pmcp 2.2.0

High-quality Rust SDK for Model Context Protocol (MCP) with full TypeScript SDK compatibility
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157

//! Axum Router convenience function for MCP servers.
//!
//! Provides [`router()`] and [`router_with_config()`] that return a
//! fully-configured [`axum::Router`] with DNS rebinding protection,
//! security response headers, and origin-locked CORS applied as Tower
//! Layers.
//!
//! # Example
//!
//! ```rust,no_run
//! use pmcp::server::axum_router::{router, AllowedOrigins, RouterConfig};
//! use std::sync::Arc;
//!
//! # async fn example() -> Result<(), Box<dyn std::error::Error>> {
//! let server = pmcp::Server::builder()
//!     .name("my-server")
//!     .version("1.0.0")
//!     .build()?;
//!
//! let server = Arc::new(tokio::sync::Mutex::new(server));
//!
//! // One-liner: secure MCP server with localhost protection
//! let app = router(server.clone());
//!
//! let listener = tokio::net::TcpListener::bind("127.0.0.1:8080").await?;
//! axum::serve(listener, app).await?;
//! # Ok(())
//! # }
//! ```

use crate::server::streamable_http_server::{
    build_mcp_router, make_server_state, StreamableHttpServerConfig,
};
use crate::server::tower_layers::{DnsRebindingLayer, SecurityHeadersLayer};
use crate::server::Server;
use axum::Router;
use std::sync::Arc;

// Re-export for convenience so users can import from pmcp::axum::*
pub use crate::server::tower_layers::AllowedOrigins;

/// Configuration for the MCP Axum Router.
///
/// Controls allowed origins, security headers, and underlying streamable
/// HTTP settings (sessions, middleware, etc.).
#[derive(Debug, Default)]
pub struct RouterConfig {
    /// Allowed origins for DNS rebinding protection and CORS.
    /// Defaults to localhost aliases when `None`.
    pub allowed_origins: Option<AllowedOrigins>,
    /// Security headers configuration. Defaults to all enabled.
    pub security_headers: SecurityHeadersLayer,
    /// Streamable HTTP server configuration (sessions, middleware, etc.)
    pub server_config: StreamableHttpServerConfig,
}

/// Create a secure MCP Axum Router with default localhost protection.
///
/// Returns an [`axum::Router`] with:
/// - DNS rebinding protection (Host + Origin validation)
/// - Security response headers (nosniff, DENY, no-store)
/// - Origin-locked CORS (no wildcard `*`)
///
/// Bind a listener and serve:
///
/// ```rust,no_run
/// # async fn example(app: axum::Router) {
/// let listener = tokio::net::TcpListener::bind("127.0.0.1:8080").await.unwrap();
/// axum::serve(listener, app).await.unwrap();
/// # }
/// ```
pub fn router(server: Arc<tokio::sync::Mutex<Server>>) -> Router {
    router_with_config(server, RouterConfig::default())
}

/// Create a secure MCP Axum Router with explicit configuration.
///
/// Use this when deploying to production with specific allowed origins:
///
/// ```rust,no_run
/// # use pmcp::server::axum_router::*;
/// # fn example(server: std::sync::Arc<tokio::sync::Mutex<pmcp::Server>>) {
/// let app = router_with_config(server, RouterConfig {
///     allowed_origins: Some(AllowedOrigins::explicit(vec![
///         "https://myapp.example.com".to_string(),
///     ])),
///     ..Default::default()
/// });
/// # }
/// ```
pub fn router_with_config(server: Arc<tokio::sync::Mutex<Server>>, config: RouterConfig) -> Router {
    let allowed = config
        .allowed_origins
        .unwrap_or_else(AllowedOrigins::localhost);

    // Ensure server_config carries the resolved origins so that
    // make_server_state() stores the same value in ServerState.
    let mut server_config = config.server_config;
    server_config.allowed_origins = Some(allowed.clone());

    let state = make_server_state(server, server_config);
    let base_router = build_mcp_router(state);
    let cors = crate::server::tower_layers::build_mcp_cors_layer(&allowed);

    // Layer ordering: CORS (outermost) -> DnsRebinding -> SecurityHeaders -> handler
    base_router
        .layer(config.security_headers)
        .layer(DnsRebindingLayer::new(allowed))
        .layer(cors)
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_router_returns_router() {
        let rt = tokio::runtime::Runtime::new().unwrap();
        rt.block_on(async {
            let server = Server::builder()
                .name("test")
                .version("0.1.0")
                .build()
                .unwrap();
            let server = Arc::new(tokio::sync::Mutex::new(server));
            let _app = router(server);
        });
    }

    #[test]
    fn test_router_with_explicit_origins() {
        let rt = tokio::runtime::Runtime::new().unwrap();
        rt.block_on(async {
            let server = Server::builder()
                .name("test")
                .version("0.1.0")
                .build()
                .unwrap();
            let server = Arc::new(tokio::sync::Mutex::new(server));
            let _app = router_with_config(
                server,
                RouterConfig {
                    allowed_origins: Some(AllowedOrigins::explicit(vec![
                        "https://example.com".to_string()
                    ])),
                    ..Default::default()
                },
            );
        });
    }

    #[test]
    fn test_router_config_default() {
        let config = RouterConfig::default();
        assert!(config.allowed_origins.is_none());
    }
}