[v1.x] fix(streamable-http): reject duplicate JSON-RPC ids with 409#2657
Open
truffle-dev wants to merge 1 commit into
Open
Conversation
The MCP base protocol requires that a request ID "MUST NOT have been previously used by the requestor within the same session". Before this change a duplicate POST silently overwrote the prior _request_streams entry, leaving the original in-flight request hanging forever. Mirror the existing GET_STREAM_KEY collision branch and return 409 Conflict, keeping the prior stream untouched. Closes modelcontextprotocol#2655
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #2655.
The MCP base protocol requires that a request ID "MUST NOT have been previously used by the requestor within the same session". Before this change a duplicate POST silently overwrote the prior
_request_streamsentry, leaving the original in-flight request hanging forever.Mirror the existing
GET_STREAM_KEYcollision branch (line 711) and return 409 Conflict, keeping the prior stream untouched.Repro
Same session, two POSTs with
id: 1. With the bug, the secondtools/calldisplaces the first request's stream; the first never resolves and times out client-side. With the fix, the second POST gets a 409 Conflict and the first stream is preserved.Test
Added
test_handle_post_rejects_duplicate_request_idexercising the new branch directly on the transport: seed_request_streams["1"]with a real in-flight pair, send a POST withid: 1, assert 409 +INVALID_REQUESTerror code + the in-flight pair is left in place.