refactor: consolidate header validation into single method

- Add _validate_request_headers method that combines session and protocol validation
- Replace repeated calls to _validate_session and _validate_protocol_version
- Improves code maintainability and extensibility for future header validations
- No functional changes, all tests passing

This refactoring makes it easier to add new header validations in the future
by having a single entry point for all non-initialization request validations.

Author: felixweinberger

src/mcp/server/streamable_http.py

@@ -385,9 +385,7 @@ async def _handle_post_request(
                         )
                         await response(scope, receive, send)
                         return
-            elif not await self._validate_session(request, send):
-                return
-            elif not await self._validate_protocol_version(request, send):
+            elif not await self._validate_request_headers(request, send):
                 return
 
             # For notifications and responses only, return 202 Accepted
@@ -562,9 +560,7 @@ async def _handle_get_request(self, request: Request, send: Send) -> None:
             await response(request.scope, request.receive, send)
             return
 
-        if not await self._validate_session(request, send):
-            return
-        if not await self._validate_protocol_version(request, send):
+        if not await self._validate_request_headers(request, send):
             return
 
         # Handle resumability: check for Last-Event-ID header
@@ -649,9 +645,7 @@ async def _handle_delete_request(self, request: Request, send: Send) -> None:
             await response(request.scope, request.receive, send)
             return
 
-        if not await self._validate_session(request, send):
-            return
-        if not await self._validate_protocol_version(request, send):
+        if not await self._validate_request_headers(request, send):
             return
 
         await self._terminate_session()
@@ -711,6 +705,13 @@ async def _handle_unsupported_request(self, request: Request, send: Send) -> Non
         )
         await response(request.scope, request.receive, send)
 
+    async def _validate_request_headers(self, request: Request, send: Send) -> bool:
+        if not await self._validate_session(request, send):
+            return False
+        if not await self._validate_protocol_version(request, send):
+            return False
+        return True
+
     async def _validate_session(self, request: Request, send: Send) -> bool:
         """Validate the session ID in the request."""
         if not self.mcp_session_id: