@adsim/wordpress-mcp-server 1.0.0 → 3.0.0

package/package.json

@@ -1,60 +1,48 @@
 {
   "name": "@adsim/wordpress-mcp-server",
-  "version": "1.0.0",
-  "description": "MCP Server for WordPress REST API — Manage posts, pages, categories, tags, SEO metadata, and more via Claude Desktop or any MCP-compatible client.",
+  "version": "3.0.0",
+  "description": "A Model Context Protocol (MCP) server for WordPress REST API integration. Manage posts, search content, and interact with your WordPress site through any MCP-compatible client.",
   "type": "module",
-  "main": "dist/index.js",
+  "main": "index.js",
   "bin": {
-    "wordpress-mcp-server": "dist/index.js"
+    "wordpress-mcp-server": "./index.js",
+    "@adsim/wordpress-mcp-server": "./index.js"
   },
   "scripts": {
-    "build": "tsc",
-    "dev": "tsc --watch",
-    "start": "node dist/index.js",
-    "prepublishOnly": "npm run build",
-    "clean": "rm -rf dist"
+    "start": "node index.js",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "test:coverage": "vitest run --coverage"
   },
   "keywords": [
     "mcp",
+    "model-context-protocol",
     "wordpress",
+    "wordpress-api",
     "rest-api",
     "claude",
-    "anthropic",
-    "model-context-protocol",
-    "seo",
-    "rankmath",
-    "yoast",
-    "content-management",
-    "wp-api"
+    "ai",
+    "automation",
+    "cms"
   ],
-  "author": {
-    "name": "Georges Cordewiener",
-    "email": "georges@adsim.be",
-    "url": "https://adsim.be"
-  },
+  "author": "Georges Cordewiener <georges@adsim.be>",
   "license": "MIT",
   "repository": {
     "type": "git",
-    "url": "https://github.com/GeorgesAdSim/wordpress-mcp-server.git"
+    "url": "git+https://github.com/adsimbe/wordpress-mcp-server.git"
   },
   "bugs": {
-    "url": "https://github.com/GeorgesAdSim/wordpress-mcp-server/issues"
+    "url": "https://github.com/adsimbe/wordpress-mcp-server/issues"
   },
-  "homepage": "https://github.com/GeorgesAdSim/wordpress-mcp-server#readme",
+  "homepage": "https://github.com/adsimbe/wordpress-mcp-server#readme",
   "engines": {
     "node": ">=18.0.0"
   },
-  "files": [
-    "dist/**/*",
-    "README.md",
-    "LICENSE"
-  ],
   "dependencies": {
-    "@modelcontextprotocol/sdk": "^1.12.0",
-    "zod": "^3.23.0"
+    "@modelcontextprotocol/sdk": "^1.26.0",
+    "node-fetch": "^3.3.2"
   },
   "devDependencies": {
-    "@types/node": "^20.0.0",
-    "typescript": "^5.5.0"
+    "vitest": "^4.0.18"
   }
 }

package/src/auth/bearer.js

@@ -0,0 +1,72 @@
+/**
+ * Bearer token authentication for HTTP transport.
+ *
+ * Provides timing-safe token validation to prevent timing attacks,
+ * structured JSON audit logging on stderr, and configurable auth bypass.
+ */
+
+import { timingSafeEqual } from 'node:crypto';
+
+/**
+ * Validate Bearer token from Authorization header.
+ *
+ * @param {import('node:http').IncomingMessage} req
+ * @param {string|null} authToken  Expected token. null = auth disabled (passthrough).
+ * @returns {{ valid: boolean, status?: number, body?: object }}
+ */
+export function validateBearerToken(req, authToken) {
+  // Auth disabled — passthrough
+  if (!authToken) {
+    return { valid: true };
+  }
+
+  const header = req.headers['authorization'] || '';
+  const match = header.match(/^Bearer\s+(.+)$/i);
+
+  if (!match) {
+    logAuthFailure(req, 'missing_or_malformed_token');
+    return {
+      valid: false,
+      status: 401,
+      body: { error: 'Unauthorized', code: 'INVALID_TOKEN' },
+    };
+  }
+
+  const provided = match[1];
+
+  // Timing-safe comparison: pad both to same length to avoid leaking length info
+  const expected = Buffer.from(authToken, 'utf-8');
+  const received = Buffer.from(provided, 'utf-8');
+
+  const maxLen = Math.max(expected.length, received.length);
+  const a = Buffer.alloc(maxLen);
+  const b = Buffer.alloc(maxLen);
+  expected.copy(a);
+  received.copy(b);
+
+  if (expected.length !== received.length || !timingSafeEqual(a, b)) {
+    logAuthFailure(req, 'invalid_token');
+    return {
+      valid: false,
+      status: 401,
+      body: { error: 'Unauthorized', code: 'INVALID_TOKEN' },
+    };
+  }
+
+  return { valid: true };
+}
+
+/**
+ * @param {import('node:http').IncomingMessage} req
+ * @param {string} reason
+ */
+function logAuthFailure(req, reason) {
+  const record = {
+    timestamp: new Date().toISOString(),
+    event: 'auth_failure',
+    reason,
+    ip: req.socket?.remoteAddress || null,
+    path: req.url || null,
+  };
+  console.error(`[AUTH] ${JSON.stringify(record)}`);
+}

