@jgardner04/ghost-mcp-server 1.13.2 → 1.13.3

package/src/services/ghostServiceImproved.js

@@ -11,6 +11,7 @@ import {
   retryWithBackoff,
 } from '../errors/index.js';
 import { createContextLogger } from '../utils/logger.js';
+import { sanitizeNqlValue } from '../utils/nqlSanitizer.js';
 
 dotenv.config();
 
@@ -257,6 +258,53 @@ const validators = {
   },
 };
 
+/**
+ * Shared CRUD helper: read a single resource by ID with 404→NotFoundError handling
+ */
+async function readResource(resource, id, label, options = {}) {
+  if (!id) throw new ValidationError(`${label} ID is required`);
+  try {
+    return await handleApiRequest(resource, 'read', { id }, options);
+  } catch (error) {
+    if (error instanceof GhostAPIError && error.ghostStatusCode === 404) {
+      throw new NotFoundError(label, id);
+    }
+    throw error;
+  }
+}
+
+/**
+ * Shared CRUD helper: update a resource with optimistic concurrency control (OCC)
+ * Reads the current version, merges updated_at, then edits.
+ */
+async function updateWithOCC(resource, id, updateData, options = {}, label = resource) {
+  const existing = await readResource(resource, id, label);
+  const editData = { ...updateData, updated_at: existing.updated_at };
+  try {
+    return await handleApiRequest(resource, 'edit', { id, ...editData }, options);
+  } catch (error) {
+    if (error instanceof GhostAPIError && error.ghostStatusCode === 404) {
+      throw new NotFoundError(label, id);
+    }
+    throw error;
+  }
+}
+
+/**
+ * Shared CRUD helper: delete a resource by ID with 404→NotFoundError handling
+ */
+async function deleteResource(resource, id, label) {
+  if (!id) throw new ValidationError(`${label} ID is required for deletion`);
+  try {
+    return await handleApiRequest(resource, 'delete', { id });
+  } catch (error) {
+    if (error instanceof GhostAPIError && error.ghostStatusCode === 404) {
+      throw new NotFoundError(label, id);
+    }
+    throw error;
+  }
+}
+
 /**
  * Service functions with enhanced error handling
  */
@@ -305,53 +353,15 @@ export async function updatePost(postId, updateData, options = {}) {
     validators.validateScheduledStatus(updateData, 'Post');
   }
 
-  // Get the current post first to ensure it exists
-  try {
-    const existingPost = await handleApiRequest('posts', 'read', { id: postId });
-
-    // Send only changed fields + updated_at for OCC (optimistic concurrency control)
-    const editData = {
-      ...updateData,
-      updated_at: existingPost.updated_at,
-    };
-
-    return await handleApiRequest('posts', 'edit', editData, { id: postId, ...options });
-  } catch (error) {
-    if (error instanceof GhostAPIError && error.ghostStatusCode === 404) {
-      throw new NotFoundError('Post', postId);
-    }
-    throw error;
-  }
+  return updateWithOCC('posts', postId, updateData, options, 'Post');
 }
 
 export async function deletePost(postId) {
-  if (!postId) {
-    throw new ValidationError('Post ID is required for deletion');
-  }
-
-  try {
-    return await handleApiRequest('posts', 'delete', { id: postId });
-  } catch (error) {
-    if (error instanceof GhostAPIError && error.ghostStatusCode === 404) {
-      throw new NotFoundError('Post', postId);
-    }
-    throw error;
-  }
+  return deleteResource('posts', postId, 'Post');
 }
 
 export async function getPost(postId, options = {}) {
-  if (!postId) {
-    throw new ValidationError('Post ID is required');
-  }
-
-  try {
-    return await handleApiRequest('posts', 'read', { id: postId }, options);
-  } catch (error) {
-    if (error instanceof GhostAPIError && error.ghostStatusCode === 404) {
-      throw new NotFoundError('Post', postId);
-    }
-    throw error;
-  }
+  return readResource('posts', postId, 'Post', options);
 }
 
 export async function getPosts(options = {}) {
@@ -376,7 +386,7 @@ export async function searchPosts(query, options = {}) {
   }
 
