@jgardner04/ghost-mcp-server 1.13.0 → 1.13.2

package/src/schemas/__tests__/tagSchemas.test.js

@@ -172,6 +172,106 @@ describe('Tag Schemas', () => {
       expect(result).toBeDefined();
       // Note: optional fields with defaults don't apply when field is omitted
     });
+
+    it('should accept limit as "all" string', () => {
+      const query = {
+        limit: 'all',
+      };
+
+      const result = tagQuerySchema.parse(query);
+      expect(result.limit).toBe('all');
+    });
+
+    it('should accept limit as number within range', () => {
+      const query = {
+        limit: 50,
+      };
+
+      const result = tagQuerySchema.parse(query);
+      expect(result.limit).toBe(50);
+    });
+
+    it('should reject limit as invalid string', () => {
+      const query = {
+        limit: 'invalid',
+      };
+
+      expect(() => tagQuerySchema.parse(query)).toThrow();
+    });
+
+    it('should reject limit greater than 100', () => {
+      const query = {
+        limit: 101,
+      };
+
+      expect(() => tagQuerySchema.parse(query)).toThrow();
+    });
+
+    it('should reject limit less than 1', () => {
+      const query = {
+        limit: 0,
+      };
+
+      expect(() => tagQuerySchema.parse(query)).toThrow();
+    });
+
+    it('should accept limit as string number and transform to number', () => {
+      const query = {
+        limit: '50',
+      };
+
+      const result = tagQuerySchema.parse(query);
+      expect(result.limit).toBe(50);
+      expect(typeof result.limit).toBe('number');
+    });
+
+    it('should accept page as string number and transform to number', () => {
+      const query = {
+        page: '3',
+      };
+
+      const result = tagQuerySchema.parse(query);
+      expect(result.page).toBe(3);
+      expect(typeof result.page).toBe('number');
+    });
+
+    it('should reject query with both name and filter parameters', () => {
+      const query = {
+        name: 'Technology',
+        filter: 'visibility:public',
+      };
+
+      expect(() => tagQuerySchema.parse(query)).toThrow();
+      try {
+        tagQuerySchema.parse(query);
+      } catch (error) {
+        expect(error.errors[0].message).toContain('Cannot specify both "name" and "filter"');
+      }
+    });
+
+    it('should reject name with invalid characters', () => {
+      const query = {
+        name: 'test;DROP',
+      };
+
+      expect(() => tagQuerySchema.parse(query)).toThrow(/invalid characters/);
+    });
+
+    it('should accept name with apostrophe', () => {
+      const query = {
+        name: "O'Reilly",
+      };
+
+      expect(() => tagQuerySchema.parse(query)).not.toThrow();
+    });
+
+    it('should accept name with spaces, hyphens, and underscores', () => {
+      const query = {
+        name: 'Tech News 2024-Web_Dev',
+      };
+
+      expect(() => tagQuerySchema.parse(query)).not.toThrow();
+    });
   });
 
   describe('tagIdSchema', () => {

package/src/schemas/pageSchemas.js

@@ -62,8 +62,6 @@ export const createPageSchema = z.object({
   tags: tagsSchema.describe('Array of tag names or IDs (rarely used for pages)'),
   authors: authorsSchema.describe('Array of author IDs or emails'),
   published_at: isoDateSchema.optional().describe('Scheduled publish time (ISO 8601 format)'),
-  updated_at: isoDateSchema.optional(),
-  created_at: isoDateSchema.optional(),
   codeinjection_head: z.string().optional(),
   codeinjection_foot: z.string().optional(),
   custom_template: z.string().optional().describe('Custom template filename'),

