@jgardner04/ghost-mcp-server 1.10.0 → 1.12.0

package/src/services/ghostServiceImproved.js

@@ -792,10 +792,7 @@ export async function deleteTag(tagId) {
  * @throws {GhostAPIError} If the API request fails
  */
 export async function createMember(memberData, options = {}) {
-  // Import and validate input
-  const { validateMemberData } = await import('./memberService.js');
-  validateMemberData(memberData);
-
+  // Input validation is performed at the MCP tool layer using Zod schemas
   try {
     return await handleApiRequest('members', 'add', memberData, options);
   } catch (error) {
@@ -825,14 +822,11 @@ export async function createMember(memberData, options = {}) {
  * @throws {GhostAPIError} If the API request fails
  */
 export async function updateMember(memberId, updateData, options = {}) {
+  // Input validation is performed at the MCP tool layer using Zod schemas
   if (!memberId) {
     throw new ValidationError('Member ID is required for update');
   }
 
-  // Import and validate update data
-  const { validateMemberUpdateData } = await import('./memberService.js');
-  validateMemberUpdateData(updateData);
-
   try {
     // Get existing member to retrieve updated_at for conflict resolution
     const existingMember = await handleApiRequest('members', 'read', { id: memberId });
@@ -889,10 +883,7 @@ export async function deleteMember(memberId) {
  * @throws {GhostAPIError} If the API request fails
  */
 export async function getMembers(options = {}) {
-  // Import and validate query options
-  const { validateMemberQueryOptions } = await import('./memberService.js');
-  validateMemberQueryOptions(options);
-
+  // Input validation is performed at the MCP tool layer using Zod schemas
   const defaultOptions = {
     limit: 15,
     ...options,
@@ -918,12 +909,12 @@ export async function getMembers(options = {}) {
  * @throws {GhostAPIError} If the API request fails
  */
 export async function getMember(params) {
-  // Import and validate lookup parameters
-  const { validateMemberLookup, sanitizeNqlValue } = await import('./memberService.js');
-  const { lookupType, id, email } = validateMemberLookup(params);
+  // Input validation is performed at the MCP tool layer using Zod schemas
+  const { sanitizeNqlValue } = await import('./memberService.js');
+  const { id, email } = params;
 
   try {
-    if (lookupType === 'id') {
+    if (id) {
       // Lookup by ID using read endpoint
       return await handleApiRequest('members', 'read', { id }, { id });
     } else {
@@ -960,11 +951,9 @@ export async function getMember(params) {
  * @throws {GhostAPIError} If the API request fails
  */
 export async function searchMembers(query, options = {}) {
-  // Import and validate search query and options
-  const { validateSearchQuery, validateSearchOptions, sanitizeNqlValue } =
-    await import('./memberService.js');
-  validateSearchOptions(options);
-  const sanitizedQuery = sanitizeNqlValue(validateSearchQuery(query));
+  // Input validation is performed at the MCP tool layer using Zod schemas
+  const { sanitizeNqlValue } = await import('./memberService.js');
+  const sanitizedQuery = sanitizeNqlValue(query.trim());
 
   const limit = options.limit || 15;
 
@@ -1078,6 +1067,131 @@ export async function deleteNewsletter(newsletterId) {
   }
 }
 