   // Sanitize query - escape special NQL characters to prevent injection
-  const sanitizedQuery = query.replace(/\\/g, '\\\\').replace(/'/g, "\\'");
+  const sanitizedQuery = sanitizeNqlValue(query);
 
   // Build filter with fuzzy title match using Ghost NQL
   const filterParts = [`title:~'${sanitizedQuery}'`];
@@ -441,53 +451,15 @@ export async function updatePage(pageId, updateData, options = {}) {
     validators.validateScheduledStatus(updateData, 'Page');
   }
 
-  try {
-    // Get existing page to retrieve updated_at for conflict resolution
-    const existingPage = await handleApiRequest('pages', 'read', { id: pageId });
-
-    // Send only changed fields + updated_at for OCC (optimistic concurrency control)
-    const editData = {
-      ...updateData,
-      updated_at: existingPage.updated_at,
-    };
-
-    return await handleApiRequest('pages', 'edit', editData, { id: pageId, ...options });
-  } catch (error) {
-    if (error instanceof GhostAPIError && error.ghostStatusCode === 404) {
-      throw new NotFoundError('Page', pageId);
-    }
-    throw error;
-  }
+  return updateWithOCC('pages', pageId, updateData, options, 'Page');
 }
 
 export async function deletePage(pageId) {
-  if (!pageId) {
-    throw new ValidationError('Page ID is required for delete');
-  }
-
-  try {
-    return await handleApiRequest('pages', 'delete', { id: pageId });
-  } catch (error) {
-    if (error instanceof GhostAPIError && error.ghostStatusCode === 404) {
-      throw new NotFoundError('Page', pageId);
-    }
-    throw error;
-  }
+  return deleteResource('pages', pageId, 'Page');
 }
 
 export async function getPage(pageId, options = {}) {
-  if (!pageId) {
-    throw new ValidationError('Page ID is required');
-  }
-
-  try {
-    return await handleApiRequest('pages', 'read', { id: pageId }, options);
-  } catch (error) {
-    if (error instanceof GhostAPIError && error.ghostStatusCode === 404) {
-      throw new NotFoundError('Page', pageId);
-    }
-    throw error;
-  }
+  return readResource('pages', pageId, 'Page', options);
 }
 
 export async function getPages(options = {}) {
@@ -512,7 +484,7 @@ export async function searchPages(query, options = {}) {
   }
 
   // Sanitize query - escape special NQL characters to prevent injection
-  const sanitizedQuery = query.replace(/\\/g, '\\\\').replace(/'/g, "\\'");
+  const sanitizedQuery = sanitizeNqlValue(query);
 
   // Build filter with fuzzy title match using Ghost NQL
   const filterParts = [`title:~'${sanitizedQuery}'`];
@@ -603,18 +575,7 @@ export async function getTags(options = {}) {
 }
 
 export async function getTag(tagId, options = {}) {
-  if (!tagId) {
-    throw new ValidationError('Tag ID is required');
-  }
-
-  try {
-    return await handleApiRequest('tags', 'read', { id: tagId }, options);
-  } catch (error) {
-    if (error instanceof GhostAPIError && error.ghostStatusCode === 404) {
-      throw new NotFoundError('Tag', tagId);
-    }
-    throw error;
-  }
+  return readResource('tags', tagId, 'Tag', options);
 }
 
 export async function updateTag(tagId, updateData) {
@@ -622,14 +583,11 @@ export async function updateTag(tagId, updateData) {
     throw new ValidationError('Tag ID is required for update');
   }
 
