@jgardner04/ghost-mcp-server 1.12.5 → 1.13.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jgardner04/ghost-mcp-server",
-  "version": "1.12.5",
+  "version": "1.13.1",
   "description": "A Model Context Protocol (MCP) server for interacting with Ghost CMS via the Admin API",
   "author": "Jonathan Gardner",
   "type": "module",
@@ -19,7 +19,7 @@
     "LICENSE"
   ],
   "engines": {
-    "node": ">=18.0.0"
+    "node": ">=24.0.0"
   },
   "repository": {
     "type": "git",
@@ -51,7 +51,7 @@
   },
   "dependencies": {
     "@anthropic-ai/sdk": "^0.39.0",
-    "@modelcontextprotocol/sdk": "^1.24.0",
+    "@modelcontextprotocol/sdk": "^1.25.2",
     "@tryghost/admin-api": "^1.13.12",
     "axios": "^1.12.1",
     "boxen": "^7.1.1",

package/src/__tests__/mcp_server.test.js

@@ -14,6 +14,16 @@ vi.mock('@modelcontextprotocol/sdk/server/mcp.js', () => {
         mockTools.set(name, { name, description, schema, handler });
       }
 
+      registerTool(name, options, handler) {
+        // Store in the same format for backward compatibility with tests
+        mockTools.set(name, {
+          name,
+          description: options.description,
+          schema: options.inputSchema,
+          handler,
+        });
+      }
+
       connect(_transport) {
         return Promise.resolve();
       }
@@ -208,6 +218,8 @@ describe('mcp_server - ghost_get_posts tool', () => {
     expect(tool.schema.shape.include).toBeDefined();
     expect(tool.schema.shape.filter).toBeDefined();
     expect(tool.schema.shape.order).toBeDefined();
+    expect(tool.schema.shape.fields).toBeDefined();
+    expect(tool.schema.shape.formats).toBeDefined();
   });
 
   it('should retrieve posts with default options', async () => {
@@ -320,6 +332,36 @@ describe('mcp_server - ghost_get_posts tool', () => {
     expect(mockGetPosts).toHaveBeenCalledWith({ order: 'published_at DESC' });
   });
 
+  it('should pass fields parameter', async () => {
+    const mockPosts = [{ id: '1', title: 'Test Post', slug: 'test-post' }];
+    mockGetPosts.mockResolvedValue(mockPosts);
+
+    const tool = mockTools.get('ghost_get_posts');
+    await tool.handler({ fields: 'id,title,slug' });
+
+    expect(mockGetPosts).toHaveBeenCalledWith({ fields: 'id,title,slug' });
+  });
+
+  it('should pass formats parameter', async () => {
+    const mockPosts = [{ id: '1', title: 'Test Post', html: '<p>Content</p>' }];
+    mockGetPosts.mockResolvedValue(mockPosts);
+
+    const tool = mockTools.get('ghost_get_posts');
+    await tool.handler({ formats: 'html,plaintext' });
+
+    expect(mockGetPosts).toHaveBeenCalledWith({ formats: 'html,plaintext' });
+  });
+
+  it('should pass both fields and formats parameters', async () => {
+    const mockPosts = [{ id: '1', title: 'Test Post' }];
+    mockGetPosts.mockResolvedValue(mockPosts);
+
+    const tool = mockTools.get('ghost_get_posts');
+    await tool.handler({ fields: 'id,title', formats: 'html' });
+
+    expect(mockGetPosts).toHaveBeenCalledWith({ fields: 'id,title', formats: 'html' });
+  });
+
   it('should pass all parameters combined', async () => {
     const mockPosts = [{ id: '1', title: 'Test Post' }];
     mockGetPosts.mockResolvedValue(mockPosts);
@@ -332,6 +374,8 @@ describe('mcp_server - ghost_get_posts tool', () => {
       include: 'tags,authors',
       filter: 'featured:true',
       order: 'published_at DESC',
+      fields: 'id,title,slug',
+      formats: 'html,plaintext',
     });
 
     expect(mockGetPosts).toHaveBeenCalledWith({
@@ -341,6 +385,8 @@ describe('mcp_server - ghost_get_posts tool', () => {
       include: 'tags,authors',
       filter: 'featured:true',
       order: 'published_at DESC',
+      fields: 'id,title,slug',
+      formats: 'html,plaintext',
     });
   });
 
