[GH-ISSUE #6] null id accepted in mcp request (minor) #1

Closed
opened 2026-03-04 02:08:23 +03:00 by kerem · 2 comments

Originally created by @clgtm on GitHub (Feb 12, 2026).
Original GitHub issue: https://github.com/saidsurucu/borsa-mcp/issues/6

Not a big deal but thought of reporting nonetheless

Command:   authprobe scan --explain --trace-failure https://borsamcp.fastmcp.app/mcp
Scanning:  https://borsamcp.fastmcp.app/mcp
Scan time: Feb 12, 2026 06:08:09 UTC
Github:    https://github.com/authprobe/authprobe

Funnel
  [1] MCP probe (401 + WWW-Authenticate)      [-] SKIP
        probe returned 405; checking PRM for OAuth config

  [2] MCP initialize + tools/list             [X] FAIL
        initialize -> 200
        notifications/initialized -> 202
        tools/list -> 200 (tools: search_symbol, get_profile, get_quick_info,
        get_historical_data, +23 more)

  [3] PRM fetch matrix                        [X] FAIL
        https://borsamcp.fastmcp.app/.well-known/oauth-protected-resource -> 404
        https://borsamcp.fastmcp.app/.well-known/oauth-protected-resource/mcp ->
        405
        PRM unreachable or unusable; OAuth discovery unavailable

  [4] Auth server metadata                    [-] SKIP
        auth not required

  [5] Token endpoint readiness (heuristics)   [-] SKIP
        auth not required

  [6] Dynamic client registration (RFC 7591)  [-] SKIP
        auth not required

Primary Finding (HIGH): MCP_JSONRPC_ID_NULL_ACCEPTED (confidence 1.00)
  Evidence:
      null id probe status 202
      MCP JSON-RPC requires request IDs to be strings or numbers; null IDs must be rejected.

┌─────────────────────┤ RFC RATIONALE ├──────────────────────┐
Explain (RFC 9728 rationale)
1) MCP probe
- AuthProbe did not receive a 401 response that indicates authentication is required, so RFC 9728 PRM discovery is skipped.

┌───────────────────────┤ CALL TRACE ├───────────────────────┐
Call Trace Using: https://github.com/authprobe/authprobe

