@alanse/clickup-multi-mcp-server 1.0.0

package/build/middleware/security.js

@@ -0,0 +1,231 @@
+/**
+ * SPDX-FileCopyrightText: © 2025 Talib Kareem <taazkareem@icloud.com>
+ * SPDX-License-Identifier: MIT
+ *
+ * Security Middleware for ClickUp MCP Server
+ *
+ * This module provides optional security enhancements that can be enabled
+ * without breaking existing functionality. All security features are opt-in
+ * to maintain backwards compatibility.
+ */
+import rateLimit from 'express-rate-limit';
+import cors from 'cors';
+import config from '../config.js';
+import { Logger } from '../logger.js';
+const logger = new Logger('Security');
+/**
+ * Origin validation middleware - validates Origin header against whitelist
+ * Only enabled when ENABLE_ORIGIN_VALIDATION=true
+ */
+export function createOriginValidationMiddleware() {
+    return (req, res, next) => {
+        if (!config.enableOriginValidation) {
+            next();
+            return;
+        }
+        const origin = req.headers.origin;
+        const referer = req.headers.referer;
+        // For non-browser requests (like n8n, MCP Inspector), origin might be undefined
+        // In such cases, we allow the request but log it for monitoring
+        if (!origin && !referer) {
+            logger.debug('Request without Origin/Referer header - allowing (likely non-browser client)', {
+                userAgent: req.headers['user-agent'],
+                ip: req.ip,
+                path: req.path
+            });
+            next();
+            return;
+        }
+        // Check if origin is in allowed list
+        if (origin && !config.allowedOrigins.includes(origin)) {
+            logger.warn('Blocked request from unauthorized origin', {
+                origin,
+                ip: req.ip,
+                path: req.path,
+                userAgent: req.headers['user-agent']
+            });
+            res.status(403).json({
+                jsonrpc: '2.0',
+                error: {
+                    code: -32000,
+                    message: 'Forbidden: Origin not allowed'
+                },
+                id: null
+            });
+            return;
+        }
+        // If referer is present, validate it too
+        if (referer) {
+            try {
+                const refererOrigin = new URL(referer).origin;
+                if (!config.allowedOrigins.includes(refererOrigin)) {
+                    logger.warn('Blocked request from unauthorized referer', {
+                        referer,
+                        refererOrigin,
+                        ip: req.ip,
+                        path: req.path
+                    });
+                    res.status(403).json({
+                        jsonrpc: '2.0',
+                        error: {
+                            code: -32000,
+                            message: 'Forbidden: Referer not allowed'
+                        },
+                        id: null
+                    });
+                    return;
+                }
+            }
+            catch (error) {
+                logger.warn('Invalid referer URL', { referer, error: error.message });
+                // Continue processing if referer is malformed
+            }
+        }
+        logger.debug('Origin validation passed', { origin, referer });
+        next();
+    };
+}
+/**
+ * Rate limiting middleware - protects against DoS attacks
+ * Only enabled when ENABLE_RATE_LIMIT=true
+ */
+export function createRateLimitMiddleware() {
+    if (!config.enableRateLimit) {
+        return (_req, _res, next) => next();
+    }
+    return rateLimit({
+        windowMs: config.rateLimitWindowMs,
+        max: config.rateLimitMax,
+        message: {
+            jsonrpc: '2.0',
+            error: {
+                code: -32000,
+                message: 'Too many requests, please try again later'
+            },
+            id: null
+        },
+        standardHeaders: true,
+        legacyHeaders: false,
+        handler: (req, res) => {
+            logger.warn('Rate limit exceeded', {
+                ip: req.ip,
+                path: req.path,
+                userAgent: req.headers['user-agent']
+            });
+            res.status(429).json({
+                jsonrpc: '2.0',
+                error: {
+                    code: -32000,
+                    message: 'Too many requests, please try again later'
+                },
+                id: null
+            });
+        }
+    });
+}
+/**
+ * CORS middleware - configures cross-origin resource sharing
+ * Only enabled when ENABLE_CORS=true
+ */
+export function createCorsMiddleware() {
+    if (!config.enableCors) {
+        return (_req, _res, next) => next();
+    }
+    return cors({
+        origin: (origin, callback) => {
+            // Allow requests with no origin (like mobile apps, Postman, etc.)
