Merge branch 'rc-v1' into 'v1'

subtype · subtype · commit c65b6de55418 · 2025-05-28T12:12:30.000-04:00
rc-v1 -&gt; v1 updates

See merge request subtype/subspace-api!16
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
@@ -9,6 +9,10 @@ on:
     branches:
       - 'v*'
 
+permissions:
+  contents: read
+  packages: write
+
 jobs:
   build-for-v:
     if: startsWith(github.ref, 'refs/heads/v') || (github.event_name == 'pull_request' && startsWith(github.base_ref, 'v'))
diff --git a/README.md b/README.md
@@ -26,8 +26,9 @@ npm run build && npm run start
 | Env var | Purpose |
 |---------|--------|
 | PORT | Defaults to 9595. The port for the API and MCP server to listen on. |
-| LOG_LEVEL | Defaults to 'info'. Set the logging level |
+| LOG_LEVEL | Defaults to 'info'. Set the logging level. |
 | ACTIVE_VERSION | Defaults to 'v1', currently not implemented fully. |
 | WMATA_PRIMARY_KEY | The API key to use for obtaining WMATA status. |
-| JWT_SECRET | This is the secret key that is used for encrypting and decrypting JWT tokens. |
+| JWT_SECRET | (DEPRECATED) This is the secret key that is used for encrypting and decrypting JWT tokens. |
+| SESSION_SECRET | Base64 encoded random string that you can probably generate with `openssl rand -base64 64`. |
 | TZ | (Optional) Lets the container/logger format log messages with the machine's local time zone. |
diff --git a/src/server.ts b/src/server.ts
@@ -47,6 +47,9 @@ server.use(
     resave: false,
     saveUninitialized: true,
     store: memoryStore,
+    cookie: {
+      secure: true // Setting this to true requires trust proxy set in express
+    }
   })
 )
 server.use(keycloak.middleware())
@@ -60,7 +63,7 @@ logger.info('Initializing routes...')
 server.use('/', statusRouter)
 server.use('/health', express.json(), statusRouter)
 
-// reverse proxy
+// reverse proxy -- removing this will cause issues with secure cookies
 server.set('trust proxy', 1)
 
 server.use(function (err: any, req: Request, res: Response, next: NextFunction) {
@@ -104,7 +107,8 @@ server.post('/messages', logIncomingAuth, keycloak.protect(), async (req: Reques
     logger.info(`${transport.sessionId} has an active session`)
     await transport.handlePostMessage(req, res, req.body) // don't remove req.body otherwise MCP inspector will panik
   } else {
-    res.status(400).send(`No session was found for ${sessionId}`)
+    logger.warn(`${sessionId} was not found`)
+    res.status(400).send('Requested sessionId not found')
   }
 })
 