-  validators.validateTagUpdateData(updateData); // Validate update data
+  validators.validateTagUpdateData(updateData);
 
   try {
-    // Verify tag exists before updating
-    await getTag(tagId);
-
-    // Send only changed fields (tags don't use updated_at for OCC)
-    return await handleApiRequest('tags', 'edit', { ...updateData }, { id: tagId });
+    await readResource('tags', tagId, 'Tag');
+    return await handleApiRequest('tags', 'edit', { id: tagId, ...updateData });
   } catch (error) {
     if (error instanceof NotFoundError) {
       throw error;
@@ -644,18 +602,7 @@ export async function updateTag(tagId, updateData) {
 }
 
 export async function deleteTag(tagId) {
-  if (!tagId) {
-    throw new ValidationError('Tag ID is required for deletion');
-  }
-
-  try {
-    return await handleApiRequest('tags', 'delete', { id: tagId });
-  } catch (error) {
-    if (error instanceof GhostAPIError && error.ghostStatusCode === 404) {
-      throw new NotFoundError('Tag', tagId);
-    }
-    throw error;
-  }
+  return deleteResource('tags', tagId, 'Tag');
 }
 
 /**
@@ -713,23 +660,7 @@ export async function updateMember(memberId, updateData, options = {}) {
     throw new ValidationError('Member ID is required for update');
   }
 
-  try {
-    // Get existing member to retrieve updated_at for conflict resolution
-    const existingMember = await handleApiRequest('members', 'read', { id: memberId });
-
-    // Send only changed fields + updated_at for OCC (optimistic concurrency control)
-    const editData = {
-      ...updateData,
-      updated_at: existingMember.updated_at,
-    };
-
-    return await handleApiRequest('members', 'edit', editData, { id: memberId, ...options });
-  } catch (error) {
-    if (error instanceof GhostAPIError && error.ghostStatusCode === 404) {
-      throw new NotFoundError('Member', memberId);
-    }
-    throw error;
-  }
+  return updateWithOCC('members', memberId, updateData, options, 'Member');
 }
 
 /**
@@ -741,18 +672,7 @@ export async function updateMember(memberId, updateData, options = {}) {
  * @throws {GhostAPIError} If the API request fails
  */
 export async function deleteMember(memberId) {
-  if (!memberId) {
-    throw new ValidationError('Member ID is required for deletion');
-  }
-
-  try {
-    return await handleApiRequest('members', 'delete', { id: memberId });
-  } catch (error) {
-    if (error instanceof GhostAPIError && error.ghostStatusCode === 404) {
-      throw new NotFoundError('Member', memberId);
-    }
-    throw error;
-  }
+  return deleteResource('members', memberId, 'Member');
 }
 
 /**
@@ -795,7 +715,6 @@ export async function getMembers(options = {}) {
  */
 export async function getMember(params) {
   // Input validation is performed at the MCP tool layer using Zod schemas
-  const { sanitizeNqlValue } = await import('./memberService.js');
   const { id, email } = params;
 
   try {
@@ -837,7 +756,6 @@ export async function getMember(params) {
  */
 export async function searchMembers(query, options = {}) {
   // Input validation is performed at the MCP tool layer using Zod schemas
-  const { sanitizeNqlValue } = await import('./memberService.js');
   const sanitizedQuery = sanitizeNqlValue(query.trim());
 
   const limit = options.limit || 15;
@@ -875,18 +793,7 @@ export async function getNewsletters(options = {}) {
 }
 
 export async function getNewsletter(newsletterId) {
-  if (!newsletterId) {
-    throw new ValidationError('Newsletter ID is required');
-  }
-
-  try {
-    return await handleApiRequest('newsletters', 'read', { id: newsletterId });
-  } catch (error) {
-    if (error instanceof GhostAPIError && error.ghostStatusCode === 404) {
-      throw new NotFoundError('Newsletter', newsletterId);
-    }
-    throw error;
-  }
+  return readResource('newsletters', newsletterId, 'Newsletter');
 }
 