+            if (!origin)
+                return callback(null, true);
+            if (config.allowedOrigins.includes(origin)) {
+                callback(null, true);
+            }
+            else {
+                logger.warn('CORS blocked origin', { origin });
+                callback(new Error('Not allowed by CORS'));
+            }
+        },
+        credentials: true,
+        methods: ['GET', 'POST', 'DELETE', 'OPTIONS'],
+        allowedHeaders: ['Content-Type', 'mcp-session-id', 'Authorization'],
+        exposedHeaders: ['mcp-session-id']
+    });
+}
+/**
+ * Security headers middleware - adds security-related HTTP headers
+ * Only enabled when ENABLE_SECURITY_FEATURES=true
+ */
+export function createSecurityHeadersMiddleware() {
+    return (req, res, next) => {
+        if (!config.enableSecurityFeatures) {
+            return next();
+        }
+        // Add security headers
+        res.setHeader('X-Content-Type-Options', 'nosniff');
+        res.setHeader('X-Frame-Options', 'DENY');
+        res.setHeader('X-XSS-Protection', '1; mode=block');
+        res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
+        // Only add HSTS for HTTPS
+        if (req.secure || req.headers['x-forwarded-proto'] === 'https') {
+            res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
+        }
+        logger.debug('Security headers applied');
+        next();
+    };
+}
+/**
+ * Request logging middleware for security monitoring
+ */
+export function createSecurityLoggingMiddleware() {
+    return (req, res, next) => {
+        if (!config.enableSecurityFeatures) {
+            return next();
+        }
+        const startTime = Date.now();
+        res.on('finish', () => {
+            const duration = Date.now() - startTime;
+            const logData = {
+                method: req.method,
+                path: req.path,
+                statusCode: res.statusCode,
+                duration,
+                ip: req.ip,
+                userAgent: req.headers['user-agent'],
+                origin: req.headers.origin,
+                sessionId: req.headers['mcp-session-id']
+            };
+            if (res.statusCode >= 400) {
+                logger.warn('HTTP error response', logData);
+            }
+            else {
+                logger.debug('HTTP request completed', logData);
+            }
+        });
+        next();
+    };
+}
+/**
+ * Input validation middleware - validates request size and content
+ */
+export function createInputValidationMiddleware() {
+    return (req, res, next) => {
+        // Always enforce reasonable request size limits
+        const contentLength = req.headers['content-length'];
+        if (contentLength && parseInt(contentLength) > 50 * 1024 * 1024) { // 50MB hard limit
+            logger.warn('Request too large', {
+                contentLength,
+                ip: req.ip,
+                path: req.path
+            });
+            res.status(413).json({
+                jsonrpc: '2.0',
+                error: {
+                    code: -32000,
+                    message: 'Request entity too large'
