@frontmcp/adapters 0.6.0 → 0.6.2

package/src/openapi/openapi.utils.js

@@ -1,229 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.validateBaseUrl = validateBaseUrl;
-exports.buildRequest = buildRequest;
-exports.applyAdditionalHeaders = applyAdditionalHeaders;
-exports.parseResponse = parseResponse;
-/**
- * Coerce a value to string with type validation.
- * Throws if the value is an object/array that can't be safely stringified.
- *
- * @param value - Value to coerce
- * @param paramName - Parameter name for error messages
- * @param location - Parameter location (path/query/header)
- * @returns String representation of the value
- */
-function coerceToString(value, paramName, location) {
-    if (value === null || value === undefined) {
-        return '';
-    }
-    if (typeof value === 'object') {
-        if (Array.isArray(value)) {
-            // Arrays in query params are common - join with comma
-            if (location === 'query') {
-                return value.map(String).join(',');
-            }
-            throw new Error(`${location} parameter '${paramName}' cannot be an array. Received: ${JSON.stringify(value)}`);
-        }
-        throw new Error(`${location} parameter '${paramName}' cannot be an object. Received: ${JSON.stringify(value)}`);
-    }
-    return String(value);
-}
-/**
- * Validate and normalize a base URL.
- *
- * @param url - URL to validate
- * @returns Validated URL object
- * @throws Error if URL is invalid or uses unsupported protocol
- */
-function validateBaseUrl(url) {
-    try {
-        const parsed = new URL(url);
-        if (!['http:', 'https:'].includes(parsed.protocol)) {
-            throw new Error(`Unsupported protocol: ${parsed.protocol}. Only http: and https: are supported.`);
-        }
-        return parsed;
-    }
-    catch (err) {
-        if (err instanceof Error && err.message.includes('Unsupported protocol')) {
-            throw err;
-        }
-        throw new Error(`Invalid base URL: ${url}`);
-    }
-}
-/**
- * Append a cookie to the Cookie header.
- * Validates cookie name according to RFC 6265.
- *
- * @param headers - Headers object to modify
- * @param name - Cookie name
- * @param value - Cookie value (will be URI encoded)
- */
-function appendCookie(headers, name, value) {
-    // RFC 6265 cookie-name validation (simplified)
-    if (!/^[\w!#$%&'*+\-.^`|~]+$/.test(name)) {
-        throw new Error(`Invalid cookie name: '${name}'. Cookie names must be valid tokens.`);
-    }
-    const existing = headers.get('Cookie') || '';
-    const cookiePair = `${name}=${encodeURIComponent(coerceToString(value, name, 'cookie'))}`;
-    const combined = existing ? `${existing}; ${cookiePair}` : cookiePair;
-    headers.set('Cookie', combined);
-}
-/**
- * Build HTTP request from OpenAPI tool and input parameters
- *
- * @param tool - OpenAPI tool definition with mapper
- * @param input - User input parameters
- * @param security - Resolved security (headers, query params, etc.)