package/src/schemas/postSchemas.js

@@ -57,11 +57,13 @@ export const createPostSchema = z.object({
     .max(500, 'Twitter description cannot exceed 500 characters')
     .optional(),
   canonical_url: canonicalUrlSchema,
-  tags: tagsSchema.describe('Array of tag names or IDs to associate with the post'),
-  authors: authorsSchema.describe('Array of author IDs or emails'),
+  tags: tagsSchema.describe(
+    'Array of tag names or IDs to associate with the post. On update, this fully replaces the existing tags array (not merged).'
+  ),
+  authors: authorsSchema.describe(
+    'Array of author IDs or emails. On update, this fully replaces the existing authors array (not merged).'
+  ),
   published_at: isoDateSchema.optional().describe('Scheduled publish time (ISO 8601 format)'),
-  updated_at: isoDateSchema.optional(),
-  created_at: isoDateSchema.optional(),
   codeinjection_head: z.string().optional(),
   codeinjection_foot: z.string().optional(),
   custom_template: z.string().optional().describe('Custom template filename'),

package/src/schemas/tagSchemas.js

@@ -57,14 +57,33 @@ export const createTagSchema = z.object({
 export const updateTagSchema = createTagSchema.partial();
 
 /**
- * Schema for tag query/filter parameters
+ * Base schema for tag query/filter parameters (without refinement)
+ * Exported for use in MCP server where .partial() is needed
  */
-export const tagQuerySchema = z.object({
-  name: z.string().optional().describe('Filter by exact tag name'),
+export const tagQueryBaseSchema = z.object({
+  name: z
+    .string()
+    .regex(
+      /^[a-zA-Z0-9\s\-_']+$/,
+      'Tag name contains invalid characters. Only letters, numbers, spaces, hyphens, underscores, and apostrophes are allowed'
+    )
+    .optional()
+    .describe('Filter by exact tag name (legacy parameter, converted to filter internally)'),
   slug: z.string().optional().describe('Filter by tag slug'),
   visibility: visibilitySchema.optional().describe('Filter by visibility'),
-  limit: z.number().int().min(1).max(100).default(15).optional(),
-  page: z.number().int().min(1).default(1).optional(),
+  limit: z
+    .union([
+      z.number().int().min(1).max(100),
+      z.string().regex(/^\d+$/).transform(Number),
+      z.literal('all'),
+    ])
+    .default(15)
+    .optional()
+    .describe('Number of tags to return (1-100) or "all" for all tags'),
+  page: z
+    .union([z.number().int().min(1), z.string().regex(/^\d+$/).transform(Number)])
+    .default(1)
+    .optional(),
   filter: z
     .string()
     .regex(/^[a-zA-Z0-9_\-:.'"\s,[\]<>=!+]+$/, 'Invalid filter: contains disallowed characters')
@@ -77,6 +96,15 @@ export const tagQuerySchema = z.object({
   order: z.string().optional().describe('Order results (e.g., "name ASC", "created_at DESC")'),
 });
 
+/**
+ * Schema for tag query/filter parameters with validation
+ * Note: Only one of 'name' or 'filter' should be provided, not both
+ */
+export const tagQuerySchema = tagQueryBaseSchema.refine((data) => !(data.name && data.filter), {
+  message: 'Cannot specify both "name" and "filter" parameters. Use "filter" for advanced queries.',
+  path: ['filter'],
+});
+
 /**
  * Schema for tag ID parameter
  */

package/src/services/__tests__/ghostService.test.js

@@ -276,24 +276,7 @@ describe('ghostService', () => {
   });
 
   describe('getTags', () => {
-    it('should reject tag names with invalid characters', async () => {
-      await expect(getTags("'; DROP TABLE tags; --")).rejects.toThrow(
-        'Tag name contains invalid characters'
-      );
-    });
-
-    it('should accept valid tag names', async () => {
-      const validNames = ['Test Tag', 'test-tag', 'test_tag', 'Tag123'];
-      const expectedTags = [{ id: '1', name: 'Tag' }];
-      api.tags.browse.mockResolvedValue(expectedTags);
-
-      for (const name of validNames) {
-        const result = await getTags(name);
-        expect(result).toEqual(expectedTags);
-      }
-    });
-
-    it('should handle tags without filter when name is not provided', async () => {
+    it('should get all tags when no options provided', async () => {
       const expectedTags = [
         { id: '1', name: 'Tag1' },
         { id: '2', name: 'Tag2' },
@@ -303,17 +286,41 @@ describe('ghostService', () => {
       const result = await getTags();
 
       expect(result).toEqual(expectedTags);
-      expect(api.tags.browse).toHaveBeenCalledWith({ limit: 'all' }, {});
+      expect(api.tags.browse).toHaveBeenCalledWith({ limit: 15 }, {});
     });
 
-    it('should properly escape tag names in filter', async () => {
-      const expectedTags = [{ id: '1', name: "Tag's Name" }];
+    it('should pass options to browse endpoint', async () => {
+      const expectedTags = [{ id: '1', name: 'Tag' }];
       api.tags.browse.mockResolvedValue(expectedTags);
 
-      // This should work because we properly escape single quotes
-      const result = await getTags('Valid Tag');
+      const result = await getTags({ limit: 5, filter: "name:'Test'" });
 
       expect(result).toEqual(expectedTags);
+      expect(api.tags.browse).toHaveBeenCalledWith({ limit: 5, filter: "name:'Test'" }, {});
+    });
+
+    it('should return empty array on null response', async () => {
+      api.tags.browse.mockResolvedValue(null);
+
+      const result = await getTags();
+
+      expect(result).toEqual([]);
+    });
+
+    it('should handle errors and rethrow', async () => {
+      const error = new Error('API error');
+      api.tags.browse.mockRejectedValue(error);
+
+      await expect(getTags()).rejects.toThrow('API error');
+    });
+
+    it('should merge default limit with custom options', async () => {
+      const expectedTags = [{ id: '1', name: 'Tag' }];
+      api.tags.browse.mockResolvedValue(expectedTags);
+
+      await getTags({ filter: "name:'Custom'" });
+
+      expect(api.tags.browse).toHaveBeenCalledWith({ limit: 15, filter: "name:'Custom'" }, {});
     });
   });
 });

package/src/services/__tests__/ghostServiceImproved.members.test.js

@@ -144,7 +144,7 @@ describe('ghostServiceImproved - Members', () => {
   });
 
   describe('updateMember', () => {
-    it('should update a member with valid ID and data', async () => {
+    it('should send only update fields and updated_at, not the full existing member', async () => {
       const memberId = 'member-1';
       const updateData = {
         name: 'Jane Doe',
@@ -153,8 +153,10 @@ describe('ghostServiceImproved - Members', () => {
 
       const mockExistingMember = {
         id: memberId,
+        uuid: 'abc-def-123',
         email: 'test@example.com',
         name: 'John Doe',
+        status: 'free',
         updated_at: '2023-01-01T00:00:00.000Z',
       };
 
@@ -169,13 +171,15 @@ describe('ghostServiceImproved - Members', () => {
       const result = await updateMember(memberId, updateData);
 
       expect(api.members.read).toHaveBeenCalledWith(expect.any(Object), { id: memberId });
+      // Should send ONLY updateData + updated_at, NOT the full existing member
       expect(api.members.edit).toHaveBeenCalledWith(
-        expect.objectContaining({
-          ...mockExistingMember,
-          ...updateData,
-        }),
+        { name: 'Jane Doe', note: 'Updated note', updated_at: '2023-01-01T00:00:00.000Z' },
         expect.objectContaining({ id: memberId })
       );
+      // Verify read-only fields are NOT sent
+      const editCallData = api.members.edit.mock.calls[0][0];
+      expect(editCallData).not.toHaveProperty('uuid');
+      expect(editCallData).not.toHaveProperty('status');
       expect(result).toEqual(mockUpdatedMember);
     });
 

package/src/services/__tests__/ghostServiceImproved.newsletters.test.js

@@ -194,10 +194,12 @@ describe('ghostServiceImproved - Newsletter Operations', () => {
   });
 
   describe('updateNewsletter', () => {
-    it('should update a newsletter successfully', async () => {
+    it('should send only update fields and updated_at, not the full existing newsletter', async () => {
       const existingNewsletter = {
         id: 'newsletter-123',
+        uuid: 'abc-def-123',
         name: 'Old Name',
+        slug: 'old-name',
         updated_at: '2024-01-01T00:00:00.000Z',
       };
       const updateData = { name: 'New Name' };
@@ -210,13 +212,15 @@ describe('ghostServiceImproved - Newsletter Operations', () => {
 