@@ -376,6 +422,218 @@ describe('mcp_server - ghost_get_posts tool', () => {
   });
 });
 
+describe('mcp_server - ghost_get_tags tool', () => {
+  beforeEach(async () => {
+    vi.clearAllMocks();
+    // Don't clear mockTools - they're registered once on module load
+    if (mockTools.size === 0) {
+      await import('../mcp_server.js');
+    }
+  });
+
+  it('should register ghost_get_tags tool', () => {
+    expect(mockTools.has('ghost_get_tags')).toBe(true);
+  });
+
+  it('should have correct schema with all optional parameters', () => {
+    const tool = mockTools.get('ghost_get_tags');
+    expect(tool).toBeDefined();
+    expect(tool.description).toContain('tags');
+    expect(tool.schema).toBeDefined();
+    // Zod schemas store field definitions in schema.shape
+    expect(tool.schema.shape.limit).toBeDefined();
+    expect(tool.schema.shape.page).toBeDefined();
+    expect(tool.schema.shape.order).toBeDefined();
+    expect(tool.schema.shape.include).toBeDefined();
+    expect(tool.schema.shape.name).toBeDefined();
+    expect(tool.schema.shape.slug).toBeDefined();
+    expect(tool.schema.shape.visibility).toBeDefined();
+    expect(tool.schema.shape.filter).toBeDefined();
+  });
+
+  it('should retrieve tags with default options', async () => {
+    const mockTags = [
+      { id: '1', name: 'Tag 1', slug: 'tag-1' },
+      { id: '2', name: 'Tag 2', slug: 'tag-2' },
+    ];
+    mockGetTags.mockResolvedValue(mockTags);
+
+    const tool = mockTools.get('ghost_get_tags');
+    const result = await tool.handler({});
+
+    expect(mockGetTags).toHaveBeenCalledWith({});
+    expect(result.content[0].text).toContain('Tag 1');
+    expect(result.content[0].text).toContain('Tag 2');
+  });
+
+  it('should pass limit and page parameters', async () => {
+    const mockTags = [{ id: '1', name: 'Tag 1', slug: 'tag-1' }];
+    mockGetTags.mockResolvedValue(mockTags);
+
+    const tool = mockTools.get('ghost_get_tags');
+    await tool.handler({ limit: 10, page: 2 });
+
+    expect(mockGetTags).toHaveBeenCalledWith({
+      limit: 10,
+      page: 2,
+    });
+  });
+
+  it('should pass order parameter', async () => {
+    const mockTags = [{ id: '1', name: 'Tag 1', slug: 'tag-1' }];
+    mockGetTags.mockResolvedValue(mockTags);
+
+    const tool = mockTools.get('ghost_get_tags');
+    await tool.handler({ order: 'name ASC' });
+
+    expect(mockGetTags).toHaveBeenCalledWith({
+      order: 'name ASC',
+    });
+  });
+
+  it('should pass include parameter', async () => {
+    const mockTags = [{ id: '1', name: 'Tag 1', slug: 'tag-1' }];
+    mockGetTags.mockResolvedValue(mockTags);
+
+    const tool = mockTools.get('ghost_get_tags');
+    await tool.handler({ include: 'count.posts' });
+
+    expect(mockGetTags).toHaveBeenCalledWith({
+      include: 'count.posts',
+    });
+  });
+
+  it('should filter by name parameter', async () => {
+    const mockTags = [{ id: '1', name: 'Test Tag', slug: 'test-tag' }];
+    mockGetTags.mockResolvedValue(mockTags);
+
+    const tool = mockTools.get('ghost_get_tags');
+    await tool.handler({ name: 'Test Tag' });
+
+    expect(mockGetTags).toHaveBeenCalledWith({
+      filter: "name:'Test Tag'",
+    });
+  });
+
+  it('should filter by slug parameter', async () => {
+    const mockTags = [{ id: '1', name: 'Test Tag', slug: 'test-tag' }];
+    mockGetTags.mockResolvedValue(mockTags);
+
+    const tool = mockTools.get('ghost_get_tags');
+    await tool.handler({ slug: 'test-tag' });
+
+    expect(mockGetTags).toHaveBeenCalledWith({
+      filter: "slug:'test-tag'",
+    });
+  });
+
+  it('should filter by visibility parameter', async () => {
