Skip to content

Fix SSE endpoint accepting POST requests instead of returning 405 #1953

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jlowin merged 2 commits into from
Sep 30, 2025
Merged

Fix SSE endpoint accepting POST requests instead of returning 405 #1953

jlowin merged 2 commits into from
Sep 30, 2025

Conversation

@jlowin
Copy link
Owner

@jlowin jlowin commented Sep 29, 2025
edited
Loading

Fixes #1903

Problem

After d36ea42, the SSE endpoint (/sse) started accepting POST requests and returning 200 OK instead of rejecting them with 405 Method Not Allowed. This expected MCP semantics and caused clients (like Claude Desktop) to stop their search and not communicate with the "correct" SSE endpoint via a GET request.

The refactoring centralized MCP endpoint route creation in AuthProvider.get_routes(), but didn't specify HTTP methods, causing routes to accept all methods by default.

Solution

Separated responsibilities clearly:

  • Auth providers (get_routes()) return only their own routes (OAuth endpoints, metadata)
  • Transport layer (http.py) creates the protected MCP endpoint routes with correct methods:
    • SSE: methods=["GET"] only
    • Streamable HTTP: no method restriction (as before)

This preserves the original behavior while fixing the bug.

@jlowin
Fix SSE endpoint accepting POST requests instead of returning 405
02822e9 
Commit d36ea42 centralized MCP endpoint route creation in auth providers,
but didn't specify HTTP methods. This caused the SSE endpoint to accept all
methods instead of only GET, breaking proper HTTP semantics.

Split responsibilities: auth providers return their own routes (OAuth, metadata),
while the transport layer creates protected MCP endpoint routes with correct methods.

Closes #1903
@marvin-context-protocol marvin-context-protocol bot added bug Something isn't working. Reports of errors, unexpected behavior, or broken functionality. server Related to FastMCP server implementation or server-side functionality. http Related to HTTP transport, networking, or web server functionality. labels Sep 29, 2025
@jlowin jlowin merged commit d9fe373 into main Sep 30, 2025
8 checks passed
@jlowin jlowin deleted the fix/sse-post-405 branch September 30, 2025 00:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

bug Something isn't working. Reports of errors, unexpected behavior, or broken functionality. http Related to HTTP transport, networking, or web server functionality. server Related to FastMCP server implementation or server-side functionality.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Regression in SSE transport introduced in 2.12.1

2 participants

@jlowin