+/**
+ * Create a new tier (membership level)
+ * @param {Object} tierData - Tier data
+ * @param {Object} [options={}] - Options for the API request
+ * @returns {Promise<Object>} Created tier
+ */
+export async function createTier(tierData, options = {}) {
+  const { validateTierData } = await import('./tierService.js');
+  validateTierData(tierData);
+
+  try {
+    return await handleApiRequest('tiers', 'add', tierData, options);
+  } catch (error) {
+    if (error instanceof GhostAPIError && error.ghostStatusCode === 422) {
+      throw new ValidationError('Tier creation failed due to validation errors', [
+        { field: 'tier', message: error.originalError },
+      ]);
+    }
+    throw error;
+  }
+}
+
+/**
+ * Update an existing tier
+ * @param {string} id - Tier ID
+ * @param {Object} updateData - Tier update data
+ * @param {Object} [options={}] - Options for the API request
+ * @returns {Promise<Object>} Updated tier
+ */
+export async function updateTier(id, updateData, options = {}) {
+  if (!id || typeof id !== 'string' || id.trim().length === 0) {
+    throw new ValidationError('Tier ID is required for update');
+  }
+
+  const { validateTierUpdateData } = await import('./tierService.js');
+  validateTierUpdateData(updateData);
+
+  try {
+    // Get existing tier for merge
+    const existingTier = await handleApiRequest('tiers', 'read', { id }, { id });
+
+    // Merge updates with existing data
+    const mergedData = {
+      ...existingTier,
+      ...updateData,
+      updated_at: existingTier.updated_at,
+    };
+
+    return await handleApiRequest('tiers', 'edit', mergedData, { id, ...options });
+  } catch (error) {
+    if (error instanceof GhostAPIError && error.ghostStatusCode === 404) {
+      throw new NotFoundError('Tier', id);
+    }
+    throw error;
+  }
+}
+
+/**
+ * Delete a tier
+ * @param {string} id - Tier ID
+ * @returns {Promise<Object>} Deletion result
+ */
+export async function deleteTier(id) {
+  if (!id || typeof id !== 'string' || id.trim().length === 0) {
+    throw new ValidationError('Tier ID is required for deletion');
+  }
+
+  try {
+    return await handleApiRequest('tiers', 'delete', { id });
+  } catch (error) {
+    if (error instanceof GhostAPIError && error.ghostStatusCode === 404) {
+      throw new NotFoundError('Tier', id);
+    }
+    throw error;
+  }
+}
+
+/**
+ * Get all tiers with optional filtering
+ * @param {Object} [options={}] - Query options
+ * @param {number} [options.limit] - Number of tiers to return (1-100, default 15)
+ * @param {number} [options.page] - Page number
+ * @param {string} [options.filter] - NQL filter string (e.g., "type:paid", "type:free")
+ * @param {string} [options.order] - Order string
+ * @param {string} [options.include] - Include string
+ * @returns {Promise<Array>} Array of tiers
+ */
+export async function getTiers(options = {}) {
+  const { validateTierQueryOptions } = await import('./tierService.js');
+  validateTierQueryOptions(options);
+
+  const defaultOptions = {
+    limit: 15,
+    ...options,
+  };
+
+  try {
+    const tiers = await handleApiRequest('tiers', 'browse', {}, defaultOptions);
+    return tiers || [];
+  } catch (error) {
+    console.error('Failed to get tiers:', error);
+    throw error;
+  }
+}
+
+/**
+ * Get a single tier by ID
+ * @param {string} id - Tier ID
+ * @returns {Promise<Object>} Tier object
+ */
+export async function getTier(id) {
+  if (!id || typeof id !== 'string' || id.trim().length === 0) {
+    throw new ValidationError('Tier ID is required and must be a non-empty string');
+  }
+
+  try {
+    return await handleApiRequest('tiers', 'read', { id }, { id });
+  } catch (error) {
+    if (error instanceof GhostAPIError && error.ghostStatusCode === 404) {
+      throw new NotFoundError('Tier', id);
+    }
+    throw error;
+  }
+}
+
 /**
  * Health check for Ghost API connection
  */
@@ -1140,5 +1254,10 @@ export default {
   createNewsletter,
   updateNewsletter,
   deleteNewsletter,
+  createTier,
+  updateTier,
+  deleteTier,
+  getTiers,
+  getTier,
   checkHealth,
 };

package/src/services/postService.js

@@ -1,12 +1,10 @@
 import sanitizeHtml from 'sanitize-html';
-import Joi from 'joi';
 import { createContextLogger } from '../utils/logger.js';
 import {
   createPost as createGhostPost,
   getTags as getGhostTags,
   createTag as createGhostTag,
-  // Import other necessary functions from ghostService later
-} from './ghostService.js'; // Note the relative path
+} from './ghostService.js';
 
