Closed
Description
Tools can be invoked without initialization -- the mcp-session-id is not checked.
For example, the following invokes the time tool, rather than returning 404 for invalid sessionID:
```bash
curl -v localhost:8081/mcp \
  -H "mcp-session-id: mcp-session-ffffffff-ffff-ffff-ffff-ffffffffffff" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json, text/event-stream" \
  --data '
{
  "jsonrpc": "2.0",
  "id": 1,
  "method": "tools/call",
  "params": {
    "name": "time"
  }
}
'
```

(From looking at the source code, perhaps I was supposed to use server.WithSessionIdManager(mgr) in my call to server.NewMCPServer(), but it wasn't obvious that none of the provided implementations check for a valid session.)
Code Sample
This is the minimal server I tested with:
```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"time"

	"github.com/mark3labs/mcp-go/mcp"
	"github.com/mark3labs/mcp-go/server"
)

func main() {
	s := server.NewMCPServer("MyMcpClock", "0.0.1", server.WithToolCapabilities(true))
	s.AddTools(server.ServerTool{
		Tool: mcp.NewTool("time", mcp.WithDescription("Get the current time")),
		Handler: func(_ context.Context, _ mcp.CallToolRequest) (*mcp.CallToolResult, error) {
			return mcp.NewToolResultText(time.Now().String()), nil
		},
	})
	mux := http.NewServeMux()
	httpServer := &http.Server{
		Addr:    ":8081",
		Handler: mux,
	}
	streamableHTTPServer := server.NewStreamableHTTPServer(
		s,
		server.WithStreamableHTTPServer(httpServer),
	)
	mux.Handle("/mcp", streamableHTTPServer)
	err := streamableHTTPServer.Start(":8081")
	fmt.Printf("Err = %v\n", err)
}
```

Environment
- Go version (see go.mod): go 1.25.0
- mcp-go version (see go.mod): v0.39.1
- Any other relevant environment details: MacOS
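
The check the report expected, sketched as an added example (not code from the issue or from mcp-go): a standard-library wrapper that answers 404 to any `Mcp-Session-Id` the wrapped handler never issued. `sessionGate`, `recorder` and `isInitialize` are hypothetical names; it assumes the session ID is issued in the response header of the `initialize` reply, and that every other request without an ID should get 400.

```go
package main

import (
	"bytes"
	"encoding/json"
	"io"
	"net/http"
	"sync"
)

// recorder stores the Mcp-Session-Id the wrapped handler sets, before it is sent.
type recorder struct {
	http.ResponseWriter
	issued *sync.Map
}
func (r *recorder) note() {
	if id := r.Header().Get("Mcp-Session-Id"); id != "" {
		r.issued.Store(id, true)
	}
}
func (r *recorder) WriteHeader(c int)           { r.note(); r.ResponseWriter.WriteHeader(c) }
func (r *recorder) Write(b []byte) (int, error) { r.note(); return r.ResponseWriter.Write(b) }
func (r *recorder) Flush()                      { _ = http.NewResponseController(r.ResponseWriter).Flush() }

func isInitialize(req *http.Request) bool {
	body, _ := io.ReadAll(io.LimitReader(req.Body, 1<<20)) // peek at the JSON-RPC method
	req.Body = io.NopCloser(bytes.NewReader(body))         // restore it for the wrapped handler
	var msg struct{ Method string `json:"method"` }
	return json.Unmarshal(body, &msg) == nil && msg.Method == "initialize"
}

// sessionGate (hypothetical helper, not mcp-go API) rejects IDs that next never issued.
func sessionGate(next http.Handler) http.Handler {
	issued := new(sync.Map)
	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		id := req.Header.Get("Mcp-Session-Id")
		if _, known := issued.Load(id); id != "" && !known {
			http.Error(w, "unknown session", http.StatusNotFound) // the request from the issue
		} else if id == "" && !isInitialize(req) {
			http.Error(w, "session required", http.StatusBadRequest)
		} else {
			next.ServeHTTP(&recorder{w, issued}, req)
		}
	})
}

func main() { // constructed stand-in for the issue's streamableHTTPServer
	inner := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { io.WriteString(w, "tool ran\n") })
	http.ListenAndServe("localhost:8081", sessionGate(inner))
}
```

The gate never expires IDs, so a session ended with DELETE stays accepted until restart; a production version would also drop the ID on termination.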