From 3e81ec45a8ebd3bd4385cbe0ddb4ba4e6af15e69 Mon Sep 17 00:00:00 2001
From: Jerome
Date: Tue, 19 Aug 2025 20:07:19 +0100
Subject: [PATCH 1/3] Add splash page for MCP Everything Server
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Implemented a clean, informative splash page at the root endpoint that showcases:
- Server features and capabilities
- API endpoints documentation
- Links to GitHub repository and MCP documentation
- Black and white theme matching MCP branding
- Responsive design for mobile and desktop
The splash page provides users with an immediate overview of the server's functionality and serves as a landing page for the MCP Everything Server.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude
---
 src/index.ts | 6 +
 src/static/index.html | 280 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 286 insertions(+)
 create mode 100644 src/static/index.html
diff --git a/src/index.ts b/src/index.ts
index cb8c1b2..d06fe9d 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -167,6 +167,12 @@ app.get("/mcp-logo.png", (req, res) => {
 res.sendFile(logoPath);
 });
 
+// Splash page
+app.get("/", (req, res) => {
+ const splashPath = path.join(__dirname, "static", "index.html");
+ res.sendFile(splashPath);
+});
+
 // Upstream auth routes
 app.get("/fakeupstreamauth/authorize", cors(corsOptions), handleFakeAuthorize);
 app.get("/fakeupstreamauth/callback", cors(corsOptions), handleFakeAuthorizeRedirect);
diff --git a/src/static/index.html b/src/static/index.html
new file mode 100644
index 0000000..acbfd37
--- /dev/null
+++ b/src/static/index.html
@@ -0,0 +1,280 @@
+ + + + + + MCP Everything Server + + + +
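Review bot: `res.sendFile(splashPath)` in the new `/` handler has no error callback, so a missing or unreadable `static/index.html` falls through to Express's default error handler, which outside production mode can put the stack trace and absolute paths in the response. `__dirname` is derived from the running module, and whether the build copies `src/static/` next to the compiled output is not visible in this patch, so that failure may be easy to hit after a fresh build. Passing a callback keeps the failure generic: `res.sendFile(splashPath, (err) => { if (err && !res.headersSent) res.status(404).end(); });`.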
+
+ +

MCP Everything Server

+
+ +

+ A comprehensive reference implementation of the Model Context Protocol (MCP) server + demonstrating all protocol features with full authentication support and horizontal scalability. +

+ +
+
+

Complete MCP Support

+

All MCP features including tools, resources, prompts, sampling, completions, and logging with full protocol compliance.

+
+
+

Multiple Transports

+

Streamable HTTP (SHTTP) and Server-Sent Events (SSE) transports for flexible client integration.

+
+
+

OAuth 2.0 Authentication

+

Complete OAuth flow with PKCE support and a built-in fake provider for testing and development.

+
+
+

Horizontal Scalability

+

Redis-backed session management enables multi-instance deployments with automatic load distribution.

+
+
+

7 Demo Tools

+

Echo, add, long-running operations, LLM sampling, image handling, annotations, and resource references.

+
+
+

100+ Resources

+

Example resources with pagination, templates, subscriptions, and real-time update notifications.

+
+
+ +
+

API Endpoints

+
+
+ POST + /mcp - Initialize sessions or send messages (Streamable HTTP) +
+
+ GET + /mcp - Establish SSE streams (Streamable HTTP) +
+
+ DELETE + /mcp - Terminate sessions (Streamable HTTP) +
+
+ GET + /sse - Legacy SSE transport endpoint +
+
+ POST + /message - Legacy message endpoint for SSE transport +
+
+
+ + +
+ + + +
\ No newline at end of file
From 9df5df3218c7b6671578c5a522751a0f033958a0 Mon Sep 17 00:00:00 2001
From: Jerome
Date: Fri, 22 Aug 2025 16:39:11 +0100
Subject: [PATCH 2/3] Potential fix for code scanning alert no. 5: Missing rate limiting
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 package.json | 3 ++-
 src/index.ts | 10 +++++++++-
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/package.json b/package.json
index 793ab33..6e83d5d 100644
--- a/package.json
+++ b/package.json
@@ -32,7 +32,8 @@
 "cors": "^2.8.5",
 "dotenv": "^16.4.7",
 "express": "^4.21.2",
- "raw-body": "^3.0.0"
+ "raw-body": "^3.0.0",
+ "express-rate-limit": "^8.0.1"
 },
 "overrides": {
 "@types/express": "^5.0.0",
diff --git a/src/index.ts b/src/index.ts
index d06fe9d..e34accb 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -2,6 +2,7 @@ import { BearerAuthMiddlewareOptions, requireBearerAuth } from "@modelcontextpro
 import { AuthRouterOptions, getOAuthProtectedResourceMetadataUrl, mcpAuthRouter } from "@modelcontextprotocol/sdk/server/auth/router.js";
 import cors from "cors";
 import express from "express";
+import rateLimit from "express-rate-limit";
 import path from "path";
 import { fileURLToPath } from "url";
 import { EverythingAuthProvider } from "./auth/provider.js";
@@ -15,6 +16,13 @@ import { logger } from "./utils/logger.js";
 
 const app = express();
 
+// Rate limiter for splash page
+const splashLimiter = rateLimit({
+ windowMs: 15 * 60 * 1000, // 15 minutes
+ max: 100, // limit each IP to 100 requests per windowMs
+ standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers
+ legacyHeaders: false, // Disable the `X-RateLimit-*` headers
+});
 // Get the directory of the current module
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
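Review bot: `splashLimiter` relies on the library defaults for client identification and storage, so it keys on `req.ip` and counts in process memory. If the server runs behind a proxy or load balancer without an Express `trust proxy` setting (none is visible in this hunk), every client shares the proxy's address and a single bucket of 100 requests, and in a multi-instance deployment each instance keeps its own count. Consider `app.set("trust proxy", 1)` with the hop count matched to the deployment, plus a shared store if the limit must hold across instances. Two smaller points: current express-rate-limit releases name the option `limit` (`max` is kept for backward compatibility), and a blank line is missing between `});` and `// Get the directory of the current module`.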
@@ -168,7 +176,7 @@ app.get("/mcp-logo.png", (req, res) => {
 });
 
 // Splash page
-app.get("/", (req, res) => {
+app.get("/", splashLimiter, (req, res) => {
 const splashPath = path.join(__dirname, "static", "index.html");
 res.sendFile(splashPath);
 });
From 6c4b45d0f35d675742e7b0e591dc295583a51b44 Mon Sep 17 00:00:00 2001
From: Jerome
Date: Fri, 22 Aug 2025 21:52:20 +0100
Subject: [PATCH 3/3] Fix package-lock.json sync issue with express-rate-limit@8.0.1
---
 package-lock.json | 36 ++++++++++++++++++++++++++++++++----
 1 file changed, 32 insertions(+), 4 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index 0eb858d..e798391 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -13,6 +13,7 @@ "cors": "^2.8.5", "dotenv": "^16.4.7", "express": "^4.21.2", + "express-rate-limit": "^8.0.1", "raw-body": "^3.0.0" }, "devDependencies": {
@@ -1763,6 +1764,21 @@ "url": "https://opencollective.com/express" } }, + "node_modules/@modelcontextprotocol/sdk/node_modules/express-rate-limit": { + "version": "7.5.1", + "resolved": "https://artifactory.infra.ant.dev:443/artifactory/api/npm/npm-all/express-rate-limit/-/express-rate-limit-7.5.1.tgz", + "integrity": "sha512-7iN8iPMDzOMHPUYllBEsQdWVB6fPDMPqwjBaFrgr4Jgr/+okjvzAy+UHlYYL/Vs0OsOrMkwS6PJDkFlJwoxUnw==", + "license": "MIT", + "engines": { + "node": ">= 16" + }, + "funding": { + "url": "https://github.com/sponsors/express-rate-limit" + }, + "peerDependencies": { + "express": ">= 4.11" + } + }, "node_modules/@modelcontextprotocol/sdk/node_modules/finalhandler": { "version": "2.1.0", "resolved": "https://registry.npmjs.org/finalhandler/-/finalhandler-2.1.0.tgz",
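Review bot: Only the `/` route gets `splashLimiter`; the `/mcp-logo.png` handler directly above (named in this hunk's header, its body lies outside the hunk) also serves a file with `res.sendFile` and stays unlimited, so the file-system-access finding this commit answers still applies there. Add the middleware to that route as well, `app.get("/mcp-logo.png", splashLimiter, (req, res) => {`, or mount one limiter for all static assets. If the splash page loads the logo, a shared limiter would spend two requests per page view, so the 100-request budget may need adjusting.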
@@ -3755,10 +3771,13 @@ } }, "node_modules/express-rate-limit": { - "version": "7.5.0", - "resolved": "https://registry.npmjs.org/express-rate-limit/-/express-rate-limit-7.5.0.tgz", - "integrity": "sha512-eB5zbQh5h+VenMPM3fh+nw1YExi5nMr6HUCR62ELSP11huvxm/Uir1H1QEyTkk5QX6A58pX6NmaTMceKZ0Eodg==", + "version": "8.0.1", + "resolved": "https://artifactory.infra.ant.dev:443/artifactory/api/npm/npm-all/express-rate-limit/-/express-rate-limit-8.0.1.tgz", + "integrity": "sha512-aZVCnybn7TVmxO4BtlmnvX+nuz8qHW124KKJ8dumsBsmv5ZLxE0pYu7S2nwyRBGHHCAzdmnGyrc5U/rksSPO7Q==", "license": "MIT", + "dependencies": { + "ip-address": "10.0.1" + }, "engines": { "node": ">= 16" }, @@ -3766,7 +3785,7 @@ "url": "https://github.com/sponsors/express-rate-limit" }, "peerDependencies": { - "express": "^4.11 || 5 || ^5.0.0-beta.1" + "express": ">= 4.11" } }, "node_modules/express/node_modules/debug": { @@ -4371,6 +4390,15 @@ "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==", "license": "ISC" }, + "node_modules/ip-address": { + "version": "10.0.1", + "resolved": "https://artifactory.infra.ant.dev:443/artifactory/api/npm/npm-all/ip-address/-/ip-address-10.0.1.tgz", + "integrity": "sha512-NWv9YLW4PoW2B7xtzaS3NCot75m6nK7Icdv0o3lfMceJVRfSoQwqD4wEH5rLwoKJwUiZ/rfpiVBhnaF0FK4HoA==", + "license": "MIT", + "engines": { + "node": ">= 12" + } + }, "node_modules/ipaddr.js": { "version": "1.9.1", "resolved": "https://registry.npmjs.org/ipaddr.js/-/ipaddr.js-1.9.1.tgz",