- * @param baseUrl - API base URL
- * @returns Request configuration ready for fetch
- */
-function buildRequest(tool, input, security, baseUrl) {
-    // Normalize base URL by removing trailing slash to prevent double slashes
-    // Validate server URL from OpenAPI spec to prevent SSRF attacks
-    const rawBaseUrl = tool.metadata.servers?.[0]?.url || baseUrl;
-    validateBaseUrl(rawBaseUrl); // Throws if invalid protocol (e.g., file://, javascript:)
-    const apiBaseUrl = rawBaseUrl.replace(/\/+$/, '');
-    let path = tool.metadata.path;
-    const queryParams = new URLSearchParams();
-    const headers = new Headers({
-        accept: 'application/json',
-        ...security.headers,
-    });
-    let body;
-    // Process each mapper entry
-    for (const mapper of tool.mapper) {
-        // Skip security parameters (already handled by SecurityResolver)
-        if (mapper.security)
-            continue;
-        const value = input[mapper.inputKey];
-        // Check required parameters
-        if (value === undefined || value === null) {
-            if (mapper.required) {
-                throw new Error(`Required ${mapper.type} parameter '${mapper.key}' (input: '${mapper.inputKey}') is missing for operation '${tool.name}'`);
-            }
-            continue;
-        }
-        // Apply parameter to correct location
-        switch (mapper.type) {
-            case 'path':
-                // Use replaceAll to handle duplicate path parameters (e.g., /users/{id}/posts/{id})
-                path = path.replaceAll(`{${mapper.key}}`, encodeURIComponent(coerceToString(value, mapper.key, 'path')));
-                break;
-            case 'query':
-                queryParams.set(mapper.key, coerceToString(value, mapper.key, 'query'));
-                break;
-            case 'header': {
-                const headerValue = coerceToString(value, mapper.key, 'header');
-                // Validate header values for injection attacks
-                // Check for: CR, LF, null byte, form feed, vertical tab
-                // eslint-disable-next-line no-control-regex
-                if (/[\r\n\x00\f\v]/.test(headerValue)) {
-                    throw new Error(`Invalid header value for '${mapper.key}': contains control characters (possible header injection attack)`);
-                }
-                headers.set(mapper.key, headerValue);
-                break;
-            }
-            case 'cookie':
-                appendCookie(headers, mapper.key, value);
-                break;
-            case 'body':
-                if (!body)
-                    body = {};
-                body[mapper.key] = value;
-                break;
-            default:
-                throw new Error(`Unknown mapper type '${mapper.type}' for parameter '${mapper.key}' in operation '${tool.name}'`);
-        }
-    }
-    // Add query parameters from security (e.g., API keys in query string)
-    // Detect collisions with user-provided query params (security params take precedence)
-    Object.entries(security.query).forEach(([key, value]) => {
-        if (queryParams.has(key)) {
-            // Security params override user params, but warn about potential misconfiguration
-            throw new Error(`Query parameter collision: '${key}' is provided both as user input and security parameter. ` +
-                `This could indicate a security misconfiguration in operation '${tool.name}'.`);
-        }
-        queryParams.set(key, coerceToString(value, key, 'security query'));
-    });
-    // Add cookies from a security context
-    if (security.cookies && Object.keys(security.cookies).length > 0) {
-        Object.entries(security.cookies).forEach(([key, value]) => {
-            appendCookie(headers, key, value);
-        });
-    }
-    // Ensure all path parameters are resolved
-    if (path.includes('{')) {
-        throw new Error(`Failed to resolve all path parameters in ${path} for operation ${tool.name}`);
-    }
-    // Build final URL
-    const queryString = queryParams.toString();
-    const url = `${apiBaseUrl}${path}${queryString ? `?${queryString}` : ''}`;
-    return { url, headers, body };
-}
-/**
- * Apply custom headers to request
- *
- * @param headers - Current headers
- * @param additionalHeaders - Additional static headers to add
- */
-function applyAdditionalHeaders(headers, additionalHeaders) {
-    if (!additionalHeaders)
-        return;
-    Object.entries(additionalHeaders).forEach(([key, value]) => {
-        headers.set(key, value);
-    });
-}
-/** Default max response size: 10MB */
-const DEFAULT_MAX_RESPONSE_SIZE = 10 * 1024 * 1024;
-/**
- * Parse API response based on content type
- *
- * @param response - Fetch response
- * @param options - Optional parsing options
- * @returns Parsed response data
- */
-async function parseResponse(response, options) {
-    const maxSize = options?.maxResponseSize ?? DEFAULT_MAX_RESPONSE_SIZE;
-    // Check for error responses FIRST - don't expose response body in error
-    // Only include status code, not statusText (which could contain sensitive info)
-    if (!response.ok) {
-        throw new Error(`API request failed: ${response.status}`);
-    }
-    // Check Content-Length header first to avoid loading huge responses
-    const contentLength = response.headers.get('content-length');
-    if (contentLength) {
-        const length = parseInt(contentLength, 10);
-        // Check for NaN, Infinity (from very large numbers), and actual size limit
-        if (!isNaN(length) && isFinite(length) && length > maxSize) {
-            throw new Error(`Response size (${length} bytes) exceeds maximum allowed (${maxSize} bytes)`);
-        }
-        // If length is Infinity or NaN, we'll catch it in the actual byte size check below
-    }
-    // Read response body
-    // NOTE: This size check occurs AFTER loading the full response into memory.
