Added 'Accept' header validation and touched up 'Last-Event-ID' header

Author: Zachary German

mcp-spring/mcp-spring-webflux/src/main/java/io/modelcontextprotocol/server/transport/WebFluxStreamableServerTransportProvider.java

@@ -1,7 +1,11 @@
 package io.modelcontextprotocol.server.transport;
 
+import java.awt.PageAttributes;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.core.type.TypeReference;
 import com.fasterxml.jackson.databind.ObjectMapper;
+
 import io.modelcontextprotocol.spec.DefaultMcpTransportContext;
 import io.modelcontextprotocol.spec.McpError;
 import io.modelcontextprotocol.spec.McpSchema;
@@ -10,6 +14,7 @@
 import io.modelcontextprotocol.spec.McpStreamableServerTransportProvider;
 import io.modelcontextprotocol.spec.McpTransportContext;
 import io.modelcontextprotocol.util.Assert;
+
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.http.HttpStatus;
@@ -19,16 +24,30 @@
 import org.springframework.web.reactive.function.server.RouterFunctions;
 import org.springframework.web.reactive.function.server.ServerRequest;
 import org.springframework.web.reactive.function.server.ServerResponse;
+
 import reactor.core.Disposable;
 import reactor.core.Exceptions;
 import reactor.core.publisher.Flux;
 import reactor.core.publisher.FluxSink;
 import reactor.core.publisher.Mono;
 
 import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.function.Function;
 
+/**
+ * Server-side implementation of the Model Context Protocol (MCP) streamable transport
+ * layer using HTTP with Server-Sent Events (SSE) through Spring WebFlux.
+ *
+ * <p>
+ *
+ * @author Dariusz Jędrzejczyk
+ * @author Zachary German
+ * @see McpStreamableServerTransportProvider
+ * @see RouterFunction
+ */
 public class WebFluxStreamableServerTransportProvider implements McpStreamableServerTransportProvider {
 
 	private static final Logger logger = LoggerFactory.getLogger(WebFluxStreamableServerTransportProvider.class);
@@ -37,6 +56,12 @@ public class WebFluxStreamableServerTransportProvider implements McpStreamableSe
 
 	public static final String DEFAULT_BASE_URL = "";
 
+	private static final String MCP_SESSION_ID = "mcp-session-id";
+
+	private static final String LAST_EVENT_ID = "Last-Event-ID";
+
+	private static final String ACCEPT = "Accept";
+
 	private final ObjectMapper objectMapper;
 
 	private final String baseUrl;
@@ -195,21 +220,40 @@ private Mono<ServerResponse> handleGet(ServerRequest request) {
 		McpTransportContext transportContext = this.contextExtractor.apply(request);
 
 		return Mono.defer(() -> {
-			if (!request.headers().asHttpHeaders().containsKey("mcp-session-id")) {
-				return ServerResponse.badRequest().build(); // TODO: say we need a session
-															// id
+			List<String> badRequestErrors = new ArrayList<>();
+
+			String accept = request.headers().asHttpHeaders().getFirst(ACCEPT);
+			if (accept == null || !accept.contains(MediaType.TEXT_EVENT_STREAM_VALUE)) {
+				badRequestErrors.add("text/event-stream required in Accept header");
 			}
 
-			String sessionId = request.headers().asHttpHeaders().getFirst("mcp-session-id");
+			String sessionId = request.headers().asHttpHeaders().getFirst(MCP_SESSION_ID);
+
+			if (sessionId == null || sessionId.isBlank()) {
+				badRequestErrors.add("Session ID required in mcp-session-id header");
+			}
+
+			if (!badRequestErrors.isEmpty()) {
+				String combinedMessage = String.join("; ", badRequestErrors);
+				try {
+					String errorJson = objectMapper.writeValueAsString(new McpError(combinedMessage));
+					return ServerResponse.badRequest().bodyValue(errorJson);
+				}
+				catch (JsonProcessingException e) {
+					logger.debug("Failed to serialize McpError: {}", e);
+					return ServerResponse.status(HttpStatus.INTERNAL_SERVER_ERROR)
+						.bodyValue("Failed to serialize error message.");
+				}
+			}
 
