@j0hanz/superfetch 1.2.4 → 2.0.0

package/dist/config/index.d.ts

@@ -1,60 +1,54 @@
-import type { LogLevel } from './types/runtime.js';
 interface RuntimeState {
     httpMode: boolean;
 }
 export declare const config: {
-    readonly server: {
-        readonly name: "superFetch";
-        readonly version: string;
-        readonly port: number;
-        readonly host: string;
-        readonly trustProxy: boolean;
-        readonly sessionTtlMs: number;
-        readonly sessionInitTimeoutMs: number;
-        readonly maxSessions: number;
-    };
-    readonly fetcher: {
-        readonly timeout: number;
-        readonly maxRedirects: 5;
-        readonly userAgent: string;
-        readonly maxContentLength: number;
-    };
-    readonly cache: {
-        readonly enabled: boolean;
-        readonly ttl: number;
-        readonly maxKeys: number;
-    };
-    readonly extraction: {
-        readonly extractMainContent: boolean;
-        readonly includeMetadata: boolean;
-        readonly maxBlockLength: 5000;
-        readonly minParagraphLength: 10;
-    };
-    readonly logging: {
-        readonly level: LogLevel;
-        readonly enabled: boolean;
-    };
-    readonly constants: {
-        readonly maxHtmlSize: number;
-        readonly maxContentSize: number;
-        readonly maxUrlLength: 2048;
-        readonly maxInlineContentChars: number;
-    };
-    readonly security: {
-        readonly blockedHosts: Set<string>;
-        readonly blockedIpPatterns: readonly RegExp[];
-        readonly blockedHeaders: Set<string>;
-        readonly apiKey: string | undefined;
-        readonly allowRemote: boolean;
-        readonly requireAuth: boolean;
-    };
-    readonly rateLimit: {
-        readonly enabled: boolean;
-        readonly maxRequests: number;
-        readonly windowMs: number;
-        readonly cleanupIntervalMs: number;
-    };
-    readonly runtime: RuntimeState;
+    server: {
+        name: string;
+        version: string;
+        port: number;
+        host: string;
+        sessionTtlMs: number;
+        sessionInitTimeoutMs: number;
+        maxSessions: number;
+    };
+    fetcher: {
+        timeout: number;
+        maxRedirects: number;
+        userAgent: string;
+        maxContentLength: number;
+    };
+    cache: {
+        enabled: boolean;
+        ttl: number;
+        maxKeys: number;
+    };
+    extraction: {
+        maxBlockLength: number;
+        minParagraphLength: number;
+    };
+    logging: {
+        level: import("./types/runtime.js").LogLevel;
+    };
+    constants: {
+        maxHtmlSize: number;
+        maxUrlLength: number;
+        maxInlineContentChars: number;
+    };
+    security: {
+        blockedHosts: Set<string>;
+        blockedIpPatterns: RegExp[];
+        allowedHosts: Set<string>;
+        apiKey: string | undefined;
+        allowRemote: boolean;
+    };
+    auth: import("./auth-config.js").AuthConfig;
+    rateLimit: {
+        enabled: boolean;
+        maxRequests: number;
+        windowMs: number;
+        cleanupIntervalMs: number;
+    };
+    runtime: RuntimeState;
 };
 export declare function enableHttpMode(): void;
 export {};