  ┌────────────┐                                                    ┌────────────┐    
  │ authprobe  │                                                    │ MCP Server │    
  └─────┬──────┘                                                    └─────┬──────┘    
        │                                                                 │           
        │ ╔═══ Step 1: MCP probe                    ═══════╪═══════════════════╗
        │  GET https://borsamcp.fastmcp.app/mcp                          
        │  Reason: 401 + WWW-Authenticate discovery                      
        │    Accept:  text/event-stream
        │    Host:    borsamcp.fastmcp.app
        ├─────────────────────────────────────────────────────────────────►│
        │  405 Method Not Allowed                                        
        │    Access-Control-Allow-Origin:  *
        │    Content-Length:               0
        │    Content-Type:                 application/json
        │    Date:                         Thu, 12 Feb 2026 06:08:01 GMT
        │    Via:                          1.1 fb1699c4cb8ff04b39762e99ca06e3d2.cloudfront.net (CloudFront)
        │    X-Amz-Cf-Id:                  szpdas7LdOBZXXe8cMNUxTdqA1t304ZmFJqRlLsUBjEwdoSASyKGgg==
        │    X-Amz-Cf-Pop:                 SFO53-P7
        │    X-Amzn-Requestid:             6b4677f2-dcb5-4d81-ba1c-402c3814775d
        │    X-Amzn-Trace-Id:              Root=1-698d6e41-5043a42e74f96962681d1478;Parent=4d83ec1023fd9d8c;Sampled=0;Lineage=1:389041bb:0
        │    X-Cache:                      Error from cloudfront
        │◄─────────────────────────────────────────────────────────────────┤
        │                                                                  │
        │ ╔═══ Step 2: MCP initialize               ═══════╪═══════════════════╗
        │  POST https://borsamcp.fastmcp.app/mcp                         
        │  Reason: Step 2: MCP initialize + tools/list (pre-init tools/list)
        │    Accept:                application/json, text/event-stream
        │    Content-Type:          application/json
        │    Host:                  borsamcp.fastmcp.app
        │    Mcp-Protocol-Version:  2025-11-25
        ├─────────────────────────────────────────────────────────────────►│
        │  200 OK                                                        
        │    Cache-Control:               no-cache, no-transform
        │    Content-Length:              25025
        │    Content-Type:                text/event-stream
        │    Date:                        Thu, 12 Feb 2026 06:08:01 GMT
        │    Via:                         1.1 fb1699c4cb8ff04b39762e99ca06e3d2.cloudfront.net (CloudFront)
        │    X-Amz-Cf-Id:                 MsXKQhnkiuQYnpocaqA-RBRRlZ0Y2Jy-UFdP57AyzL3aaUHpUaHZwA==
        │    X-Amz-Cf-Pop:                SFO53-P7
        │    X-Amzn-Remapped-Connection:  keep-alive
        │    X-Amzn-Remapped-Date:        Thu, 12 Feb 2026 06:05:37 GMT
        │    X-Amzn-Remapped-Server:      uvicorn
        │    X-Amzn-Requestid:            0c479a83-84a3-472e-b43f-71b9023fe470
        │    X-Amzn-Trace-Id:             Root=1-698d6e41-2ba366245ad138ee372d8226;Parent=6f7d83eed3af0133;Sampled=0;Lineage=1:389041bb:0
        │    X-Cache:                     Miss from cloudfront
        │◄─────────────────────────────────────────────────────────────────┤
        │                                                                  │
        │  POST https://borsamcp.fastmcp.app/mcp                         
        │  Reason: Step 2: MCP initialize + tools/list (initialize)      
        │    Accept:                application/json, text/event-stream
        │    Content-Type:          application/json
        │    Host:                  borsamcp.fastmcp.app
        │    Mcp-Protocol-Version:  2025-11-25
        ├─────────────────────────────────────────────────────────────────►│
        │  200 OK                                                        
        │    Cache-Control:               no-cache, no-transform
        │    Content-Length:              627
        │    Content-Type:                text/event-stream
        │    Date:                        Thu, 12 Feb 2026 06:08:02 GMT
        │    Mcp-Session-Id:              01308a93-b14c-49d7-a0e6-289c93d66014
        │    Via:                         1.1 fb1699c4cb8ff04b39762e99ca06e3d2.cloudfront.net (CloudFront)
        │    X-Amz-Cf-Id:                 bGe6Nks9_TURSUCCWT6Cop5YyKTdDi6OpsF-704Dy2EGNm51L_A7tA==
        │    X-Amz-Cf-Pop:                SFO53-P7
        │    X-Amzn-Remapped-Connection:  keep-alive
        │    X-Amzn-Remapped-Date:        Thu, 12 Feb 2026 06:05:37 GMT
        │    X-Amzn-Remapped-Server:      uvicorn
        │    X-Amzn-Requestid:            ddb7500e-9e5e-47f1-af15-a0b160c0080b
        │    X-Amzn-Trace-Id:             Root=1-698d6e42-532e59235c2b126c48196615;Parent=58ab3314f9943306;Sampled=0;Lineage=1:389041bb:0
        │    X-Cache:                     Miss from cloudfront
        │◄─────────────────────────────────────────────────────────────────┤
        │                                                                  │
        │  POST https://borsamcp.fastmcp.app/mcp                         
        │  Reason: Step 2: MCP initialize + tools/list (notifications/initialized)
        │    Accept:                application/json, text/event-stream
        │    Content-Type:          application/json
        │    Host:                  borsamcp.fastmcp.app
        │    Mcp-Protocol-Version:  2025-11-25
        │    Mcp-Session-Id:        01308a93-b14c-49d7-a0e6-289c93d66014
