hono-server updates

KKonstantinov · KKonstantinov · commit aaeff28619a2 · 2025-12-20T15:37:19.000+02:00
diff --git a/packages/server-hono/src/auth/bearerAuth.ts b/packages/server-hono/src/auth/bearerAuth.ts
@@ -0,0 +1,19 @@
+import type { BearerAuthMiddlewareOptions } from '@modelcontextprotocol/server';
+import { requireBearerAuth as requireBearerAuthWeb } from '@modelcontextprotocol/server';
+import type { MiddlewareHandler } from 'hono';
+/**
+ * Hono middleware wrapper for the Web-standard `requireBearerAuth` helper.
+ *
+ * On success, sets `c.set('auth', authInfo)` and calls `next()`.
+ * On failure, returns the JSON error response.
+ */
+export function requireBearerAuth(options: BearerAuthMiddlewareOptions): MiddlewareHandler {
+    return async (c, next) => {
+        const result = await requireBearerAuthWeb(c.req.raw, options);
+        if ('authInfo' in result) {
+            c.set('auth', result.authInfo);
+            return await next();
+        }
+        return result.response;
+    };
+}
diff --git a/packages/server-hono/src/auth/router.ts b/packages/server-hono/src/auth/router.ts
@@ -1,33 +1,61 @@
 import type { AuthMetadataOptions, AuthRoute, AuthRouterOptions } from '@modelcontextprotocol/server';
-import { mcpAuthMetadataRouter as createWebAuthMetadataRouter, mcpAuthRouter as createWebAuthRouter } from '@modelcontextprotocol/server';
-import type { Handler, Hono } from 'hono';
-
-export type RegisterMcpAuthRoutesOptions = AuthRouterOptions;
+import {
+    getParsedBody,
+    mcpAuthMetadataRouter as createWebAuthMetadataRouter,
+    mcpAuthRouter as createWebAuthRouter
+} from '@modelcontextprotocol/server';
+import type { Handler } from 'hono';
+import { Hono } from 'hono';
 
 /**
- * Registers the standard MCP OAuth endpoints on a Hono app.
+ * Hono router adapter for the Web-standard `mcpAuthRouter` from `@modelcontextprotocol/server`.
+ *
+ * IMPORTANT: This router MUST be mounted at the application root.
  *
- * IMPORTANT: These routes MUST be mounted at the application root.
+ * @example
+ * ```ts
+ * app.route('/', mcpAuthRouter(...))
+ * ```
  */
-export function registerMcpAuthRoutes(app: Hono, options: RegisterMcpAuthRoutesOptions): void {
+export function mcpAuthRouter(options: AuthRouterOptions): Hono {
     const web = createWebAuthRouter(options);
-    registerRoutes(app, web.routes);
+    const router = new Hono();
+    registerRoutes(router, web.routes);
+    return router;
 }
 
 /**
- * Registers only the auth metadata endpoints (RFC 8414 + RFC 9728) on a Hono app.
+ * Hono router adapter for the Web-standard `mcpAuthMetadataRouter` from `@modelcontextprotocol/server`.
  *
- * IMPORTANT: These routes MUST be mounted at the application root.
+ * IMPORTANT: This router MUST be mounted at the application root.
  */
-export function registerMcpAuthMetadataRoutes(app: Hono, options: AuthMetadataOptions): void {
+export function mcpAuthMetadataRouter(options: AuthMetadataOptions): Hono {
     const web = createWebAuthMetadataRouter(options);
-    registerRoutes(app, web.routes);
+    const router = new Hono();
+    registerRoutes(router, web.routes);
+    return router;
 }
 
