Raindrop.io

Overview Schema Related Servers Score Discussions

raindrop-mcp
.github
instructions

middleware-analysis.md•12.1 KiB

# MCP Middleware Components Analysis for Raindrop MCP ## Executive Summary **Recommendation: OPTIONAL. Worth adopting only if you plan major HTTP framework refactoring.** The new MCP SDK middleware components are **thin integration layers** for Express, Hono, or Node.js HTTP. They're most valuable for new projects or when you're already refactoring your server architecture. For your current Raindrop MCP setup, they offer incremental benefits with moderate refactoring cost. --- ## What Are Middleware Components? The MCP SDK v2 (pre-alpha) introduces **optional middleware packages** that provide: 1. **Framework adapters** - Convert framework request/response types to MCP transport expectations 2. **Safe defaults** - DNS rebinding protection, CORS configuration 3. **Thin integration** - Not designed to add MCP features, just wiring ### Available Middleware Packages ``` @modelcontextprotocol/express - Express.js helpers @modelcontextprotocol/hono - Hono.js helpers @modelcontextprotocol/node - Node.js native HTTP wrapper ``` --- ## Your Current Setup **Current Architecture:** - **Framework:** Node.js native `http` module (not Express) - **Transport:** `StreamableHTTPServerTransport` from MCP SDK - **Session Management:** Manual session tracking with `Map<sessionId, TransportSession>` - **Security:** Manual DNS rebinding validation - **CORS:** Manual header management **Lines of Code:** ~342 in `src/server.ts` --- ## Option 1: @modelcontextprotocol/node (Most Relevant) ### What It Does Wraps Node.js `http.createServer()` for MCP Streamable HTTP transport. Handles request/response adaptation. ### Current Manual Implementation ```typescript // Your current code (~80 lines) const server = http.createServer(async (req, res) => { const id = randomUUID(); // Manual transport setup const transport = new StreamableHTTPServerTransport({ req, res, responseStreaming: true, logErrors: true, }); // Manual session tracking activeSessions.set(id, transport); // Manual error handling transport.onClose(() => { activeSessions.delete(id); }); }); server.listen(PORT); ``` ### With @modelcontextprotocol/node ```typescript import { nodeStreamableHTTP } from "@modelcontextprotocol/node"; const server = http.createServer( nodeStreamableHTTP({ request: mcpService, serverOptions: { responseStreaming: true }, }), ); server.listen(PORT); ``` **Refactoring Cost:** ~40 lines removed, ~10 lines added **Benefit:** Reduced boilerplate, standardized error handling **Risk Level:** LOW - just a thin adapter --- ## Option 2: @modelcontextprotocol/express ### When You'd Use This If you decide to **switch from native Node.js `http` to Express.js** for: - Middleware ecosystem (compression, logging, body parsing) - Route management (future endpoints) - Mature error handling ### Benefits Over Current Setup ```typescript // With Express + MCP middleware import express from "express"; import { expressStreamableHTTP } from "@modelcontextprotocol/express"; const app = express(); app.use(compression()); app.use(expressStreamableHTTP(mcpService)); app.listen(PORT); ``` **Replaces:** Your entire 342-line server.ts with ~20 lines **Adds:** Access to Express ecosystem (morgan logging, helmet security, etc.) **Cost:** Full refactor from native http to Express **Benefit:** Significantly cleaner code if you need Express features --- ## Option 3: @modelcontextprotocol/hono ### When You'd Use This If you want a **lightweight alternative to Express** with: - Better TypeScript support - Edge runtime compatibility (Cloudflare Workers, etc.) - Modern middleware patterns **Current Setup:** Not using Hono, so adoption would be a framework switch. --- ## Detailed Recommendation Matrix | Aspect | @modelcontextprotocol/node | @modelcontextprotocol/express | @modelcontextprotocol/hono | | ---------------------- | -------------------------- | ----------------------------- | -------------------------- | | **Relevance** | HIGH (native Node.js) | MEDIUM (would need Express) | LOW (would need Hono) | | **Refactoring Effort** | ~30 min | ~2 hours | ~3 hours | | **LOC Reduction** | 30-50 | 320+ | 320+ | | **Breaking Changes** | None (thin adapter) | Moderate (framework swap) | Moderate (framework swap) | | **Immediate ROI** | ✅ Yes | ⏳ Maybe later | ❌ Not now | | **Future Flexibility** | Medium | High | High | --- ## What They Actually Solve ### DNS Rebinding Protection (hostHeaderValidation) Both packages include a `hostHeaderValidation` middleware: ```typescript // Middleware component from SDK import { validateHostHeader, localhostAllowedHostnames, } from "@modelcontextprotocol/server/middleware"; // Usage const result = validateHostHeader( req.headers.get("host"), localhostAllowedHostnames(), // ['localhost', '127.0.0.1', '[::1]'] ); if (!result.ok) { return res.status(403).json({ error: result.message }); } ``` **Your Current Implementation:** You don't have DNS rebinding protection. This is actually worth adding regardless of middleware adoption. ### Error Handling Standardization Middleware ensures consistent MCP error responses: - Proper HTTP status codes - JSON-RPC error formatting - Graceful shutdown **Your Current Implementation:** Manual error handling that mostly works, but could be standardized. ### Streamable Response Support Ensures HTTP responses properly stream `Transfer-Encoding: chunked` for long-running operations. **Your Current Implementation:** Already using `StreamableHTTPServerTransport` with `responseStreaming: true` ✓ --- ## Implementation Path (Recommended) ### Phase 1: Add DNS Rebinding Protection (NOW - 15 min) ```typescript import { validateHostHeader, localhostAllowedHostnames, } from "@modelcontextprotocol/server/middleware"; // Add to your server.ts request handler const hostValidation = validateHostHeader( req.headers["host"] || "", ["localhost", "127.0.0.1", "yourdomain.com"], // allowlist ); if (!hostValidation.ok) { res.writeHead(403, { "Content-Type": "application/json" }); res.end( JSON.stringify({ jsonrpc: "2.0", error: { code: -32000, message: hostValidation.message }, id: null, }), ); return; } ``` **Benefits:** Closes security gap, zero breaking changes **Requires:** Nothing new (component already in @modelcontextprotocol/server) ### Phase 2: Adopt @modelcontextprotocol/node (LATER - 30 min) ```typescript import { createStreamableHTTPAdapter } from "@modelcontextprotocol/node"; // Simplifies session management and error handling const adapter = createStreamableHTTPAdapter(mcpService); server = http.createServer(async (req, res) => { await adapter(req, res); }); ``` **Cost:** Small refactor of server.ts **Benefit:** Standardized error handling, reduced manual session tracking ### Phase 3: Consider Express (FUTURE - Only if needed) If you add routes, authentication, or other HTTP concerns beyond MCP. --- ## What NOT to Expect from Middleware ❌ **New MCP features** - Tools, resources, prompts stay in `@modelcontextprotocol/server` ❌ **Business logic** - Raindrop API integration stays in your code ❌ **Significant performance improvement** - Middleware is thin, not optimized ❌ **Automatic scaling** - You still manage deployment & load balancing ❌ **v2 stability** - SDK v2 is pre-alpha; v1.x is production-recommended --- ## Current MCP SDK Status ⚠️ **Important:** The MCP SDK is at two versions: | Version | Status | Recommendation | Your Setup | | -------- | --------- | -------------- | ------------------------ | | **v1.x** | Stable | Production use | Using v1.25.3 ✓ | | **v2** | Pre-alpha | Not yet | Middleware is v2 feature | **Your decision points:** 1. **Stay on v1.x** (Recommended for now) - ✅ Stable, battle-tested - ✅ Receive bug fixes for 6+ months - ❌ No middleware components - **Action:** Stick with native Node.js http 2. **Migrate to v2** (When stable, Q1 2026 expected) - ✅ Middleware ecosystem - ✅ New experimental features - ❌ Breaking changes possible - ❌ Still pre-alpha - **Action:** Wait for stable release --- ## Decision: Should You Adopt Middleware Now? ### YES, adopt if: - [ ] You're planning to refactor server.ts for other reasons - [ ] You want to standardize error handling & DNS rebinding protection - [ ] You're comfortable with v2 pre-alpha SDK - [ ] You have time for testing & potential issues ### NO, skip if: - [x] Your current server.ts works fine - [x] You want to stay on stable v1.x SDK - [x] You don't have immediate refactoring needs - [x] You prefer minimal dependencies --- ## Recommended Action Plan ### Short Term (This Sprint) 1. ✅ **Add DNS Rebinding Protection** (Use existing `hostHeaderValidation` from SDK) - File: `src/server.ts` - Lines: ~15 added - Time: 15 min - Risk: None 2. ✅ **Document Security Enhancement** - Update LOGGING_DIAGNOSTICS.md with DNS rebinding note - Time: 5 min ### Medium Term (Next Sprint) 3. ⏳ **Monitor MCP SDK v2 Progress** - Subscribe to releases - Review migration guide when stable - **Action:** Decide Q1 2026 when v2 stabilizes 4. ⏳ **Optional: Evaluate @modelcontextprotocol/node** - Test with staging build - Measure refactoring effort - **Trigger:** When next server.ts refactor is needed ### Long Term (Later) 5. ⏳ **Plan v2 Migration** - Only when v2 reaches stable release - When middleware becomes necessary (e.g., adding Express) - **Timeline:** Mid-2026 or later --- ## Code Examples ### Add DNS Rebinding Protection (Recommended NOW) ```typescript // src/server.ts - add to request handler import { validateHostHeader } from "@modelcontextprotocol/sdk/server/middleware.js"; const server = http.createServer(async (req, res) => { // Validate Host header for DNS rebinding protection const allowedHosts = ["localhost", "127.0.0.1", "[::1]"]; if (process.env.ALLOWED_HOSTS) { allowedHosts.push(...process.env.ALLOWED_HOSTS.split(",")); } const hostValidation = validateHostHeader( req.headers["host"] ?? "", allowedHosts, ); if (!hostValidation.ok) { res.writeHead(403, { "Content-Type": "application/json" }); res.end( JSON.stringify({ jsonrpc: "2.0", error: { code: -32603, message: hostValidation.message }, id: null, }), ); return; } // ... rest of your handler }); ``` ### Optional: Adopt @modelcontextprotocol/node (Later) ```typescript // Only when ready to refactor v1 → v2 import { NodeStreamableHTTPAdapter } from "@modelcontextprotocol/node"; const adapter = new NodeStreamableHTTPAdapter(mcpService.getServer(), { responseStreaming: true, validateHostHeader: true, allowedHosts: ["localhost", "127.0.0.1"], }); const server = http.createServer((req, res) => { adapter.handle(req, res); }); ``` --- ## Summary Table | Component | Current Status | Worth It Now? | Worth It Later? | | ----------------------------- | -------------- | ------------- | -------------------- | | DNS Rebinding Validation | ❌ Missing | ✅ YES | N/A | | @modelcontextprotocol/node | ❌ Not used | ⏳ Maybe | ✅ Probably | | @modelcontextprotocol/express | ❌ Not used | ❌ No | ⏳ If you add routes | | @modelcontextprotocol/hono | ❌ Not used | ❌ No | ❌ Unlikely | --- ## References - [MCP SDK v2 GitHub](https://github.com/modelcontextprotocol/typescript-sdk) - [Middleware README](https://github.com/modelcontextprotocol/typescript-sdk/tree/main/packages/middleware) - [Host Header Validation (DNS Rebinding Protection)](https://github.com/modelcontextprotocol/typescript-sdk/blob/main/packages/server/src/server/middleware/hostHeaderValidation.ts) - [SDK Documentation](https://modelcontextprotocol.github.io/typescript-sdk/) - [MCP Specification](https://spec.modelcontextprotocol.io)

Loading blob content...

Latest Blog Posts

Redis vs ioredis vs valkey-glide
By punkpeye on January 26, 2026.
benchmark
Redis
valkey
Quickstart: Publish an MCP Server to the MCP Registry
By punkpeye on January 24, 2026.
mcp
official reference mirror
Official MCP Registry Server.json Requirements
By punkpeye on January 24, 2026.
mcp
official reference mirror

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/adeze/raindrop-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

middleware-analysis.md•12.1 KiB