 /**
  * Helper to generate a simple meta description from HTML content.
@@ -37,37 +35,13 @@ const generateSimpleMetaDescription = (htmlContent, maxLength = 500) => {
 /**
  * Service layer function to handle the business logic of creating a post.
  * Transforms input data, handles/resolves tags, includes feature image and metadata.
- * @param {object} postInput - Data received from the controller.
+ * Input validation is handled at the MCP layer using Zod schemas.
+ * @param {object} postInput - Validated data received from the MCP tool.
  * @returns {Promise<object>} The created post object from the Ghost API.
  */
-// Validation schema for post input
-const postInputSchema = Joi.object({
-  title: Joi.string().max(255).required(),
-  html: Joi.string().required(),
-  custom_excerpt: Joi.string().max(500).optional(),
-  status: Joi.string().valid('draft', 'published', 'scheduled').optional(),
-  published_at: Joi.string().isoDate().optional(),
-  tags: Joi.array().items(Joi.string().max(50)).max(10).optional(),
-  feature_image: Joi.string().uri().optional(),
-  feature_image_alt: Joi.string().max(255).optional(),
-  feature_image_caption: Joi.string().max(500).optional(),
-  meta_title: Joi.string().max(70).optional(),
-  meta_description: Joi.string().max(160).optional(),
-});
-
 const createPostService = async (postInput) => {
   const logger = createContextLogger('post-service');
 
-  // Validate input to prevent format string vulnerabilities
-  const { error, value: validatedInput } = postInputSchema.validate(postInput);
-  if (error) {
-    logger.error('Post input validation failed', {
-      error: error.details[0].message,
-      inputKeys: Object.keys(postInput),
-    });
-    throw new Error(`Invalid post input: ${error.details[0].message}`);
-  }
-
   const {
     title,
     html,
@@ -80,7 +54,7 @@ const createPostService = async (postInput) => {
     feature_image_caption,
     meta_title,
     meta_description,
-  } = validatedInput;
+  } = postInput;
 
   // --- Resolve Tag Names to Tag Objects (ID/Slug/Name) ---
   let resolvedTags = [];