        ├─────────────────────────────────────────────────────────────────►│
        │  202 Accepted                                                  
        │    Content-Length:                  0
        │    Content-Type:                    application/json
        │    Date:                            Thu, 12 Feb 2026 06:08:02 GMT
        │    Mcp-Session-Id:                  01308a93-b14c-49d7-a0e6-289c93d66014
        │    Via:                             1.1 fb1699c4cb8ff04b39762e99ca06e3d2.cloudfront.net (CloudFront)
        │    X-Amz-Cf-Id:                     gbnDkmvZTM1K1fKQD7b6f5X-E4mFPwXoAIz-d8PWgAtJUrlx2stNzw==
        │    X-Amz-Cf-Pop:                    SFO53-P7
        │    X-Amzn-Remapped-Content-Length:  0
        │    X-Amzn-Remapped-Date:            Thu, 12 Feb 2026 06:05:37 GMT
        │    X-Amzn-Remapped-Server:          uvicorn
        │    X-Amzn-Requestid:                55dcaab4-ee62-4c5d-8f48-e67cd46f633d
        │    X-Amzn-Trace-Id:                 Root=1-698d6e42-2ad6250c7bbb02577b431ec4;Parent=7dd0452347d56f08;Sampled=0;Lineage=1:389041bb:0
        │    X-Cache:                         Miss from cloudfront
        │◄─────────────────────────────────────────────────────────────────┤
        │                                                                  │
        │  POST https://borsamcp.fastmcp.app/mcp                         
        │  Reason: Step 2: MCP initialize + tools/list (null id probe)   
        │    Accept:                application/json, text/event-stream
        │    Content-Type:          application/json
        │    Host:                  borsamcp.fastmcp.app
        │    Mcp-Protocol-Version:  2025-11-25
        │    Mcp-Session-Id:        01308a93-b14c-49d7-a0e6-289c93d66014
        ├─────────────────────────────────────────────────────────────────►│
        │  202 Accepted                                                  
        │    Content-Length:                  0
        │    Content-Type:                    application/json
        │    Date:                            Thu, 12 Feb 2026 06:08:02 GMT
        │    Mcp-Session-Id:                  01308a93-b14c-49d7-a0e6-289c93d66014
        │    Via:                             1.1 fb1699c4cb8ff04b39762e99ca06e3d2.cloudfront.net (CloudFront)
        │    X-Amz-Cf-Id:                     YWBW-bSbfN1ZiTqFBDcEYDTSU-duyyzIbgbuA-RGlVoF9jhqEmlvJg==
        │    X-Amz-Cf-Pop:                    SFO53-P7
        │    X-Amzn-Remapped-Content-Length:  0
        │    X-Amzn-Remapped-Date:            Thu, 12 Feb 2026 06:05:37 GMT
        │    X-Amzn-Remapped-Server:          uvicorn
        │    X-Amzn-Requestid:                8a1a9296-66cb-41f2-8545-875f1aec22f2
        │    X-Amzn-Trace-Id:                 Root=1-698d6e42-7a4a69766fa3bb9b4202491e;Parent=610707c7ec1b08cd;Sampled=0;Lineage=1:389041bb:0
        │    X-Cache:                         Miss from cloudfront
        │◄─────────────────────────────────────────────────────────────────┤
        │                                                                  │
        │  POST https://borsamcp.fastmcp.app/mcp                         
        │  Reason: Step 2: MCP initialize + tools/list (notification id probe)
        │    Accept:                application/json, text/event-stream
        │    Content-Type:          application/json
        │    Host:                  borsamcp.fastmcp.app
        │    Mcp-Protocol-Version:  2025-11-25
        │    Mcp-Session-Id:        01308a93-b14c-49d7-a0e6-289c93d66014
        ├─────────────────────────────────────────────────────────────────►│
        │  200 OK                                                        
        │    Cache-Control:               no-cache, no-transform
        │    Content-Length:              124
        │    Content-Type:                text/event-stream
        │    Date:                        Thu, 12 Feb 2026 06:08:03 GMT
        │    Mcp-Session-Id:              01308a93-b14c-49d7-a0e6-289c93d66014
        │    Via:                         1.1 fb1699c4cb8ff04b39762e99ca06e3d2.cloudfront.net (CloudFront)
        │    X-Amz-Cf-Id:                 OjY3JubRDa--ivjqdH1AXv3coyKhN-jsbypWKTOtebXAGZF0T3UKKg==
        │    X-Amz-Cf-Pop:                SFO53-P7
        │    X-Amzn-Remapped-Connection:  keep-alive
        │    X-Amzn-Remapped-Date:        Thu, 12 Feb 2026 06:05:37 GMT
        │    X-Amzn-Remapped-Server:      uvicorn
        │    X-Amzn-Requestid:            37b1b78a-d4d0-46e4-8680-af43d5f273f0
        │    X-Amzn-Trace-Id:             Root=1-698d6e43-643a78e92cd213dc15d6b56b;Parent=48385e9d792ce880;Sampled=0;Lineage=1:389041bb:0
        │    X-Cache:                     Miss from cloudfront
        │◄─────────────────────────────────────────────────────────────────┤
        │                                                                  │
        │  POST https://borsamcp.fastmcp.app/mcp                         
        │  Reason: Step 2: MCP initialize + tools/list (origin probe)    
        │    Accept:                application/json, text/event-stream
        │    Content-Type:          application/json
        │    Host:                  borsamcp.fastmcp.app
        │    Mcp-Protocol-Version:  2025-11-25
        │    Mcp-Session-Id:        01308a93-b14c-49d7-a0e6-289c93d66014
        │    Origin:                http://invalid.example
        ├─────────────────────────────────────────────────────────────────►│
        │  200 OK                                                        
        │    Access-Control-Allow-Origin:  http://invalid.example
