Skip to content

fix: create fresh Server per request in auth test helpers #141

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
pcarleton merged 1 commit into from
Feb 10, 2026
Merged

fix: create fresh Server per request in auth test helpers #141

pcarleton merged 1 commit into from
Feb 10, 2026
+61 −47

Conversation

@felixweinberger
Copy link
Contributor

@felixweinberger felixweinberger commented Feb 10, 2026

Fixes auth test server and no-dns-rebinding-protection example reusing a single Server instance across requests, which breaks with SDK v1.26.0's security fix (GHSA-345p-7cg4-v4c7).

Motivation and Context

SDK v1.26.0 added a runtime guard that throws "Already connected to a transport" when Protocol.connect() is called on an already-connected server. The auth test helper (createServer.ts) and the no-dns-rebinding-protection.ts example both created a single Server/McpServer at module scope and called connect() per request, triggering this guard.

How Has This Been Tested?

Ran the v1.x client conformance tests with this fix installed locally — tools_call scenario now passes (was failing with "Already connected" error).

Breaking Changes

None — internal test infrastructure only.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling

@felixweinberger @claude
fix: create fresh Server per request in auth test helpers
ba02a1a 
The auth test server helper and no-dns-rebinding-protection example
reused a single Server instance across requests, calling connect()
on each new transport. SDK v1.26.0's security fix (GHSA-345p-7cg4-v4c7)
now throws "Already connected to a transport" in this case.

Fix by wrapping Server creation in a factory function called per
request, matching the pattern already used by tools_call.ts and
everything-server.ts.

Also updates no-dns-rebinding-protection.ts to use registerTool()
instead of the deprecated tool() API.

Co-Authored-By: Claude Opus 4.6 <[email protected]>
@pkg-pr-new
Copy link

pkg-pr-new bot commented Feb 10, 2026

Open in StackBlitz

npx https://pkg.pr.new/modelcontextprotocol/conformance/@modelcontextprotocol/conformance@141

commit: ba02a1a

@felixweinberger felixweinberger mentioned this pull request Feb 10, 2026
Merged
6 tasks
@felixweinberger felixweinberger marked this pull request as ready for review February 10, 2026 19:15
@pcarleton pcarleton merged commit 37225ce into main Feb 10, 2026
8 checks passed
@pcarleton pcarleton deleted the fweinberger/fix-server-reuse branch February 10, 2026 19:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pcarleton pcarleton pcarleton approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@felixweinberger @pcarleton