Merge branch 'main' of https://github.com/modelcontextprotocol/typescript-sdk into feat/elicitation-sampling-streaming

Author: LucaButBoring

docs/server.md

@@ -66,6 +66,34 @@ For a minimal “getting started” experience:
 
 For more detailed patterns (stateless vs stateful, JSON response mode, CORS, DNS rebind protection), see the examples above and the MCP spec sections on transports.
 
+## DNS rebinding protection
+
+MCP servers running on localhost are vulnerable to DNS rebinding attacks. Use `createMcpExpressApp()` to create an Express app with DNS rebinding protection enabled by default:
+
+```typescript
+import { createMcpExpressApp } from '@modelcontextprotocol/sdk/server/index.js';
+
+// Protection auto-enabled (default host is 127.0.0.1)
+const app = createMcpExpressApp();
+
+// Protection auto-enabled for localhost
+const app = createMcpExpressApp({ host: 'localhost' });
+
+// No auto protection when binding to all interfaces
+const app = createMcpExpressApp({ host: '0.0.0.0' });
+```
+
+For custom host validation, use the middleware directly:
+
+```typescript
+import express from 'express';
+import { hostHeaderValidation } from '@modelcontextprotocol/sdk/server/middleware/hostHeaderValidation.js';
+
+const app = express();
+app.use(express.json());
+app.use(hostHeaderValidation(['localhost', '127.0.0.1', 'myhost.local']));
+```
+
 ## Tools, resources, and prompts
 
 ### Tools

package-lock.json

@@ -1,6 +1,6 @@
 {
     "name": "@modelcontextprotocol/sdk",
-    "version": "1.23.0",
+    "version": "1.24.0",
     "description": "Model Context Protocol implementation for TypeScript",
     "license": "MIT",
     "author": "Anthropic, PBC (https://anthropic.com)",

package.json

@@ -1501,6 +1501,68 @@ describe('StreamableHTTPClientTransport', () => {
         });
     });
 
+    describe('Reconnection Logic with maxRetries 0', () => {
+        let transport: StreamableHTTPClientTransport;
+
+        // Use fake timers to control setTimeout and make the test instant.
+        beforeEach(() => vi.useFakeTimers());
+        afterEach(() => vi.useRealTimers());
+
+        it('should not schedule any reconnection attempts when maxRetries is 0', async () => {
+            // ARRANGE
+            transport = new StreamableHTTPClientTransport(new URL('http://localhost:1234/mcp'), {
+                reconnectionOptions: {
+                    initialReconnectionDelay: 10,
+                    maxRetries: 0, // This should disable retries completely
+                    maxReconnectionDelay: 1000,
+                    reconnectionDelayGrowFactor: 1
+                }
+            });
+
+            const errorSpy = vi.fn();
+            transport.onerror = errorSpy;
+
+            // ACT - directly call _scheduleReconnection which is the code path the fix affects
+            transport['_scheduleReconnection']({});
+
+            // ASSERT - should immediately report max retries exceeded, not schedule a retry
+            expect(errorSpy).toHaveBeenCalledTimes(1);
+            expect(errorSpy).toHaveBeenCalledWith(
+                expect.objectContaining({
+                    message: 'Maximum reconnection attempts (0) exceeded.'
+                })
+            );
+
+            // Verify no timeout was scheduled (no reconnection attempt)
+            expect(transport['_reconnectionTimeout']).toBeUndefined();
+        });
+
+        it('should schedule reconnection when maxRetries is greater than 0', async () => {
+            // ARRANGE
+            transport = new StreamableHTTPClientTransport(new URL('http://localhost:1234/mcp'), {
+                reconnectionOptions: {
+                    initialReconnectionDelay: 10,
+                    maxRetries: 1, // Allow 1 retry
+                    maxReconnectionDelay: 1000,
+                    reconnectionDelayGrowFactor: 1
+                }
+            });
+
+            const errorSpy = vi.fn();
+            transport.onerror = errorSpy;
+
+            // ACT - call _scheduleReconnection with attemptCount 0
+            transport['_scheduleReconnection']({});
+
+            // ASSERT - should schedule a reconnection, not report error yet
+            expect(errorSpy).not.toHaveBeenCalled();
+            expect(transport['_reconnectionTimeout']).toBeDefined();
+
+            // Clean up the timeout to avoid test pollution
+            clearTimeout(transport['_reconnectionTimeout']);
+        });
+    });
+
     describe('prevent infinite recursion when server returns 401 after successful auth', () => {
         it('should throw error when server returns 401 after successful auth', async () => {
             const message: JSONRPCMessage = {

src/client/streamableHttp.test.ts

@@ -279,7 +279,7 @@ export class StreamableHTTPClientTransport implements Transport {
         const maxRetries = this._reconnectionOptions.maxRetries;
 
         // Check if we've exceeded maximum retry attempts
-        if (maxRetries > 0 && attemptCount >= maxRetries) {
+        if (attemptCount >= maxRetries) {
             this.onerror?.(new Error(`Maximum reconnection attempts (${maxRetries}) exceeded.`));
             return;
         }

src/client/streamableHttp.ts

@@ -8,11 +8,11 @@
 // to collect *sensitive* user input via a browser.
 