        │    Cache-Control:                no-cache, no-transform
        │    Content-Length:               25026
        │    Content-Type:                 text/event-stream
        │    Date:                         Thu, 12 Feb 2026 06:08:03 GMT
        │    Mcp-Session-Id:               01308a93-b14c-49d7-a0e6-289c93d66014
        │    Vary:                         Origin
        │    Via:                          1.1 fb1699c4cb8ff04b39762e99ca06e3d2.cloudfront.net (CloudFront)
        │    X-Amz-Cf-Id:                  7UpsUBQxLvLti4gyWldUbmMIw0r1aXaVbXcaMb8w4j7PZnR6UcWesA==
        │    X-Amz-Cf-Pop:                 SFO53-P7
        │    X-Amzn-Remapped-Connection:   keep-alive
        │    X-Amzn-Remapped-Date:         Thu, 12 Feb 2026 06:08:03 GMT
        │    X-Amzn-Remapped-Server:       uvicorn
        │    X-Amzn-Requestid:             fa4a1fe1-ae76-45b3-ab17-823ab0b5e722
        │    X-Amzn-Trace-Id:              Root=1-698d6e43-03ca49d9260366e220afab77;Parent=7b1d1bdf8454c755;Sampled=0;Lineage=1:389041bb:0
        │    X-Cache:                      Miss from cloudfront
        │◄─────────────────────────────────────────────────────────────────┤
        │                                                                  │
        │  POST https://borsamcp.fastmcp.app/mcp                         
        │  Reason: Step 2: MCP initialize + tools/list (protocol version probe)
        │    Accept:                application/json, text/event-stream
        │    Content-Type:          application/json
        │    Host:                  borsamcp.fastmcp.app
        │    Mcp-Protocol-Version:  invalid
        │    Mcp-Session-Id:        01308a93-b14c-49d7-a0e6-289c93d66014
        ├─────────────────────────────────────────────────────────────────►│
        │  400 Bad Request                                               
        │    Content-Length:                  192
        │    Content-Type:                    application/json
        │    Date:                            Thu, 12 Feb 2026 06:08:03 GMT
        │    Mcp-Session-Id:                  01308a93-b14c-49d7-a0e6-289c93d66014
        │    Via:                             1.1 fb1699c4cb8ff04b39762e99ca06e3d2.cloudfront.net (CloudFront)
        │    X-Amz-Cf-Id:                     Q05NjujJRmzRKOkncqdcb4k7wb042fV0l5P02jTQUv46QMN8Gb1_Rg==
        │    X-Amz-Cf-Pop:                    SFO53-P7
        │    X-Amzn-Remapped-Content-Length:  192
        │    X-Amzn-Remapped-Date:            Thu, 12 Feb 2026 06:08:03 GMT
        │    X-Amzn-Remapped-Server:          uvicorn
        │    X-Amzn-Requestid:                8923c163-cfa3-453e-a934-e8593518d613
        │    X-Amzn-Trace-Id:                 Root=1-698d6e43-21827ec94936d7a6204cdf66;Parent=096754b43ef3110a;Sampled=0;Lineage=1:389041bb:0
        │    X-Cache:                         Error from cloudfront
        │◄─────────────────────────────────────────────────────────────────┤
        │                                                                  │
        │  POST https://borsamcp.fastmcp.app/mcp                         
        │  Reason: Step 2: MCP initialize + tools/list (session id probe)
        │    Accept:                application/json, text/event-stream
        │    Content-Type:          application/json
        │    Host:                  borsamcp.fastmcp.app
        │    Mcp-Protocol-Version:  2025-11-25
        │    Mcp-Session-Id:        invalid-session
        ├─────────────────────────────────────────────────────────────────►│
        │  200 OK                                                        
        │    Cache-Control:               no-cache, no-transform
        │    Content-Length:              25026
        │    Content-Type:                text/event-stream
        │    Date:                        Thu, 12 Feb 2026 06:08:04 GMT
        │    Mcp-Session-Id:              invalid-session
        │    Via:                         1.1 fb1699c4cb8ff04b39762e99ca06e3d2.cloudfront.net (CloudFront)
        │    X-Amz-Cf-Id:                 FoDsJbOL3Eoh3gvY_N5LB3C70NCPZzASNQjjaGMsBEQkz-cqO4G7Rg==
        │    X-Amz-Cf-Pop:                SFO53-P7
        │    X-Amzn-Remapped-Connection:  keep-alive
        │    X-Amzn-Remapped-Date:        Thu, 12 Feb 2026 06:08:03 GMT
        │    X-Amzn-Remapped-Server:      uvicorn
        │    X-Amzn-Requestid:            616483fc-8254-4ed2-af4e-7a939f4d03d2
        │    X-Amzn-Trace-Id:             Root=1-698d6e43-284b60be4a0ddc331cdc59d0;Parent=2c5b1cf5d0d4b1b3;Sampled=0;Lineage=1:389041bb:0
        │    X-Cache:                     Miss from cloudfront
        │◄─────────────────────────────────────────────────────────────────┤
        │                                                                  │
        │  POST https://borsamcp.fastmcp.app/mcp                         
        │  Reason: Step 2: MCP initialize + tools/list (tools/list)      
        │    Accept:                application/json, text/event-stream
        │    Content-Type:          application/json
        │    Host:                  borsamcp.fastmcp.app
        │    Mcp-Protocol-Version:  2025-11-25
        │    Mcp-Session-Id:        01308a93-b14c-49d7-a0e6-289c93d66014
        ├─────────────────────────────────────────────────────────────────►│
        │  200 OK                                                        
        │    Cache-Control:               no-cache, no-transform
        │    Content-Length:              25025
        │    Content-Type:                text/event-stream
        │    Date:                        Thu, 12 Feb 2026 06:08:04 GMT