 export async function createNewsletter(newsletterData) {
@@ -911,22 +818,8 @@ export async function updateNewsletter(newsletterId, updateData) {
   }
 
   try {
-    // Get existing newsletter to retrieve updated_at for conflict resolution
-    const existingNewsletter = await handleApiRequest('newsletters', 'read', {
-      id: newsletterId,
-    });
-
-    // Send only changed fields + updated_at for OCC (optimistic concurrency control)
-    const editData = {
-      ...updateData,
-      updated_at: existingNewsletter.updated_at,
-    };
-
-    return await handleApiRequest('newsletters', 'edit', editData, { id: newsletterId });
+    return await updateWithOCC('newsletters', newsletterId, updateData, {}, 'Newsletter');
   } catch (error) {
-    if (error instanceof GhostAPIError && error.ghostStatusCode === 404) {
-      throw new NotFoundError('Newsletter', newsletterId);
-    }
     if (error instanceof GhostAPIError && error.ghostStatusCode === 422) {
       throw new ValidationError('Newsletter update failed', [
         { field: 'newsletter', message: error.originalError },
@@ -937,18 +830,7 @@ export async function updateNewsletter(newsletterId, updateData) {
 }
 
 export async function deleteNewsletter(newsletterId) {
-  if (!newsletterId) {
-    throw new ValidationError('Newsletter ID is required for deletion');
-  }
-
-  try {
-    return await handleApiRequest('newsletters', 'delete', newsletterId);
-  } catch (error) {
-    if (error instanceof GhostAPIError && error.ghostStatusCode === 404) {
-      throw new NotFoundError('Newsletter', newsletterId);
-    }
-    throw error;
-  }
+  return deleteResource('newsletters', newsletterId, 'Newsletter');
 }
 
 /**
@@ -988,23 +870,7 @@ export async function updateTier(id, updateData, options = {}) {
   const { validateTierUpdateData } = await import('./tierService.js');
   validateTierUpdateData(updateData);
 
-  try {
-    // Get existing tier to retrieve updated_at for conflict resolution
-    const existingTier = await handleApiRequest('tiers', 'read', { id }, { id });
-
-    // Send only changed fields + updated_at for OCC (optimistic concurrency control)
-    const editData = {
-      ...updateData,
-      updated_at: existingTier.updated_at,
-    };
-
-    return await handleApiRequest('tiers', 'edit', editData, { id, ...options });
-  } catch (error) {
-    if (error instanceof GhostAPIError && error.ghostStatusCode === 404) {
-      throw new NotFoundError('Tier', id);
-    }
-    throw error;
-  }
+  return updateWithOCC('tiers', id, updateData, options, 'Tier');
 }
 
 /**
@@ -1017,14 +883,7 @@ export async function deleteTier(id) {
     throw new ValidationError('Tier ID is required for deletion');
   }
 
-  try {
-    return await handleApiRequest('tiers', 'delete', { id });
-  } catch (error) {
-    if (error instanceof GhostAPIError && error.ghostStatusCode === 404) {
-      throw new NotFoundError('Tier', id);
-    }
-    throw error;
-  }
+  return deleteResource('tiers', id, 'Tier');
 }
 
 /**
@@ -1065,14 +924,7 @@ export async function getTier(id) {
     throw new ValidationError('Tier ID is required and must be a non-empty string');
   }
 
-  try {
-    return await handleApiRequest('tiers', 'read', { id }, { id });
-  } catch (error) {
-    if (error instanceof GhostAPIError && error.ghostStatusCode === 404) {
-      throw new NotFoundError('Tier', id);
-    }
-    throw error;
-  }
+  return readResource('tiers', id, 'Tier');
 }
 