+                },
+                id: null
+            });
+            return;
+        }
+        next();
+    };
+}

package/build/server.js

@@ -0,0 +1,288 @@
+/**
+ * SPDX-FileCopyrightText: © 2025 Talib Kareem <taazkareem@icloud.com>
+ * SPDX-License-Identifier: MIT
+ *
+ * MCP Server for ClickUp integration
+ */
+import { Server } from "@modelcontextprotocol/sdk/server/index.js";
+import { CallToolRequestSchema, ListToolsRequestSchema, ListPromptsRequestSchema, GetPromptRequestSchema, ListResourcesRequestSchema } from "@modelcontextprotocol/sdk/types.js";
+import config from "./config.js";
+import { workspaceHierarchyTool, handleGetWorkspaceHierarchy } from "./tools/workspace.js";
+import { createTaskTool, updateTaskTool, moveTaskTool, duplicateTaskTool, getTaskTool, deleteTaskTool, getTaskCommentsTool, createTaskCommentTool, createBulkTasksTool, updateBulkTasksTool, moveBulkTasksTool, deleteBulkTasksTool, attachTaskFileTool, getWorkspaceTasksTool, getTaskTimeEntriesTool, startTimeTrackingTool, stopTimeTrackingTool, addTimeEntryTool, deleteTimeEntryTool, getCurrentTimeEntryTool, handleCreateTask, handleUpdateTask, handleMoveTask, handleDuplicateTask, handleDeleteTask, handleGetTaskComments, handleCreateTaskComment, handleCreateBulkTasks, handleUpdateBulkTasks, handleMoveBulkTasks, handleDeleteBulkTasks, handleGetTask, handleAttachTaskFile, handleGetWorkspaceTasks, handleGetTaskTimeEntries, handleStartTimeTracking, handleStopTimeTracking, handleAddTimeEntry, handleDeleteTimeEntry, handleGetCurrentTimeEntry } from "./tools/task/index.js";
+import { createListTool, handleCreateList, createListInFolderTool, handleCreateListInFolder, getListTool, handleGetList, updateListTool, handleUpdateList, deleteListTool, handleDeleteList } from "./tools/list.js";
+import { createFolderTool, handleCreateFolder, getFolderTool, handleGetFolder, updateFolderTool, handleUpdateFolder, deleteFolderTool, handleDeleteFolder } from "./tools/folder.js";
+import { getSpaceTagsTool, handleGetSpaceTags, addTagToTaskTool, handleAddTagToTask, removeTagFromTaskTool, handleRemoveTagFromTask } from "./tools/tag.js";
+import { createDocumentTool, handleCreateDocument, getDocumentTool, handleGetDocument, listDocumentsTool, handleListDocuments, listDocumentPagesTool, handleListDocumentPages, getDocumentPagesTool, handleGetDocumentPages, createDocumentPageTool, handleCreateDocumentPage, updateDocumentPageTool, handleUpdateDocumentPage } from "./tools/documents.js";
+import { getWorkspaceMembersTool, handleGetWorkspaceMembers, findMemberByNameTool, handleFindMemberByName, resolveAssigneesTool, handleResolveAssignees } from "./tools/member.js";
+import { Logger } from "./logger.js";
+import { clickUpServices } from "./services/shared.js";
+import { enhanceToolsWithWorkspace } from "./tools/tool-enhancer.js";
+// Create a logger instance for server
+const logger = new Logger('Server');
+// Use existing services from shared module instead of creating new ones
+const { workspace } = clickUpServices;
+/**
+ * Determines if a tool should be enabled based on ENABLED_TOOLS and DISABLED_TOOLS configuration.