        │    Mcp-Session-Id:              01308a93-b14c-49d7-a0e6-289c93d66014
        │    Via:                         1.1 fb1699c4cb8ff04b39762e99ca06e3d2.cloudfront.net (CloudFront)
        │    X-Amz-Cf-Id:                 dOyG3ZKI1yVShN6MjzyKAfWLiUAsiwoqVqTcxXRGLynKNDqrzleuzQ==
        │    X-Amz-Cf-Pop:                SFO53-P7
        │    X-Amzn-Remapped-Connection:  keep-alive
        │    X-Amzn-Remapped-Date:        Thu, 12 Feb 2026 06:08:03 GMT
        │    X-Amzn-Remapped-Server:      uvicorn
        │    X-Amzn-Requestid:            4e9943b7-8ecd-4b3b-ab7e-75f9de12fc6d
        │    X-Amzn-Trace-Id:             Root=1-698d6e44-33e6d1363ac204687ab41b89;Parent=0ade2fe14683e2dd;Sampled=0;Lineage=1:389041bb:0
        │    X-Cache:                     Miss from cloudfront
        │◄─────────────────────────────────────────────────────────────────┤
        │                                                                  │
        │  POST https://borsamcp.fastmcp.app/mcp                         
        │  Reason: Step 2: MCP initialize + tools/list (tasks/list)      
        │    Accept:                application/json, text/event-stream
        │    Content-Type:          application/json
        │    Host:                  borsamcp.fastmcp.app
        │    Mcp-Protocol-Version:  2025-11-25
        │    Mcp-Session-Id:        01308a93-b14c-49d7-a0e6-289c93d66014
        ├─────────────────────────────────────────────────────────────────►│
        │  200 OK                                                        
        │    Cache-Control:               no-cache, no-transform
        │    Content-Length:              72
        │    Content-Type:                text/event-stream
        │    Date:                        Thu, 12 Feb 2026 06:08:04 GMT
        │    Mcp-Session-Id:              01308a93-b14c-49d7-a0e6-289c93d66014
        │    Via:                         1.1 fb1699c4cb8ff04b39762e99ca06e3d2.cloudfront.net (CloudFront)
        │    X-Amz-Cf-Id:                 M3fEg9B5Rgm54AtrEfvLNBYuKhMeJ10LAZdv6KkfCIwBWfIL6J01QA==
        │    X-Amz-Cf-Pop:                SFO53-P7
        │    X-Amzn-Remapped-Connection:  keep-alive
        │    X-Amzn-Remapped-Date:        Thu, 12 Feb 2026 06:08:03 GMT
        │    X-Amzn-Remapped-Server:      uvicorn
        │    X-Amzn-Requestid:            57ab14e6-e1c1-43b0-840a-dc83822bc134
        │    X-Amzn-Trace-Id:             Root=1-698d6e44-1a07610149aba17b6e1e3196;Parent=064a50d2b7a1edfd;Sampled=0;Lineage=1:389041bb:0
        │    X-Cache:                     Miss from cloudfront
        │◄─────────────────────────────────────────────────────────────────┤
        │                                                                  │
        │ ╔═══ Step 3: PRM Discovery                ═══════╪═══════════════════╗
        │  GET https://borsamcp.fastmcp.app/.well-known/oauth-protected-resource
        │  Reason: Step 3: PRM fetch matrix                              
        │    Accept:  application/json
        │    Host:    borsamcp.fastmcp.app
        ├─────────────────────────────────────────────────────────────────►│
        │  404 Not Found                                                 
        │    Content-Length:                  9
        │    Content-Type:                    text/plain; charset=utf-8
        │    Date:                            Thu, 12 Feb 2026 06:08:07 GMT
        │    Via:                             1.1 fb1699c4cb8ff04b39762e99ca06e3d2.cloudfront.net (CloudFront)
        │    X-Amz-Cf-Id:                     vni1SoSVhi8XyP4R8-n65U_cA0qVFVIl22Q_JjCGuOZpp9cZsNrUbw==
        │    X-Amz-Cf-Pop:                    SFO53-P7
        │    X-Amzn-Remapped-Content-Length:  9
        │    X-Amzn-Remapped-Date:            Thu, 12 Feb 2026 06:08:06 GMT
        │    X-Amzn-Remapped-Server:          uvicorn
        │    X-Amzn-Requestid:                45e73af3-4795-4fb4-8b5f-f9866e0276a1
        │    X-Amzn-Trace-Id:                 Root=1-698d6e47-03cc4da8350abab603ee7367;Parent=5a5b1557a9f44336;Sampled=0;Lineage=1:389041bb:0
        │    X-Cache:                         Error from cloudfront
        │◄─────────────────────────────────────────────────────────────────┤
        │                                                                  │
        │  GET https://borsamcp.fastmcp.app/.well-known/oauth-protected-resource/mcp
        │  Reason: Step 3: PRM fetch matrix                              
        │    Accept:  application/json
        │    Host:    borsamcp.fastmcp.app
        ├─────────────────────────────────────────────────────────────────►│
        │  405 Method Not Allowed                                        
        │    Access-Control-Allow-Origin:  *
        │    Content-Length:               0
        │    Content-Type:                 application/json
        │    Date:                         Thu, 12 Feb 2026 06:08:08 GMT
        │    Via:                          1.1 fb1699c4cb8ff04b39762e99ca06e3d2.cloudfront.net (CloudFront)
        │    X-Amz-Cf-Id:                  hfezQgQGBEyL9FvL1IHTZPPXci2zMSdTXj_epi858nQ1HVe-FROs-w==
        │    X-Amz-Cf-Pop:                 SFO53-P7
        │    X-Amzn-Requestid:             33f2fb12-509b-46c9-9ebf-9956e5d8de23
        │    X-Amzn-Trace-Id:              Root=1-698d6e48-446f06ef72e8f71e6f308b54;Parent=5db82eba7c55be71;Sampled=0;Lineage=1:389041bb:0
        │    X-Cache:                      Error from cloudfront
        │◄─────────────────────────────────────────────────────────────────┤
        ▼                                                                  ▼