-    // For responses without Content-Length headers, this provides defense-in-depth
-    // (detecting oversized responses) but does not protect against memory exhaustion.
-    // A streaming approach would be required for true memory protection, but adds
-    // complexity. The Content-Length check above handles the common case.
-    const text = await response.text();
-    // Check actual byte size (Content-Length may be missing or incorrect)
-    const byteSize = new TextEncoder().encode(text).length;
-    if (byteSize > maxSize) {
-        throw new Error(`Response size (${byteSize} bytes) exceeds maximum allowed (${maxSize} bytes)`);
-    }
-    // Parse JSON responses - use case-insensitive check
-    const contentType = response.headers.get('content-type');
-    if (contentType?.toLowerCase().includes('application/json')) {
-        try {
-            return { data: JSON.parse(text) };
-        }
-        catch {
-            // Invalid JSON, return as text (don't log to console in production)
-            return { data: text };
-        }
-    }
-    // Return text for non-JSON responses
-    return { data: text };
-}
-//# sourceMappingURL=openapi.utils.js.map

package/src/openapi/openapi.utils.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"openapi.utils.js","sourceRoot":"","sources":["../../../src/openapi/openapi.utils.ts"],"names":[],"mappings":";;AA4CA,0CAaC;AA+BD,oCA6GC;AAQD,wDAMC;AAoBD,sCA+CC;AA3QD;;;;;;;;GAQG;AACH,SAAS,cAAc,CAAC,KAAc,EAAE,SAAiB,EAAE,QAAgB;IACzE,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;QAC1C,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YACzB,sDAAsD;YACtD,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;gBACzB,OAAO,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACrC,CAAC;YACD,MAAM,IAAI,KAAK,CAAC,GAAG,QAAQ,eAAe,SAAS,mCAAmC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QACjH,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,GAAG,QAAQ,eAAe,SAAS,oCAAoC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAClH,CAAC;IACD,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC;AACvB,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,eAAe,CAAC,GAAW;IACzC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QAC5B,IAAI,CAAC,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;YACnD,MAAM,IAAI,KAAK,CAAC,yBAAyB,MAAM,CAAC,QAAQ,wCAAwC,CAAC,CAAC;QACpG,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,KAAK,IAAI,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAC,EAAE,CAAC;YACzE,MAAM,GAAG,CAAC;QACZ,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,qBAAqB,GAAG,EAAE,CAAC,CAAC;IAC9C,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,YAAY,CAAC,OAAgB,EAAE,IAAY,EAAE,KAAc;IAClE,+CAA+C;IAC/C,IAAI,CAAC,wBAAwB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACzC,MAAM,IAAI,KAAK,CAAC,yBAAyB,IAAI,uCAAuC,CAAC,CAAC;IACxF,CAAC;IAED,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;IAC7C,MAAM,UAAU,GAAG,GAAG,IAAI,IAAI,kBAAkB,CAAC,cAAc,CAAC,KAAK,EAAE,IAAI,EAAE,QAAQ,CAAC,CAAC,EAAE,CAAC;IAC1F,MAAM,QAAQ,GAAG,QAAQ,CAAC,CAAC,CAAC,GAAG,QAAQ,KAAK,UAAU,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC;IACtE,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;AAClC,CAAC;AAED;;;;;;;;GAQG;AACH,SAAgB,YAAY,CAC1B,IAAoB,EACpB,KAA8B,EAC9B,QAA0D,EAC1D,OAAe;IAEf,0EAA0E;IAC1E,gEAAgE;IAChE,MAAM,UAAU,GAAG,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,GAAG,IAAI,OAAO,CAAC;IAC9D,eAAe,CAAC,UAAU,CAAC,CAAC,CAAC,0DAA0D;IACvF,MAAM,UAAU,GAAG,UAAU,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IAClD,IAAI,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;IAC9B,MAAM,WAAW,GAAG,IAAI,eAAe,EAAE,CAAC;IAC1C,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC;QAC1