-
Notifications
You must be signed in to change notification settings - Fork 3.7k
fix(streamable-http): return spec-mandated 405 for pre-session GET (Closes #3102) #3104
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -124,7 +124,8 @@ async def test_streamable_http_security_get_request() -> None: | |
| assert response.text == "Invalid Host header" | ||
|
|
||
| response = await client.get("/", headers={"Accept": "text/event-stream", "Host": "127.0.0.1"}) | ||
| # An allowed host passes security and fails on session validation instead. | ||
| assert response.status_code == 400 | ||
| # An allowed host passes security; a session-less GET the server cannot serve | ||
| # as an SSE stream then gets the spec-mandated 405 (not 400). | ||
| assert response.status_code == 405 | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. P2: The spec-mandated Prompt for AI agents |
||
| body = response.json() | ||
| assert "Missing session ID" in body["error"]["message"] | ||
| assert "Method Not Allowed" in body["error"]["message"] | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
P1: A normal pre-initialize SSE probe now creates and retains a stateful session even though it is rejected. The session manager allocates and starts a transport before this handler returns 405, and the prescribed follow-up POST has no session ID, so it creates a different transport; with the default no idle timeout, the probe transport stays in
_server_instancesforever. Consider rejecting session-less GET probes before allocating a stateful transport (or explicitly terminating/removing the newly allocated transport) so this handshake path cannot accumulate orphan sessions.Prompt for AI agents