 function registerRoutes(app: Hono, routes: AuthRoute[]): void {
     for (const route of routes) {
-        // Hono's `on()` expects methods like 'GET', 'POST', etc.
-        const handler: Handler = c => route.handler(c.req.raw);
-        app.on(route.methods, route.path, handler);
+        // Use `all()` so unsupported methods still reach the handler and can return 405,
+        // matching the Express adapter behavior.
+        const handler: Handler = async c => {
+            let parsedBody = c.get('parsedBody');
+            if (parsedBody === undefined && c.req.method === 'POST') {
+                // Parse from a clone so we don't consume the original request stream.
+                parsedBody = await getParsedBody(c.req.raw.clone());
+            }
+            return route.handler(c.req.raw, { parsedBody });
+        };
+        app.all(route.path, handler);
     }
 }
+
+export function registerMcpAuthRoutes(app: Hono, options: AuthRouterOptions): void {
+    app.route('/', mcpAuthRouter(options));
+}
+
+export function registerMcpAuthMetadataRoutes(app: Hono, options: AuthMetadataOptions): void {
+    app.route('/', mcpAuthMetadataRouter(options));
+}
diff --git a/packages/server-hono/src/hono.ts b/packages/server-hono/src/hono.ts
@@ -0,0 +1,90 @@
+import type { Context } from 'hono';
+import { Hono } from 'hono';
+
+import { hostHeaderValidation, localhostHostValidation } from './middleware/hostHeaderValidation.js';
+
+/**
+ * Options for creating an MCP Hono application.
+ */
+export interface CreateMcpHonoAppOptions {
+    /**
+     * The hostname to bind to. Defaults to '127.0.0.1'.
+     * When set to '127.0.0.1', 'localhost', or '::1', DNS rebinding protection is automatically enabled.
+     */
+    host?: string;
+
+    /**
+     * List of allowed hostnames for DNS rebinding protection.
+     * If provided, host header validation will be applied using this list.
+     * For IPv6, provide addresses with brackets (e.g., '[::1]').
+     *
+     * This is useful when binding to '0.0.0.0' or '::' but still wanting
+     * to restrict which hostnames are allowed.
+     */
+    allowedHosts?: string[];
+}
+
+/**
+ * Creates a Hono application pre-configured for MCP servers.
+ *
+ * When the host is '127.0.0.1', 'localhost', or '::1' (the default is '127.0.0.1'),
+ * DNS rebinding protection middleware is automatically applied to protect against
+ * DNS rebinding attacks on localhost servers.
+ *
+ * This also installs a small JSON body parsing middleware (similar to `express.json()`)
+ * that stashes the parsed body into `c.set('parsedBody', ...)` when `Content-Type` includes
+ * `application/json`.
+ *
+ * @param options - Configuration options
+ * @returns A configured Hono application
+ */
+export function createMcpHonoApp(options: CreateMcpHonoAppOptions = {}): Hono {
+    const { host = '127.0.0.1', allowedHosts } = options;
+
+    const app = new Hono();
+
+    // Similar to `express.json()`: parse JSON bodies and make them available to MCP adapters via `parsedBody`.
+    app.use('*', async (c: Context, next) => {
+        // If an upstream middleware already set parsedBody, keep it.
+        if (c.get('parsedBody') !== undefined) {
+            return await next();
+        }
+
+        const ct = c.req.header('content-type') ?? '';
+        if (!ct.includes('application/json')) {
+            return await next();
+        }
+
+        try {
+            // Parse from a clone so we don't consume the original request stream.
+            const parsed = await c.req.raw.clone().json();
+            c.set('parsedBody', parsed);
+        } catch {
+            // Mirror express.json() behavior loosely: reject invalid JSON.
+            return c.text('Invalid JSON', 400);
+        }
+
+        return await next();
+    });
+
+    // If allowedHosts is explicitly provided, use that for validation.
+    if (allowedHosts) {
+        app.use('*', hostHeaderValidation(allowedHosts));
+    } else {
+        // Apply DNS rebinding protection automatically for localhost hosts.
+        const localhostHosts = ['127.0.0.1', 'localhost', '::1'];
+        if (localhostHosts.includes(host)) {
+            app.use('*', localhostHostValidation());
+        } else if (host === '0.0.0.0' || host === '::') {
+            // Warn when binding to all interfaces without DNS rebinding protection.
+            // eslint-disable-next-line no-console
+            console.warn(
+                `Warning: Server is binding to ${host} without DNS rebinding protection. ` +
+                    'Consider using the allowedHosts option to restrict allowed hosts, ' +
+                    'or use authentication to protect your server.'
+            );
+        }
+    }
+
+    return app;
+}
diff --git a/packages/server-hono/src/index.ts b/packages/server-hono/src/index.ts
@@ -1,3 +1,5 @@
+export * from './auth/bearerAuth.js';
 export * from './auth/router.js';
+export * from './hono.js';
 export * from './middleware/hostHeaderValidation.js';
 export * from './streamableHttp.js';
diff --git a/packages/server-hono/src/streamableHttp.ts b/packages/server-hono/src/streamableHttp.ts
@@ -1,4 +1,5 @@
 import type { WebStandardStreamableHTTPServerTransport } from '@modelcontextprotocol/server';
+import { getParsedBody } from '@modelcontextprotocol/server';
 import type { Context, Handler } from 'hono';
 
 /**
@@ -10,5 +11,13 @@ import type { Context, Handler } from 'hono';
  * ```
  */
 export function mcpStreamableHttpHandler(transport: WebStandardStreamableHTTPServerTransport): Handler {
-    return (c: Context) => transport.handleRequest(c.req.raw);
+    return async (c: Context) => {
+        let parsedBody = c.get('parsedBody');
+        if (parsedBody === undefined && c.req.method === 'POST') {
+            // Parse from a clone so we don't consume the original request stream.
+            parsedBody = await getParsedBody(c.req.raw.clone());
+        }
+        const authInfo = c.get('auth');
+        return transport.handleRequest(c.req.raw, { authInfo, parsedBody });
+    };
 }
diff --git a/packages/server-hono/test/server-hono.test.ts b/packages/server-hono/test/server-hono.test.ts