package/src/services/tierService.js

@@ -0,0 +1,304 @@
+import { ValidationError } from '../errors/index.js';
+
+/**
+ * Maximum length constants (following Ghost's database constraints)
+ */
+const MAX_NAME_LENGTH = 191; // Ghost's typical varchar limit
+const MAX_DESCRIPTION_LENGTH = 2000; // Reasonable limit for descriptions
+
+/**
+ * Query constraints for tier browsing
+ */
+const MIN_LIMIT = 1;
+const MAX_LIMIT = 100;
+const MIN_PAGE = 1;
+
+/**
+ * Currency code validation regex (3-letter uppercase)
+ */
+const CURRENCY_REGEX = /^[A-Z]{3}$/;
+
+/**
+ * URL validation regex (simple HTTP/HTTPS validation)
+ */
+const URL_REGEX = /^https?:\/\/.+/i;
+
+/**
+ * Validates tier data for creation
+ * @param {Object} tierData - The tier data to validate
+ * @throws {ValidationError} If validation fails
+ */
+export function validateTierData(tierData) {
+  const errors = [];
+
+  // Name is required and must be a non-empty string
+  if (!tierData.name || typeof tierData.name !== 'string' || tierData.name.trim().length === 0) {
+    errors.push({ field: 'name', message: 'Name is required and must be a non-empty string' });
+  } else if (tierData.name.length > MAX_NAME_LENGTH) {
+    errors.push({ field: 'name', message: `Name must not exceed ${MAX_NAME_LENGTH} characters` });
+  }
+
+  // Currency is required and must be a 3-letter uppercase code
+  if (!tierData.currency || typeof tierData.currency !== 'string') {
+    errors.push({ field: 'currency', message: 'Currency is required' });
+  } else if (!CURRENCY_REGEX.test(tierData.currency)) {
+    errors.push({
+      field: 'currency',
+      message: 'Currency must be a 3-letter uppercase code (e.g., USD, EUR)',
+    });
+  }
+
+  // Description is optional but must be a string with valid length if provided
+  if (tierData.description !== undefined) {
+    if (typeof tierData.description !== 'string') {
+      errors.push({ field: 'description', message: 'Description must be a string' });
+    } else if (tierData.description.length > MAX_DESCRIPTION_LENGTH) {
+      errors.push({
+        field: 'description',
+        message: `Description must not exceed ${MAX_DESCRIPTION_LENGTH} characters`,
+      });
+    }
+  }
+
+  // Monthly price is optional but must be a non-negative number if provided
+  if (tierData.monthly_price !== undefined) {
+    if (typeof tierData.monthly_price !== 'number' || tierData.monthly_price < 0) {
+      errors.push({
+        field: 'monthly_price',
+        message: 'Monthly price must be a non-negative number',
+      });
+    }
+  }
+
+  // Yearly price is optional but must be a non-negative number if provided
+  if (tierData.yearly_price !== undefined) {
+    if (typeof tierData.yearly_price !== 'number' || tierData.yearly_price < 0) {
+      errors.push({
+        field: 'yearly_price',
+        message: 'Yearly price must be a non-negative number',
+      });
+    }
+  }
+
+  // Benefits is optional but must be an array of non-empty strings if provided
+  if (tierData.benefits !== undefined) {
+    if (!Array.isArray(tierData.benefits)) {
+      errors.push({ field: 'benefits', message: 'Benefits must be an array' });
+    } else {
+      // Validate each benefit is a non-empty string
+      const invalidBenefits = tierData.benefits.filter(
+        (benefit) => typeof benefit !== 'string' || benefit.trim().length === 0
+      );
+      if (invalidBenefits.length > 0) {
+        errors.push({
+          field: 'benefits',
+          message: 'Each benefit must be a non-empty string',
+        });
+      }
+    }
+  }
+
+  // Welcome page URL is optional but must be a valid HTTP/HTTPS URL if provided
+  if (tierData.welcome_page_url !== undefined) {
+    if (
+      typeof tierData.welcome_page_url !== 'string' ||
+      !URL_REGEX.test(tierData.welcome_page_url)
+    ) {
+      errors.push({
+        field: 'welcome_page_url',
+        message: 'Welcome page URL must be a valid URL',
+      });
+    }
+  }
+
+  if (errors.length > 0) {
+    throw new ValidationError('Tier validation failed', errors);
+  }
+}
+
+/**
+ * Validates tier data for update
+ * All fields are optional for updates, but if provided they must be valid
+ * @param {Object} updateData - The tier update data to validate
+ * @throws {ValidationError} If validation fails
+ */
+export function validateTierUpdateData(updateData) {
+  const errors = [];
+
+  // Name is optional for update but must be a non-empty string with valid length if provided
+  if (updateData.name !== undefined) {
+    if (typeof updateData.name !== 'string' || updateData.name.trim().length === 0) {
+      errors.push({ field: 'name', message: 'Name must be a non-empty string' });
+    } else if (updateData.name.length > MAX_NAME_LENGTH) {
+      errors.push({ field: 'name', message: `Name must not exceed ${MAX_NAME_LENGTH} characters` });
+    }
+  }
+
+  // Currency is optional for update but must be a 3-letter uppercase code if provided
+  if (updateData.currency !== undefined) {
+    if (typeof updateData.currency !== 'string' || !CURRENCY_REGEX.test(updateData.currency)) {
+      errors.push({
+        field: 'currency',
+        message: 'Currency must be a 3-letter uppercase code (e.g., USD, EUR)',