package/dist/config/index.js

@@ -1,39 +1,17 @@
 import packageJson from '../../package.json' with { type: 'json' };
+import { buildAuthConfig } from './auth-config.js';
 import { SIZE_LIMITS, TIMEOUT } from './constants.js';
-function parseInteger(envValue, defaultValue, min, max) {
-    if (!envValue)
-        return defaultValue;
-    const parsed = parseInt(envValue, 10);
-    if (Number.isNaN(parsed))
-        return defaultValue;
-    if (min !== undefined && parsed < min)
-        return defaultValue;
-    if (max !== undefined && parsed > max)
-        return defaultValue;
-    return parsed;
-}
-function parseBoolean(envValue, defaultValue) {
-    if (!envValue)
-        return defaultValue;
-    return envValue !== 'false';
-}
-function parseLogLevel(envValue) {
-    const level = envValue?.toLowerCase();
-    if (!level)
-        return 'info';
-    return isLogLevel(level) ? level : 'info';
-}
-const ALLOWED_LOG_LEVELS = new Set([
-    'debug',
-    'info',
-    'warn',
-    'error',
-]);
-function isLogLevel(value) {
-    return ALLOWED_LOG_LEVELS.has(value);
+import { parseAllowedHosts, parseBoolean, parseInteger, parseLogLevel, } from './env-parsers.js';
+function formatHostForUrl(hostname) {
+    if (hostname.includes(':') && !hostname.startsWith('[')) {
+        return `[${hostname}]`;
+    }
+    return hostname;
 }
 const host = process.env.HOST ?? '127.0.0.1';
-const isLoopbackHost = host === '127.0.0.1' || host === '::1' || host === 'localhost';
+const port = parseInteger(process.env.PORT, 3000, 1024, 65535);
+const baseUrl = new URL(`http://${formatHostForUrl(host)}:${port}`);
+const isRemoteHost = host === '0.0.0.0' || host === '::';
 const runtimeState = {
     httpMode: false,
 };
@@ -41,39 +19,34 @@ export const config = {
     server: {
         name: 'superFetch',
         version: packageJson.version,
-        port: parseInteger(process.env.PORT, 3000, 1024, 65535),
+        port,
         host,
-        trustProxy: parseBoolean(process.env.TRUST_PROXY, false),
-        sessionTtlMs: parseInteger(process.env.SESSION_TTL_MS, TIMEOUT.DEFAULT_SESSION_TTL_MS, TIMEOUT.MIN_SESSION_TTL_MS, TIMEOUT.MAX_SESSION_TTL_MS),
-        sessionInitTimeoutMs: parseInteger(process.env.SESSION_INIT_TIMEOUT_MS, 10000, 1000, 60000),
-        maxSessions: parseInteger(process.env.MAX_SESSIONS, 200, 10, 10000),
+        sessionTtlMs: TIMEOUT.DEFAULT_SESSION_TTL_MS,
+        sessionInitTimeoutMs: 10000,
+        maxSessions: 200,
     },
     fetcher: {
-        timeout: parseInteger(process.env.FETCH_TIMEOUT, TIMEOUT.DEFAULT_FETCH_TIMEOUT_MS, TIMEOUT.MIN_FETCH_TIMEOUT_MS, TIMEOUT.MAX_FETCH_TIMEOUT_MS),
+        timeout: TIMEOUT.DEFAULT_FETCH_TIMEOUT_MS,
         maxRedirects: 5,
-        userAgent: process.env.USER_AGENT ?? 'superFetch-MCP/1.0',
+        userAgent: process.env.USER_AGENT ?? 'superFetch-MCP/2.0',
         maxContentLength: SIZE_LIMITS.TEN_MB,
     },
     cache: {
         enabled: parseBoolean(process.env.CACHE_ENABLED, true),
         ttl: parseInteger(process.env.CACHE_TTL, 3600, 60, 86400),
-        maxKeys: parseInteger(process.env.CACHE_MAX_KEYS, 100, 10, 1000),
+        maxKeys: 100,
     },
     extraction: {
-        extractMainContent: parseBoolean(process.env.EXTRACT_MAIN_CONTENT, true),
-        includeMetadata: parseBoolean(process.env.INCLUDE_METADATA, true),
         maxBlockLength: 5000,
         minParagraphLength: 10,
     },
     logging: {
         level: parseLogLevel(process.env.LOG_LEVEL),
-        enabled: parseBoolean(process.env.ENABLE_LOGGING, true),
     },
     constants: {
         maxHtmlSize: SIZE_LIMITS.TEN_MB,
-        maxContentSize: SIZE_LIMITS.FIVE_MB,
         maxUrlLength: 2048,
-        maxInlineContentChars: parseInteger(process.env.MAX_INLINE_CONTENT_CHARS, 20000, 1000, 200000),
+        maxInlineContentChars: 20000,
     },
     security: {
         blockedHosts: new Set([
@@ -104,23 +77,16 @@ export const config = {
             /^::ffff:192\.168\./,
             /^::ffff:169\.254\./,
         ],
-        blockedHeaders: new Set([
-            'host',
-            'authorization',
-            'cookie',
-            'x-forwarded-for',
-            'x-real-ip',
-            'proxy-authorization',
-        ]),
+        allowedHosts: parseAllowedHosts(process.env.ALLOWED_HOSTS),
         apiKey: process.env.API_KEY,
-        allowRemote: parseBoolean(process.env.ALLOW_REMOTE, false),
-        requireAuth: parseBoolean(process.env.REQUIRE_AUTH, !isLoopbackHost),
+        allowRemote: isRemoteHost,
     },
+    auth: buildAuthConfig(baseUrl),
     rateLimit: {
-        enabled: parseBoolean(process.env.RATE_LIMIT_ENABLED, true),
-        maxRequests: parseInteger(process.env.RATE_LIMIT_MAX, 100, 1, 10000),
-        windowMs: parseInteger(process.env.RATE_LIMIT_WINDOW_MS, 60000, 1000, 3600000),
-        cleanupIntervalMs: parseInteger(process.env.RATE_LIMIT_CLEANUP_MS, 60000, 10000, 3600000),
+        enabled: true,
+        maxRequests: 100,
+        windowMs: 60000,
+        cleanupIntervalMs: 60000,
     },
     runtime: runtimeState,
 };

