feat: change middleware behaviour

Author: 3nethz

examples/express-mcp-server/src/index.ts

@@ -20,7 +20,7 @@ app.use(mcpAuthServer.router());
 app.use('/api', publicRoutes);
 
 // Protected routes with MCP authentication
-app.use('/api/protected', mcpAuthServer.protect(protectedRoutes));
+app.use('/api/protected', mcpAuthServer.protect(), protectedRoutes);
 
 // Error handling middleware
 app.use((err: Error, req: express.Request, res: express.Response, next: express.NextFunction) => {

examples/express-mcp-vet-ai-assist-app/src/index.ts

@@ -29,7 +29,7 @@ config();
 
 const app: Express = express();
 
-const mcpAuthServer = new McpAuthServer({
+const mcpAuthServer: McpAuthServer = new McpAuthServer({
   baseUrl: process.env.BASE_URL as string,
 });
 
@@ -48,170 +48,167 @@ const SESSION_TIMEOUT_MS: number = 30 * 60 * 1000;
 
 const isSessionExpired = (lastAccessTime: number): boolean => Date.now() - lastAccessTime > SESSION_TIMEOUT_MS;
 
-app.post(
-  '/mcp',
-  mcpAuthServer.protect(async (req: Request, res: Response): Promise<void> => {
-    try {
-      const sessionId: string | undefined = req.headers['mcp-session-id'] as string | undefined;
-      let transport: StreamableHTTPServerTransport;
+app.post('/mcp', mcpAuthServer.protect(), async (req: Request, res: Response): Promise<void> => {
+  try {
+    const sessionId: string | undefined = req.headers['mcp-session-id'] as string | undefined;
+    let transport: StreamableHTTPServerTransport;
 
-      if (sessionId && transports[sessionId]) {
-        if (isSessionExpired(transports[sessionId].lastAccess)) {
-          // eslint-disable-next-line no-console
-          console.log(`Session expired: ${sessionId}`);
-          transports[sessionId].transport.close();
-          delete transports[sessionId];
-
-          res.status(401).json({
-            error: {
-              code: -32000,
-              message: 'Session expired',
-            },
-            id: null,
-            jsonrpc: '2.0',
-          });
-          return;
-        }
+    if (sessionId && transports[sessionId]) {
+      if (isSessionExpired(transports[sessionId].lastAccess)) {
+        // eslint-disable-next-line no-console
+        console.log(`Session expired: ${sessionId}`);
+        transports[sessionId].transport.close();
+        delete transports[sessionId];
 
-        transport = transports[sessionId].transport;
-        transports[sessionId].lastAccess = Date.now();
-      } else if (!sessionId && isInitializeRequest(req.body)) {
-        let bearerToken: string | undefined;
-        const authHeader: string | undefined = req.headers.authorization as string | undefined;
-        if (authHeader && authHeader.toLowerCase().startsWith('bearer ')) {
-          bearerToken = authHeader.substring(7);
-          // eslint-disable-next-line no-console
-          console.log(`Bearer token captured for new session.`);
-        } else {
-          // eslint-disable-next-line no-console
-          console.warn('MCP session initialized: No Bearer token found in Authorization header.');
-        }
-        transport = new StreamableHTTPServerTransport({
-          onsessioninitialized: (newSessionId: string): void => {
-            transports[newSessionId] = {
-              lastAccess: Date.now(),
-              transport,
-            };
-            // eslint-disable-next-line no-console
-            console.log(`Session initialized: ${newSessionId}`);
+        res.status(401).json({
+          error: {
+            code: -32000,
+            message: 'Session expired',
           },
-          sessionIdGenerator: (): string => randomUUID(),
-        });
-
-        transport.onclose = (): void => {
-          if (transport.sessionId) {
-            // eslint-disable-next-line no-console
-            console.log(`Session closed: ${transport.sessionId}`);
-            delete transports[transport.sessionId];
-          }
-        };
-
-        const server: McpServer = new McpServer({
-          name: 'example-server',
-          version: '1.0.0',
+          id: null,
+          jsonrpc: '2.0',
         });
+        return;
+      }
 
