mathias/gitea-mcp
1
0
Fork 0
Code Issues 6 Pull Requests Actions Packages Projects Releases Wiki Activity

fix(mcp): drop strict session-id requirement on POST /mcp
All checks were successful
CD / Lint / Test / Vet (push) Successful in 6s
Details
CD / Build & Import (push) Successful in 12s
Details
CD / Deploy via GitOps (push) Successful in 48s
Details

Browse Source 
The claude.ai connector's MCP transport proxy does not reliably
propagate the Mcp-Session-Id header issued during initialize. With the
previous strict gate (return 400 plain text "missing or invalid
Mcp-Session-Id"), every tools/list and tools/call from claude.ai
failed and the Anthropic proxy surfaced it as:

  Streamable HTTP error: {"jsonrpc":"2.0","id":N,"error":
    {"code":-32600,"message":"Anthropic Proxy: Invalid content from server"}}

— because the plain-text 400 response is not valid JSON-RPC.

All tools the gitea-mcp server exposes are stateless single-shot
calls, so there is no functional reason to gate them on a session.
brain-mcp and supervisor-mcp don't gate either, and claude.ai works
against them fine. Match that behavior: keep issuing Mcp-Session-Id
on initialize for clients that want to use it, but stop rejecting
calls that don't send one back.

Test renamed PostWithoutSessionRejected → PostWithoutSessionAccepted
and updated to assert the tools/list response shape.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Mathias
2026-05-12 14:57:52 +02:00
parent 7a53935a9e
commit 174669b9f6
2 changed files with 16 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
internal/mcp/server_test.go
View File

@@ -57,14 +57,22 @@ func TestInitialize(t *testing.T) {
assert.Equal(t, "gitea-mcp", si["name"])
}
func TestPostWithoutSessionRejected(t *testing.T) {
func TestPostWithoutSessionAccepted(t *testing.T) {
// gitea-mcp tools are stateless single-shot; Mcp-Session-Id is advisory.
// claude.ai's MCP transport proxy is observed to not propagate the
// session header reliably, so non-initialize calls must work without it.
srv := newServer(t)
rr := postJSON(t, srv, map[string]any{
"jsonrpc": "2.0",
"id": 2,
"method": "tools/list",
}, "")
require.Equal(t, http.StatusBadRequest, rr.Code)
require.Equal(t, http.StatusOK, rr.Code)
var resp map[string]any
require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &resp))
result := resp["result"].(map[string]any)
assert.Contains(t, result, "tools")
}
func TestServerWithOriginAllowlistRejectsBadOrigin(t *testing.T) {