+ *
+ * Logic:
+ * 1. If ENABLED_TOOLS is specified, only tools in that list are enabled (ENABLED_TOOLS takes precedence)
+ * 2. If ENABLED_TOOLS is not specified but DISABLED_TOOLS is, all tools except those in DISABLED_TOOLS are enabled
+ * 3. If neither is specified, all tools are enabled
+ *
+ * @param toolName - The name of the tool to check
+ * @returns true if the tool should be enabled, false otherwise
+ */
+const isToolEnabled = (toolName) => {
+    // If ENABLED_TOOLS is specified, it takes precedence
+    if (config.enabledTools.length > 0) {
+        return config.enabledTools.includes(toolName);
+    }
+    // If only DISABLED_TOOLS is specified, enable all tools except those disabled
+    if (config.disabledTools.length > 0) {
+        return !config.disabledTools.includes(toolName);
+    }
+    // If neither is specified, enable all tools
+    return true;
+};
+export const server = new Server({
+    name: "clickup-mcp-server",
+    version: "0.8.5",
+}, {
+    capabilities: {
+        tools: {},
+        prompts: {},
+        resources: {},
+    },
+});
+const documentModule = () => {
+    if (config.documentSupport === 'true') {
+        return [
+            createDocumentTool,
+            getDocumentTool,
+            listDocumentsTool,
+            listDocumentPagesTool,
+            getDocumentPagesTool,
+            createDocumentPageTool,
+            updateDocumentPageTool,
+        ];
+    }
+    else {
+        return [];
+    }
+};
+/**
+ * Configure the server routes and handlers
+ */
+export function configureServer() {
+    logger.info("Registering server request handlers");
+    // Register ListTools handler
+    server.setRequestHandler(ListToolsRequestSchema, async () => {
+        logger.debug("Received ListTools request");
+        // Collect all tool definitions
+        const allTools = [
+            workspaceHierarchyTool,
+            createTaskTool,
+            getTaskTool,
+            updateTaskTool,
+            moveTaskTool,
+            duplicateTaskTool,
+            deleteTaskTool,
+            getTaskCommentsTool,
+            createTaskCommentTool,
+            attachTaskFileTool,
+            createBulkTasksTool,
+            updateBulkTasksTool,
+            moveBulkTasksTool,
+            deleteBulkTasksTool,
+            getWorkspaceTasksTool,
+            getTaskTimeEntriesTool,
+            startTimeTrackingTool,
+            stopTimeTrackingTool,
+            addTimeEntryTool,
+            deleteTimeEntryTool,
+            getCurrentTimeEntryTool,
+            createListTool,
+            createListInFolderTool,
+            getListTool,
+            updateListTool,
+            deleteListTool,
+            createFolderTool,
+            getFolderTool,
+            updateFolderTool,
+            deleteFolderTool,
+            getSpaceTagsTool,
+            addTagToTaskTool,
+            removeTagFromTaskTool,
+            getWorkspaceMembersTool,
+            findMemberByNameTool,
+            resolveAssigneesTool,
+            ...documentModule()
+        ];
+        // Enhance all tools with workspace parameter support
+        const enhancedTools = enhanceToolsWithWorkspace(allTools);
+        // Filter based on enabled/disabled tools configuration
+        return {
+            tools: enhancedTools.filter(tool => isToolEnabled(tool.name))
+        };
+    });
+    // Add handler for resources/list
+    server.setRequestHandler(ListResourcesRequestSchema, async (req) => {
+        logger.debug("Received ListResources request");
+        return { resources: [] };
+    });
+    // Register CallTool handler with proper logging
+    logger.info("Registering tool handlers", {
+        toolCount: 36,
+        categories: ["workspace", "task", "time-tracking", "list", "folder", "tag", "member", "document"]
+    });
+    server.setRequestHandler(CallToolRequestSchema, async (req) => {
+        const { name, arguments: params } = req.params;
+        // Improved logging with more context
+        logger.info(`Received CallTool request for tool: ${name}`, {
+            params
+        });
+        // Check if the tool is enabled
+        if (!isToolEnabled(name)) {
+            const reason = config.enabledTools.length > 0
+                ? `Tool '${name}' is not in the enabled tools list.`
+                : `Tool '${name}' is disabled.`;
+            logger.warn(`Tool execution blocked: ${reason}`);
+            throw {
+                code: -32601,
+                message: reason
+            };
+        }
+        try {
+            // Handle tool calls by routing to the appropriate handler
+            switch (name) {
+                case "get_workspace_hierarchy":
+                    return handleGetWorkspaceHierarchy();
+                case "create_task":
+                    return handleCreateTask(params);
+                case "update_task":
+                    return handleUpdateTask(params);
+                case "move_task":
+                    return handleMoveTask(params);
+                case "duplicate_task":
+                    return handleDuplicateTask(params);
+                case "get_task":
+                    return handleGetTask(params);
+                case "delete_task":