package/src/transport/http.js

@@ -0,0 +1,264 @@
+/**
+ * HTTP Streamable Transport Manager for WordPress MCP Server.
+ *
+ * Implements MCP 2025-03-26 Streamable HTTP spec:
+ *  - POST /mcp  → JSON-RPC request handling (JSON or SSE)
+ *  - GET  /mcp  → SSE stream for server-to-client notifications
+ *  - DELETE /mcp → terminate session
+ *  - GET  /health → health check
+ *
+ * Bearer auth, Origin validation, session management, and audit logging
+ * are applied before any MCP processing.
+ */
+
+import { createServer as createHttpServer } from 'node:http';
+import { randomUUID } from 'node:crypto';
+import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js';
+import { validateBearerToken } from '../auth/bearer.js';
+
+/**
+ * @typedef {object} HttpConfig
+ * @property {number}   [port=3000]
+ * @property {string}   [host='0.0.0.0']
+ * @property {string|null} [authToken=null]
+ * @property {string[]} [allowedOrigins=[]]
+ * @property {number}   [sessionTimeoutMs=1800000]  30 minutes
+ */
+
+const DEFAULT_CONFIG = {
+  port: 3000,
+  host: '0.0.0.0',
+  authToken: null,
+  allowedOrigins: [],
+  sessionTimeoutMs: 30 * 60 * 1000,
+};
+
+export class HttpTransportManager {
+  /**
+   * Create an HTTP server wired to MCP.
+   *
+   * Each new session gets its own MCP Server + Transport pair (the SDK requires
+   * one transport per server instance). The `serverFactory` creates a fresh,
+   * fully-configured Server on each `initialize` request.
+   *
+   * @param {() => import('@modelcontextprotocol/sdk/server/index.js').Server} serverFactory
+   * @param {HttpConfig} [config]
+   * @returns {import('node:http').Server}
+   */
+  createServer(serverFactory, config = {}) {
+    const cfg = { ...DEFAULT_CONFIG, ...config };
+
+    if (!cfg.authToken) {
+      console.error('[WARN] MCP HTTP transport started WITHOUT Bearer auth (MCP_AUTH_TOKEN not set). Any client can connect.');
+    }
+
+    // Map of sessionId → { transport, server, lastActivity }
+    const sessions = new Map();
+
+    // Session reaper
+    const reaper = setInterval(() => {
+      const now = Date.now();
+      for (const [id, entry] of sessions) {
+        if (now - entry.lastActivity > cfg.sessionTimeoutMs) {
+          entry.transport.close().catch(() => {});
+          sessions.delete(id);
+          console.error(`[INFO] Session ${id} expired (timeout ${cfg.sessionTimeoutMs}ms)`);
+        }
+      }
+    }, 60_000);
+    reaper.unref();
+
+    const httpServer = createHttpServer(async (req, res) => {
+      const url = new URL(req.url || '/', `http://${req.headers.host || 'localhost'}`);
+      const pathname = url.pathname;
+
+      // ── Health endpoint ──
+      if (pathname === '/health' && req.method === 'GET') {
+        res.writeHead(200, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ status: 'ok', transport: 'http', version: '3.0.0' }));
+        return;
+      }
+
+      // ── Only /mcp from here ──
+      if (pathname !== '/mcp') {
+        res.writeHead(404, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: 'Not Found' }));
+        return;
+      }
+
+      // ── Origin validation ──
+      if (cfg.allowedOrigins.length > 0) {
+        const origin = req.headers['origin'];
+        if (origin && !cfg.allowedOrigins.includes(origin)) {
+          logHttpAudit(req, 'origin_rejected', { origin });
+          res.writeHead(403, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ error: 'Forbidden', code: 'ORIGIN_NOT_ALLOWED' }));
+          return;
+        }
+      }
+
+      // ── Bearer auth ──
+      const auth = validateBearerToken(req, cfg.authToken);
+      if (!auth.valid) {
+        res.writeHead(auth.status, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify(auth.body));
+        return;
+      }
+
+      // ── Route by method ──
+      if (req.method === 'POST') {
+        await handlePost(req, res, serverFactory, sessions);
+      } else if (req.method === 'GET') {
+        await handleGet(req, res, sessions);
+      } else if (req.method === 'DELETE') {
+        await handleDelete(req, res, sessions);
+      } else {
+        res.writeHead(405, { 'Content-Type': 'application/json', 'Allow': 'GET, POST, DELETE' });
+        res.end(JSON.stringify({ error: 'Method Not Allowed' }));
+      }
+    });
+
+    httpServer.on('close', () => {
+      clearInterval(reaper);
+      for (const [, entry] of sessions) {