package/dist/config/types/content.d.ts

@@ -1,8 +1,4 @@
-type ContentBlockType = 'metadata' | 'heading' | 'paragraph' | 'list' | 'code' | 'table' | 'image' | 'blockquote';
-interface ContentBlock {
-    type: ContentBlockType;
-}
-export interface MetadataBlock extends ContentBlock {
+export interface MetadataBlock {
     type: 'metadata';
     title?: string;
     description?: string;
@@ -10,40 +6,6 @@ export interface MetadataBlock extends ContentBlock {
     url: string;
     fetchedAt: string;
 }
-export interface HeadingBlock extends ContentBlock {
-    type: 'heading';
-    level: number;
-    text: string;
-}
-export interface ParagraphBlock extends ContentBlock {
-    type: 'paragraph';
-    text: string;
-}
-export interface ListBlock extends ContentBlock {
-    type: 'list';
-    ordered: boolean;
-    readonly items: readonly string[];
-}
-export interface CodeBlock extends ContentBlock {
-    type: 'code';
-    language?: string;
-    text: string;
-}
-export interface TableBlock extends ContentBlock {
-    type: 'table';
-    readonly headers?: readonly string[];
-    readonly rows: readonly (readonly string[])[];
-}
-export interface ImageBlock extends ContentBlock {
-    type: 'image';
-    src: string;
-    alt?: string;
-}
-export interface BlockquoteBlock extends ContentBlock {
-    type: 'blockquote';
-    text: string;
-}
-export type ContentBlockUnion = MetadataBlock | HeadingBlock | ParagraphBlock | ListBlock | CodeBlock | TableBlock | ImageBlock | BlockquoteBlock;
 export interface ExtractedArticle {
     title?: string;
     byline?: string;
@@ -68,21 +30,11 @@ export interface ExtractionResult {
     article: ExtractedArticle | null;
     metadata: ExtractedMetadata;
 }
-export type ParseableTagName = 'h1' | 'h2' | 'h3' | 'h4' | 'h5' | 'h6' | 'p' | 'ul' | 'ol' | 'pre' | 'code' | 'table' | 'img' | 'blockquote';
 export interface MarkdownTransformResult {
     markdown: string;
     title: string | undefined;
     truncated: boolean;
 }
 export interface TransformOptions {
-    extractMainContent: boolean;
     includeMetadata: boolean;
-    maxContentLength?: number;
-}
-export interface JsonlTransformResult {
-    content: string;
-    contentBlocks: number;
-    title: string | undefined;
-    truncated?: boolean;
 }
-export {};

