fix(gateway): guard nil Session in mcp-add handler #526

Closed
syf2211 wants to merge 0 commit into docker:main from syf2211:fix/442-mcp-add-nil-session

@syf2211 syf2211 commented Jun 26, 2026

Summary

Guard all req.Session accesses in the mcp-add tool handler so a nil session returns a structured error instead of panicking.

Motivation

Fixes #442. Some transports/clients invoke gateway tools without populating req.Session. The handler called req.Session.InitializeParams() unguarded when reporting missing secrets/config or during OAuth elicitation, causing a nil pointer dereference.

Changes

  • Add req.Session != nil guard before reading initialize params when missing secrets/config are reported
  • Skip OAuth elicitation path when session is nil (remote server add flow)
  • Wrap elicitation block in getRemoteOAuthServerStatus with a nil session check
  • Add regression test TestAddServerHandler_NilSessionMissingConfig

Tests

go test ./pkg/gateway/ -run TestAddServerHandler_NilSessionMissingConfig -v
# PASS

Notes

  • auditClientInfoFromSession already handles nil sessions
  • Pre-PR review (composer-2.5): APPROVE

Fixes #442

@syf2211 syf2211 requested a review from a team as a code owner June 26, 2026 23:49
@syf2211 syf2211 closed this Jun 27, 2026
@syf2211 syf2211 force-pushed the fix/442-mcp-add-nil-session branch from a4f87c8 to 8f422b6 Compare June 27, 2026 07:06
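
The failure mode described in this pull request, as an added Go example that is not the project's code and is not taken from the PR's diff: an unguarded `req.Session.InitializeParams()` call panics on a nil session, while a guarded helper lets the handler return its structured error. The `Request`, `Session` and `InitializeParams` types, `ErrMissingConfig`, and the function names are hypothetical stand-ins modelling only the shape the description mentions.

```go
package main

import (
	"errors"
	"fmt"
)

// Stand-in types (assumptions): they model only the shape described in the PR.
type InitializeParams struct{ ClientName string }
type Session struct{ params *InitializeParams }

func (s *Session) InitializeParams() *InitializeParams { return s.params }

type Request struct {
	Session *Session // nil when a transport/client does not populate it
	Server  string
}

var ErrMissingConfig = errors.New("missing required config")

// clientName reads initialize params only when a session is present.
func clientName(req *Request) string {
	if req == nil || req.Session == nil {
		return "unknown"
	}
	if p := req.Session.InitializeParams(); p != nil && p.ClientName != "" {
		return p.ClientName
	}
	return "unknown"
}

// addServerUnguarded dereferences req.Session directly; recover() is here
// only so the example can report the panic instead of crashing.
func addServerUnguarded(req *Request) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("handler panicked: %v", r)
		}
	}()
	return fmt.Errorf("%w for %s (client %s)", ErrMissingConfig, req.Server, req.Session.InitializeParams().ClientName)
}

// addServerGuarded returns the structured error whether or not a session exists.
func addServerGuarded(req *Request) error {
	return fmt.Errorf("%w for %s (client %s)", ErrMissingConfig, req.Server, clientName(req))
}

func main() {
	req := &Request{Server: "example-server"} // constructed input, Session left nil
	fmt.Println("unguarded:", addServerUnguarded(req))
	fmt.Println("guarded:  ", addServerGuarded(req))
}
```

Callers can match the guarded result with `errors.Is(err, ErrMissingConfig)`, which the panic path never satisfies.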
Development

Successfully merging this pull request may close these issues.

Panic in mcp-add when req.Session is nil (nil pointer dereference)