┌────────────────────┤ LLM EXPLANATION ├─────────────────────┐
The primary failure reported by the AuthProbe scan is MCP_JSONRPC_ID_NULL_ACCEPTED, which is a high-confidence, high-priority finding. This finding identifies that the target MCP OAuth server at https://borsamcp.fastmcp.app/mcp accepts JSON-RPC requests with "id": null and responds with a status 202 Accepted. According to MCP 2025-11-25 and related specifications, this behavior is incorrect and non-compliant. Here is the detailed analysis grounded in the authoritative specifications:


1. Background: JSON-RPC ID Semantics in MCP

The MCP specification, aligned with JSON-RPC 2.0, requires that every JSON-RPC request includes an "id" field that is either a string or a number (see JSON-RPC 2.0 Specification):

  • The "id" member is used to correlate requests and responses.
  • The "id" must be a string, number, or null. But importantly, per JSON-RPC 2.0 Section 4.1, if a request's "id" is null, the request is treated as a notification and the server must not return a response.

MCP 2025-11-25 adopts JSON-RPC 2.0 semantics for its tool RPC requests (MCP Section 3.X). This implies the server must interpret "id": null as a notification and respond accordingly.


2. Why Acceptance of "id": null Requests and Returning 202 Is Invalid

Evidence from the scan:

  • Probe with "id": null returns HTTP status 202.

Why this is a failure:

  • MCP 2025-11-25: Section on MCP JSON-RPC usage requires correct "id" management. The "id" must be a string or number for standard requests expecting a response. Null IDs indicate notifications, which must not generate a response (or any HTTP status indicating acceptance with content).

  • JSON-RPC 2.0 (Section 4.1 and 1.1): Notifications are requests without an "id" (or "id": null) and do not require a response.

    "A Notification is a Request object without an "id" member. A request that is a Notification signifies the Client's lack of interest in the corresponding Response."
    (Some implementations accept "id": null as a notification semantics equivalent.)

  • Returning HTTP 202 (Accepted) as a response to a JSON-RPC request with "id": null is violating this contract, because 202 is a positive, actionable HTTP response that incorrectly implies the server accepted and will process a request expecting a response.

  • Instead, the MCP server should not return any JSON-RPC response object at all for a null "id" request or if it returns anything at all, the HTTP status should indicate no response content (204 No Content would be more appropriate if any HTTP response must be sent). The response should not be a JSON-RPC response object or an acknowledgement message with "id": null.