+      });
+    }
+  }
+
+  // Description is optional but must be a string with valid length if provided
+  if (updateData.description !== undefined) {
+    if (typeof updateData.description !== 'string') {
+      errors.push({ field: 'description', message: 'Description must be a string' });
+    } else if (updateData.description.length > MAX_DESCRIPTION_LENGTH) {
+      errors.push({
+        field: 'description',
+        message: `Description must not exceed ${MAX_DESCRIPTION_LENGTH} characters`,
+      });
+    }
+  }
+
+  // Monthly price is optional but must be a non-negative number if provided
+  if (updateData.monthly_price !== undefined) {
+    if (typeof updateData.monthly_price !== 'number' || updateData.monthly_price < 0) {
+      errors.push({
+        field: 'monthly_price',
+        message: 'Monthly price must be a non-negative number',
+      });
+    }
+  }
+
+  // Yearly price is optional but must be a non-negative number if provided
+  if (updateData.yearly_price !== undefined) {
+    if (typeof updateData.yearly_price !== 'number' || updateData.yearly_price < 0) {
+      errors.push({
+        field: 'yearly_price',
+        message: 'Yearly price must be a non-negative number',
+      });
+    }
+  }
+
+  // Benefits is optional but must be an array of non-empty strings if provided
+  if (updateData.benefits !== undefined) {
+    if (!Array.isArray(updateData.benefits)) {
+      errors.push({ field: 'benefits', message: 'Benefits must be an array' });
+    } else {
+      // Validate each benefit is a non-empty string
+      const invalidBenefits = updateData.benefits.filter(
+        (benefit) => typeof benefit !== 'string' || benefit.trim().length === 0
+      );
+      if (invalidBenefits.length > 0) {
+        errors.push({
+          field: 'benefits',
+          message: 'Each benefit must be a non-empty string',
+        });
+      }
+    }
+  }
+
+  // Welcome page URL is optional but must be a valid HTTP/HTTPS URL if provided
+  if (updateData.welcome_page_url !== undefined) {
+    if (
+      typeof updateData.welcome_page_url !== 'string' ||
+      !URL_REGEX.test(updateData.welcome_page_url)
+    ) {
+      errors.push({
+        field: 'welcome_page_url',
+        message: 'Welcome page URL must be a valid URL',
+      });
+    }
+  }
+
+  if (errors.length > 0) {
+    throw new ValidationError('Tier validation failed', errors);
+  }
+}
+
+/**
+ * Validates query options for tier browsing
+ * @param {Object} options - The query options to validate
+ * @param {number} [options.limit] - Number of tiers to return (1-100)
+ * @param {number} [options.page] - Page number (1+)
+ * @param {string} [options.filter] - NQL filter string
+ * @param {string} [options.order] - Order string (e.g., 'created_at desc')
+ * @param {string} [options.include] - Include string (e.g., 'monthly_price,yearly_price')
+ * @throws {ValidationError} If validation fails
+ */
+export function validateTierQueryOptions(options) {
+  const errors = [];
+
+  // Validate limit
+  if (options.limit !== undefined) {
+    if (
+      typeof options.limit !== 'number' ||
+      options.limit < MIN_LIMIT ||
+      options.limit > MAX_LIMIT
+    ) {
+      errors.push({
+        field: 'limit',
+        message: `Limit must be a number between ${MIN_LIMIT} and ${MAX_LIMIT}`,
+      });
+    }
+  }
+
+  // Validate page
+  if (options.page !== undefined) {
+    if (typeof options.page !== 'number' || options.page < MIN_PAGE) {
+      errors.push({
+        field: 'page',
+        message: `Page must be a number >= ${MIN_PAGE}`,
+      });
+    }
+  }
+
+  // Validate filter (must be non-empty string if provided)
+  if (options.filter !== undefined) {
+    if (typeof options.filter !== 'string' || options.filter.trim().length === 0) {
+      errors.push({
+        field: 'filter',
+        message: 'Filter must be a non-empty string',
+      });
+    }
+  }
+
+  // Validate order (must be non-empty string if provided)
+  if (options.order !== undefined) {
+    if (typeof options.order !== 'string' || options.order.trim().length === 0) {
+      errors.push({
+        field: 'order',
+        message: 'Order must be a non-empty string',
+      });
+    }
+  }
+
+  // Validate include (must be non-empty string if provided)
+  if (options.include !== undefined) {
+    if (typeof options.include !== 'string' || options.include.trim().length === 0) {
+      errors.push({
+        field: 'include',
+        message: 'Include must be a non-empty string',
+      });
+    }
+  }
+
+  if (errors.length > 0) {
+    throw new ValidationError('Tier query validation failed', errors);
+  }
+}
+
+/**
+ * Sanitizes a value for use in NQL filters to prevent injection
+ * Escapes backslashes, single quotes, and double quotes
+ * @param {string} value - The value to sanitize
+ * @returns {string} The sanitized value
+ */
+export function sanitizeNqlValue(value) {
+  if (!value) return value;
+  // Escape backslashes first, then quotes
+  return value.replace(/\\/g, '\\\\').replace(/'/g, "\\'").replace(/"/g, '\\"');
+}
+
+export default {
+  validateTierData,
+  validateTierUpdateData,
+  validateTierQueryOptions,
+  sanitizeNqlValue,
+};