remove authInfo

Author: mattzcarey

src/examples/server/honoFetchStreamableHttp.ts

@@ -30,7 +30,7 @@ import { Hono } from 'hono';
 import { cors } from 'hono/cors';
 import { serve } from '@hono/node-server';
 import { McpServer } from '../../server/mcp.js';
-import { FetchStreamableHTTPServerTransport, type AuthenticatedRequest } from '../../experimental/fetch-streamable-http/index.js';
+import { FetchStreamableHTTPServerTransport } from '../../experimental/fetch-streamable-http/index.js';
 import { CallToolResult, GetPromptResult, ReadResourceResult } from '../../types.js';
 import { z } from 'zod';
 
@@ -234,16 +234,25 @@ app.use(
     })
 );
 
-app.all('/mcp', async c => {
-    const request = c.req.raw as AuthenticatedRequest;
+// Example auth middleware (uncomment to enable authentication):
+// app.use('/mcp', async (c, next) => {
+//     const token = c.req.header('Authorization')?.replace('Bearer ', '');
+//     if (token) {
+//         // Validate token and set auth info in context
+//         c.set('auth', { token, clientId: 'example-client' });
+//     }
+//     await next();
+// });
 
+app.all('/mcp', async c => {
     // Check for existing session
-    const sessionId = request.headers.get('mcp-session-id');
+    const sessionId = c.req.header('mcp-session-id');
 
     if (sessionId && transports.has(sessionId)) {
         // Reuse existing transport for this session
         const transport = transports.get(sessionId)!;
-        return transport.handleRequest(request);
+        // Pass auth from context if using auth middleware: { auth: c.get('auth') }
+        return transport.handleRequest(c.req.raw);
     }
 
     // For new sessions or initialization, create new transport and server
@@ -264,7 +273,8 @@ app.all('/mcp', async c => {
 
     await server.connect(transport);
 
-    return transport.handleRequest(request);
+    // Pass auth from context if using auth middleware: { auth: c.get('auth') }
+    return transport.handleRequest(c.req.raw);
 });
 
 // Health check endpoint

src/experimental/fetch-streamable-http/fetchStreamableHttpServerTransport.test.ts

@@ -12,13 +12,11 @@ import {
     EventStore,
     EventId,
     StreamId,
-    AuthenticatedRequest,
     SessionStore,
     SessionState
 } from './fetchStreamableHttpServerTransport.js';
 import { McpServer } from '../../server/mcp.js';
 import { CallToolResult, JSONRPCMessage } from '../../types.js';
-import { AuthInfo } from '../../server/auth/types.js';
 import { zodTestMatrix, type ZodMatrixEntry } from '../../__fixtures__/zodTestMatrix.js';
 
 async function getFreePort() {
@@ -270,70 +268,6 @@ describe.each(zodTestMatrix)('$zodVersionLabel', (entry: ZodMatrixEntry) => {
                 const baseUrl = `http://127.0.0.1:${(server.address() as AddressInfo).port}`;
                 const webRequest = await nodeRequestToWebRequest(req, baseUrl);
 
-                // Handle with transport
-                const webResponse = await transport.handleRequest(webRequest as AuthenticatedRequest);
-
-                // Convert Web Standard Response to Node.js response
-                webResponseToNodeResponse(webResponse, res);
-            } catch (error) {
-                console.error('Error handling request:', error);
-                if (!res.headersSent) res.writeHead(500).end();
-            }
-        });
-
-        const baseUrl = await new Promise<URL>(resolve => {
-            // Use specified port or 0 for random port
-            server.listen(config.port ?? 0, '127.0.0.1', () => {
-                const addr = server.address() as AddressInfo;
-                resolve(new URL(`http://127.0.0.1:${addr.port}`));
-            });
-        });
-
-        return { server, transport, mcpServer, baseUrl };
-    }
-
-    /**
-     * Helper to create and start authenticated test HTTP server with MCP setup
-     */
-    async function createTestAuthServer(config: TestServerConfig = { sessionIdGenerator: () => crypto.randomUUID() }): Promise<{
-        server: Server;
-        transport: FetchStreamableHTTPServerTransport;
-        mcpServer: McpServer;
-        baseUrl: URL;
-    }> {
-        const mcpServer = new McpServer({ name: 'test-server', version: '1.0.0' }, { capabilities: { logging: {} } });
-
-        mcpServer.tool(
-            'profile',
-            'A user profile data tool',
-            { active: z.boolean().describe('Profile status') },
-            async ({ active }, { authInfo }): Promise<CallToolResult> => {
-                return { content: [{ type: 'text', text: `${active ? 'Active' : 'Inactive'} profile from token: ${authInfo?.token}!` }] };
-            }
-        );
-
-        const transport = new FetchStreamableHTTPServerTransport({
-            sessionIdGenerator: config.sessionIdGenerator,
-            enableJsonResponse: config.enableJsonResponse ?? false,
-            eventStore: config.eventStore,
-            onsessioninitialized: config.onsessioninitialized,
-            onsessionclosed: config.onsessionclosed
-        });
-
-        await mcpServer.connect(transport);
-
-        const server = createServer(async (req, res) => {
-            try {
-                // Convert Node.js request to Web Standard Request
-                const baseUrl = `http://127.0.0.1:${(server.address() as AddressInfo).port}`;
-                const webRequest = (await nodeRequestToWebRequest(req, baseUrl)) as AuthenticatedRequest;
-
-                // Add auth info from Authorization header
-                const authHeader = req.headers['authorization'];
-                if (authHeader?.startsWith('Bearer ')) {
-                    webRequest.auth = { token: authHeader.split(' ')[1] } as AuthInfo;
-                }
-
                 // Handle with transport
                 const webResponse = await transport.handleRequest(webRequest);
 
