Disallow HTTP GET on mcp.post route to comply with MCP 2025-03-26 spec

Created on 16 May 2025, 22 days ago

Problem/Motivation

The MCP 2025-03-26 specification requires that, if a server does not support Server-Sent Events (SSE) on its GET endpoint, it must return 405 Method Not Allowed rather than silently accept GET. Current routing still allows GET on /mcp/post and returns 200 OK without SSE support, which violates the spec.

Steps to reproduce

  1. Send an HTTP GET request to /mcp/post
  2. Observe that the server responds with 200 OK instead of 405 Method Not Allowed.

Proposed resolution

Remove GET from the allowed methods for the mcp.post route so that any GET now returns 405. For example:

mcp.post:
  path: '/mcp/post'
- methods: [ POST, GET ]
+ methods: [ POST ]
  defaults:
    _title: 'MCP Operation'
    _controller: '\Drupal\mcp\Controller\McpController::post'
  requirements:
    _access: 'TRUE'
  options:
    _auth: [ 'mcp_auth', 'cookie' ]
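
Review bot: The unchanged context under `requirements:` keeps `_access: 'TRUE'`, so after the method list is narrowed to `methods: [ POST ]` the route still grants access to every POST it receives; `_auth` only selects which authentication providers run and does not require that one of them succeeded. Because `'cookie'` is one of those providers and POST is now the only accepted method, either replace `_access: 'TRUE'` with a permission or custom access requirement, or confirm that `McpController::post` enforces authorization itself, and consider a CSRF requirement such as `_csrf_request_header_token: 'TRUE'` for cookie-authenticated callers. The remaining tasks also list no test for the new behavior; a functional test asserting that GET on `/mcp/post` returns 405 would keep the method restriction from regressing.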

Remaining tasks

  • Update mcp.routing.yml to remove GET.
  • Update documentation to reflect that SSE is not supported on this path.
  • Code review and merge.

User interface changes

None.

API changes

- The POST /mcp/post endpoint remains unchanged.
- Any HTTP GET to /mcp/post will now return 405 Method Not Allowed instead of 200 OK.

Data model changes

None.

📌 Task
Status

Active

Version

1.0

Component

Code

Created by

🇬🇪Georgia lekso surameli