-        server.tool(
-          'get_pet_vaccination_info',
-          'Retrieves the vaccination history and upcoming vaccination dates for a specific pet. Requires user authentication and explicit consent via an authorization token.',
-          {
-            petId: z.string().describe('The unique identifier for the pet.'),
-          },
-          async ({petId}: {petId: string}) => {
-            try {
-              return {
-                content: [
-                  {
-                    text: `Retrieved vaccination info for pet ID: ${petId}. Token was ${
-                      bearerToken ? 'present' : 'absent'
-                    }.`,
-                    type: 'text',
-                  },
-                ],
-              };
-            } catch (error) {
-              const errorMessage: string = error instanceof Error ? error.message : String(error);
-              throw new Error(`Failed to retrieve vaccination information: ${errorMessage}`);
-            }
-          },
-        );
-
-        server.tool(
-          'book_vet_appointment',
-          'Books a new veterinary appointment for a specific pet. Requires user authentication and explicit consent via an authorization token.',
-          {
-            date: z.string().describe('Desired date for the appointment (e.g., YYYY-MM-DD).'),
-            petId: z.string().describe('The unique identifier for the pet.'),
-            reason: z.string().describe('The reason for the vet visit.'),
-            time: z.string().describe('Desired time for the appointment (e.g., HH:MM AM/PM).'),
-          },
-          async ({date, petId, reason, time}: {date: string; petId: string; reason: string; time: string}) => {
-            try {
-              return {
-                content: [
-                  {
-                    text: `Booked vet appointment for pet ID: ${petId} on ${date} at ${time} for: ${reason}. Token was ${
-                      bearerToken ? 'present' : 'absent'
-                    }.`,
-                    type: 'text',
-                  },
-                ],
-              };
-            } catch (error) {
-              const errorMessage: string = error instanceof Error ? error.message : String(error);
-              throw new Error(`Failed to book appointment: ${errorMessage}`);
-            }
-          },
-        );
-
-        try {
-          await server.connect(transport);
+      transport = transports[sessionId].transport;
+      transports[sessionId].lastAccess = Date.now();
+    } else if (!sessionId && isInitializeRequest(req.body)) {
+      let bearerToken: string | undefined;
+      const authHeader: string | undefined = req.headers.authorization as string | undefined;
+      if (authHeader && authHeader.toLowerCase().startsWith('bearer ')) {
+        bearerToken = authHeader.substring(7);
+        // eslint-disable-next-line no-console
+        console.log(`Bearer token captured for new session.`);
+      } else {
+        // eslint-disable-next-line no-console
+        console.warn('MCP session initialized: No Bearer token found in Authorization header.');
+      }
+      transport = new StreamableHTTPServerTransport({
+        onsessioninitialized: (newSessionId: string): void => {
+          transports[newSessionId] = {
+            lastAccess: Date.now(),
+            transport,
+          };
           // eslint-disable-next-line no-console
-          console.log('Server connected to transport');
-        } catch (error) {
+          console.log(`Session initialized: ${newSessionId}`);
+        },
+        sessionIdGenerator: (): string => randomUUID(),
+      });
+
+      transport.onclose = (): void => {
+        if (transport.sessionId) {
           // eslint-disable-next-line no-console
-          console.error(`Error connecting server to transport: ${error}`);
-          res.status(500).json({
-            error: {
-              code: -32000,
-              message: 'Internal server error: Failed to connect to MCP server',
-            },
-            id: null,
-            jsonrpc: '2.0',
-          });
-          return;
+          console.log(`Session closed: ${transport.sessionId}`);
+          delete transports[transport.sessionId];
         }
-      } else {
-        let message: string = 'Bad Request: No valid session ID provided for existing session.';
-        if (!isInitializeRequest(req.body)) {
-          message = 'Bad Request: Not an initialization request and no session ID found.';
-        }
-        res.status(400).json({
+      };
+
+      const server: McpServer = new McpServer({
+        name: 'example-server',
+        version: '1.0.0',
+      });
+
+      server.tool(
+        'get_pet_vaccination_info',
+        'Retrieves the vaccination history and upcoming vaccination dates for a specific pet. Requires user authentication and explicit consent via an authorization token.',
+        {
+          petId: z.string().describe('The unique identifier for the pet.'),
+        },
+        async ({petId}: {petId: string}) => {
+          try {
+            return {
+              content: [
+                {
+                  text: `Retrieved vaccination info for pet ID: ${petId}. Token was ${
+                    bearerToken ? 'present' : 'absent'
+                  }.`,
+                  type: 'text',
+                },
+              ],
+            };
+          } catch (error) {
+            const errorMessage: string = error instanceof Error ? error.message : String(error);
+            throw new Error(`Failed to retrieve vaccination information: ${errorMessage}`);
+          }
+        },
+      );
+
+      server.tool(
+        'book_vet_appointment',
+        'Books a new veterinary appointment for a specific pet. Requires user authentication and explicit consent via an authorization token.',
+        {
+          date: z.string().describe('Desired date for the appointment (e.g., YYYY-MM-DD).'),
+          petId: z.string().describe('The unique identifier for the pet.'),
+          reason: z.string().describe('The reason for the vet visit.'),
+          time: z.string().describe('Desired time for the appointment (e.g., HH:MM AM/PM).'),
+        },
+        async ({date, petId, reason, time}: {date: string; petId: string; reason: string; time: string}) => {
+          try {
+            return {
+              content: [
+                {
+                  text: `Booked vet appointment for pet ID: ${petId} on ${date} at ${time} for: ${reason}. Token was ${
+                    bearerToken ? 'present' : 'absent'
+                  }.`,
+                  type: 'text',
+                },
+              ],
+            };
+          } catch (error) {
+            const errorMessage: string = error instanceof Error ? error.message : String(error);
+            throw new Error(`Failed to book appointment: ${errorMessage}`);
+          }
+        },
+      );
+
+      try {
+        await server.connect(transport);
+        // eslint-disable-next-line no-console
+        console.log('Server connected to transport');
+      } catch (error) {
+        // eslint-disable-next-line no-console
+        console.error(`Error connecting server to transport: ${error}`);
+        res.status(500).json({
           error: {
             code: -32000,
-            message,
+            message: 'Internal server error: Failed to connect to MCP server',
           },
-          id: req.body?.id || null,
+          id: null,
           jsonrpc: '2.0',
         });
         return;
       }
-
-      await transport.handleRequest(req, res, req.body);
-    } catch (error) {
-      const requestId: string | number | null | undefined =
-        typeof req.body === 'object' && req.body !== null && 'id' in req.body ? req.body.id : null;
-      res.status(500).json({
+    } else {
+      let message: string = 'Bad Request: No valid session ID provided for existing session.';
+      if (!isInitializeRequest(req.body)) {
+        message = 'Bad Request: Not an initialization request and no session ID found.';
+      }
+      res.status(400).json({
         error: {
           code: -32000,
-          message: 'Internal server error',
+          message,
         },
-        id: requestId,
+        id: req.body?.id || null,
         jsonrpc: '2.0',
       });
+      return;
     }
-  }),
-);
+
+    await transport.handleRequest(req, res, req.body);
+  } catch (error) {
+    const requestId: string | number | null | undefined =
+      typeof req.body === 'object' && req.body !== null && 'id' in req.body ? req.body.id : null;
+    res.status(500).json({
+      error: {
+        code: -32000,
+        message: 'Internal server error',
+      },
+      id: requestId,
+      jsonrpc: '2.0',
+    });
+  }
+});
 