package/dist/config/types/runtime.d.ts

@@ -28,13 +28,7 @@ export type ToolContentBlock = {
     };
 };
 export interface FetchOptions {
-    customHeaders?: Record<string, string>;
     signal?: AbortSignal;
-    timeout?: number;
-}
-export interface TruncationResult {
-    readonly content: string;
-    readonly truncated: boolean;
 }
 export interface SessionEntry {
     readonly transport: StreamableHTTPServerTransport;
@@ -43,25 +37,23 @@ export interface SessionEntry {
 }
 export type LogLevel = 'debug' | 'info' | 'warn' | 'error';
 export type LogMetadata = Record<string, unknown>;
+export interface McpRequestParams {
+    _meta?: Record<string, unknown>;
+    [key: string]: unknown;
+}
 export interface McpRequestBody {
-    method?: string;
+    jsonrpc: '2.0';
+    method: string;
     id?: string | number;
-    jsonrpc?: '2.0';
-    params?: unknown;
+    params?: McpRequestParams;
 }
 export interface FetchPipelineOptions<T> {
     /** URL to fetch */
     url: string;
-    /** Cache namespace (e.g., 'url', 'links', 'markdown') */
+    /** Cache namespace (e.g., 'markdown') */
     cacheNamespace: string;
-    /** Optional custom HTTP headers */
-    customHeaders?: Record<string, string>;
-    /** Optional: number of retry attempts (1-10, defaults to 3) */
-    retries?: number;
     /** Optional: AbortSignal for request cancellation */
     signal?: AbortSignal;
-    /** Optional: per-request timeout override in milliseconds */
-    timeout?: number;
     /** Optional: cache variation input for headers/flags */
     cacheVary?: Record<string, unknown> | string;
     /** Transform function to process HTML into desired format */

package/dist/config/types/tools.d.ts

@@ -1,30 +1,6 @@
 import type { ToolContentBlock } from './runtime.js';
-interface RequestOptions {
-    /** Custom HTTP headers for the request */
-    customHeaders?: Record<string, string> | undefined;
-    /** Request timeout in milliseconds (1000-120000) */
-    timeout?: number | undefined;
-    /** Number of retry attempts (1-10) */
-    retries?: number | undefined;
-}
-export interface FetchUrlInput extends RequestOptions {
-    url: string;
-    extractMainContent?: boolean | undefined;
-    includeMetadata?: boolean | undefined;
-    maxContentLength?: number | undefined;
-    format?: 'jsonl' | 'markdown' | undefined;
-    includeContentBlocks?: boolean | undefined;
-}
-export interface FetchMarkdownInput extends RequestOptions {
+export interface FetchUrlInput {
     url: string;
-    extractMainContent?: boolean | undefined;
-    includeMetadata?: boolean | undefined;
-    maxContentLength?: number | undefined;
-}
-export interface FileDownloadInfo {
-    downloadUrl: string;
-    fileName: string;
-    expiresAt: string;
 }
 export interface ErrorResponse {
     error: {
@@ -41,8 +17,7 @@ export interface ToolErrorResponse {
     structuredContent: {
         error: string;
         url: string;
-        errorCode: string;
-    } & Record<string, unknown>;
+    };
     isError: true;
 }
 export interface ToolResponseBase {
@@ -51,4 +26,3 @@ export interface ToolResponseBase {
     structuredContent?: Record<string, unknown>;
     isError?: boolean;
 }
-export {};

package/dist/http/accept-policy.d.ts

@@ -0,0 +1,3 @@
+import type { Request } from 'express';
+export declare function ensurePostAcceptHeader(req: Request): void;
+export declare function acceptsEventStream(req: Request): boolean;