+    const mockTags = [{ id: '1', name: 'Test Tag', slug: 'test-tag' }];
+    mockGetTags.mockResolvedValue(mockTags);
+
+    const tool = mockTools.get('ghost_get_tags');
+    await tool.handler({ visibility: 'public' });
+
+    expect(mockGetTags).toHaveBeenCalledWith({
+      filter: "visibility:'public'",
+    });
+  });
+
+  it('should escape single quotes in name parameter', async () => {
+    const mockTags = [{ id: '1', name: "O'Reilly", slug: 'oreilly' }];
+    mockGetTags.mockResolvedValue(mockTags);
+
+    const tool = mockTools.get('ghost_get_tags');
+    await tool.handler({ name: "O'Reilly" });
+
+    expect(mockGetTags).toHaveBeenCalledWith({
+      filter: "name:'O''Reilly'",
+    });
+  });
+
+  it('should escape single quotes in slug parameter', async () => {
+    const mockTags = [{ id: '1', name: 'Test', slug: "test'slug" }];
+    mockGetTags.mockResolvedValue(mockTags);
+
+    const tool = mockTools.get('ghost_get_tags');
+    await tool.handler({ slug: "test'slug" });
+
+    expect(mockGetTags).toHaveBeenCalledWith({
+      filter: "slug:'test''slug'",
+    });
+  });
+
+  it('should combine multiple filter parameters', async () => {
+    const mockTags = [{ id: '1', name: 'News', slug: 'news' }];
+    mockGetTags.mockResolvedValue(mockTags);
+
+    const tool = mockTools.get('ghost_get_tags');
+    await tool.handler({ name: 'News', visibility: 'public' });
+
+    expect(mockGetTags).toHaveBeenCalledWith({
+      filter: "name:'News'+visibility:'public'",
+    });
+  });
+
+  it('should combine individual filters with custom filter parameter', async () => {
+    const mockTags = [{ id: '1', name: 'News', slug: 'news' }];
+    mockGetTags.mockResolvedValue(mockTags);
+
+    const tool = mockTools.get('ghost_get_tags');
+    await tool.handler({ name: 'News', filter: 'featured:true' });
+
+    expect(mockGetTags).toHaveBeenCalledWith({
+      filter: "name:'News'+featured:true",
+    });
+  });
+
+  it('should pass all parameters combined', async () => {
+    const mockTags = [{ id: '1', name: 'News', slug: 'news' }];
+    mockGetTags.mockResolvedValue(mockTags);
+
+    const tool = mockTools.get('ghost_get_tags');
+    await tool.handler({
+      limit: 20,
+      page: 1,
+      order: 'name ASC',
+      include: 'count.posts',
+      name: 'News',
+      visibility: 'public',
+    });
+
+    expect(mockGetTags).toHaveBeenCalledWith({
+      limit: 20,
+      page: 1,
+      order: 'name ASC',
+      include: 'count.posts',
+      filter: "name:'News'+visibility:'public'",
+    });
+  });
+
+  it('should handle service errors', async () => {
+    mockGetTags.mockRejectedValue(new Error('Service error'));
+
+    const tool = mockTools.get('ghost_get_tags');
+    const result = await tool.handler({});
+
+    expect(result.isError).toBe(true);
+    expect(result.content[0].text).toContain('Service error');
+  });
+
+  it('should return formatted JSON response', async () => {
+    const mockTags = [{ id: '1', name: 'Test Tag', slug: 'test-tag' }];
+    mockGetTags.mockResolvedValue(mockTags);
+
+    const tool = mockTools.get('ghost_get_tags');
+    const result = await tool.handler({});
+
+    expect(result.content).toBeDefined();
+    expect(result.content[0].type).toBe('text');
+    expect(result.content[0].text).toContain('"id": "1"');
+    expect(result.content[0].text).toContain('"name": "Test Tag"');
+  });
+});
+
 describe('mcp_server - ghost_get_post tool', () => {
   beforeEach(async () => {
     vi.clearAllMocks();

package/src/__tests__/mcp_server_pages.test.js

@@ -14,6 +14,16 @@ vi.mock('@modelcontextprotocol/sdk/server/mcp.js', () => {
         mockTools.set(name, { name, description, schema, handler });
       }
 
