@anton.andrusenko/shopify-mcp-admin 2.1.2 → 2.2.1

package/dist/mcp-auth-F25V6FEY.js

@@ -0,0 +1,24 @@
+import {
+  MCP_AUTH_ERRORS,
+  createJsonRpcError,
+  createMcpAuthMiddleware,
+  getWwwAuthenticateHeader,
+  isOAuthAccessToken,
+  parseBearerToken,
+  validateMcpApiKey,
+  validateMcpBearerToken,
+  validateOAuthAccessToken
+} from "./chunk-PQKNBYJN.js";
+import "./chunk-5QMYOO4B.js";
+import "./chunk-EGGOXEIC.js";
+export {
+  MCP_AUTH_ERRORS,
+  createJsonRpcError,
+  createMcpAuthMiddleware,
+  getWwwAuthenticateHeader,
+  isOAuthAccessToken,
+  parseBearerToken,
+  validateMcpApiKey,
+  validateMcpBearerToken,
+  validateOAuthAccessToken
+};

package/dist/{security-XP6MXK5B.js → security-44M6F2QU.js}

@@ -1,6 +1,6 @@
 import {
   log
-} from "./chunk-QXLLD2A7.js";
+} from "./chunk-5QMYOO4B.js";
 import "./chunk-EGGOXEIC.js";
 
 // src/middleware/security.ts
@@ -12,7 +12,12 @@ var DEFAULT_SECURITY_OPTIONS = {
   enableSecurityHeaders: true
 };
 var CORS_ALLOWED_METHODS = ["GET", "POST", "DELETE", "OPTIONS"];
-var CORS_ALLOWED_HEADERS = ["Content-Type", "Authorization", "Mcp-Session-Id"];
+var CORS_ALLOWED_HEADERS = [
+  "Content-Type",
+  "Authorization",
+  "Mcp-Session-Id",
+  "MCP-Protocol-Version"
+];
 var CORS_MAX_AGE = 86400;
 var SECURITY_HEADERS = {
   "X-Frame-Options": "DENY",
@@ -51,7 +56,16 @@ function createCorsMiddleware(options) {
     // Allowed HTTP methods
     methods: CORS_ALLOWED_METHODS,
     // Allowed request headers
-    allowedHeaders: CORS_ALLOWED_HEADERS,
+    //
+    // IMPORTANT: For browser-based MCP clients (Claude custom connectors), the client may
+    // include additional non-simple headers (e.g. tracing or client metadata). If we
+    // hardcode allowedHeaders, CORS preflight can fail and the connector will remain
+    // "Disconnected" even though OAuth succeeds.
+    //
+    // The `cors` package will, by default, reflect `Access-Control-Request-Headers` from
+    // the preflight request when `allowedHeaders` is not explicitly set.
+    //
+    // We keep CORS_ALLOWED_HEADERS exported for documentation/tests, but do not enforce it.
     // Headers exposed to browser JavaScript
     exposedHeaders: opts.exposedHeaders,
     // Allow credentials (cookies, authorization headers)

package/dist/{store-FM7HCQVW.js → store-JK2ZU6DR.js}

@@ -1,8 +1,8 @@
 import {
   SessionStore,
   sessionStore
-} from "./chunk-UXI33LQD.js";
-import "./chunk-QXLLD2A7.js";
+} from "./chunk-JU5IFCVJ.js";
+import "./chunk-5QMYOO4B.js";
 import "./chunk-EGGOXEIC.js";
 export {
   SessionStore,

package/dist/tools-HVUCP53D.js

@@ -0,0 +1,82 @@
+import {
+  GID_PATTERN,
+  LOCALE_CODE_PATTERN,
+  articleIdSchema,
+  blogIdSchema,
+  clearRegisteredTools,
+  collectionIdSchema,
+  convertZodToJsonSchema,
+  createHandlerWithContext,
+  deriveDefaultAnnotations,
+  disableTool,
+  enableTool,
+  getAllRegisteredToolNames,
+  getRegisteredTools,
+  getToolByName,
+  getToolCount,
+  getToolNames,
+  gidSchema,
+  imageIdSchema,
+  inventoryItemIdSchema,
+  isToolEnabled,
+  isToolRegistered,
+  isValidToolName,
+  localeCodeSchema,
+  locationIdSchema,
+  marketIdSchema,
+  pageIdSchema,
+  productIdSchema,
+  redirectIdSchema,
+  registerAllTools,
+  registerContextAwareTool,
+  registerTool,
+  resetToolEnabledState,
+  setToolListChangedCallback,
+  validateInput,
+  validateToolName,
+  variantIdSchema,
+  webPresenceIdSchema,
+  wrapToolHandler
+} from "./chunk-LMFNHULG.js";
+import "./chunk-5QMYOO4B.js";
+import "./chunk-EGGOXEIC.js";
+export {
+  GID_PATTERN,
+  LOCALE_CODE_PATTERN,
+  articleIdSchema,
+  blogIdSchema,
+  clearRegisteredTools,
+  collectionIdSchema,
+  convertZodToJsonSchema,
+  createHandlerWithContext,
+  deriveDefaultAnnotations,
+  disableTool,
+  enableTool,
+  getAllRegisteredToolNames,
+  getRegisteredTools,
+  getToolByName,
+  getToolCount,
+  getToolNames,
+  gidSchema,
+  imageIdSchema,
+  inventoryItemIdSchema,
+  isToolEnabled,
+  isToolRegistered,
+  isValidToolName,
+  localeCodeSchema,
+  locationIdSchema,
+  marketIdSchema,
+  pageIdSchema,
+  productIdSchema,
+  redirectIdSchema,
+  registerAllTools,
+  registerContextAwareTool,
+  registerTool,
+  resetToolEnabledState,
+  setToolListChangedCallback,
+  validateInput,
+  validateToolName,
+  variantIdSchema,
+  webPresenceIdSchema,
+  wrapToolHandler
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@anton.andrusenko/shopify-mcp-admin",
-  "version": "2.1.2",
+  "version": "2.2.1",
   "description": "MCP server for Shopify Admin API - enables AI agents to manage Shopify stores with 79 tools for products, inventory, collections, content, SEO, metafields, markets & translations",
   "type": "module",
   "main": "./dist/index.js",
@@ -35,7 +35,9 @@
     "ci": "npm run lint && npm run typecheck && npm run test && npm run build",
     "version:patch": "npm version patch --no-git-tag-version",
     "version:minor": "npm version minor --no-git-tag-version",
-    "version:major": "npm version major --no-git-tag-version"
+    "version:major": "npm version major --no-git-tag-version",
+    "seed:oauth": "npx tsx scripts/seed-oauth-test-data.ts",
+    "db:studio": "npx prisma studio"
   },
   "keywords": [
     "shopify",

