feat: Verify MCP endpoints with authentication for Streamable HTTP transport, test for SSE transport#535
Draft
feat: Verify MCP endpoints with authentication for Streamable HTTP transport, test for SSE transport#535
Conversation
kpavlov
changed the title
kpavlov
force-pushed
the
kpavlov/auth-test
branch
from
d84c910 to
4fbc0ab
Compare
kpavlov
added
breaking
kpavlov
changed the title
kpavlov
changed the title
kpavlov
changed the title
kpavlov
force-pushed
the
kpavlov/auth-test
branch
2 times, most recently
from
a714c63 to
7c93a68
Compare
- Introduced `SseAuthenticationTest`, demonstrating how to protect MCP endpoints with authentication.
- Move `TransportManager` to separate file and generalize. - Refactored `mcpStreamableHttp` and `mcpStatelessStreamableHttp` to use config object. - Added integration tests (`KtorStreamableHttpExtensionsTest`) to validate route registrations, subpath handling, and sibling route isolation. fix: Correct Ktor external documentation link and update KDoc references - Updated external documentation link from `ktor-client` to `ktor` in Dokka configuration. - Replaced KDoc references to `io.ktor.server.auth.authenticate` with `Route.authenticate` for consistency.
- Removed `AbstractKtorExtensionsTest` and migrated its helpers to `TestHelpers.kt` for better reuse. - Added new test cases for route and application-level MCP extensions, ensuring default and custom paths work as intended. - Enabled parallel test execution via `junit-platform.properties`. - Updated (reduced) detekt baselines to reflect changes in test structure and layout.
kpavlov
force-pushed
the
kpavlov/auth-test
branch
from
6d62199 to
a1d18ec
Compare
devcrocod
reviewed
Feb 19, 2026
Comment on lines
+119
to
+120
| config: McpStreamableHttpConfig.() -> Unit = {}, | ||
| serverFactory: RoutingContext.() -> Server, |
Contributor
There was a problem hiding this comment.
This is not the best API design
there are two lambda parameters in a row
and the second one has a default value while the third doesn't
Contributor
Author
There was a problem hiding this comment.
The exploded parameter list was not better either. Not scalable and requires hard changes to the api shape.
Let's keep it simpler then:
Suggested change
| config: McpStreamableHttpConfig.() -> Unit = {}, | |
| serverFactory: RoutingContext.() -> Server, | |
| config: McpStreamableHttpConfig, | |
| serverFactory: RoutingContext.() -> Server, |
…rver setup into reusable methods
aozherelyeva
force-pushed
the
kpavlov/auth-test
branch
from
09aeddb to
c51b6a8
Compare
kpavlov
changed the title
9 tasks
aozherelyeva
approved these changes
Feb 24, 2026
Collaborator
aozherelyeva
left a comment
aozherelyeva
left a comment
There was a problem hiding this comment.
LGTM, didn't think of other checks for now. Thanks!
kpavlov
added a commit
that referenced
this pull request
Feb 26, 2026
## Introduce Configuration class for StreamableHttpServerTransport Replace the six-parameter flat constructor of `StreamableHttpServerTransport` with a typed `Configuration` class. This improves API ergonomics, enables structural equality and copy(), and provides a stable extension point for future options without further breaking the constructor signature. ### Changes: - Add `Configuration` as a public class nested directly on `StreamableHttpServerTransport`, with `enableJsonResponse` as the first parameter (most commonly set) - Change the primary constructor to accept `Configuration`. - Rename `retryIntervalMillis: Long?` to `retryInterval: Duration?` in Configuration, aligning with Kotlin's type-safe time API - Deprecate the old flat constructor with a compatibility bridge - Update KotlinTestBase integration test to use the new constructor - Enable test AbstractResourceIntegrationTest.testSubscribeAndUnsubscribe() since #249 is closed ## Motivation and Context The current StreamableHttpServerTransport API cannot be easily extended: adding more parameters would be a breaking change. But this is already needed for #521. This PR is a prerequisite for #535 ## How Has This Been Tested? Regression tests ## Breaking Changes No. Current StreamableHttpServerTransport constructor was deprecated ## Types of changes <!-- What types of changes does your code introduce? Put an `x` in all the boxes that apply: --> - [ ] Bug fix (non-breaking change which fixes an issue) - [x] New feature (non-breaking change which adds functionality) - [ ] Breaking change (fix or feature that would cause existing functionality to change) - [ ] Documentation update ## Checklist <!-- Go over all the following points, and put an `x` in all the boxes that apply. --> - [x] I have read the [MCP Documentation](https://modelcontextprotocol.io) - [x] My code follows the repository's style guidelines - [x] New and existing tests pass locally - [ ] I have added appropriate error handling - [ ] I have added or updated documentation as needed
61 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Verify/fix MCP endpoint with Ktor authentication for SSE and Streamable-HTTP
TransportManagerto a separate file and generalize.mcpStreamableHttpandmcpStatelessStreamableHttpextensions to use the config object instead of too many parameters. This change unblocks Support configuration of the max request payload size for Streamable HTTP impl #521KtorStreamableHttpExtensionsTest) to validate route registrations, subpath handling, and sibling route isolation.Motivation and Context
To demonstrate and verify Ktor authentication in action, I provided an example. However, it revealed that StreamableHttp transport isn’t fully supported. Consequently, missing extensions were implemented and method signatures were refactored.
How Has This Been Tested?
Unit and integration tests
Breaking Changes
Only the new API was modified.
Types of changes
Checklist
Additional context
#521