+      registerTool(name, options, handler) {
+        // Store in the same format for backward compatibility with tests
+        mockTools.set(name, {
+          name,
+          description: options.description,
+          schema: options.inputSchema,
+          handler,
+        });
+      }
+
       connect(_transport) {
         return Promise.resolve();
       }
@@ -104,12 +114,17 @@ vi.mock('axios', () => ({
 // Mock fs
 const mockUnlink = vi.fn((path, cb) => cb(null));
 const mockCreateWriteStream = vi.fn();
-vi.mock('fs', () => ({
-  default: {
-    unlink: (...args) => mockUnlink(...args),
-    createWriteStream: (...args) => mockCreateWriteStream(...args),
-  },
-}));
+vi.mock('fs', async (importOriginal) => {
+  const actual = await importOriginal();
+  return {
+    ...actual,
+    default: {
+      ...actual.default,
+      unlink: (...args) => mockUnlink(...args),
+      createWriteStream: (...args) => mockCreateWriteStream(...args),
+    },
+  };
+});
 
 // Mock os
 vi.mock('os', () => ({

package/src/controllers/__tests__/tagController.test.js

@@ -44,7 +44,7 @@ describe('tagController', () => {
 
       await getTags(req, res, next);
 
-      expect(ghostService.getTags).toHaveBeenCalledWith(undefined);
+      expect(ghostService.getTags).toHaveBeenCalledWith({});
       expect(res.status).toHaveBeenCalledWith(200);
       expect(res.json).toHaveBeenCalledWith(mockTags);
       expect(next).not.toHaveBeenCalled();
@@ -60,7 +60,7 @@ describe('tagController', () => {
 
       await getTags(req, res, next);
 
-      expect(ghostService.getTags).toHaveBeenCalledWith('Technology');
+      expect(ghostService.getTags).toHaveBeenCalledWith({ filter: "name:'Technology'" });
       expect(res.status).toHaveBeenCalledWith(200);
       expect(res.json).toHaveBeenCalledWith(mockTags);
       expect(next).not.toHaveBeenCalled();
@@ -76,11 +76,126 @@ describe('tagController', () => {
 
       await getTags(req, res, next);
 
-      expect(ghostService.getTags).toHaveBeenCalledWith(undefined);
+      expect(ghostService.getTags).toHaveBeenCalledWith({});
       expect(res.status).not.toHaveBeenCalled();
       expect(res.json).not.toHaveBeenCalled();
       expect(next).toHaveBeenCalledWith(mockError);
     });
+
+    it('should return 400 when name contains invalid characters', async () => {
+      const req = createMockRequest({ query: { name: "'; DROP TABLE tags; --" } });
+      const res = createMockResponse();
+      const next = createMockNext();
+
+      await getTags(req, res, next);
+
+      expect(ghostService.getTags).not.toHaveBeenCalled();
+      expect(res.status).toHaveBeenCalledWith(400);
+      expect(res.json).toHaveBeenCalledWith(
+        expect.objectContaining({
+          message: 'Invalid query parameters',
+          errors: expect.arrayContaining([
+            expect.objectContaining({
+              path: 'name',
+              message: expect.stringContaining('invalid characters'),
+            }),
+          ]),
+        })
+      );
+      expect(next).not.toHaveBeenCalled();
+    });
+
+    it('should pass through additional query parameters', async () => {
+      const mockTags = [{ id: '1', name: 'Tech', slug: 'tech' }];
+      ghostService.getTags.mockResolvedValue(mockTags);
+
+      const req = createMockRequest({
+        query: {
+          limit: '10',
+          order: 'name asc',
+          include: 'count.posts',
+        },
+      });
+      const res = createMockResponse();
+      const next = createMockNext();
+
+      await getTags(req, res, next);
+
+      expect(ghostService.getTags).toHaveBeenCalledWith({
+        limit: 10,
+        order: 'name asc',
+        include: 'count.posts',
+      });
+      expect(res.status).toHaveBeenCalledWith(200);
+    });
+
+    it('should return 400 when both name and filter parameters are provided', async () => {
+      const req = createMockRequest({
+        query: {
+          name: 'Technology',
+          filter: 'slug:tech',
+        },
+      });
+      const res = createMockResponse();
+      const next = createMockNext();
+
+      await getTags(req, res, next);
+
+      expect(ghostService.getTags).not.toHaveBeenCalled();
+      expect(res.status).toHaveBeenCalledWith(400);
+      expect(res.json).toHaveBeenCalledWith(
+        expect.objectContaining({
+          message: 'Invalid query parameters',
+          errors: expect.arrayContaining([
+            expect.objectContaining({
+              path: 'filter',
+              message: expect.stringContaining('Cannot specify both'),
+            }),
+          ]),
+        })
+      );
+      expect(next).not.toHaveBeenCalled();
+    });
+
+    it('should return 400 for NQL injection attempts in name', async () => {
+      const req = createMockRequest({ query: { name: 'test]+[slug:other' } });
+      const res = createMockResponse();
+      const next = createMockNext();
+
+      await getTags(req, res, next);
+
+      expect(ghostService.getTags).not.toHaveBeenCalled();
+      expect(res.status).toHaveBeenCalledWith(400);
+      expect(res.json).toHaveBeenCalledWith(
+        expect.objectContaining({
+          message: 'Invalid query parameters',
+          errors: expect.arrayContaining([
+            expect.objectContaining({
+              path: 'name',
+              message: expect.stringContaining('invalid characters'),
+            }),
+          ]),
+        })
+      );
+      expect(next).not.toHaveBeenCalled();
+    });
+
+    it('should return 400 for NQL operator injection in name', async () => {
+      const req = createMockRequest({ query: { name: 'name+slug:test' } });
+      const res = createMockResponse();
+      const next = createMockNext();
+
+      await getTags(req, res, next);
+
+      expect(ghostService.getTags).not.toHaveBeenCalled();
+      expect(res.status).toHaveBeenCalledWith(400);
+      expect(res.json).toHaveBeenCalledWith(
+        expect.objectContaining({
+          message: 'Invalid query parameters',
+        })
+      );
+      expect(next).not.toHaveBeenCalled();
+    });
   });
 