  • Incorrect handling of "id": null may lead to client-server protocol confusion or unexpected state, especially if clients rely on strict
version probe) │ Accept: application/json, text/event-stream │ Content-Type: application/json │ Host: borsamcp.fastmcp.app │ Mcp-Protocol-Version: invalid │ Mcp-Session-Id: 01308a93-b14c-49d7-a0e6-289c93d66014 ├─────────────────────────────────────────────────────────────────►│ │ 400 Bad Request │ Content-Length: 192 │ Content-Type: application/json │ Date: Thu, 12 Feb 2026 06:08:03 GMT │ Mcp-Session-Id: 01308a93-b14c-49d7-a0e6-289c93d66014 │ Via: 1.1 fb1699c4cb8ff04b39762e99ca06e3d2.cloudfront.net (CloudFront) │ X-Amz-Cf-Id: Q05NjujJRmzRKOkncqdcb4k7wb042fV0l5P02jTQUv46QMN8Gb1_Rg== │ X-Amz-Cf-Pop: SFO53-P7 │ X-Amzn-Remapped-Content-Length: 192 │ X-Amzn-Remapped-Date: Thu, 12 Feb 2026 06:08:03 GMT │ X-Amzn-Remapped-Server: uvicorn │ X-Amzn-Requestid: 8923c163-cfa3-453e-a934-e8593518d613 │ X-Amzn-Trace-Id: Root=1-698d6e43-21827ec94936d7a6204cdf66;Parent=096754b43ef3110a;Sampled=0;Lineage=1:389041bb:0 │ X-Cache: Error from cloudfront │◄─────────────────────────────────────────────────────────────────┤ │ │ │ POST https://borsamcp.fastmcp.app/mcp │ Reason: Step 2: MCP initialize + tools/list (session id probe) │ Accept: application/json, text/event-stream │ Content-Type: application/json │ Host: borsamcp.fastmcp.app │ Mcp-Protocol-Version: 2025-11-25 │ Mcp-Session-Id: invalid-session ├─────────────────────────────────────────────────────────────────►│ │ 200 OK │ Cache-Control: no-cache, no-transform │ Content-Length: 25026 │ Content-Type: text/event-stream │ Date: Thu, 12 Feb 2026 06:08:04 GMT │ Mcp-Session-Id: invalid-session │ Via: 1.1 fb1699c4cb8ff04b39762e99ca06e3d2.cloudfront.net (CloudFront) │ X-Amz-Cf-Id: FoDsJbOL3Eoh3gvY_N5LB3C70NCPZzASNQjjaGMsBEQkz-cqO4G7Rg== │ X-Amz-Cf-Pop: SFO53-P7 │ X-Amzn-Remapped-Connection: keep-alive │ X-Amzn-Remapped-Date: Thu, 12 Feb 2026 06:08:03 GMT │ X-Amzn-Remapped-Server: uvicorn │ X-Amzn-Requestid: 616483fc-8254-4ed2-af4e-7a939f4d03d2 │ X-Amzn-Trace-Id: 
Root=1-698d6e43-284b60be4a0ddc331cdc59d0;Parent=2c5b1cf5d0d4b1b3;Sampled=0;Lineage=1:389041bb:0 │ X-Cache: Miss from cloudfront │◄─────────────────────────────────────────────────────────────────┤ │ │ │ POST https://borsamcp.fastmcp.app/mcp │ Reason: Step 2: MCP initialize + tools/list (tools/list) │ Accept: application/json, text/event-stream │ Content-Type: application/json │ Host: borsamcp.fastmcp.app │ Mcp-Protocol-Version: 2025-11-25 │ Mcp-Session-Id: 01308a93-b14c-49d7-a0e6-289c93d66014 ├─────────────────────────────────────────────────────────────────►│ │ 200 OK │ Cache-Control: no-cache, no-transform │ Content-Length: 25025 │ Content-Type: text/event-stream │ Date: Thu, 12 Feb 2026 06:08:04 GMT │ Mcp-Session-Id: 01308a93-b14c-49d7-a0e6-289c93d66014 │ Via: 1.1 fb1699c4cb8ff04b39762e99ca06e3d2.cloudfront.net (CloudFront) │ X-Amz-Cf-Id: dOyG3ZKI1yVShN6MjzyKAfWLiUAsiwoqVqTcxXRGLynKNDqrzleuzQ== │ X-Amz-Cf-Pop: SFO53-P7 │ X-Amzn-Remapped-Connection: keep-alive │ X-Amzn-Remapped-Date: Thu, 12 Feb 2026 06:08:03 GMT │ X-Amzn-Remapped-Server: uvicorn │ X-Amzn-Requestid: 4e9943b7-8ecd-4b3b-ab7e-75f9de12fc6d │ X-Amzn-Trace-Id: Root=1-698d6e44-33e6d1363ac204687ab41b89;Parent=0ade2fe14683e2dd;Sampled=0;Lineage=1:389041bb:0 │ X-Cache: Miss from cloudfront │◄─────────────────────────────────────────────────────────────────┤ │ │ │ POST https://borsamcp.fastmcp.app/mcp │ Reason: Step 2: MCP initialize + tools/list (tasks/list) │ Accept: application/json, text/event-stream │ Content-Type: application/json │ Host: borsamcp.fastmcp.app │ Mcp-Protocol-Version: 2025-11-25 │ Mcp-Session-Id: 01308a93-b14c-49d7-a0e6-289c93d66014 ├─────────────────────────────────────────────────────────────────►│ │ 200 OK │ Cache-Control: no-cache, no-transform │ Content-Length: 72 │ Content-Type: text/event-stream │ Date: Thu, 12 Feb 2026 06:08:04 GMT │ Mcp-Session-Id: 01308a93-b14c-49d7-a0e6-289c93d66014 │ Via: 1.1 fb1699c4cb8ff04b39762e99ca06e3d2.cloudfront.net (CloudFront) │ X-Amz-Cf-Id: 
M3fEg9B5Rgm54AtrEfvLNBYuKhMeJ10LAZdv6KkfCIwBWfIL6J01QA== │ X-Amz-Cf-Pop: SFO53-P7 │ X-Amzn-Remapped-Connection: keep-alive │ X-Amzn-Remapped-Date: Thu, 12 Feb 2026 06:08:03 GMT │ X-Amzn-Remapped-Server: uvicorn │ X-Amzn-Requestid: 57ab14e6-e1c1-43b0-840a-dc83822bc134 │ X-Amzn-Trace-Id: Root=1-698d6e44-1a07610149aba17b6e1e3196;Parent=064a50d2b7a1edfd;Sampled=0;Lineage=1:389041bb:0 │ X-Cache: Miss from cloudfront │◄─────────────────────────────────────────────────────────────────┤ │ │ │ ╔═══ Step 3: PRM Discovery ═══════╪═══════════════════╗ │ GET https://borsamcp.fastmcp.app/.well-known/oauth-protected-resource │ Reason: Step 3: PRM fetch matrix │ Accept: application/json │ Host: borsamcp.fastmcp.app ├─────────────────────────────────────────────────────────────────►│ │ 404 Not Found │ Content-Length: 9 │ Content-Type: text/plain; charset=utf-8 │ Date: Thu, 12 Feb 2026 06:08:07 GMT │ Via: 1.1 fb1699c4cb8ff04b39762e99ca06e3d2.cloudfront.net (CloudFront) │ X-Amz-Cf-Id: vni1SoSVhi8XyP4R8-n65U_cA0qVFVIl22Q_JjCGuOZpp9cZsNrUbw== │ X-Amz-Cf-Pop: SFO53-P7 │ X-Amzn-Remapped-Content-Length: 9 │ X-Amzn-Remapped-Date: Thu, 12 Feb 2026 06:08:06 GMT │ X-Amzn-Remapped-Server: uvicorn │ X-Amzn-Requestid: 45e73af3-4795-4fb4-8b5f-f9866e0276a1 │ X-Amzn-Trace-Id: Root=1-698d6e47-03cc4da8350abab603ee7367;Parent=5a5b1557a9f44336;Sampled=0;Lineage=1:389041bb:0 │ X-Cache: Error from cloudfront │◄─────────────────────────────────────────────────────────────────┤ │ │ │ GET https://borsamcp.fastmcp.app/.well-known/oauth-protected-resource/mcp │ Reason: Step 3: PRM fetch matrix │ Accept: application/json │ Host: borsamcp.fastmcp.app ├─────────────────────────────────────────────────────────────────►│ │ 405 Method Not Allowed │ Access-Control-Allow-Origin: * │ Content-Length: 0 │ Content-Type: application/json │ Date: Thu, 12 Feb 2026 06:08:08 GMT │ Via: 1.1 fb1699c4cb8ff04b39762e99ca06e3d2.cloudfront.net (CloudFront) │ X-Amz-Cf-Id: hfezQgQGBEyL9FvL1IHTZPPXci2zMSdTXj_epi858nQ1HVe-FROs-w== │ 
┌────────────────────┤ LLM EXPLANATION ├─────────────────────┐