+                    return handleDeleteTask(params);
+                case "get_task_comments":
+                    return handleGetTaskComments(params);
+                case "create_task_comment":
+                    return handleCreateTaskComment(params);
+                case "attach_task_file":
+                    return handleAttachTaskFile(params);
+                case "create_bulk_tasks":
+                    return handleCreateBulkTasks(params);
+                case "update_bulk_tasks":
+                    return handleUpdateBulkTasks(params);
+                case "move_bulk_tasks":
+                    return handleMoveBulkTasks(params);
+                case "delete_bulk_tasks":
+                    return handleDeleteBulkTasks(params);
+                case "get_workspace_tasks":
+                    return handleGetWorkspaceTasks(params);
+                case "create_list":
+                    return handleCreateList(params);
+                case "create_list_in_folder":
+                    return handleCreateListInFolder(params);
+                case "get_list":
+                    return handleGetList(params);
+                case "update_list":
+                    return handleUpdateList(params);
+                case "delete_list":
+                    return handleDeleteList(params);
+                case "create_folder":
+                    return handleCreateFolder(params);
+                case "get_folder":
+                    return handleGetFolder(params);
+                case "update_folder":
+                    return handleUpdateFolder(params);
+                case "delete_folder":
+                    return handleDeleteFolder(params);
+                case "get_space_tags":
+                    return handleGetSpaceTags(params);
+                case "add_tag_to_task":
+                    return handleAddTagToTask(params);
+                case "remove_tag_from_task":
+                    return handleRemoveTagFromTask(params);
+                case "get_task_time_entries":
+                    return handleGetTaskTimeEntries(params);
+                case "start_time_tracking":
+                    return handleStartTimeTracking(params);
+                case "stop_time_tracking":
+                    return handleStopTimeTracking(params);
+                case "add_time_entry":
+                    return handleAddTimeEntry(params);
+                case "delete_time_entry":
+                    return handleDeleteTimeEntry(params);
+                case "get_current_time_entry":
+                    return handleGetCurrentTimeEntry(params);
+                case "create_document":
+                    return handleCreateDocument(params);
+                case "get_document":
+                    return handleGetDocument(params);
+                case "list_documents":
+                    return handleListDocuments(params);
+                case "list_document_pages":
+                    return handleListDocumentPages(params);
+                case "get_document_pages":
+                    return handleGetDocumentPages(params);
+                case "create_document_page":
+                    return handleCreateDocumentPage(params);
+                case "update_document_page":
+                    return handleUpdateDocumentPage(params);
+                case "get_workspace_members":
+                    return handleGetWorkspaceMembers();
+                case "find_member_by_name":
+                    return handleFindMemberByName(params);
+                case "resolve_assignees":
+                    return handleResolveAssignees(params);
+                default:
+                    logger.error(`Unknown tool requested: ${name}`);
+                    const error = new Error(`Unknown tool: ${name}`);
+                    error.name = "UnknownToolError";
+                    throw error;
+            }
+        }
+        catch (err) {
+            logger.error(`Error executing tool: ${name}`, err);
+            // Transform error to a more descriptive JSON-RPC error
+            if (err.name === "UnknownToolError") {
+                throw {
+                    code: -32601,
+                    message: `Method not found: ${name}`
+                };
+            }
+            else if (err.name === "ValidationError") {
+                throw {
+                    code: -32602,
+                    message: `Invalid params for tool ${name}: ${err.message}`
+                };
+            }
+            else {
+                // Generic server error
+                throw {
+                    code: -32000,
+                    message: `Error executing tool ${name}: ${err.message}`
+                };
+            }
+        }
+    });
+    server.setRequestHandler(ListPromptsRequestSchema, async () => {
+        logger.info("Received ListPrompts request");
+        return { prompts: [] };
+    });
+    server.setRequestHandler(GetPromptRequestSchema, async () => {
+        logger.error("Received GetPrompt request, but prompts are not supported");
+        throw new Error("Prompt not found");
+    });
+    return server;
+}
+/**
+ * Export the clickup service for use in tool handlers
+ */
+export { workspace };