mcpmw

package
v0.5.13 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 10, 2026 License: MIT Imports: 8 Imported by: 0

Documentation

Overview

Package mcpmw provides MCP-specific HTTP middleware: JSON-RPC envelope rewriting, Origin allowlist, and (in later versions) audit emitter wrapping.

Each middleware is a standard `func(http.Handler) http.Handler` so it composes with any HTTP framework that can wrap handlers.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Envelope

func Envelope(next http.Handler) http.Handler

Envelope rewrites plain-text HTTP error responses on the MCP transport into canonical JSON-RPC 2.0 error envelopes.

The Streamable HTTP handler from the upstream Go MCP SDK uses http.Error for protocol-level rejections (parse errors, unknown methods, missing params). Those escape the SDK as text/plain bodies that strict MCP clients (Inspector, Claude Code) misreport as transport-level failures rather than the actual JSON-RPC -326xx errors they really are.

Behaviour:

  • Only intercepts POST. Other methods pass through untouched.
  • Buffers the response in memory until the first byte (or end of handler). If the SDK starts streaming an SSE response (Content-Type: text/event-stream) or returns a non-error status (< 400), the buffered state is flushed verbatim and the writer falls back to pass-through — so successful streaming responses are unaffected.
  • For 4xx text/plain responses with a known SDK error prefix, rewrites them as a canonical JSON-RPC envelope with HTTP 200.
  • 401 / 403 / 404 / 415 / other transport-level codes pass through untouched so WWW-Authenticate, Origin enforcement, etc. survive.

The original SDK error message is preserved in the envelope's `error.data` field so callers can debug. Per MCP transport guidance, JSON-RPC error responses use HTTP 200; the JSON `error` object is the truth.

Originally extracted from vorrent/internal/mcpserver/jsonrpc_envelope.go.

func Origin

func Origin(cfg OriginConfig, next http.Handler) http.Handler

Origin enforces an allowlist on the Origin header. Empty origin (non-browser client) is allowed. Allowed origins pass through. Loopback origins pass through when AllowLoopback is true. Anything else is rejected with 403.

Types

type OriginConfig

type OriginConfig struct {
	// Allowed is the set of permitted Origin header values (exact match).
	// Empty means no browser clients are allowed (loopback may still be
	// permitted via AllowLoopback).
	Allowed []string

	// AllowLoopback permits Origin values that resolve to a loopback host
	// (127.0.0.0/8, ::1, or the literal "localhost"). Set true in dev.
	AllowLoopback bool

	// OnDeny, if set, is called instead of writing the default 403 response.
	// Use this to integrate with the consumer's error-envelope conventions.
	OnDeny func(w http.ResponseWriter, r *http.Request, origin string)
}

OriginConfig configures the Origin allowlist middleware.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL