From 43f1f61019902a5eeea9822e0996f6a8f4d21bf9 Mon Sep 17 00:00:00 2001
From: guro
Date: Tue, 20 Jan 2026 18:50:45 +0000
Subject: [PATCH 1/2] fix: enable trust proxy for correct rate limiting behind reverse proxy

Without this, rate limiting uses the proxy's IP instead of actual client IPs, causing all requests through Cloudflare to be rate limited together.
---
 src/index.ts | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/index.ts b/src/index.ts
index 8866406..f37ed02 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -44,6 +44,10 @@ async function main() {
   const app = express();
+  // Trust proxy headers (X-Forwarded-For, etc.) when behind reverse proxy (Cloudflare, etc.)
+  // This is required for rate limiting to work correctly with real client IPs
+  app.set('trust proxy', true);
+
   // Basic middleware
   // Intentionally permissive CORS for public MCP reference server
   // This allows any MCP client to test against this reference implementation

From 67ffeb0b9393472b2e87519dd9632aeb48d922c1 Mon Sep 17 00:00:00 2001
From: guro
Date: Tue, 17 Mar 2026 14:52:21 +0000
Subject: [PATCH 2/2] Increase rate limits across server endpoints

Raise request limits to better accommodate legitimate traffic patterns:
- Splash page: 50 -> 200 req/min
- Auth endpoints: 20 -> 200 req/min
- Static assets (auth & mcp): 100 -> 500 req/min
- OAuth metadata: 100 -> 300 req/5s
- Client registration: 10 -> 60 req/min
---
 src/index.ts              | 2 +-
 src/modules/auth/index.ts | 8 ++++----
 src/modules/mcp/index.ts  | 2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/index.ts b/src/index.ts
index f37ed02..d587065 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -192,7 +192,7 @@ async function main() {
   // Rate limiter for splash page (moderate limit)
   const splashPageLimiter = rateLimit({
     windowMs: 60 * 1000, // 1 minute
-    max: 50, // 50 requests per minute
+    max: 200, // 200 requests per minute
     message: 'Too many requests to splash page',
     standardHeaders: true,
     legacyHeaders: false,
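Review bot: `app.set('trust proxy', true)` makes Express accept the leftmost X-Forwarded-For entry from any peer as `req.ip`, so the rate-limit key becomes a value the requester controls and the limiter no longer bounds a single source; express-rate-limit's validation reports exactly this setting as ERR_ERL_PERMISSIVE_TRUST_PROXY. Trust only the known hop count or the proxy's addresses instead, e.g. `app.set('trust proxy', 1); // one trusted hop: the reverse proxy (Cloudflare) in front of this origin`, and the origin should additionally accept traffic only from that proxy, otherwise a direct connection still reaches the limiter with a self-chosen header. The hop count differs between local development (no proxy) and production, so it is better read from configuration than hard-coded; the comment added in this hunk should state which hops are trusted and why. The body of main() continues outside the hunk.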
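Review bot: The new `max: 200` is one of five limit literals hard-coded across three files (this hunk, the auth and static-asset limiters plus the token/registration options in src/modules/auth/index.ts, and the static-asset limiter in src/modules/mcp/index.ts), each paired with a comment that restates the number and has to be kept in sync by hand. Lifting them into one configuration object would let deployments tune them without a code change and let the comments stop duplicating the literal, e.g. `max: rateLimits.splashPageMax, // default 200 per minute` (constructed name; the config shape is not visible here). The commit message raises limits to accommodate legitimate traffic; if that pressure was measured before PATCH 1 changed the limiter key from the proxy's IP to the client's, the per-client rate may already be well within the old budget and the 4x raise may be unnecessary. main() continues outside the hunk.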
diff --git a/src/modules/auth/index.ts b/src/modules/auth/index.ts
index 15758a1..140705d 100644
--- a/src/modules/auth/index.ts
+++ b/src/modules/auth/index.ts
@@ -77,7 +77,7 @@ export class AuthModule {
     // Rate limiters for different route types
     const authLimiter = rateLimit({
       windowMs: 60 * 1000, // 1 minute
-      max: 20, // 20 requests per minute for auth endpoints
+      max: 200, // 200 requests per minute for auth endpoints
       message: 'Too many authentication attempts',
       standardHeaders: true,
       legacyHeaders: false,
@@ -85,7 +85,7 @@ export class AuthModule {
     const staticAssetLimiter = rateLimit({
       windowMs: 60 * 1000, // 1 minute
-      max: 100, // 100 requests per minute for static assets
+      max: 500, // 500 requests per minute for static assets
       message: 'Too many requests for static assets',
       standardHeaders: true,
       legacyHeaders: false,
@@ -96,10 +96,10 @@ export class AuthModule {
       provider: this.provider,
       issuerUrl: new URL(this.config.authServerUrl || this.config.baseUri),
       tokenOptions: {
-        rateLimit: { windowMs: 5000, limit: 100 }
+        rateLimit: { windowMs: 5000, limit: 300 } // 300 requests per 5 seconds
       },
       clientRegistrationOptions: {
-        rateLimit: { windowMs: 60000, limit: 10 }
+        rateLimit: { windowMs: 60000, limit: 60 } // 60 requests per minute
       }
     }));
diff --git a/src/modules/mcp/index.ts b/src/modules/mcp/index.ts
index 647588a..325b2e8 100644
--- a/src/modules/mcp/index.ts
+++ b/src/modules/mcp/index.ts
@@ -51,7 +51,7 @@ export class MCPModule {
     // Rate limiter for static assets
     const staticAssetLimiter = rateLimit({
       windowMs: 60 * 1000, // 1 minute
-      max: 100, // 100 requests per minute for static assets
+      max: 500, // 500 requests per minute for static assets
       message: 'Too many requests for static assets',
       standardHeaders: true,
       legacyHeaders: false,
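Review bot: Raising `max` from 20 to 200 on the limiter whose message is 'Too many authentication attempts' lets one source make 200 authentication requests per minute, which is a large loosening of the brute-force protection this limiter exists for on any route that accepts credentials or authorization codes. If the pressure comes from the browser-driven authorize/consent pages (redirects plus per-login page loads), split the limiter so those pages get the higher budget while credential-bearing routes keep the tighter one — which routes are mounted behind authLimiter is not visible in this hunk, so the split depends on the code below. The comment should also record why 200 was chosen so the next reader does not treat it as arbitrary, e.g. `max: 200, // sized for interactive login flows; credential endpoints use a stricter limiter`. The 5x raise of the static-asset limiter in the next hunk and in src/modules/mcp/index.ts is low-risk by comparison. The enclosing AuthModule method continues outside the hunk.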
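Review bot: `clientRegistrationOptions.rateLimit` now permits 60 dynamic client registrations per minute per source; registration is typically unauthenticated and each call creates a persistent client record, so this limit is also the main brake on unbounded storage growth if `this.provider` keeps registrations indefinitely — confirm a cap or expiry on stored clients exists before loosening it 6x. The token endpoint now allows 300 requests per 5 seconds (3,600 per minute) while authLimiter two hunks up allows 200 per minute; if both apply to the same routes the stricter one wins silently, and if they do not, a comment should say which limiter is meant to bound token exchange. The trailing `// 300 requests per 5 seconds` and `// 60 requests per minute` comments sit after a closing brace inside an object literal and read more clearly on the line above each `rateLimit:` entry. The enclosing method continues outside the hunk.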