+        entry.transport.close().catch(() => {});
+      }
+      sessions.clear();
+    });
+
+    return httpServer;
+  }
+}
+
+// ──────────────────────────────────────────────────────────────
+// POST /mcp — JSON-RPC request
+// ──────────────────────────────────────────────────────────────
+
+async function handlePost(req, res, serverFactory, sessions) {
+  // Read body
+  const body = await readBody(req);
+  let parsed;
+  try {
+    parsed = JSON.parse(body);
+  } catch {
+    res.writeHead(400, { 'Content-Type': 'application/json' });
+    res.end(JSON.stringify({ error: 'Invalid JSON' }));
+    return;
+  }
+
+  // Check if this is an initialization request (method === 'initialize')
+  const isInit = isInitializeRequest(parsed);
+  const sessionId = req.headers['mcp-session-id'];
+
+  if (isInit) {
+    // Create a new transport + server for this session
+    const transport = new StreamableHTTPServerTransport({
+      sessionIdGenerator: () => randomUUID(),
+    });
+
+    const mcpServer = serverFactory();
+
+    transport.onclose = () => {
+      const sid = transport.sessionId;
+      if (sid && sessions.has(sid)) {
+        sessions.delete(sid);
+        console.error(`[INFO] Session ${sid} closed`);
+      }
+    };
+
+    // Connect fresh MCP server to this transport
+    await mcpServer.connect(transport);
+
+    // Handle the request — this will generate the session ID
+    await transport.handleRequest(req, res, parsed);
+
+    // Store session after initialization
+    const sid = transport.sessionId;
+    if (sid) {
+      sessions.set(sid, { transport, server: mcpServer, lastActivity: Date.now() });
+      console.error(`[INFO] New HTTP session: ${sid}`);
+    }
+    return;
+  }
+
+  // Non-init request: must have a valid session
+  if (!sessionId || !sessions.has(sessionId)) {
+    res.writeHead(400, { 'Content-Type': 'application/json' });
+    res.end(JSON.stringify({ error: 'Bad Request', code: 'INVALID_SESSION' }));
+    return;
+  }
+
+  const entry = sessions.get(sessionId);
+  entry.lastActivity = Date.now();
+  await entry.transport.handleRequest(req, res, parsed);
+}
+
+// ──────────────────────────────────────────────────────────────
+// GET /mcp — SSE stream for server-to-client notifications
+// ──────────────────────────────────────────────────────────────
+
+async function handleGet(req, res, sessions) {
+  const sessionId = req.headers['mcp-session-id'];
+
+  if (!sessionId || !sessions.has(sessionId)) {
+    res.writeHead(400, { 'Content-Type': 'application/json' });
+    res.end(JSON.stringify({ error: 'Bad Request', code: 'INVALID_SESSION' }));
+    return;
+  }
+
+  const entry = sessions.get(sessionId);
+  entry.lastActivity = Date.now();
+  await entry.transport.handleRequest(req, res);
+}
+
+// ──────────────────────────────────────────────────────────────
+// DELETE /mcp — Terminate session
+// ──────────────────────────────────────────────────────────────
+
+async function handleDelete(req, res, sessions) {
+  const sessionId = req.headers['mcp-session-id'];
+
+  if (!sessionId || !sessions.has(sessionId)) {
+    res.writeHead(404, { 'Content-Type': 'application/json' });
+    res.end(JSON.stringify({ error: 'Session not found' }));
+    return;
+  }
+
+  const entry = sessions.get(sessionId);
+  await entry.transport.close();
+  sessions.delete(sessionId);
+  console.error(`[INFO] Session ${sessionId} terminated via DELETE`);
+  res.writeHead(200, { 'Content-Type': 'application/json' });
+  res.end(JSON.stringify({ status: 'session_terminated' }));
+}
+
+// ──────────────────────────────────────────────────────────────
+// Helpers
+// ──────────────────────────────────────────────────────────────
+
+function readBody(req) {
+  return new Promise((resolve, reject) => {
+    const chunks = [];
+    req.on('data', (chunk) => chunks.push(chunk));
+    req.on('end', () => resolve(Buffer.concat(chunks).toString('utf-8')));
+    req.on('error', reject);
+  });
+}
+
+function isInitializeRequest(parsed) {
+  if (Array.isArray(parsed)) {
+    return parsed.some((msg) => msg.method === 'initialize');
+  }
+  return parsed && parsed.method === 'initialize';
+}
+
+function logHttpAudit(req, event, extra = {}) {
+  const record = {
+    timestamp: new Date().toISOString(),
+    event,
+    ip: req.socket?.remoteAddress || null,
+    path: req.url || null,
+    ...extra,
+  };
+  console.error(`[HTTP] ${JSON.stringify(record)}`);
+}