       expect(result).toEqual(updatedNewsletter);
       expect(mockNewslettersApi.read).toHaveBeenCalledWith({}, { id: 'newsletter-123' });
+      // Should send ONLY updateData + updated_at, NOT the full existing newsletter
       expect(mockNewslettersApi.edit).toHaveBeenCalledWith(
-        {
-          ...existingNewsletter,
-          ...updateData,
-        },
+        { name: 'New Name', updated_at: '2024-01-01T00:00:00.000Z' },
         { id: 'newsletter-123' }
       );
+      // Verify read-only fields are NOT sent
+      const editCallData = mockNewslettersApi.edit.mock.calls[0][0];
+      expect(editCallData).not.toHaveProperty('uuid');
+      expect(editCallData).not.toHaveProperty('slug');
     });
 
     it('should update newsletter with email settings', async () => {
@@ -236,9 +240,11 @@ describe('ghostServiceImproved - Newsletter Operations', () => {
 
       await updateNewsletter('newsletter-123', updateData);
 
-      expect(mockNewslettersApi.edit).toHaveBeenCalledWith(expect.objectContaining(updateData), {
-        id: 'newsletter-123',
-      });
+      // Should send ONLY updateData + updated_at
+      expect(mockNewslettersApi.edit).toHaveBeenCalledWith(
+        { ...updateData, updated_at: '2024-01-01T00:00:00.000Z' },
+        { id: 'newsletter-123' }
+      );
     });
 
     it('should throw ValidationError if ID is missing', async () => {
@@ -270,10 +276,9 @@ describe('ghostServiceImproved - Newsletter Operations', () => {
 
       await updateNewsletter('newsletter-123', updateData);
 
+      // Should send ONLY updateData + updated_at
       expect(mockNewslettersApi.edit).toHaveBeenCalledWith(
-        expect.objectContaining({
-          updated_at: '2024-01-01T00:00:00.000Z',
-        }),
+        { description: 'Updated description', updated_at: '2024-01-01T00:00:00.000Z' },
         { id: 'newsletter-123' }
       );
     });

package/src/services/__tests__/ghostServiceImproved.pages.test.js

@@ -63,6 +63,7 @@ import {
   api,
   validators,
 } from '../ghostServiceImproved.js';
+import { createPageSchema, updatePageSchema } from '../../schemas/pageSchemas.js';
 
 describe('ghostServiceImproved - Pages', () => {
   beforeEach(() => {
@@ -219,7 +220,7 @@ describe('ghostServiceImproved - Pages', () => {
       expect(api.pages.add).toHaveBeenCalledWith(pageData, { source: 'html' });
     });
 
-    it('should sanitize HTML content', async () => {
+    it('should pass HTML through without service-layer sanitization (schema layer handles it)', async () => {
       const pageData = {
         title: 'Test Page',
         html: '<p>Safe content</p><script>alert("xss")</script>',
@@ -228,10 +229,10 @@ describe('ghostServiceImproved - Pages', () => {
 
       await createPage(pageData);
 
-      // Verify that the HTML was sanitized (script tags removed)
+      // HTML sanitization is enforced at the schema layer via htmlContentSchema,
+      // not at the service layer
       const calledWith = api.pages.add.mock.calls[0][0];
-      expect(calledWith.html).not.toContain('<script>');
-      expect(calledWith.html).toContain('<p>Safe content</p>');
+      expect(calledWith.html).toBeDefined();
     });
 
     it('should handle Ghost API validation errors (422)', async () => {
@@ -266,12 +267,16 @@ describe('ghostServiceImproved - Pages', () => {
       await expect(updatePage('', { title: 'Updated' })).rejects.toThrow('Page ID is required');
     });
 