 			McpStreamableServerSession session = this.sessions.get(sessionId);
 
 			if (session == null) {
 				return ServerResponse.notFound().build();
 			}
 
-			if (request.headers().asHttpHeaders().containsKey("mcp-last-id")) {
-				String lastId = request.headers().asHttpHeaders().getFirst("mcp-last-id");
+			if (request.headers().asHttpHeaders().containsKey(LAST_EVENT_ID)) {
+				String lastId = request.headers().asHttpHeaders().getFirst(LAST_EVENT_ID);
 				return ServerResponse.ok()
 					.contentType(MediaType.TEXT_EVENT_STREAM)
 					.body(session.replay(lastId), ServerSentEvent.class);
@@ -252,9 +296,31 @@ private Mono<ServerResponse> handlePost(ServerRequest request) {
 
 		return request.bodyToMono(String.class).<ServerResponse>flatMap(body -> {
 			try {
+				List<String> badRequestErrors = new ArrayList<>();
+
+				String accept = request.headers().asHttpHeaders().getFirst(ACCEPT);
+				if (accept == null || !accept.contains(MediaType.TEXT_EVENT_STREAM_VALUE)) {
+					badRequestErrors.add("text/event-stream required in Accept header");
+				}
+				if (accept == null || !accept.contains(MediaType.APPLICATION_JSON_VALUE)) {
+					badRequestErrors.add("application/json required in Accept header");
+				}
+
 				McpSchema.JSONRPCMessage message = McpSchema.deserializeJsonRpcMessage(objectMapper, body);
 				if (message instanceof McpSchema.JSONRPCRequest jsonrpcRequest
 						&& jsonrpcRequest.method().equals(McpSchema.METHOD_INITIALIZE)) {
+					if (!badRequestErrors.isEmpty()) {
+						String combinedMessage = String.join("; ", badRequestErrors);
+						try {
+							String errorJson = objectMapper.writeValueAsString(new McpError(combinedMessage));
+							return ServerResponse.badRequest().bodyValue(errorJson);
+						}
+						catch (JsonProcessingException e) {
+							logger.debug("Failed to serialize McpError: {}", e);
+							return ServerResponse.status(HttpStatus.INTERNAL_SERVER_ERROR)
+								.bodyValue("Failed to serialize error message.");
+						}
+					}
 					McpSchema.InitializeRequest initializeRequest = objectMapper.convertValue(jsonrpcRequest.params(),
 							new TypeReference<McpSchema.InitializeRequest>() {
 							});
@@ -274,15 +340,29 @@ private Mono<ServerResponse> handlePost(ServerRequest request) {
 					})
 						.flatMap(initResult -> ServerResponse.ok()
 							.contentType(MediaType.APPLICATION_JSON)
-							.header("mcp-session-id", init.session().getId())
+							.header(MCP_SESSION_ID, init.session().getId())
 							.bodyValue(initResult));
 				}
 
-				if (!request.headers().asHttpHeaders().containsKey("mcp-session-id")) {
-					return ServerResponse.badRequest().bodyValue(new McpError("Session ID missing"));
+				String sessionId = request.headers().asHttpHeaders().getFirst(MCP_SESSION_ID);
+
+				if (sessionId == null || sessionId.isBlank()) {
+					badRequestErrors.add("Session ID required in mcp-session-id header");
+				}
+
+				if (!badRequestErrors.isEmpty()) {
+					String combinedMessage = String.join("; ", badRequestErrors);
+					try {
+						String errorJson = objectMapper.writeValueAsString(new McpError(combinedMessage));
+						return ServerResponse.badRequest().bodyValue(errorJson);
+					}
+					catch (JsonProcessingException e) {
+						logger.debug("Failed to serialize McpError: {}", e);
+						return ServerResponse.status(HttpStatus.INTERNAL_SERVER_ERROR)
+							.bodyValue("Failed to serialize error message.");
+					}
 				}
 
-				String sessionId = request.headers().asHttpHeaders().getFirst("mcp-session-id");
 				McpStreamableServerSession session = sessions.get(sessionId);
 
 				if (session == null) {
@@ -330,7 +410,7 @@ private Mono<ServerResponse> handleDelete(ServerRequest request) {
 		McpTransportContext transportContext = this.contextExtractor.apply(request);
 
 		return Mono.defer(() -> {
-			if (!request.headers().asHttpHeaders().containsKey("mcp-session-id")) {
+			if (!request.headers().asHttpHeaders().containsKey(MCP_SESSION_ID)) {
 				return ServerResponse.badRequest().build(); // TODO: say we need a session
 				// id
 			}
@@ -340,7 +420,7 @@ private Mono<ServerResponse> handleDelete(ServerRequest request) {
 				return ServerResponse.status(HttpStatus.METHOD_NOT_ALLOWED).build();
 			}
 
