Use numeric comparison for number-typed custom header validation

Tarek Mahmoud Sayed · Tarek Mahmoud Sayed · commit 5f4735b1468b · 2026-05-12T14:26:53.000-07:00
For parameters with JSON Schema type 'number' or 'integer', compare
header values numerically instead of as exact strings. This handles
cross-SDK representation differences where different SDKs may serialize
the same number differently (e.g., '42' vs '42.0', or minor floating
point drift). Uses an absolute tolerance of 1e-9 for decimal values,
matching the conformance test approach.
diff --git a/src/ModelContextProtocol.AspNetCore/StreamableHttpHandler.cs b/src/ModelContextProtocol.AspNetCore/StreamableHttpHandler.cs
@@ -748,7 +748,7 @@ argForMissing is not null &&
                 if (expectedHeaderValue is not null)
                 {
                     var decodedExpected = McpHeaderEncoder.DecodeValue(expectedHeaderValue);
-                    if (!string.Equals(decodedActual, decodedExpected, StringComparison.Ordinal))
+                    if (!ValuesMatch(decodedActual, decodedExpected, property.Value))
                     {
                         errorMessage = $"Header mismatch: {fullHeaderName} header value does not match body argument '{property.Name}'.";
                         return false;
@@ -791,6 +791,41 @@ private static bool IsValidHeaderValue(string value)
         return true;
     }
 
+    /// <summary>
+    /// Compares two decoded header values, using numeric comparison for number-typed
+    /// parameters to handle cross-SDK representation differences (e.g., "42" vs "42.0").
+    /// </summary>
+    private static bool ValuesMatch(string? actual, string? expected, System.Text.Json.JsonElement propertySchema)
+    {
+        if (string.Equals(actual, expected, StringComparison.Ordinal))
+        {
+            return true;
+        }
+
+        // JSON Schema defines two numeric types: "number" (any numeric value including
+        // decimals like 3.14) and "integer" (whole numbers only like 42). Both produce
+        // JsonValueKind.Number in the JSON body and are sent as numeric strings in headers.
+        // We check for both because different SDKs may serialize them differently —
+        // e.g., a client might send header "42.0" for an "integer" body value of 42,
+        // or header "42" for a "number" body value of 42.0. Without handling both types,
+        // valid cross-SDK requests would be incorrectly rejected.
+        if (propertySchema.TryGetProperty("type", out var typeElement) &&
+            typeElement.ValueKind == System.Text.Json.JsonValueKind.String &&
+            typeElement.GetString() is "number" or "integer" &&
+            actual is not null && expected is not null &&
+            double.TryParse(actual, System.Globalization.NumberStyles.Float, System.Globalization.CultureInfo.InvariantCulture, out var actualNum) &&
+            double.TryParse(expected, System.Globalization.NumberStyles.Float, System.Globalization.CultureInfo.InvariantCulture, out var expectedNum))
+        {
+            // Allow a small absolute tolerance for floating point representation differences.
+            if (Math.Abs(actualNum - expectedNum) < 1e-9)
+            {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
     private static string? ConvertJsonNodeToHeaderValue(System.Text.Json.Nodes.JsonNode node)
     {
         if (node is not System.Text.Json.Nodes.JsonValue jsonValue)
diff --git a/tests/ModelContextProtocol.AspNetCore.Tests/Sep2243HeaderTests.cs b/tests/ModelContextProtocol.AspNetCore.Tests/Sep2243HeaderTests.cs
@@ -233,6 +233,54 @@ public async Task Server_AcceptsLargeIntegerWithFullPrecision()
         Assert.Equal(HttpStatusCode.OK, response.StatusCode);
     }
 
+    [Theory]
+    [InlineData("42", 42)]       // "42" header vs 42 body → exact integer match
+    [InlineData("42.0", 42)]     // "42.0" header vs 42 body → numeric equivalence
+    [InlineData("42", 42.0)]     // "42" header vs 42.0 body → numeric equivalence
+    public async Task Server_AcceptsNumericEquivalentHeaderValues(string headerValue, double bodyValue)
+    {
+        await StartAsync();
+        await InitializeWithDraftVersionAsync();
+
+        var callJson = CallTool("header_test", $$$"""{"region":"test","priority":{{{bodyValue.ToString(System.Globalization.CultureInfo.InvariantCulture)}}},"verbose":false,"emptyVal":""}""");
+
+        using var request = new HttpRequestMessage(HttpMethod.Post, "");
+        request.Content = new StringContent(callJson, Encoding.UTF8, "application/json");
+        request.Headers.Add("MCP-Protocol-Version", "DRAFT-2026-v1");
+        request.Headers.Add("Mcp-Method", "tools/call");
+        request.Headers.Add("Mcp-Name", "header_test");
+        request.Headers.Add("Mcp-Param-Region", "test");
+        request.Headers.Add("Mcp-Param-Priority", headerValue);
+        request.Headers.Add("Mcp-Param-Verbose", "false");
+        request.Headers.Add("Mcp-Param-EmptyVal", "");
+
+        using var response = await HttpClient.SendAsync(request, TestContext.Current.CancellationToken);
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+    }
+
+    [Fact]
+    public async Task Server_RejectsNonNumericMismatch_ForIntegerParam()
+    {
+        await StartAsync();
+        await InitializeWithDraftVersionAsync();
+
+        // Header says "99" but body says priority:42 — must reject even with numeric comparison
+        var callJson = CallTool("header_test", """{"region":"test","priority":42,"verbose":false,"emptyVal":""}""");
+
+        using var request = new HttpRequestMessage(HttpMethod.Post, "");
+        request.Content = new StringContent(callJson, Encoding.UTF8, "application/json");
+        request.Headers.Add("MCP-Protocol-Version", "DRAFT-2026-v1");
+        request.Headers.Add("Mcp-Method", "tools/call");
+        request.Headers.Add("Mcp-Name", "header_test");
+        request.Headers.Add("Mcp-Param-Region", "test");
+        request.Headers.Add("Mcp-Param-Priority", "99");
+        request.Headers.Add("Mcp-Param-Verbose", "false");
+        request.Headers.Add("Mcp-Param-EmptyVal", "");
+
+        using var response = await HttpClient.SendAsync(request, TestContext.Current.CancellationToken);
+        Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);
+    }
+
     [Fact]
     public async Task Server_SkipsHeaderValidation_ForNonDraftVersion()
     {