-    it('should update page with valid data', async () => {
+    it('should send only update fields and updated_at, not the full existing page', async () => {
       const pageId = 'page-123';
       const existingPage = {
         id: pageId,
+        uuid: 'abc-def-123',
         title: 'Original Title',
+        slug: 'original-title',
         html: '<p>Original content</p>',
+        url: 'https://example.com/original-title',
+        reading_time: 2,
         updated_at: '2024-01-01T00:00:00.000Z',
       };
       const updateData = { title: 'Updated Title' };
@@ -285,10 +290,16 @@ describe('ghostServiceImproved - Pages', () => {
       expect(result).toEqual(expectedPage);
       // handleApiRequest calls read with (options, data), where options={} and data={id}
       expect(api.pages.read).toHaveBeenCalledWith({}, { id: pageId });
+      // Should send ONLY updateData + updated_at, NOT the full existing page
       expect(api.pages.edit).toHaveBeenCalledWith(
-        { ...existingPage, ...updateData },
+        { title: 'Updated Title', updated_at: '2024-01-01T00:00:00.000Z' },
         { id: pageId }
       );
+      // Verify read-only fields are NOT sent
+      const editCallData = api.pages.edit.mock.calls[0][0];
+      expect(editCallData).not.toHaveProperty('uuid');
+      expect(editCallData).not.toHaveProperty('url');
+      expect(editCallData).not.toHaveProperty('reading_time');
     });
 
     it('should handle page not found (404)', async () => {
@@ -317,16 +328,18 @@ describe('ghostServiceImproved - Pages', () => {
       expect(editCall.updated_at).toBe('2024-01-01T00:00:00.000Z');
     });
 
-    it('should sanitize HTML content in updates', async () => {
+    it('should throw ValidationError when updating to scheduled without published_at', async () => {
       const pageId = 'page-123';
-      const existingPage = { id: pageId, title: 'Test', updated_at: '2024-01-01T00:00:00.000Z' };
+      const existingPage = {
+        id: pageId,
+        title: 'Test Page',
+        updated_at: '2024-01-01T00:00:00.000Z',
+      };
       api.pages.read.mockResolvedValue(existingPage);
-      api.pages.edit.mockResolvedValue({ ...existingPage });
 
-      await updatePage(pageId, { html: '<p>Safe</p><script>alert("xss")</script>' });
-
-      const editCall = api.pages.edit.mock.calls[0][0];
-      expect(editCall.html).not.toContain('<script>');
+      await expect(updatePage(pageId, { status: 'scheduled' })).rejects.toThrow(
+        'Page validation failed'
+      );
     });
   });
 
@@ -558,4 +571,34 @@ describe('ghostServiceImproved - Pages', () => {
       expect(browseCall.filter).toContain('+');
     });
   });
+
+  describe('HTML sanitization (schema + service integration)', () => {
+    it('should strip XSS from page HTML when input flows through schema validation (production path)', async () => {
+      const rawInput = { title: 'Test Page', html: '<p>Safe</p><script>alert("xss")</script>' };
+      const validated = createPageSchema.parse(rawInput);
+
+      api.pages.add.mockResolvedValue({ id: '1', ...validated });
+      await createPage(validated);
+
+      const sentToApi = api.pages.add.mock.calls[0][0];
+      expect(sentToApi.html).not.toContain('<script>');
+      expect(sentToApi.html).not.toContain('alert');
+      expect(sentToApi.html).toContain('<p>Safe</p>');
+    });
+
+    it('should strip XSS from page HTML on update when input flows through schema validation', async () => {
+      const rawUpdate = { html: '<p>Updated</p><img src=x onerror="alert(1)">' };
+      const validated = updatePageSchema.parse(rawUpdate);
+
+      const existingPage = { id: 'page-1', updated_at: '2024-01-01T00:00:00.000Z' };
+      api.pages.read.mockResolvedValue(existingPage);
+      api.pages.edit.mockResolvedValue({ ...existingPage, ...validated });
+
+      await updatePage('page-1', validated);
+
+      const sentToApi = api.pages.edit.mock.calls[0][0];
+      expect(sentToApi.html).not.toContain('onerror');
+      expect(sentToApi.html).toContain('<img src="x"');
+    });
+  });
 });