 const handleSessionRequest = async (expressReq: Request, expressRes: Response): Promise<void> => {
   try {

packages/mcp-express/README.md

@@ -51,12 +51,9 @@ app.use(express.json());
 app.use(mcpAuthServer.router());
 
 // Protect your MCP endpoint
-app.post(
-  '/mcp',
-  mcpAuthServer.protect(async (req, res) => {
-    // Your MCP handling logic here
-  }),
-);
+app.post('/mcp', mcpAuthServer.protect(), async (req, res) => {
+  // Your MCP handling logic here
+});
 ```
 
 ### API Reference
@@ -79,17 +76,15 @@ Returns an Express router that sets up the necessary endpoints for MCP authentic
 app.use(mcpAuthServer.router());
 ```
 
-#### mcpAuthServer.protect(handler)
+#### mcpAuthServer.protect()
 
-Returns middleware that protects routes requiring authentication, passing control to the provided handler function when authentication succeeds.
+Returns middleware that protects routes requiring authentication. This middleware should be applied before your route
+handler.
 
 ```typescript
-app.post(
-  '/api/protected',
-  mcpAuthServer.protect(async (req, res) => {
-    // Your protected route logic here
-  })
-);
+app.post('/api/protected', mcpAuthServer.protect(), async (req, res) => {
+  // Your protected route logic here
+});
 ```
 
 ### Configuration
@@ -145,7 +140,8 @@ const isSessionExpired = (lastAccessTime: number): boolean => Date.now() - lastA
 // MCP endpoint with authentication
 app.post(
   '/mcp',
-  mcpAuthServer.protect(async (req: Request, res: Response): Promise<void> => {
+  mcpAuthServer.protect(),
+  async (req: Request, res: Response): Promise<void> => {
     try {
       const sessionId: string | undefined = req.headers['mcp-session-id'] as string | undefined;
       let transport: StreamableHTTPServerTransport;
@@ -251,4 +247,4 @@ pnpm lint
 
 ## License
 
-Apache-2.0 - see the [LICENSE](LICENSE) file for details.
+Apache-2.0 - see the [LICENSE](LICENSE) file for details.