 import { randomUUID } from 'node:crypto';
-import cors from 'cors';
-import express, { type Request, type Response } from 'express';
+import { type Request, type Response } from 'express';
 import { McpServer } from '../../server/mcp.js';
 import { StreamableHTTPServerTransport } from '../../server/streamableHttp.js';
 import { isInitializeRequest } from '../../types.js';
+import { createMcpExpressApp } from '../../server/index.js';
 
 // Create MCP server - it will automatically use AjvJsonSchemaValidator with sensible defaults
 // The validator supports format validation (email, date, etc.) if ajv-formats is installed
@@ -320,16 +320,7 @@ mcpServer.registerTool(
 async function main() {
     const PORT = process.env.PORT ? parseInt(process.env.PORT, 10) : 3000;
 
-    const app = express();
-    app.use(express.json());
-
-    // Allow CORS for all domains, expose the Mcp-Session-Id header
-    app.use(
-        cors({
-            origin: '*',
-            exposedHeaders: ['Mcp-Session-Id']
-        })
-    );
+    const app = createMcpExpressApp();
 
     // Map to store transports by session ID
     const transports: { [sessionId: string]: StreamableHTTPServerTransport } = {};

src/examples/server/elicitationFormExample.ts

@@ -11,6 +11,7 @@ import express, { Request, Response } from 'express';
 import { randomUUID } from 'node:crypto';
 import { z } from 'zod';
 import { McpServer } from '../../server/mcp.js';
+import { createMcpExpressApp } from '../../server/index.js';
 import { StreamableHTTPServerTransport } from '../../server/streamableHttp.js';
 import { getOAuthProtectedResourceMetadataUrl, mcpAuthMetadataRouter } from '../../server/auth/router.js';
 import { requireBearerAuth } from '../../server/auth/middleware/bearerAuth.js';
@@ -214,8 +215,7 @@ function completeURLElicitation(elicitationId: string) {
 const MCP_PORT = process.env.MCP_PORT ? parseInt(process.env.MCP_PORT, 10) : 3000;
 const AUTH_PORT = process.env.MCP_AUTH_PORT ? parseInt(process.env.MCP_AUTH_PORT, 10) : 3001;
 
-const app = express();
-app.use(express.json());
+const app = createMcpExpressApp();
 
 // Allow CORS all domains, expose the Mcp-Session-Id header
 app.use(

src/examples/server/elicitationUrlExample.ts

@@ -1,10 +1,10 @@
-import express, { Request, Response } from 'express';
+import { Request, Response } from 'express';
 import { randomUUID } from 'node:crypto';
 import { McpServer } from '../../server/mcp.js';
 import { StreamableHTTPServerTransport } from '../../server/streamableHttp.js';
 import * as z from 'zod/v4';
 import { CallToolResult, isInitializeRequest } from '../../types.js';
-import cors from 'cors';
+import { createMcpExpressApp } from '../../server/index.js';
 
 // Create an MCP server with implementation details
 const getServer = () => {
@@ -90,16 +90,7 @@ const getServer = () => {
     return server;
 };
 
-const app = express();
-app.use(express.json());
-
-// Configure CORS to expose Mcp-Session-Id header for browser-based clients
-app.use(
-    cors({
-        origin: '*', // Allow all origins - adjust as needed for production
-        exposedHeaders: ['Mcp-Session-Id']
-    })
-);
+const app = createMcpExpressApp();
 
 // Map to store transports by session ID
 const transports: { [sessionId: string]: StreamableHTTPServerTransport } = {};

src/examples/server/jsonResponseStreamableHttp.ts

@@ -1,8 +1,9 @@
-import express, { Request, Response } from 'express';
+import { Request, Response } from 'express';
 import { McpServer } from '../../server/mcp.js';
 import { SSEServerTransport } from '../../server/sse.js';
 import * as z from 'zod/v4';
 import { CallToolResult } from '../../types.js';
+import { createMcpExpressApp } from '../../server/index.js';
 
 /**
  * This example server demonstrates the deprecated HTTP+SSE transport
@@ -75,8 +76,7 @@ const getServer = () => {
     return server;
 };
 
-const app = express();
-app.use(express.json());
+const app = createMcpExpressApp();
 
 // Store transports by session ID
 const transports: Record<string, SSEServerTransport> = {};

src/examples/server/simpleSseServer.ts

@@ -1,9 +1,9 @@
-import express, { Request, Response } from 'express';
+import { Request, Response } from 'express';
 import { McpServer } from '../../server/mcp.js';
 import { StreamableHTTPServerTransport } from '../../server/streamableHttp.js';
 import * as z from 'zod/v4';
 import { CallToolResult, GetPromptResult, ReadResourceResult } from '../../types.js';
-import cors from 'cors';
+import { createMcpExpressApp } from '../../server/index.js';
 
 const getServer = () => {
     // Create an MCP server with implementation details
@@ -96,16 +96,7 @@ const getServer = () => {
     return server;
 };
 
-const app = express();
-app.use(express.json());
-
-// Configure CORS to expose Mcp-Session-Id header for browser-based clients
-app.use(
-    cors({
-        origin: '*', // Allow all origins - adjust as needed for production
-        exposedHeaders: ['Mcp-Session-Id']
-    })
-);
+const app = createMcpExpressApp();
 
 app.post('/mcp', async (req: Request, res: Response) => {
     const server = getServer();