   describe('createTag', () => {

package/src/controllers/tagController.js

@@ -1,5 +1,7 @@
 import { getTags as getGhostTags, createTag as createGhostTag } from '../services/ghostService.js';
 import { createContextLogger } from '../utils/logger.js';
+import { tagQuerySchema } from '../schemas/tagSchemas.js';
+import { ZodError } from 'zod';
 
 /**
  * Controller to handle fetching tags.
@@ -9,24 +11,48 @@ const getTags = async (req, res, next) => {
   const logger = createContextLogger('tag-controller');
 
   try {
-    const { name } = req.query; // Get name from query params like /api/tags?name=some-tag
+    // Validate query parameters using Zod schema
+    const validatedQuery = tagQuerySchema.parse(req.query);
+
+    // Build options object
+    const options = {};
+
+    // Handle legacy name parameter by converting to filter
+    if (validatedQuery.name) {
+      // Escape single quotes and backslashes to prevent injection
+      const safeName = validatedQuery.name.replace(/\\/g, '\\\\').replace(/'/g, "\\'");
+      options.filter = `name:'${safeName}'`;
+    }
+
+    // Add other query parameters
+    if (validatedQuery.limit) options.limit = validatedQuery.limit;
+    if (validatedQuery.filter) options.filter = validatedQuery.filter;
+    if (validatedQuery.order) options.order = validatedQuery.order;
+    if (validatedQuery.include) options.include = validatedQuery.include;
+
     logger.info('Fetching tags', {
-      filtered: !!name,
-      filterName: name,
+      options,
     });
 
-    const tags = await getGhostTags(name);
+    const tags = await getGhostTags(options);
 
     logger.info('Tags retrieved successfully', {
       count: tags.length,
-      filtered: !!name,
     });
 
     res.status(200).json(tags);
   } catch (error) {
+    if (error instanceof ZodError) {
+      logger.warn('Invalid query parameters', { errors: error.errors });
+      return res.status(400).json({
+        message: 'Invalid query parameters',
+        errors: error.errors.map((e) => ({ path: e.path.join('.'), message: e.message })),
+      });
+    }
+
     logger.error('Get tags failed', {
       error: error.message,
-      filterName: req.query?.name,
+      query: req.query,
     });
     next(error);
   }