[BUG]: Non-standard redirect handling in _validate_gateway_url

[jonpspri]

Description

The _validate_gateway_url method in mcpgateway/services/gateway_service.py (lines 357-407) has non-standard redirect handling for STREAMABLEHTTP transport that may cause confusion and maintenance issues.

Current Behavior

When transport_type="STREAMABLEHTTP", the validation logic:

1. Makes a GET request to the gateway URL
2. Checks for a location header in the response (regardless of HTTP status code)
3. If a location header is present, treats it as a redirect and makes a second request to that URL
4. Validates the redirected response has mcp-session-id header and application/json content-type

Code Reference

This block occurs after the function has already made an initial request. Notice that if there is no response, the if logic falls through and the verification eventually returns False.

if transport_type == "STREAMABLEHTTP":
    if location:
        async with validation_client.client.stream("GET", location, headers=headers, timeout=timeout) as response_redirect:
            response_headers = dict(response_redirect.headers)
            mcp_session_id = response_headers.get("mcp-session-id")
            content_type = response_headers.get("content-type")
            if response_redirect.status_code in (401, 403):
                logger.debug(f"Authentication failed at redirect location {location}")
                return False
            if mcp_session_id is not None and mcp_session_id != "":
                if content_type is not None and content_type != "" and "application/json" in content_type:
                    return True

Issues

1. Non-standard HTTP behavior: The code treats any response with a location header as a redirect, without checking for proper 3xx status codes (301, 302, 307, 308, etc.)

2. Undocumented protocol: Is this "200 OK with location header" pattern documented in the MCP specification or StreamableHTTP protocol? If not, it creates confusion about expected server behavior.

3. Reinventing redirect handling: httpx library already has robust redirect-following capabilities that handle:

   • Proper 3xx status code checking
   • Redirect loop detection
   • Maximum redirect limits
   • Preservation of request methods and bodies per RFC standards

Questions

1. Is the requirement for a 200 HTTP response with a "location" header part of a documented standard for StreamableHTTP?
2. If this is custom behavior specific to this implementation, should it be documented?

Recommendation

If this isn't a documented standard, consider:

1. Use httpx's built-in redirect handling:

   validation_client = ResilientHttpClient(
       client_args={
           "timeout": settings.gateway_validation_timeout,
           "verify": not settings.skip_ssl_verify,
           "follow_redirects": True,  # Let httpx handle redirects properly
           "max_redirects": 5
       }
   )

2. Simplify the validation logic to check final response attributes after httpx has followed any proper HTTP redirects

3. Document the expected behavior if the current "location header without 3xx status" pattern is intentional

Impact

• Confusion for developers implementing MCP gateway servers
• Potential incompatibility with standard HTTP redirect behavior
• Maintenance burden of custom redirect logic
• Test complexity (as evidenced by the recent test refactoring in PR #XXX)

Environment

• Component: mcpgateway/services/gateway_service.py
• Method: _validate_gateway_url (lines 357-407)
• Transport: STREAMABLEHTTP

[baustin27]

Workaround Confirmed: Transport Type Must Be Explicitly Specified

I've successfully worked around this issue and can confirm the root cause affects real-world MCP server registration.

The Problem in Practice

When attempting to register Streamable HTTP MCP servers (tested with Archon MCP and BookStack MCP), registration fails with:

• "Failed to initialize gateway"
• "Unable to connect to gateway"

Root Cause: ContextForge defaults to SSE transport when the transport field is omitted from the registration payload. This causes the validation method to send GET requests (SSE behavior) to servers that only accept POST requests (Streamable HTTP spec).

The Workaround

Registration must explicitly specify the transport type:

curl -X POST http://localhost:4444/gateways \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name":"archon","url":"http://archon-mcp:8051/mcp","transport":"STREAMABLEHTTP"}'

❌ Without explicit transport (defaults to SSE):

🔍 Starting SSE validation for http://archon-mcp:8051/mcp
📥 SSE response: status=406  ← Server rejects GET request
❌ GatewayConnectionError: Failed to initialize gateway

✅ With explicit transport="STREAMABLEHTTP":

🔍 Starting Streamable HTTP validation for http://archon-mcp:8051/mcp
📤 Sending initialize request to http://archon-mcp:8051/mcp
📥 Received response: status=200
📄 Response keys: ['jsonrpc', 'result', 'id']
✅ Streamable HTTP validation successful

Enhanced Validation Logging

To aid debugging, I enhanced the _validate_gateway_url method with INFO-level logging (emoji icons for easy scanning):

async def _validate_gateway_url(self, url: str, headers: dict, transport_type: str, timeout: Optional[int] = None):
    if transport_type == "STREAMABLEHTTP":
        logger.info(f"🔍 Starting Streamable HTTP validation for {url}")

        initialize_request = {
            "jsonrpc": "2.0", "id": 1, "method": "initialize",
            "params": {
                "protocolVersion": "2024-11-05",
                "capabilities": {},
                "clientInfo": {"name": "contextforge-gateway", "version": "0.8.0"}
            }
        }

        request_headers = {**headers, "Accept": "application/json, text/event-stream", "Content-Type": "application/json"}
        logger.info(f"📤 Sending initialize request to {url}")

        try:
            response = await validation_client.client.post(url, json=initialize_request, headers=request_headers, timeout=timeout)
            logger.info(f"📥 Received response from {url}: status={response.status_code}")

            if response.status_code == 200:
                try:
                    response_data = response.json()
                    logger.info(f"📄 Response keys: {list(response_data.keys())}")

                    if "jsonrpc" in response_data and "result" in response_data:
                        logger.info(f"✅ Streamable HTTP validation successful for {url}")
                        return True
                    else:
                        logger.info(f"❌ Missing JSON-RPC fields from {url}")
                        return False
                except Exception as e:
                    logger.info(f"❌ Failed to parse JSON from {url}: {e}")
                    return False
        except httpx.TimeoutException:
            logger.info(f"⏱️  Timeout validating {url}")
            return False
        except httpx.ConnectError:
            logger.info(f"🔌 Connection error validating {url}")
            return False

Test Results

✅ Archon MCP Server - Fully working with explicit transport="STREAMABLEHTTP":

• Registration: SUCCESS
• Validation: SUCCESS
• 14 tools successfully enumerated and accessible

Recommendations

1. Documentation: Add clear guidance that transport field must be specified for Streamable HTTP servers

2. Better error messages: When validation fails with HTTP 406, suggest checking transport type

3. Auto-detection (optional): Attempt POST first, fall back to GET:

   # Try Streamable HTTP (POST)
   if await validate_streamablehttp(url):
       return "STREAMABLEHTTP"
   # Fall back to SSE (GET)
   elif await validate_sse(url):
       return "SSE"

4. UI improvements: Make transport type selection prominent in gateway creation UI

Related Files

Full documentation of the fix and enhanced validation method available at:

• Debug process: CONTEXTFORGE_DEBUG_STATE.md
• Complete fix guide: CONTEXTFORGE_FIX_COMPLETE.md

This workaround unblocks Streamable HTTP MCP server registration until a proper fix is implemented.

[rakdutta]

closed by PR #1444 and PR #1425