package/tests/helpers/mockWpRequest.js

@@ -0,0 +1,135 @@
+/**
+ * Shared test helpers for WordPress MCP Server tool tests.
+ *
+ * Provides:
+ *  - makeRequest(name, args)  — build the { params } envelope handleToolCall expects
+ *  - mockSuccess(data, opts)  — configure fetch to return a successful JSON response
+ *  - mockError(status, body)  — configure fetch to return an HTTP error response
+ *  - parseResult(result)      — extract parsed JSON from the MCP { content } wrapper
+ *  - getAuditLogs()           — collect [AUDIT] lines written to console.error
+ */
+
+import fetch from 'node-fetch';
+
+// ---------------------------------------------------------------------------
+// Request builder
+// ---------------------------------------------------------------------------
+
+/**
+ * Build the request object that handleToolCall expects.
+ * @param {string} name   Tool name, e.g. "wp_search"
+ * @param {object} args   Tool arguments
+ * @returns {{ params: { name: string, arguments: object } }}
+ */
+export function makeRequest(name, args = {}) {
+  return { params: { name, arguments: args } };
+}
+
+// ---------------------------------------------------------------------------
+// Fetch mock helpers
+// ---------------------------------------------------------------------------
+
+/**
+ * Configure node-fetch mock to resolve with a JSON success response.
+ * Supports chaining: call multiple times via mockImplementationOnce to queue
+ * sequential responses.
+ *
+ * @param {*}      data           JSON-serialisable payload
+ * @param {object} [opts]
+ * @param {number} [opts.status]  HTTP status code (default 200)
+ * @param {boolean} [opts.once]   If true use mockImplementationOnce (default true)
+ */
+export function mockSuccess(data, opts = {}) {
+  const status = opts.status ?? 200;
+  const response = {
+    ok: true,
+    status,
+    headers: {
+      get: (h) => {
+        if (h === 'content-type') return 'application/json';
+        return null;
+      },
+    },
+    json: () => Promise.resolve(data),
+    text: () => Promise.resolve(JSON.stringify(data)),
+  };
+  const impl = () => Promise.resolve(response);
+
+  if (opts.once === false) {
+    fetch.mockImplementation(impl);
+  } else {
+    fetch.mockImplementationOnce(impl);
+  }
+  return response;
+}
+
+/**
+ * Configure node-fetch mock to resolve with an HTTP error response.
+ *
+ * @param {number} status  HTTP status code (e.g. 403, 404)
+ * @param {string} [body]  Response body text
+ * @param {object} [opts]
+ * @param {boolean} [opts.once]  If true use mockImplementationOnce (default true)
+ */
+export function mockError(status, body = '', opts = {}) {
+  const response = {
+    ok: false,
+    status,
+    headers: {
+      get: (h) => {
+        if (h === 'content-type') return 'application/json';
+        if (h === 'retry-after') return null;
+        return null;
+      },
+    },
+    json: () => Promise.resolve({}),
+    text: () => Promise.resolve(body),
+  };
+  const impl = () => Promise.resolve(response);
+
+  if (opts.once === false) {
+    fetch.mockImplementation(impl);
+  } else {
+    fetch.mockImplementationOnce(impl);
+  }
+  return response;
+}
+
+// ---------------------------------------------------------------------------
+// Result parser
+// ---------------------------------------------------------------------------
+
+/**
+ * Parse the JSON payload from the MCP tool result envelope.
+ *
+ * handleToolCall returns `{ content: [{ type: 'text', text: '...' }] }`.
+ * This extracts and JSON-parses the text field.
+ *
+ * @param {object} result  Return value from handleToolCall
+ * @returns {object}       Parsed JSON object
+ */
+export function parseResult(result) {
+  const text = result?.content?.[0]?.text;
+  if (!text) return result;
+  return JSON.parse(text);
+}
+
+// ---------------------------------------------------------------------------
+// Audit log collector
+// ---------------------------------------------------------------------------
+
+/**
+ * Return all `[AUDIT]` entries that have been written to console.error
+ * during the current test.  Relies on the `consoleSpy` created in each
+ * test file's `beforeEach`.
+ *
+ * @returns {object[]}  Array of parsed audit-log JSON objects.
+ */
+export function getAuditLogs() {
+  const spy = console.error;
+  if (!spy || !spy.mock) return [];
+  return spy.mock.calls
+    .map((c) => c[0])
+    .filter((msg) => typeof msg === 'string' && msg.startsWith('[AUDIT]'))
+    .map((msg) => JSON.parse(msg.replace('[AUDIT] ', '')));
+}