package/dist/http/accept-policy.js

@@ -0,0 +1,45 @@
+function getAcceptHeader(req) {
+    const value = req.headers.accept;
+    if (typeof value === 'string')
+        return value;
+    return '';
+}
+function setAcceptHeader(req, value) {
+    req.headers.accept = value;
+    const { rawHeaders } = req;
+    if (!Array.isArray(rawHeaders))
+        return;
+    for (let i = 0; i + 1 < rawHeaders.length; i += 2) {
+        const key = rawHeaders[i];
+        if (typeof key === 'string' && key.toLowerCase() === 'accept') {
+            rawHeaders[i + 1] = value;
+            return;
+        }
+    }
+    rawHeaders.push('Accept', value);
+}
+function hasToken(header, token) {
+    return header
+        .split(',')
+        .map((part) => part.trim().toLowerCase())
+        .some((part) => part === token || part.startsWith(`${token};`));
+}
+export function ensurePostAcceptHeader(req) {
+    const accept = getAcceptHeader(req);
+    // Some clients send */* or omit Accept; the SDK transport is picky.
+    if (!accept || hasToken(accept, '*/*')) {
+        setAcceptHeader(req, 'application/json, text/event-stream');
+        return;
+    }
+    const hasJson = hasToken(accept, 'application/json');
+    const hasSse = hasToken(accept, 'text/event-stream');
+    if (!hasJson || !hasSse) {
+        setAcceptHeader(req, 'application/json, text/event-stream');
+    }
+}
+export function acceptsEventStream(req) {
+    const accept = getAcceptHeader(req);
+    if (!accept)
+        return false;
+    return hasToken(accept, 'text/event-stream');
+}

package/dist/http/async-handler.d.ts

@@ -0,0 +1,2 @@
+import type { NextFunction, Request, Response } from 'express';
+export declare function wrapAsync(fn: (req: Request, res: Response) => void | Promise<void>): (req: Request, res: Response, next: NextFunction) => void;

package/dist/http/async-handler.js

@@ -0,0 +1,5 @@
+export function wrapAsync(fn) {
+    return (req, res, next) => {
+        Promise.resolve(fn(req, res)).catch(next);
+    };
+}

package/dist/http/auth-introspection.d.ts

@@ -0,0 +1,2 @@
+import type { AuthInfo } from '@modelcontextprotocol/sdk/server/auth/types.js';
+export declare function verifyWithIntrospection(token: string): Promise<AuthInfo>;

package/dist/http/auth-introspection.js

@@ -0,0 +1,141 @@
+import { InvalidTokenError, ServerError, } from '@modelcontextprotocol/sdk/server/auth/errors.js';
+import { config } from '../config/index.js';
+import { isRecord } from '../utils/guards.js';
+function stripHash(url) {
+    const copy = new URL(url.href);
+    copy.hash = '';
+    return copy.href;
+}
+function parseScopes(value) {
+    if (typeof value === 'string') {
+        return value
+            .split(' ')
+            .map((scope) => scope.trim())
+            .filter((scope) => scope.length > 0);
+    }
+    if (Array.isArray(value)) {
+        return value.filter((scope) => typeof scope === 'string');
+    }
+    return [];
+}
+function parseResourceUrl(value) {
+    if (typeof value !== 'string')
+        return undefined;
+    if (!URL.canParse(value))
+        return undefined;
+    return new URL(value);
+}
+function parseAudResource(aud) {
+    if (typeof aud === 'string') {
+        return parseResourceUrl(aud);
+    }
+    if (Array.isArray(aud)) {
+        for (const entry of aud) {
+            const parsed = parseResourceUrl(entry);
+            if (parsed)
+                return parsed;
+        }
+    }
+    return undefined;
+}
+function extractResource(data) {
+    const resource = parseResourceUrl(data.resource);
+    if (resource)
+        return resource;
+    return parseAudResource(data.aud);
+}
+function extractScopes(data) {
+    if (data.scope !== undefined) {
+        return parseScopes(data.scope);
+    }
+    if (data.scopes !== undefined) {
+        return parseScopes(data.scopes);
+    }
+    if (data.scp !== undefined) {
+        return parseScopes(data.scp);
+    }
+    return [];
+}
+function readExpiresAt(data) {
+    const expiresAt = typeof data.exp === 'number' ? data.exp : Number.NaN;
+    if (!Number.isFinite(expiresAt)) {
+        throw new InvalidTokenError('Token has no expiration time');
+    }
+    return expiresAt;
+}
+function resolveClientId(data) {
+    if (typeof data.client_id === 'string')
+        return data.client_id;
+    if (typeof data.cid === 'string')
+        return data.cid;
+    if (typeof data.sub === 'string')
+        return data.sub;
+    return 'unknown';
+}
+function ensureResourceMatch(resource) {
+    if (resource && stripHash(resource) !== stripHash(config.auth.resourceUrl)) {
+        throw new InvalidTokenError('Token resource mismatch');
+    }
+    return resource;
+}
+function buildIntrospectionAuthInfo(token, data) {
+    const resource = ensureResourceMatch(extractResource(data));
+    return {
+        token,
+        clientId: resolveClientId(data),
+        scopes: extractScopes(data),
+        expiresAt: readExpiresAt(data),
+        resource: resource ?? config.auth.resourceUrl,
+        extra: data,
+    };
+}
+function buildBasicAuthHeader(clientId, clientSecret) {
+    const secret = clientSecret ?? '';
+    const basic = Buffer.from(`${clientId}:${secret}`, 'utf8').toString('base64');
+    return `Basic ${basic}`;
+}
+function buildIntrospectionRequest(token, resourceUrl, clientId, clientSecret) {
+    const body = new URLSearchParams({
+        token,
+        token_type_hint: 'access_token',
+        resource: stripHash(resourceUrl),
+    }).toString();
+    const headers = {
+        'content-type': 'application/x-www-form-urlencoded',
+    };
+    if (clientId) {
+        headers.authorization = buildBasicAuthHeader(clientId, clientSecret);
+    }
+    return { body, headers };
+}
+async function requestIntrospection(introspectionUrl, request, timeoutMs) {
+    const response = await fetch(introspectionUrl, {
+        method: 'POST',
+        headers: request.headers,
+        body: request.body,
+        signal: AbortSignal.timeout(timeoutMs),
+    });
+    if (!response.ok) {
+        await response.body?.cancel();
+        throw new ServerError(`Token introspection failed: ${response.status}`);
+    }
+    return response.json();
+}
+function parseIntrospectionPayload(payload) {
+    if (!isRecord(payload) || Array.isArray(payload)) {
+        throw new ServerError('Invalid introspection response');
+    }
+    if (payload.active !== true) {
+        throw new InvalidTokenError('Token is inactive');
+    }
+    return payload;
+}
+export async function verifyWithIntrospection(token) {
+    const { auth } = config;
+    if (!auth.introspectionUrl) {
+        throw new ServerError('Token introspection is not configured');
+    }
+    const request = buildIntrospectionRequest(token, auth.resourceUrl, auth.clientId, auth.clientSecret);
+    const payload = await requestIntrospection(auth.introspectionUrl, request, auth.introspectionTimeoutMs);
+    return buildIntrospectionAuthInfo(token, parseIntrospectionPayload(payload));
+}