B,MAAM,EAAE,kBAAkB;QAC1B,GAAG,QAAQ,CAAC,OAAO;KACpB,CAAC,CAAC;IACH,IAAI,IAAyC,CAAC;IAE9C,4BAA4B;IAC5B,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;QACjC,iEAAiE;QACjE,IAAI,MAAM,CAAC,QAAQ;YAAE,SAAS;QAE9B,MAAM,KAAK,GAAG,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAErC,4BAA4B;QAC5B,IAAI,KAAK,KAAK,SAAS,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;YAC1C,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;gBACpB,MAAM,IAAI,KAAK,CACb,YAAY,MAAM,CAAC,IAAI,eAAe,MAAM,CAAC,GAAG,cAAc,MAAM,CAAC,QAAQ,gCAAgC,IAAI,CAAC,IAAI,GAAG,CAC1H,CAAC;YACJ,CAAC;YACD,SAAS;QACX,CAAC;QAED,sCAAsC;QACtC,QAAQ,MAAM,CAAC,IAAI,EAAE,CAAC;YACpB,KAAK,MAAM;gBACT,oFAAoF;gBACpF,IAAI,GAAG,IAAI,CAAC,UAAU,CAAC,IAAI,MAAM,CAAC,GAAG,GAAG,EAAE,kBAAkB,CAAC,cAAc,CAAC,KAAK,EAAE,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC;gBACzG,MAAM;YAER,KAAK,OAAO;gBACV,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,EAAE,cAAc,CAAC,KAAK,EAAE,MAAM,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC,CAAC;gBACxE,MAAM;YAER,KAAK,QAAQ,CAAC,CAAC,CAAC;gBACd,MAAM,WAAW,GAAG,cAAc,CAAC,KAAK,EAAE,MAAM,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;gBAChE,+CAA+C;gBAC/C,wDAAwD;gBACxD,4CAA4C;gBAC5C,IAAI,gBAAgB,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;oBACvC,MAAM,IAAI,KAAK,CACb,6BAA6B,MAAM,CAAC,GAAG,mEAAmE,CAC3G,CAAC;gBACJ,CAAC;gBACD,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC;gBACrC,MAAM;YACR,CAAC;YAED,KAAK,QAAQ;gBACX,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;gBACzC,MAAM;YAER,KAAK,MAAM;gBACT,IAAI,CAAC,IAAI;oBAAE,IAAI,GAAG,EAAE,CAAC;gBACrB,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;gBACzB,MAAM;YAER;gBACE,MAAM,IAAI,KAAK,CACb,wBAAyB,MAA2B,CAAC,IAAI,oBAAoB,MAAM,CAAC,GAAG,mBACrF,IAAI,CAAC,IACP,GAAG,CACJ,CAAC;QACN,CAAC;IACH,CAAC;IAED,sEAAsE;IACtE,sFAAsF;IACtF,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE;QACtD,IAAI,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YACzB,kFAAkF;YAClF,MAAM,IAAI,KAAK,CACb,+BAA+B,GAAG,2DAA2D;gBAC3F,iEAAiE,IAAI,CAAC,IAAI,IAAI,CACjF,CAAC;QACJ,CAAC;QACD,WAAW,CAAC,GAAG,CAAC,GAAG,EAAE,cAAc,CAAC,KAAK,EAAE,GAAG,EAAE,gBAAgB,CAAC,CAAC,CAAC;IACrE,CAAC,CAAC,CAAC;IAEH,sCAAsC;IACtC,IAAI,QAAQ,CAAC,OAAO,IAAI,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACjE,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE;YACxD,YAAY,CAAC,OAAO,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;QACpC,CAAC,CAAC,CAAC;IACL,CAAC;IAED,0CAA0C;IAC1C,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,4CAA4C,IAAI,kBAAkB,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;IACjG,CAAC;IAED,kBAAkB;IAClB,MAAM,WAAW,GAAG,WAAW,CAAC,QAAQ,EAAE,CAAC;IAC3C,MAAM,GAAG,GAAG,GAAG,UAAU,GAAG,IAAI,GAAG,WAAW,CAAC,CAAC,CAAC,IAAI,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;IAE1E,OAAO,EAAE,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AAChC,CAAC;AAED;;;;;GAKG;AACH,SAAgB,sBAAsB,CAAC,OAAgB,EAAE,iBAA0C;IACjG,IAAI,CAAC,iBAAiB;QAAE,OAAO;IAE/B,MAAM,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE;QACzD,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IAC1B,CAAC,CAAC,CAAC;AACL,CAAC;AAUD,sCAAsC;AACtC,MAAM,yBAAyB,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC;AAEnD;;;;;;GAMG;AACI,KAAK,UAAU,aAAa,CAAC,QAAkB,EAAE,OAA8B;IACpF,MAAM,OAAO,GAAG,OAAO,EAAE,eAAe,IAAI,yBAAyB,CAAC;IAEtE,wEAAwE;IACxE,gFAAgF;IAChF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,uBAAuB,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;IAC5D,CAAC;IAED,oEAAoE;IACpE,MAAM,aAAa,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;IAC7D,IAAI,aAAa,EAAE,CAAC;QAClB,MAAM,MAAM,GAAG,QAAQ,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;QAC3C,2EAA2E;QAC3E,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,QAAQ,CAAC,MAAM,CAAC,IAAI,MAAM,GAAG,OAAO,EAAE,CAAC;YAC3D,MAAM,IAAI,KAAK,CAAC,kBAAkB,MAAM,oCAAoC,OAAO,SAAS,CAAC,CAAC;QAChG,CAAC;QACD,mFAAmF;IACrF,CAAC;IAED,qBAAqB;IACrB,4EAA4E;IAC5E,+EAA+E;IAC/E,kFAAkF;IAClF,8EAA8E;IAC9E,sEAAsE;IACtE,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IAEnC,sEAAsE;IACtE,MAAM,QAAQ,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC;IACvD,IAAI,QAAQ,GAAG,OAAO,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,kBAAkB,QAAQ,oCAAoC,OAAO,SAAS,CAAC,CAAC;IAClG,CAAC;IAED,oDAAoD;IACpD,MAAM,WAAW,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IACzD,IAAI,WAAW,EAAE,WAAW,EAAE,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;QAC5D,IAAI,CAAC;YACH,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;QACpC,CAAC;QAAC,MAAM,CAAC;YACP,oEAAoE;YACpE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;QACxB,CAAC;IACH,CAAC;IAED,qCAAqC;IACrC,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;AACxB,CAAC","sourcesContent":["import type { McpOpenAPITool, SecurityResolver } from 'mcp-from-openapi';\n\n/**\n * Request configuration for building HTTP requests\n */\nexport interface RequestConfig {\n  url: string;\n  headers: Headers;\n  body?: Record<string, unknown>;\n}\n\n/**\n * Coerce a value to string with type validation.\n * Throws if the value is an object/array that can't be safely stringified.\n *\n * @param value - Value to coerce\n * @param paramName - Parameter name for error messages\n * @param location - Parameter location (path/query/header)\n * @returns String representation of the value\n */\nfunction coerceToString(value: unknown, paramName: string, location: string): string {\n  if (value === null || value === undefined) {\n    return '';\n  }\n  if (typeof value === 'object') {\n    if (Array.isArray(value)) {\n      // Arrays in query params are common - join with comma\n      if (location === 'query') {\n        return value.map(String).join(',');\n      }\n      throw new Error(`${location} parameter '${paramName}' cannot be an array. Received: ${JSON.stringify(value)}`);\n    }\n    throw new Error(`${location} parameter '${paramName}' cannot be an object. Received: ${JSON.stringify(value)}`);\n  }\n  return String(value);\n}\n\n/**\n * Validate and normalize a base URL.\n *\n * @param url - URL to validate\n * @returns Validated URL object\n * @throws Error if URL is invalid or uses unsupported protocol\n */\nexport function validateBaseUrl(url: string): URL {\n  try {\n    const parsed = new URL(url);\n    if (!['http:', 'https:'].includes(parsed.protocol)) {\n      throw new Error(`Unsupported protocol: ${parsed.protocol}. Only http: and https: are supported.`);\n    }\n    return parsed;\n  } catch (err) {\n    if (err instanceof Error && err.message.includes('Unsupported protocol')) {\n      throw err;\n    }\n    throw new Error(`Invalid base URL: ${url}`);\n  }\n}\n\n/**\n * Append a cookie to the Cookie header.\n * Validates cookie name according to RFC 6265.\n *\n * @param headers - Headers object to modify\n * @param name - Cookie name\n * @param value - Cookie value (will be URI encoded)\n */\nfunction appendCookie(headers: Headers, name: string, value: unknown): void {\n  // RFC 6265 cookie-name validation (simplified)\n  if (!/^[\\w!#$%&'*+\\-.^`|~]+$/.test(name)) {\n    throw new Error(`Invalid cookie name: '${name}'. Cookie names must be valid tokens.`);\n  }\n\n  const existing = headers.get('Cookie') || '';\n  const cookiePair = `${name}=${encodeURIComponent(coerceToString(value, name, 'cookie'))}`;\n  const combined = existing ? `${existing}; ${cookiePair}` : cookiePair;\n  headers.set('Cookie', combined);\n}\n\n/**\n * Build HTTP request from OpenAPI tool and input parameters\n *\n * @param tool - OpenAPI tool definition with mapper\n * @param input - User input parameters\n * @param security - Resolved security (headers, query params, etc.)