 /**

package/src/services/imageProcessingService.js

@@ -89,7 +89,7 @@ const processImage = async (inputPath, outputDir) => {
     });
     // If processing fails, maybe fall back to using the original?
     // Or throw the error to fail the upload.
-    throw new Error('Image processing failed: ' + error.message);
+    throw new Error('Image processing failed: ' + error.message, { cause: error });
   }
 };
 

package/src/services/memberService.js

@@ -204,18 +204,6 @@ export function validateMemberUpdateData(updateData) {
   }
 }
 
-/**
- * Sanitizes a value for use in NQL filters to prevent injection
- * Escapes backslashes, single quotes, and double quotes
- * @param {string} value - The value to sanitize
- * @returns {string} The sanitized value
- */
-export function sanitizeNqlValue(value) {
-  if (!value) return value;
-  // Escape backslashes first, then quotes
-  return value.replace(/\\/g, '\\\\').replace(/'/g, "\\'").replace(/"/g, '\\"');
-}
-
 /**
  * Validates query options for member browsing
  * @param {Object} options - The query options to validate
@@ -388,5 +376,4 @@ export default {
   validateMemberLookup,
   validateSearchQuery,
   validateSearchOptions,
-  sanitizeNqlValue,
 };

package/src/services/tierService.js

@@ -284,21 +284,8 @@ export function validateTierQueryOptions(options) {
   }
 }
 
-/**
- * Sanitizes a value for use in NQL filters to prevent injection
- * Escapes backslashes, single quotes, and double quotes
- * @param {string} value - The value to sanitize
- * @returns {string} The sanitized value
- */
-export function sanitizeNqlValue(value) {
-  if (!value) return value;
-  // Escape backslashes first, then quotes
-  return value.replace(/\\/g, '\\\\').replace(/'/g, "\\'").replace(/"/g, '\\"');
-}
-
 export default {
   validateTierData,
   validateTierUpdateData,
   validateTierQueryOptions,
-  sanitizeNqlValue,
 };

package/src/utils/__tests__/nqlSanitizer.test.js

@@ -0,0 +1,38 @@
+import { describe, it, expect } from 'vitest';
+import { sanitizeNqlValue } from '../nqlSanitizer.js';
+
+describe('sanitizeNqlValue', () => {
+  it('should escape backslashes', () => {
+    expect(sanitizeNqlValue('hello\\world')).toBe('hello\\\\world');
+  });
+
+  it('should escape single quotes', () => {
+    expect(sanitizeNqlValue("it's")).toBe("it\\'s");
+  });
+
+  it('should escape double quotes', () => {
+    expect(sanitizeNqlValue('say "hello"')).toBe('say \\"hello\\"');
+  });
+
+  it('should escape all three special characters combined', () => {
+    expect(sanitizeNqlValue('a\\b\'c"d')).toBe('a\\\\b\\\'c\\"d');
+  });
+
+  it('should return null as-is', () => {
+    expect(sanitizeNqlValue(null)).toBe(null);
+  });
+
+  it('should return undefined as-is', () => {
+    expect(sanitizeNqlValue(undefined)).toBe(undefined);
+  });
+
+  it('should return empty string as-is', () => {
+    expect(sanitizeNqlValue('')).toBe('');
+  });
+
+  it('should pass through normal strings without special characters', () => {
+    expect(sanitizeNqlValue('simple-value')).toBe('simple-value');
+    expect(sanitizeNqlValue('test@example.com')).toBe('test@example.com');
+    expect(sanitizeNqlValue('hello world 123')).toBe('hello world 123');
+  });
+});

package/src/utils/nqlSanitizer.js

@@ -0,0 +1,11 @@
+/**
+ * Sanitizes a value for use in NQL (Ghost's filter query language) to prevent injection.
+ * Escapes backslashes, single quotes, and double quotes.
+ * @param {string} value - The value to sanitize
+ * @returns {string} The sanitized value
+ */
+export function sanitizeNqlValue(value) {
+  if (!value) return value;
+  // Escape backslashes first, then quotes
+  return value.replace(/\\/g, '\\\\').replace(/'/g, "\\'").replace(/"/g, '\\"');
+}