package/dist/chunk-DCQTHXKI.js

@@ -1,124 +0,0 @@
-import {
-  log
-} from "./chunk-QXLLD2A7.js";
-
-// src/middleware/mcp-auth.ts
-var MCP_AUTH_ERROR_CODES = {
-  AUTH_REQUIRED: -32001,
-  // Missing authentication
-  AUTH_INVALID: -32002,
-  // Invalid API key format or key
-  AUTH_REVOKED: -32003,
-  // API key has been revoked
-  AUTH_FORBIDDEN: -32004
-  // Tenant suspended or no access
-};
-function createJsonRpcError(code, message, hint) {
-  const error = {
-    jsonrpc: "2.0",
-    error: {
-      code,
-      message
-    },
-    id: null
-  };
-  if (hint) {
-    error.error.data = { hint };
-  }
-  return error;
-}
-function parseBearerToken(authHeader) {
-  if (!authHeader) {
-    return null;
-  }
-  const parts = authHeader.split(" ");
-  if (parts.length !== 2 || parts[0].toLowerCase() !== "bearer") {
-    return null;
-  }
-  const token = parts[1];
-  if (!token || token.trim() === "") {
-    return null;
-  }
-  return token;
-}
-async function validateMcpApiKey(authHeader, apiKeyService, prisma) {
-  const token = parseBearerToken(authHeader);
-  if (!token) {
-    return {
-      valid: false,
-      error: "Authentication required",
-      httpStatus: 401
-    };
-  }
-  const validationResult = await apiKeyService.validate(token);
-  if (!validationResult.valid) {
-    const isRevoked = validationResult.error?.includes("revoked");
-    return {
-      valid: false,
-      error: validationResult.error || "Invalid API key",
-      httpStatus: isRevoked ? 403 : 401
-    };
-  }
-  const tenant = validationResult.tenant;
-  const tenantShops = await prisma.tenantShop.findMany({
-    where: {
-      tenantId: tenant.tenantId,
-      uninstalledAt: null
-      // Only active shops
-    },
-    select: {
-      shopDomain: true,
-      scopes: true
-    }
-  });
-  const allowedShops = tenantShops.map((shop) => shop.shopDomain);
-  const mcpTenantContext = {
-    tenantId: tenant.tenantId,
-    email: tenant.email,
-    defaultShop: validationResult.shop,
-    allowedShops
-  };
-  return {
-    valid: true,
-    tenant: mcpTenantContext
-  };
-}
-function createMcpAuthMiddleware(options) {
-  const { apiKeyService, prisma, isRemote } = options;
-  return async (req, res, next) => {
-    if (!isRemote) {
-      log.debug("[mcp-auth] Local mode: skipping API key validation");
-      next();
-      return;
-    }
-    const authResult = await validateMcpApiKey(req.headers.authorization, apiKeyService, prisma);
-    if (!authResult.valid) {
-      log.debug(`[mcp-auth] Auth failed: ${authResult.error}`);
-      let errorCode;
-      let hint;
-      if (authResult.httpStatus === 401) {
-        errorCode = authResult.error === "Authentication required" ? MCP_AUTH_ERROR_CODES.AUTH_REQUIRED : MCP_AUTH_ERROR_CODES.AUTH_INVALID;
-        hint = "Include Authorization: Bearer sk_live_xxx header";
-      } else {
-        errorCode = authResult.error?.includes("revoked") ? MCP_AUTH_ERROR_CODES.AUTH_REVOKED : MCP_AUTH_ERROR_CODES.AUTH_FORBIDDEN;
-        hint = "API key has been revoked or tenant is inactive";
-      }
-      res.status(authResult.httpStatus || 401).json(createJsonRpcError(errorCode, authResult.error || "Authentication failed", hint));
-      return;
-    }
-    req.mcpTenantContext = authResult.tenant;
-    log.debug(
-      `[mcp-auth] Auth successful for tenant: ${authResult.tenant?.tenantId?.substring(0, 8)}...`
-    );
-    next();
-  };
-}
-var MCP_AUTH_ERRORS = MCP_AUTH_ERROR_CODES;
-
-export {
-  createJsonRpcError,
-  parseBearerToken,
-  validateMcpApiKey,
-  createMcpAuthMiddleware,
-  MCP_AUTH_ERRORS
-};