\n * @param baseUrl - API base URL\n * @returns Request configuration ready for fetch\n */\nexport function buildRequest(\n  tool: McpOpenAPITool,\n  input: Record<string, unknown>,\n  security: Awaited<ReturnType<SecurityResolver['resolve']>>,\n  baseUrl: string,\n): RequestConfig {\n  // Normalize base URL by removing trailing slash to prevent double slashes\n  // Validate server URL from OpenAPI spec to prevent SSRF attacks\n  const rawBaseUrl = tool.metadata.servers?.[0]?.url || baseUrl;\n  validateBaseUrl(rawBaseUrl); // Throws if invalid protocol (e.g., file://, javascript:)\n  const apiBaseUrl = rawBaseUrl.replace(/\\/+$/, '');\n  let path = tool.metadata.path;\n  const queryParams = new URLSearchParams();\n  const headers = new Headers({\n    accept: 'application/json',\n    ...security.headers,\n  });\n  let body: Record<string, unknown> | undefined;\n\n  // Process each mapper entry\n  for (const mapper of tool.mapper) {\n    // Skip security parameters (already handled by SecurityResolver)\n    if (mapper.security) continue;\n\n    const value = input[mapper.inputKey];\n\n    // Check required parameters\n    if (value === undefined || value === null) {\n      if (mapper.required) {\n        throw new Error(\n          `Required ${mapper.type} parameter '${mapper.key}' (input: '${mapper.inputKey}') is missing for operation '${tool.name}'`,\n        );\n      }\n      continue;\n    }\n\n    // Apply parameter to correct location\n    switch (mapper.type) {\n      case 'path':\n        // Use replaceAll to handle duplicate path parameters (e.g., /users/{id}/posts/{id})\n        path = path.replaceAll(`{${mapper.key}}`, encodeURIComponent(coerceToString(value, mapper.key, 'path')));\n        break;\n\n      case 'query':\n        queryParams.set(mapper.key, coerceToString(value, mapper.key, 'query'));\n        break;\n\n      case 'header': {\n        const headerValue = coerceToString(value, mapper.key, 'header');\n        // Validate header values for injection attacks\n        // Check for: CR, LF, null byte, form feed, vertical tab\n        // eslint-disable-next-line no-control-regex\n        if (/[\\r\\n\\x00\\f\\v]/.test(headerValue)) {\n          throw new Error(\n            `Invalid header value for '${mapper.key}': contains control characters (possible header injection attack)`,\n          );\n        }\n        headers.set(mapper.key, headerValue);\n        break;\n      }\n\n      case 'cookie':\n        appendCookie(headers, mapper.key, value);\n        break;\n\n      case 'body':\n        if (!body) body = {};\n        body[mapper.key] = value;\n        break;\n\n      default:\n        throw new Error(\n          `Unknown mapper type '${(mapper as { type: string }).type}' for parameter '${mapper.key}' in operation '${\n            tool.name\n          }'`,\n        );\n    }\n  }\n\n  // Add query parameters from security (e.g., API keys in query string)\n  // Detect collisions with user-provided query params (security params take precedence)\n  Object.entries(security.query).forEach(([key, value]) => {\n    if (queryParams.has(key)) {\n      // Security params override user params, but warn about potential misconfiguration\n      throw new Error(\n        `Query parameter collision: '${key}' is provided both as user input and security parameter. ` +\n          `This could indicate a security misconfiguration in operation '${tool.name}'.