send: Send) -> None:
             return
         if not await self._validate_session(request, send):
             return
-        # TODO : Implement session termination logic
+            # TODO : Implement session termination logic
 
     async def _handle_unsupported_request(self, request: Request, send: Send) -> None:
         """
diff --git a/tests/server/test_streamableHttp.py b/tests/server/test_streamableHttp.py
@@ -13,14 +13,14 @@
 import pytest
 import requests
 import uvicorn
-from anyio.streams.memory import MemoryObjectReceiveStream, MemoryObjectSendStream
 from starlette.applications import Starlette
 from starlette.requests import Request
 from starlette.responses import Response
 from starlette.routing import Route
 
 from mcp.server.streamableHttp import (
     MCP_SESSION_ID_HEADER,
+    SESSION_ID_PATTERN,
     StreamableHTTPServerTransport,
 )
 from mcp.types import JSONRPCMessage
@@ -376,3 +376,61 @@ def test_delete_without_session_support(basic_server, server_url):
     response = requests.delete(f"{server_url}/mcp")
     assert response.status_code == 405
     assert "Method Not Allowed" in response.text
+
+
+def test_session_id_pattern():
+    """Test that SESSION_ID_PATTERN correctly validates session IDs."""
+    # Valid session IDs (visible ASCII characters from 0x21 to 0x7E)
+    valid_session_ids = [
+        "test-session-id",
+        "1234567890",
+        "session!@#$%^&*()_+-=[]{}|;:,.<>?/",
+        "~`",
+    ]
+
+    for session_id in valid_session_ids:
+        assert SESSION_ID_PATTERN.match(session_id) is not None
+        # Ensure fullmatch matches too (whole string)
+        assert SESSION_ID_PATTERN.fullmatch(session_id) is not None
+
+    # Invalid session IDs
+    invalid_session_ids = [
+        "",  # Empty string
+        " test",  # Space (0x20)
+        "test\t",  # Tab
+        "test\n",  # Newline
+        "test\r",  # Carriage return
+        "test" + chr(0x7F),  # DEL character
+        "test" + chr(0x80),  # Extended ASCII
+        "test" + chr(0x00),  # Null character
+        "test" + chr(0x20),  # Space (0x20)
+    ]
+
+    for session_id in invalid_session_ids:
+        # For invalid IDs, either match will fail or fullmatch will fail
+        if SESSION_ID_PATTERN.match(session_id) is not None:
+            # If match succeeds, fullmatch should fail (partial match case)
+            assert SESSION_ID_PATTERN.fullmatch(session_id) is None
+
+
+def test_streamable_http_transport_init_validation():
+    """Test that StreamableHTTPServerTransport validates session ID on initialization."""
+    # Valid session ID should initialize without errors
+    valid_transport = StreamableHTTPServerTransport(mcp_session_id="valid-id")
+    assert valid_transport.mcp_session_id == "valid-id"
+
+    # None should be accepted
+    none_transport = StreamableHTTPServerTransport(mcp_session_id=None)
+    assert none_transport.mcp_session_id is None
+
+    # Invalid session ID should raise ValueError
+    with pytest.raises(ValueError) as excinfo:
+        StreamableHTTPServerTransport(mcp_session_id="invalid id with space")
+    assert "Session ID must only contain visible ASCII characters" in str(excinfo.value)
+
+    # Test with control characters
+    with pytest.raises(ValueError):
+        StreamableHTTPServerTransport(mcp_session_id="test\nid")
+
+    with pytest.raises(ValueError):
+        StreamableHTTPServerTransport(mcp_session_id="test\n")