-			String sessionId = request.headers().asHttpHeaders().getFirst("mcp-session-id");
+			String sessionId = request.headers().asHttpHeaders().getFirst(MCP_SESSION_ID);
 
 			McpStreamableServerSession session = this.sessions.get(sessionId);
 

mcp-spring/mcp-spring-webmvc/src/main/java/io/modelcontextprotocol/server/transport/WebMvcStreamableServerTransportProvider.java

@@ -6,12 +6,26 @@
 
 import java.io.IOException;
 import java.time.Duration;
+import java.util.ArrayList;
+import java.util.List;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.locks.ReentrantLock;
 import java.util.function.Function;
 
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.MediaType;
+import org.springframework.web.servlet.function.RouterFunction;
+import org.springframework.web.servlet.function.RouterFunctions;
+import org.springframework.web.servlet.function.ServerRequest;
+import org.springframework.web.servlet.function.ServerResponse;
+import org.springframework.web.servlet.function.ServerResponse.SseBuilder;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.core.type.TypeReference;
 import com.fasterxml.jackson.databind.ObjectMapper;
+
 import io.modelcontextprotocol.spec.DefaultMcpTransportContext;
 import io.modelcontextprotocol.spec.McpError;
 import io.modelcontextprotocol.spec.McpSchema;
@@ -20,18 +34,8 @@
 import io.modelcontextprotocol.spec.McpStreamableServerTransportProvider;
 import io.modelcontextprotocol.spec.McpTransportContext;
 import io.modelcontextprotocol.util.Assert;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 import reactor.core.publisher.Mono;
 
-import org.springframework.http.HttpStatus;
-import org.springframework.http.MediaType;
-import org.springframework.web.servlet.function.RouterFunction;
-import org.springframework.web.servlet.function.RouterFunctions;
-import org.springframework.web.servlet.function.ServerRequest;
-import org.springframework.web.servlet.function.ServerResponse;
-import org.springframework.web.servlet.function.ServerResponse.SseBuilder;
-
 /**
  * Server-side implementation of the Model Context Protocol (MCP) streamable transport
  * layer using HTTP with Server-Sent Events (SSE) through Spring WebMVC. This
@@ -44,6 +48,7 @@
  *
  * @author Christian Tzolov
  * @author Dariusz Jędrzejczyk
+ * @author Zachary German
  * @see McpStreamableServerTransportProvider
  * @see RouterFunction
  */
@@ -69,7 +74,12 @@ public class WebMvcStreamableServerTransportProvider implements McpStreamableSer
 	/**
 	 * Header name for the last message ID used in replay requests.
 	 */
-	private static final String MCP_LAST_ID = "mcp-last-id";
+	private static final String LAST_EVENT_ID = "Last-Event-ID";
+
+	/**
+	 * Header name for the response media types accepted by the requester.
+	 */
+	private static final String ACCEPT = "Accept";
 
 	/**
 	 * Default base URL for the message endpoint.
@@ -216,11 +226,32 @@ private ServerResponse handleGet(ServerRequest request) {
 
 		McpTransportContext transportContext = this.contextExtractor.apply(request);
 
-		if (!request.headers().asHttpHeaders().containsKey(MCP_SESSION_ID)) {
-			return ServerResponse.badRequest().body("Session ID required in mcp-session-id header");
+		List<String> badRequestErrors = new ArrayList<>();
+
+		String accept = request.headers().asHttpHeaders().getFirst(ACCEPT);
+		if (accept == null || !accept.contains(MediaType.TEXT_EVENT_STREAM_VALUE)) {
+			badRequestErrors.add("text/event-stream required in Accept header");
 		}
 
 		String sessionId = request.headers().asHttpHeaders().getFirst(MCP_SESSION_ID);
+
+		if (sessionId == null || sessionId.isBlank()) {
+			badRequestErrors.add("Session ID required in mcp-session-id header");
+		}
+
+		if (!badRequestErrors.isEmpty()) {
+			String combinedMessage = String.join("; ", badRequestErrors);
+			try {
+				String errorJson = objectMapper.writeValueAsString(new McpError(combinedMessage));
+				return ServerResponse.badRequest().body(errorJson);
+			}
+			catch (JsonProcessingException e) {
+				logger.debug("Failed to serialize McpError: {}", e);
+				return ServerResponse.status(HttpStatus.INTERNAL_SERVER_ERROR)
+					.body("Failed to serialize error message.");
+			}
+		}
+
 		McpStreamableServerSession session = this.sessions.get(sessionId);
 
 		if (session == null) {
@@ -239,8 +270,8 @@ private ServerResponse handleGet(ServerRequest request) {
 						sessionId, sseBuilder);
 
 				// Check if this is a replay request
-				if (request.headers().asHttpHeaders().containsKey(MCP_LAST_ID)) {
-					String lastId = request.headers().asHttpHeaders().getFirst(MCP_LAST_ID);
+				if (request.headers().asHttpHeaders().containsKey(LAST_EVENT_ID)) {
+					String lastId = request.headers().asHttpHeaders().getFirst(LAST_EVENT_ID);
 
 					try {
 						session.replay(lastId)
@@ -294,12 +325,35 @@ private ServerResponse handlePost(ServerRequest request) {
 		McpTransportContext transportContext = this.contextExtractor.apply(request);
 
 		try {
+			List<String> badRequestErrors = new ArrayList<>();
+
+			String accept = request.headers().asHttpHeaders().getFirst(ACCEPT);
+			if (accept == null || !accept.contains(MediaType.TEXT_EVENT_STREAM_VALUE)) {
+				badRequestErrors.add("text/event-stream required in Accept header");
+			}
+			if (accept == null || !accept.contains(MediaType.APPLICATION_JSON_VALUE)) {
+				badRequestErrors.add("application/json required in Accept header");
+			}
+
 			String body = request.body(String.class);
 			McpSchema.JSONRPCMessage message = McpSchema.deserializeJsonRpcMessage(objectMapper, body);
 
 			// Handle initialization request
 			if (message instanceof McpSchema.JSONRPCRequest jsonrpcRequest
 					&& jsonrpcRequest.method().equals(McpSchema.METHOD_INITIALIZE)) {
+				if (!badRequestErrors.isEmpty()) {
+					String combinedMessage = String.join("; ", badRequestErrors);
+					try {
+						String errorJson = objectMapper.writeValueAsString(new McpError(combinedMessage));
+						return ServerResponse.badRequest().body(errorJson);
+					}
+					catch (JsonProcessingException e) {
+						logger.debug("Failed to serialize McpError: {}", e);
+						return ServerResponse.status(HttpStatus.INTERNAL_SERVER_ERROR)
+							.body("Failed to serialize error message.");
+					}
+				}
+
 				McpSchema.InitializeRequest initializeRequest = objectMapper.convertValue(jsonrpcRequest.params(),
 						new TypeReference<McpSchema.InitializeRequest>() {
 						});
@@ -323,11 +377,25 @@ private ServerResponse handlePost(ServerRequest request) {
 			}
 
 			// Handle other messages that require a session
-			if (!request.headers().asHttpHeaders().containsKey(MCP_SESSION_ID)) {
-				return ServerResponse.badRequest().body(new McpError("Session ID missing"));
+			String sessionId = request.headers().asHttpHeaders().getFirst(MCP_SESSION_ID);
+
+			if (sessionId == null || sessionId.isBlank()) {
+				badRequestErrors.add("Session ID required in mcp-session-id header");
+			}
+
+			if (!badRequestErrors.isEmpty()) {
+				String combinedMessage = String.join("; ", badRequestErrors);
+				try {
+					String errorJson = objectMapper.writeValueAsString(new McpError(combinedMessage));
+					return ServerResponse.badRequest().body(errorJson);
+				}
+				catch (JsonProcessingException e) {
+					logger.debug("Failed to serialize McpError: {}", e);
+					return ServerResponse.status(HttpStatus.INTERNAL_SERVER_ERROR)
+						.body("Failed to serialize error message.");
+				}
 			}
 
-			String sessionId = request.headers().asHttpHeaders().getFirst(MCP_SESSION_ID);
 			McpStreamableServerSession session = this.sessions.get(sessionId);
 
 			if (session == null) {