@@ -1058,105 +992,6 @@ describe.each(zodTestMatrix)('$zodVersionLabel', (entry: ZodMatrixEntry) => {
         });
     });
 
-    describe('FetchStreamableHTTPServerTransport with AuthInfo', () => {
-        let server: Server;
-        let transport: FetchStreamableHTTPServerTransport;
-        let baseUrl: URL;
-        let sessionId: string;
-
-        beforeEach(async () => {
-            const result = await createTestAuthServer();
-            server = result.server;
-            transport = result.transport;
-            baseUrl = result.baseUrl;
-        });
-
-        afterEach(async () => {
-            await stopTestServer({ server, transport });
-        });
-
-        async function initializeServer(): Promise<string> {
-            const response = await sendPostRequest(baseUrl, TEST_MESSAGES.initialize);
-
-            expect(response.status).toBe(200);
-            const newSessionId = response.headers.get('mcp-session-id');
-            expect(newSessionId).toBeDefined();
-            return newSessionId as string;
-        }
-
-        it('should call a tool with authInfo', async () => {
-            sessionId = await initializeServer();
-
-            const toolCallMessage: JSONRPCMessage = {
-                jsonrpc: '2.0',
-                method: 'tools/call',
-                params: {
-                    name: 'profile',
-                    arguments: { active: true }
-                },
-                id: 'call-1'
-            };
-
-            const response = await sendPostRequest(baseUrl, toolCallMessage, sessionId, { authorization: 'Bearer test-token' });
-            expect(response.status).toBe(200);
-
-            const text = await readSSEEvent(response);
-            const eventLines = text.split('\n');
-            const dataLine = eventLines.find(line => line.startsWith('data:'));
-            expect(dataLine).toBeDefined();
-
-            const eventData = JSON.parse(dataLine!.substring(5));
-            expect(eventData).toMatchObject({
-                jsonrpc: '2.0',
-                result: {
-                    content: [
-                        {
-                            type: 'text',
-                            text: 'Active profile from token: test-token!'
-                        }
-                    ]
-                },
-                id: 'call-1'
-            });
-        });
-
-        it('should calls tool without authInfo when it is optional', async () => {
-            sessionId = await initializeServer();
-
-            const toolCallMessage: JSONRPCMessage = {
-                jsonrpc: '2.0',
-                method: 'tools/call',
-                params: {
-                    name: 'profile',
-                    arguments: { active: false }
-                },
-                id: 'call-1'
-            };
-
-            const response = await sendPostRequest(baseUrl, toolCallMessage, sessionId);
-            expect(response.status).toBe(200);
-
-            const text = await readSSEEvent(response);
-            const eventLines = text.split('\n');
-            const dataLine = eventLines.find(line => line.startsWith('data:'));
-            expect(dataLine).toBeDefined();
-
-            const eventData = JSON.parse(dataLine!.substring(5));
-            expect(eventData).toMatchObject({
-                jsonrpc: '2.0',
-                result: {
-                    content: [
-                        {
-                            type: 'text',
-                            text: 'Inactive profile from token: undefined!'
-                        }
-                    ]
-                },
-                id: 'call-1'
-            });
-        });
-    });
-
     // Test JSON Response Mode
     describe('FetchStreamableHTTPServerTransport with JSON Response Mode', () => {
         let server: Server;

src/experimental/fetch-streamable-http/fetchStreamableHttpServerTransport.ts

@@ -22,7 +22,6 @@ import {
     SUPPORTED_PROTOCOL_VERSIONS,
     DEFAULT_NEGOTIATED_PROTOCOL_VERSION
 } from '../../types.js';
-import { AuthInfo } from '../../server/auth/types.js';
 
 export type StreamId = string;
 export type EventId = string;
@@ -229,13 +228,6 @@ export interface FetchStreamableHTTPServerTransportOptions {
     sessionStore?: SessionStore;
 }
 
