mathias/gitea-mcp
1
0
Fork 0
Code Issues 6 Pull Requests Actions Packages Projects Releases Wiki Activity

fix(mcp): drop strict session-id requirement on POST /mcp
All checks were successful
CD / Lint / Test / Vet (push) Successful in 6s
Details
CD / Build & Import (push) Successful in 12s
Details
CD / Deploy via GitOps (push) Successful in 48s
Details

Browse Source 
The claude.ai connector's MCP transport proxy does not reliably
propagate the Mcp-Session-Id header issued during initialize. With the
previous strict gate (return 400 plain text "missing or invalid
Mcp-Session-Id"), every tools/list and tools/call from claude.ai
failed and the Anthropic proxy surfaced it as:

  Streamable HTTP error: {"jsonrpc":"2.0","id":N,"error":
    {"code":-32600,"message":"Anthropic Proxy: Invalid content from server"}}

— because the plain-text 400 response is not valid JSON-RPC.

All tools the gitea-mcp server exposes are stateless single-shot
calls, so there is no functional reason to gate them on a session.
brain-mcp and supervisor-mcp don't gate either, and claude.ai works
against them fine. Match that behavior: keep issuing Mcp-Session-Id
on initialize for clients that want to use it, but stop rejecting
calls that don't send one back.

Test renamed PostWithoutSessionRejected → PostWithoutSessionAccepted
and updated to assert the tools/list response shape.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Mathias
2026-05-12 14:57:52 +02:00
parent 7a53935a9e
commit 174669b9f6
2 changed files with 16 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
internal/mcp/server.go
View File

@@ -56,7 +56,6 @@ func (s *Server) handlePOST(w http.ResponseWriter, r *http.Request) {
return
}
// initialize is the only method allowed without a session.
if req.Method == "initialize" {
sid := s.opts.Sessions.Issue()
w.Header().Set("Mcp-Session-Id", sid)
@@ -68,11 +67,12 @@ func (s *Server) handlePOST(w http.ResponseWriter, r *http.Request) {
return
}
sid := r.Header.Get("Mcp-Session-Id")
if !s.opts.Sessions.Valid(sid) {
http.Error(w, "missing or invalid Mcp-Session-Id", http.StatusBadRequest)
return
}
// Mcp-Session-Id is advisory: we issue one on initialize and accept it back,
// but every tool the gitea-mcp server exposes is stateless single-shot, so
// we do not gate non-initialize calls on it. The claude.ai connector's
// transport proxy is observed to not propagate the session header reliably,
// and the spec allows servers to be sessionless. Compare with brain-mcp /
// supervisor-mcp, which never required a session at all.
switch req.Method {
case "tools/list":