package/dist/http/auth-static.d.ts

@@ -0,0 +1,2 @@
+import type { AuthInfo } from '@modelcontextprotocol/sdk/server/auth/types.js';
+export declare function verifyStaticToken(token: string): AuthInfo;

package/dist/http/auth-static.js

@@ -0,0 +1,23 @@
+import { InvalidTokenError } from '@modelcontextprotocol/sdk/server/auth/errors.js';
+import { config } from '../config/index.js';
+import { timingSafeEqualUtf8 } from '../utils/crypto.js';
+const STATIC_TOKEN_TTL_SECONDS = 60 * 60 * 24;
+function buildStaticAuthInfo(token) {
+    return {
+        token,
+        clientId: 'static-token',
+        scopes: config.auth.requiredScopes,
+        expiresAt: Math.floor(Date.now() / 1000) + STATIC_TOKEN_TTL_SECONDS,
+        resource: config.auth.resourceUrl,
+    };
+}
+export function verifyStaticToken(token) {
+    if (config.auth.staticTokens.length === 0) {
+        throw new InvalidTokenError('No static tokens configured');
+    }
+    const matched = config.auth.staticTokens.some((candidate) => timingSafeEqualUtf8(candidate, token));
+    if (!matched) {
+        throw new InvalidTokenError('Invalid token');
+    }
+    return buildStaticAuthInfo(token);
+}

package/dist/http/auth.d.ts

@@ -1,2 +1,3 @@
-import type { NextFunction, Request, Response } from 'express';
-export declare function createAuthMiddleware(authToken: string): (req: Request, res: Response, next: NextFunction) => void;
+import type { RequestHandler, Router } from 'express';
+export declare function createAuthMiddleware(): RequestHandler;
+export declare function createAuthMetadataRouter(): Router | null;