-/**
- * Extended Request type that may include auth information
- */
-export interface AuthenticatedRequest extends Request {
-    auth?: AuthInfo;
-}
-
 /**
  * Server transport for Web Standards Streamable HTTP: this implements the MCP Streamable HTTP transport specification
  * using Web Standard APIs (Request, Response, TransformStream).
@@ -244,22 +236,19 @@ export interface AuthenticatedRequest extends Request {
  *
  * ```typescript
  * // Stateful mode - server sets the session ID
- * const statefulTransport = new WSStreamableHTTPServerTransport({
+ * const statefulTransport = new FetchStreamableHTTPServerTransport({
  *   sessionIdGenerator: () => crypto.randomUUID(),
  * });
  *
  * // Stateless mode - explicitly set session ID to undefined
- * const statelessTransport = new WSStreamableHTTPServerTransport({
+ * const statelessTransport = new FetchStreamableHTTPServerTransport({
  *   sessionIdGenerator: undefined,
  * });
  *
- * // Using with Hono.js
+ * // Hono.js usage
  * app.all('/mcp', async (c) => {
  *   return transport.handleRequest(c.req.raw);
  * });
- *
- * // Using with pre-parsed request body
- * const response = await transport.handleRequest(request, await request.json());
  * ```
  *
  * In stateful mode:
@@ -380,7 +369,7 @@ export class FetchStreamableHTTPServerTransport implements Transport {
      * Handles an incoming HTTP request, whether GET, POST, or DELETE
      * Returns a Response object (Web Standard)
      */
-    async handleRequest(req: AuthenticatedRequest, parsedBody?: unknown): Promise<Response> {
+    async handleRequest(req: Request): Promise<Response> {
         // Validate request headers for DNS rebinding protection
         const validationError = this.validateRequestHeaders(req);
         if (validationError) {
@@ -389,7 +378,7 @@ export class FetchStreamableHTTPServerTransport implements Transport {
 
         switch (req.method) {
             case 'POST':
-                return this.handlePostRequest(req, parsedBody);
+                return this.handlePostRequest(req);
             case 'GET':
                 return this.handleGetRequest(req);
             case 'DELETE':
@@ -627,7 +616,7 @@ export class FetchStreamableHTTPServerTransport implements Transport {
     /**
      * Handles POST requests containing JSON-RPC messages
      */
-    private async handlePostRequest(req: AuthenticatedRequest, parsedBody?: unknown): Promise<Response> {
+    private async handlePostRequest(req: Request): Promise<Response> {
         try {
             // Validate the Accept header
             const acceptHeader = req.headers.get('accept');
@@ -645,20 +634,15 @@ export class FetchStreamableHTTPServerTransport implements Transport {
                 return this.createJsonErrorResponse(415, -32000, 'Unsupported Media Type: Content-Type must be application/json');
             }
 
-            const authInfo: AuthInfo | undefined = req.auth;
             const requestInfo: RequestInfo = {
                 headers: Object.fromEntries(req.headers.entries())
             };
 
             let rawMessage;
-            if (parsedBody !== undefined) {
-                rawMessage = parsedBody;
-            } else {
-                try {
-                    rawMessage = await req.json();
-                } catch {
-                    return this.createJsonErrorResponse(400, -32700, 'Parse error: Invalid JSON');
-                }
+            try {
+                rawMessage = await req.json();
+            } catch {
+                return this.createJsonErrorResponse(400, -32700, 'Parse error: Invalid JSON');
             }
 
             let messages: JSONRPCMessage[];
@@ -726,7 +710,7 @@ export class FetchStreamableHTTPServerTransport implements Transport {
             if (!hasRequests) {
                 // if it only contains notifications or responses, return 202
                 for (const message of messages) {
-                    this.onmessage?.(message, { authInfo, requestInfo });
+                    this.onmessage?.(message, { requestInfo });
                 }
                 return new Response(null, { status: 202 });
             }
@@ -752,7 +736,7 @@ export class FetchStreamableHTTPServerTransport implements Transport {
                     }
 
                     for (const message of messages) {
-                        this.onmessage?.(message, { authInfo, requestInfo });
+                        this.onmessage?.(message, { requestInfo });
                     }
                 });
             }
@@ -819,7 +803,7 @@ export class FetchStreamableHTTPServerTransport implements Transport {
                     };
                 }
 
-                this.onmessage?.(message, { authInfo, requestInfo, closeSSEStream, closeStandaloneSSEStream });
+                this.onmessage?.(message, { requestInfo, closeSSEStream, closeStandaloneSSEStream });
             }
             // The server SHOULD NOT close the SSE stream before sending all JSON-RPC responses
             // This will be handled by the send() method when responses are ready

src/experimental/fetch-streamable-http/index.ts

@@ -13,7 +13,6 @@ export {
     type EventStore,
     type EventId,
     type StreamId,
-    type AuthenticatedRequest,
     type SessionStore,
     type SessionState
 } from './fetchStreamableHttpServerTransport.js';