Summary
withHttpSession in server/lib/mcp-client.ts (added in #229 / #230) passes connection.transport.config.url straight to fetch. When that value isn't a valid URL, the native fetch error is surfaced as:
Failed to reach MCP server: Failed to parse URL from <value>
This is confusing, and — critically — it echoes the offending value back to the user. In practice this bit us: a token pasted into the URL field produced Failed to parse URL from cfut_…, leaking the credential into both the terminal output and (separately) the plaintext integrations.json config.
Proposed change
In withHttpSession, validate config.url up front, before any network call:
- Reject anything that isn't a syntactically valid http(s) URL, mirroring executeRequest's safeOrigin helper in integration-execute.ts.
- Fail with a clear, generic message that does not echo the input value, e.g. "This MCP connection's URL is not a valid http(s) URL."
Why
- Clear error for the common misconfiguration (wrong field, typo).
- Avoids echoing a value that may be a secret into logs/terminal.
- Consistent with how the REST/OpenAPI executor already guards its base URL.
Acceptance criteria
- transport.config.url is not a valid http(s) URL fails fast with a clear message that does not include the value.
- http/https URLs continue to work unchanged.
Context
Follow-up to #229 (PR #230). Surfaced while registering the Cloudflare Code Mode integration.
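One way the up-front check proposed above could look, as an added example that is not the project's code and not its safeOrigin helper. The names parseMcpUrl, McpConfigError, openSession and FetchLike are hypothetical, and the token-like strings in the comments are constructed.

```typescript
// Added example: hypothetical names, not taken from server/lib/mcp-client.ts.
const INVALID_URL_MESSAGE = "This MCP connection's URL is not a valid http(s) URL.";

class McpConfigError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "McpConfigError";
  }
}

// Returns the parsed URL, or throws a fixed message that never contains the input.
function parseMcpUrl(raw: unknown): URL {
  if (typeof raw !== "string") {
    throw new McpConfigError(INVALID_URL_MESSAGE);
  }
  let parsed: URL;
  try {
    parsed = new URL(raw);
  } catch {
    // The parser's own error is dropped on purpose: it can carry the raw
    // value, which may be a secret pasted into the wrong field.
    throw new McpConfigError(INVALID_URL_MESSAGE);
  }
  // A value such as "key:cfut_..." parses as a URL with scheme "key:",
  // so catching parse failures alone is not enough; the scheme is checked too.
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
    throw new McpConfigError(INVALID_URL_MESSAGE);
  }
  return parsed;
}

// Stand-in for the transport call so the ordering can be exercised offline.
type FetchLike = (url: string) => Promise<unknown>;

// Validation runs first, so an invalid value never reaches the network layer
// and never reaches that layer's error text.
async function openSession(rawUrl: unknown, fetchImpl: FetchLike): Promise<unknown> {
  const url = parseMcpUrl(rawUrl);
  return fetchImpl(url.href);
}
```
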