Detect Pong from MCP Client and skip Session ID validation (#539)

* Detect Pong from MCP Client and skip Session ID validation.
https://modelcontextprotocol.io/specification/2025-03-26/basic/utilities/ping

* Use isJSONEmpty to handle empty Result/Error without allocations

---------

Co-authored-by: Aleksei Strukov <[email protected]>
Co-authored-by: Ed Zynda <[email protected]>

Author: 3 people

server/streamable_http.go

@@ -1,6 +1,7 @@
 package server
 
 import (
+	"bytes"
 	"context"
 	"encoding/json"
 	"fmt"
@@ -13,6 +14,7 @@ import (
 	"sync"
 	"sync/atomic"
 	"time"
+	"unicode"
 
 	"github.com/google/uuid"
 	"github.com/mark3labs/mcp-go/mcp"
@@ -262,6 +264,14 @@ func (s *StreamableHTTPServer) handlePost(w http.ResponseWriter, r *http.Request
 		return
 	}
 
+	// detect empty ping response, skip session ID validation
+	isPingResponse := jsonMessage.Method == "" && jsonMessage.ID != nil &&
+		(isJSONEmpty(jsonMessage.Result) && isJSONEmpty(jsonMessage.Error))
+
+	if isPingResponse {
+		return
+	}
+
 	// Check if this is a sampling response (has result/error but no method)
 	isSamplingResponse := jsonMessage.Method == "" && jsonMessage.ID != nil &&
 		(jsonMessage.Result != nil || jsonMessage.Error != nil)
@@ -937,3 +947,51 @@ func NewTestStreamableHTTPServer(server *MCPServer, opts ...StreamableHTTPOption
 	testServer := httptest.NewServer(sseServer)
 	return testServer
 }
+
+// isJSONEmpty reports whether the provided JSON value is "empty":
+//   - null
+//   - empty object: {}
+//   - empty array: []
+// It also treats nil/whitespace-only input as empty.
+// It does NOT treat 0, false, "" or non-empty composites as empty.
+func isJSONEmpty(data json.RawMessage) bool {
+	if len(data) == 0 {
+		return true
+	}
+
+	trimmed := bytes.TrimSpace(data)
+	if len(trimmed) == 0 {
+		return true
+	}
+
+	switch trimmed[0] {
+	case '{':
+		if len(trimmed) == 2 && trimmed[1] == '}' {
+			return true
+		}
+		for i := 1; i < len(trimmed); i++ {
+			if !unicode.IsSpace(rune(trimmed[i])) {
+				return trimmed[i] == '}'
+			}
+		}
+	case '[':
+		if len(trimmed) == 2 && trimmed[1] == ']' {
+			return true
+		}
+		for i := 1; i < len(trimmed); i++ {
+			if !unicode.IsSpace(rune(trimmed[i])) {
+				return trimmed[i] == ']'
+			}
+		}
+
+	case '"': // treat "" as not empty
+		return false
+
+	case 'n': // null
+		return len(trimmed) == 4 &&
+			trimmed[1] == 'u' &&
+			trimmed[2] == 'l' &&
+			trimmed[3] == 'l'
+	}
+	return false
+}

server/streamable_http_test.go

@@ -894,6 +894,101 @@ func TestStreamableHTTP_HeaderPassthrough(t *testing.T) {
 	}
 }
 
+func TestStreamableHTTP_PongResponseHandling(t *testing.T) {
+	// Ping/Pong does not require session ID
+	// https://modelcontextprotocol.io/specification/2025-03-26/basic/utilities/ping
+	mcpServer := NewMCPServer("test-mcp-server", "1.0")
+	server := NewTestStreamableHTTPServer(mcpServer)
+	defer server.Close()
+
+	t.Run("Pong response with empty result should not be treated as sampling response", func(t *testing.T) {
+		// According to MCP spec, pong responses have empty result: {"jsonrpc": "2.0", "id": "123", "result": {}}
+		pongResponse := map[string]any{
+			"jsonrpc": "2.0",
+			"id":      123,
+			"result":  map[string]any{},
+		}
+
+		resp, err := postJSON(server.URL, pongResponse)
+		if err != nil {
+			t.Fatalf("Failed to send pong response: %v", err)
+		}
+		defer func() { _ = resp.Body.Close() }()
+
+		bodyBytes, err := io.ReadAll(resp.Body)
+		if err != nil {
+			t.Fatalf("Failed to read response body: %v", err)
+		}
+		bodyStr := string(bodyBytes)
+
+		if strings.Contains(bodyStr, "Missing session ID for sampling response") {
+			t.Errorf("Pong response was incorrectly detected as sampling response. Response: %s", bodyStr)
+		}
+		if strings.Contains(bodyStr, "Failed to handle sampling response") {
+			t.Errorf("Pong response was incorrectly detected as sampling response. Response: %s", bodyStr)
+		}
+
+		if resp.StatusCode != http.StatusOK {
+			t.Errorf("Expected status 200 for pong response, got %d. Body: %s", resp.StatusCode, bodyStr)
+		}
+	})
+
+	t.Run("Pong response with null result should not be treated as sampling response", func(t *testing.T) {
+		pongResponse := map[string]any{
+			"jsonrpc": "2.0",
+			"id":      124,
+		}
+
+		resp, err := postJSON(server.URL, pongResponse)
+		if err != nil {
+			t.Fatalf("Failed to send pong response: %v", err)
+		}
+		defer func() { _ = resp.Body.Close() }()
+
+		bodyBytes, err := io.ReadAll(resp.Body)
+		if err != nil {
+			t.Fatalf("Failed to read response body: %v", err)
+		}
+		bodyStr := string(bodyBytes)
+
+		if strings.Contains(bodyStr, "Missing session ID for sampling response") {
+			t.Errorf("Pong response with omitted result was incorrectly detected as sampling response. Response: %s", bodyStr)
+		}
+
+		if resp.StatusCode != http.StatusOK {
+			t.Errorf("Expected status 200 for pong response, got %d. Body: %s", resp.StatusCode, bodyStr)
+		}
+	})
+
+	t.Run("Response with empty error should not be treated as sampling response", func(t *testing.T) {
+		response := map[string]any{
+			"jsonrpc": "2.0",
+			"id":      125,
+			"error":   map[string]any{},
+		}
+
+		resp, err := postJSON(server.URL, response)
+		if err != nil {
+			t.Fatalf("Failed to send response: %v", err)
+		}
+		defer func() { _ = resp.Body.Close() }()
+
+		bodyBytes, err := io.ReadAll(resp.Body)
+		if err != nil {
+			t.Fatalf("Failed to read response body: %v", err)
+		}
+		bodyStr := string(bodyBytes)
+
+		if strings.Contains(bodyStr, "Missing session ID for sampling response") {
+			t.Errorf("Response with empty error was incorrectly detected as sampling response. Response: %s", bodyStr)
+		}
+
+		if resp.StatusCode != http.StatusOK {
+			t.Errorf("Expected status 200 for response with empty error, got %d. Body: %s", resp.StatusCode, bodyStr)
+ 		}
+	})
+}
+      
 func TestStreamableHTTPServer_TLS(t *testing.T) {
 	t.Run("TLS options are set correctly", func(t *testing.T) {
 		mcpServer := NewMCPServer("test-mcp-server", "1.0.0")