`,\n      );\n    }\n    queryParams.set(key, coerceToString(value, key, 'security query'));\n  });\n\n  // Add cookies from a security context\n  if (security.cookies && Object.keys(security.cookies).length > 0) {\n    Object.entries(security.cookies).forEach(([key, value]) => {\n      appendCookie(headers, key, value);\n    });\n  }\n\n  // Ensure all path parameters are resolved\n  if (path.includes('{')) {\n    throw new Error(`Failed to resolve all path parameters in ${path} for operation ${tool.name}`);\n  }\n\n  // Build final URL\n  const queryString = queryParams.toString();\n  const url = `${apiBaseUrl}${path}${queryString ? `?${queryString}` : ''}`;\n\n  return { url, headers, body };\n}\n\n/**\n * Apply custom headers to request\n *\n * @param headers - Current headers\n * @param additionalHeaders - Additional static headers to add\n */\nexport function applyAdditionalHeaders(headers: Headers, additionalHeaders?: Record<string, string>): void {\n  if (!additionalHeaders) return;\n\n  Object.entries(additionalHeaders).forEach(([key, value]) => {\n    headers.set(key, value);\n  });\n}\n\n/**\n * Options for response parsing\n */\nexport interface ParseResponseOptions {\n  /** Maximum response size in bytes (default: 10MB) */\n  maxResponseSize?: number;\n}\n\n/** Default max response size: 10MB */\nconst DEFAULT_MAX_RESPONSE_SIZE = 10 * 1024 * 1024;\n\n/**\n * Parse API response based on content type\n *\n * @param response - Fetch response\n * @param options - Optional parsing options\n * @returns Parsed response data\n */\nexport async function parseResponse(response: Response, options?: ParseResponseOptions): Promise<{ data: unknown }> {\n  const maxSize = options?.maxResponseSize ?? DEFAULT_MAX_RESPONSE_SIZE;\n\n  // Check for error responses FIRST - don't expose response body in error\n  // Only include status code, not statusText (which could contain sensitive info)\n  if (!response.ok) {\n    throw new Error(`API request failed: ${response.status}`);\n  }\n\n  // Check Content-Length header first to avoid loading huge responses\n  const contentLength = response.headers.get('content-length');\n  if (contentLength) {\n    const length = parseInt(contentLength, 10);\n    // Check for NaN, Infinity (from very large numbers), and actual size limit\n    if (!isNaN(length) && isFinite(length) && length > maxSize) {\n      throw new Error(`Response size (${length} bytes) exceeds maximum allowed (${maxSize} bytes)`);\n    }\n    // If length is Infinity or NaN, we'll catch it in the actual byte size check below\n  }\n\n  // Read response body\n  // NOTE: This size check occurs AFTER loading the full response into memory.\n  // For responses without Content-Length headers, this provides defense-in-depth\n  // (detecting oversized responses) but does not protect against memory exhaustion.\n  // A streaming approach would be required for true memory protection, but adds\n  // complexity. The Content-Length check above handles the common case.\n  const text = await response.text();\n\n  // Check actual byte size (Content-Length may be missing or incorrect)\n  const byteSize = new TextEncoder().encode(text).length;\n  if (byteSize > maxSize) {\n    throw new Error(`Response size (${byteSize} bytes) exceeds maximum allowed (${maxSize} bytes)`);\n  }\n\n  // Parse JSON responses - use case-insensitive check\n  const contentType = response.headers.get('content-type');\n  if (contentType?.toLowerCase().includes('application/json')) {\n    try {\n      return { data: JSON.parse(text) };\n    } catch {\n      // Invalid JSON, return as text (don't log to console in production)\n      return { data: text };\n    }\n  }\n\n  // Return text for non-JSON responses\n  return { data: text };\n}\n"]}