@anton.andrusenko/shopify-mcp-admin 2.1.1 → 2.2.1

package/dist/mcp-auth-F25V6FEY.js

@@ -0,0 +1,24 @@
+import {
+  MCP_AUTH_ERRORS,
+  createJsonRpcError,
+  createMcpAuthMiddleware,
+  getWwwAuthenticateHeader,
+  isOAuthAccessToken,
+  parseBearerToken,
+  validateMcpApiKey,
+  validateMcpBearerToken,
+  validateOAuthAccessToken
+} from "./chunk-PQKNBYJN.js";
+import "./chunk-5QMYOO4B.js";
+import "./chunk-EGGOXEIC.js";
+export {
+  MCP_AUTH_ERRORS,
+  createJsonRpcError,
+  createMcpAuthMiddleware,
+  getWwwAuthenticateHeader,
+  isOAuthAccessToken,
+  parseBearerToken,
+  validateMcpApiKey,
+  validateMcpBearerToken,
+  validateOAuthAccessToken
+};

package/dist/schema-SOWYIQIV.js

@@ -0,0 +1,38 @@
+import {
+  configSchema,
+  getAllowedOrigins,
+  getAuthMode,
+  getConfiguredRole,
+  getDatabaseUrl,
+  getEncryptionKey,
+  getServerMode,
+  getShutdownDrainMs,
+  getShutdownDrainSeconds,
+  getStoreUrl,
+  isDebugEnabled,
+  isHSTSEnabled,
+  isLazyLoadingEnabled,
+  isMetricsEnabled,
+  isRemoteMode,
+  requireEncryptionKey,
+  requireStoreUrl
+} from "./chunk-EGGOXEIC.js";
+export {
+  configSchema,
+  getAllowedOrigins,
+  getAuthMode,
+  getConfiguredRole,
+  getDatabaseUrl,
+  getEncryptionKey,
+  getServerMode,
+  getShutdownDrainMs,
+  getShutdownDrainSeconds,
+  getStoreUrl,
+  isDebugEnabled,
+  isHSTSEnabled,
+  isLazyLoadingEnabled,
+  isMetricsEnabled,
+  isRemoteMode,
+  requireEncryptionKey,
+  requireStoreUrl
+};

package/dist/security-44M6F2QU.js

@@ -0,0 +1,112 @@
+import {
+  log
+} from "./chunk-5QMYOO4B.js";
+import "./chunk-EGGOXEIC.js";
+
+// src/middleware/security.ts
+import cors from "cors";
+var DEFAULT_SECURITY_OPTIONS = {
+  allowedOrigins: ["*"],
+  exposedHeaders: ["Mcp-Session-Id"],
+  enableHSTS: false,
+  enableSecurityHeaders: true
+};
+var CORS_ALLOWED_METHODS = ["GET", "POST", "DELETE", "OPTIONS"];
+var CORS_ALLOWED_HEADERS = [
+  "Content-Type",
+  "Authorization",
+  "Mcp-Session-Id",
+  "MCP-Protocol-Version"
+];
+var CORS_MAX_AGE = 86400;
+var SECURITY_HEADERS = {
+  "X-Frame-Options": "DENY",
+  "X-Content-Type-Options": "nosniff",
+  "X-XSS-Protection": "1; mode=block",
+  "Referrer-Policy": "strict-origin-when-cross-origin"
+};
+var HSTS_HEADER_VALUE = "max-age=31536000; includeSubDomains";
+function createCorsMiddleware(options) {
+  const opts = {
+    ...DEFAULT_SECURITY_OPTIONS,
+    ...options
+  };
+  const isWildcard = opts.allowedOrigins.length === 1 && opts.allowedOrigins[0] === "*";
+  log.debug(
+    `CORS middleware configured with ${isWildcard ? "wildcard (*)" : `${opts.allowedOrigins.length} allowed`} origins`
+  );
+  return cors({
+    // Dynamic origin handler for configured origins
+    origin: (origin, callback) => {
+      if (!origin) {
+        callback(null, true);
+        return;
+      }
+      if (isWildcard) {
+        callback(null, true);
+        return;
+      }
+      if (opts.allowedOrigins.includes(origin)) {
+        callback(null, origin);
+        return;
+      }
+      log.debug(`CORS: Origin ${origin} not in allowed list`);
+      callback(null, false);
+    },
+    // Allowed HTTP methods
+    methods: CORS_ALLOWED_METHODS,
+    // Allowed request headers
+    //
+    // IMPORTANT: For browser-based MCP clients (Claude custom connectors), the client may
+    // include additional non-simple headers (e.g. tracing or client metadata). If we
+    // hardcode allowedHeaders, CORS preflight can fail and the connector will remain
+    // "Disconnected" even though OAuth succeeds.
+    //
+    // The `cors` package will, by default, reflect `Access-Control-Request-Headers` from
+    // the preflight request when `allowedHeaders` is not explicitly set.
+    //
+    // We keep CORS_ALLOWED_HEADERS exported for documentation/tests, but do not enforce it.
+    // Headers exposed to browser JavaScript
+    exposedHeaders: opts.exposedHeaders,
+    // Allow credentials (cookies, authorization headers)
+    credentials: true,
+    // Preflight cache duration (24 hours)
+    maxAge: CORS_MAX_AGE,
+    // Let OPTIONS requests succeed
+    preflightContinue: false,
+    optionsSuccessStatus: 204
+  });
+}
+function createSecurityMiddleware(options) {
+  const opts = {
+    ...DEFAULT_SECURITY_OPTIONS,
+    ...options
+  };
+  const logHeaders = opts.enableSecurityHeaders ? `Security headers: enabled, HSTS: ${opts.enableHSTS ? "enabled" : "disabled"}` : "Security headers: disabled";
+  log.debug(`Security middleware configured: ${logHeaders}`);
+  return (_req, res, next) => {
+    if (opts.enableSecurityHeaders) {
+      for (const [header, value] of Object.entries(SECURITY_HEADERS)) {
+        res.setHeader(header, value);
+      }
+    }
+    if (opts.enableHSTS) {
+      res.setHeader("Strict-Transport-Security", HSTS_HEADER_VALUE);
+    }
+    next();
+  };
+}
+function createSecurityMiddlewareStack(options) {
+  return [createCorsMiddleware(options), createSecurityMiddleware(options)];
+}
+export {
+  CORS_ALLOWED_HEADERS,
+  CORS_ALLOWED_METHODS,
+  CORS_MAX_AGE,
+  DEFAULT_SECURITY_OPTIONS,
+  HSTS_HEADER_VALUE,
+  SECURITY_HEADERS,
+  createCorsMiddleware,
+  createSecurityMiddleware,
+  createSecurityMiddlewareStack
+};