The primary failure reported by the AuthProbe scan is **MCP_JSONRPC_ID_NULL_ACCEPTED**, which is a high-confidence, high-priority finding. This finding identifies that the target MCP OAuth server at `https://borsamcp.fastmcp.app/mcp` accepts JSON-RPC requests with `"id": null` and responds with a status `202 Accepted`. According to MCP 2025-11-25 and related specifications, this behavior is incorrect and non-compliant. Here is the detailed analysis grounded in the authoritative specifications:

---

### 1. Background: JSON-RPC ID Semantics in MCP

The MCP specification, aligned with **JSON-RPC 2.0**, requires that every JSON-RPC request includes an `"id"` field that is either a string or a number (see [JSON-RPC 2.0 Specification](https://www.jsonrpc.org/specification#request_object)):

- The `"id"` member is **used to correlate requests and responses**.
- The `"id"` must be a string, number, or `null`.

But importantly, **per JSON-RPC 2.0 Section 4.1**, if a request's `"id"` is `null`, the request is treated as a **notification** and the server must **not return a response**.

MCP 2025-11-25 adopts JSON-RPC 2.0 semantics for its tool RPC requests (MCP Section 3.X). This implies the server must interpret `"id": null` as a notification and respond accordingly.

---

### 2. Why Acceptance of `"id": null` Requests and Returning `202` Is Invalid

**Evidence from the scan:**

- Probe with `"id": null` returns HTTP status `202`.

**Why this is a failure:**

- **MCP 2025-11-25**: Section on MCP JSON-RPC usage requires correct `"id"` management. The `"id"` must be a string or number for standard requests expecting a response. Null IDs indicate notifications, which must not generate a response (or any HTTP status indicating acceptance with content).
- **JSON-RPC 2.0** (Section 4.1 and 1.1): Notifications are requests without an `"id"` (or `"id": null`) and do not require a response.

  > *"A Notification is a Request object without an "id" member. A request that is a Notification signifies the Client's lack of interest in the corresponding Response."*

  (Some implementations accept `"id": null` as a notification semantics equivalent.)
- Returning HTTP `202` (Accepted) as a response to a JSON-RPC request with `"id": null` is violating this contract, because 202 is a positive, actionable HTTP response that incorrectly implies the server accepted and will process a request expecting a response.
- Instead, the MCP server should **not return any JSON-RPC response object at all** for a null `"id"` request or if it returns anything at all, the HTTP status should indicate no response content (204 No Content would be more appropriate if any HTTP response must be sent). The response should not be a JSON-RPC response object or an acknowledgement message with `"id": null`.

---

### 3. Related Protocol and Security Considerations

- Incorrect handling of `"id": null` may lead to client-server protocol confusion or unexpected state, especially if clients rely on strict

kerem closed this issue 2026-03-04 02:08:23 +03:00

@saidsurucu commented on GitHub (Feb 19, 2026):

fixed.


@clgtm commented on GitHub (Feb 19, 2026):

https://github.com/saidsurucu/borsa-mcp/commit/b0d669fdac93062f66df77841e611115f9da7c2d