@jtalk22/slack-mcp 3.2.5 → 4.1.0

package/scripts/setup-wizard.js

@@ -131,10 +131,18 @@ async function runMacOSSetup(rl) {
     }
     print();
     if (extractionError?.code === "apple_events_javascript_disabled") {
-      print("Fix and retry:");
-      print("  1. In Chrome menu: View > Developer > Allow JavaScript from Apple Events");
-      print("  2. Keep Slack open in a Chrome tab (app.slack.com)");
-      print("  3. Re-run: npx -y @jtalk22/slack-mcp --setup");
+      print();
+      printBox([
+        "Chrome needs one setting enabled (one-time only):",
+        "",
+        "1. Open Chrome",
+        "2. Menu bar: View → Developer → Allow JavaScript",
+        "   from Apple Events  ✓",
+        "3. Run this command again",
+      ], 55);
+      print();
+      print("Once enabled, --setup extracts tokens automatically.");
+      print("No DevTools, no copy-paste, just one command.");
     } else {
       print("Make sure:");
       print("  1. Chrome is running");
@@ -180,42 +188,83 @@ async function runManualSetup(rl) {
   print();
   if (IS_MACOS) {
     info("Switching to manual token entry...");
+    info("Note: On macOS, the session cookie can be extracted automatically.");
   } else {
     info(`Detected platform: ${platform()}`);
     warn("Auto-extraction not available on this platform.");
   }
+
+  const consoleHotkey = IS_MACOS ? "Cmd+Option+J" : "Ctrl+Shift+J";
+  // Token-only one-liner (cookie is HttpOnly and cannot be read via document.cookie)
+  const oneLiner = `copy(JSON.parse(localStorage.localConfig_v2).teams[Object.keys(JSON.parse(localStorage.localConfig_v2).teams)[0]].token)`;
+
   print();
-  print("Follow these steps to extract tokens from Chrome:");
-  print();
-  print(`${colors.bold}Step 1:${colors.reset} Open Chrome and navigate to your Slack workspace`);
-  print("         https://app.slack.com");
+  print(`${colors.bold}Quick extract (recommended):${colors.reset}`);
   print();
-  print(`${colors.bold}Step 2:${colors.reset} Press F12 to open DevTools`);
+  print(`  1. Open Chrome → ${colors.cyan}app.slack.com${colors.reset} (must be logged in)`);
+  print(`  2. Press ${colors.cyan}${consoleHotkey}${colors.reset} to open the Console`);
+  print(`  3. Paste this one-liner and press Enter:`);
   print();
-  print(`${colors.bold}Step 3:${colors.reset} Go to the ${colors.cyan}Console${colors.reset} tab and paste this:`);
+  printBox([oneLiner], oneLiner.length + 4);
   print();
-  printBox([
-    "JSON.parse(localStorage.localConfig_v2).teams[",
-    "  Object.keys(JSON.parse(localStorage.localConfig_v2)",
-    "  .teams)[0]].token",
-  ], 55);
+  print(`  4. Your token is now on the clipboard. Paste below.`);
+  if (IS_MACOS) {
+    print(`  ${colors.dim}(Cookie will be extracted automatically from Chrome)${colors.reset}`);
+  }
   print();
-  print(`         Copy the token (starts with ${colors.cyan}xoxc-${colors.reset})`);
+  print(`${colors.dim}(Or paste a JSON object with token+cookie, or a raw xoxc- token)${colors.reset}`);
   print();
 
-  const token = await question(rl, `${colors.bold}Paste your token:${colors.reset} `);
+  const input = await question(rl, `${colors.bold}Paste token:${colors.reset} `);
+  const trimmed = input.trim();
 
-  if (!token.startsWith('xoxc-')) {
-    error("Invalid token. Token should start with 'xoxc-'");
-    return false;
+  let token, cookie;
+
+  // Try JSON parse first (legacy one-liner output or manual JSON)
+  if (trimmed.startsWith('{')) {
+    try {
+      const parsed = JSON.parse(trimmed);
+      if (parsed.token) token = parsed.token;
+      if (parsed.cookie) cookie = parsed.cookie;
+    } catch (_) {
+      // Not valid JSON — fall through to raw token
+    }
   }
 
-  print();
-  print(`${colors.bold}Step 4:${colors.reset} Go to ${colors.cyan}Application${colors.reset} tab → ${colors.cyan}Cookies${colors.reset} → slack.com`);
-  print(`         Find the '${colors.cyan}d${colors.reset}' cookie and copy its value`);
-  print();
+  // Treat as raw token
+  if (!token) {
+    token = trimmed;
+    if (!token.startsWith('xoxc-')) {
+      error("Invalid input. Expected a token starting with 'xoxc-'");
+      return false;
+    }
+  }
+
+  // On macOS, try to extract cookie from Chrome's cookie database automatically
+  if (!cookie && IS_MACOS) {
+    print();
+    print("Extracting session cookie from Chrome...");
+    const chromeTokens = extractFromChrome();
+    if (chromeTokens?.cookie) {
+      cookie = chromeTokens.cookie;
+      success("Cookie extracted from Chrome automatically");
+    } else {
+      warn("Could not extract cookie automatically.");
+      print(`  Paste the cookie manually. In Chrome: ${colors.cyan}Application${colors.reset} tab → ${colors.cyan}Cookies${colors.reset} → find '${colors.cyan}d${colors.reset}'`);
+      print();
+      const cookieInput = await question(rl, `${colors.bold}Paste cookie (xoxd-...):${colors.reset} `);
+      cookie = cookieInput.trim();
+    }
+  }
 
-  const cookie = await question(rl, `${colors.bold}Paste your cookie:${colors.reset} `);
+  // Non-macOS: always ask for cookie
+  if (!cookie) {
+    print();
+    print(`Paste the cookie. In Chrome: ${colors.cyan}Application${colors.reset} tab → ${colors.cyan}Cookies${colors.reset} → find '${colors.cyan}d${colors.reset}'`);
+    print();
+    const cookieInput = await question(rl, `${colors.bold}Paste cookie (xoxd-...):${colors.reset} `);
+    cookie = cookieInput.trim();
+  }
 
   if (!cookie.startsWith('xoxd-')) {
     error("Invalid cookie. Cookie should start with 'xoxd-'");

package/server.json

@@ -2,7 +2,7 @@
   "$schema": "https://static.modelcontextprotocol.io/schemas/2025-12-11/server.schema.json",
   "name": "io.github.jtalk22/slack-mcp-server",
   "title": "Slack MCP Server",
-  "description": "Claude-first Slack MCP for self-host or managed Cloud, with Gemini CLI, deployment review, and secure-default HTTP.",
+  "description": "Slack MCP without OAuth — no app registration, no admin approval. Works with Claude Code, Cursor, Copilot (where the official server doesn't). 16 tools, one command.",
   "websiteUrl": "https://mcp.revasserlabs.com",
   "icons": [
     {
@@ -17,7 +17,7 @@
     "url": "https://github.com/jtalk22/slack-mcp-server",
     "source": "github"
   },
-  "version": "3.2.5",
+  "version": "4.1.0",
   "remotes": [
     {
       "type": "streamable-http",
@@ -28,7 +28,7 @@
     {
       "registryType": "npm",
       "identifier": "@jtalk22/slack-mcp",
-      "version": "3.2.5",
+      "version": "4.1.0",
       "transport": {
         "type": "stdio"
       },

package/src/server.js

@@ -150,7 +150,7 @@ server.setRequestHandler(GetPromptRequestSchema, async (request) => {
     }
     case "summarize-channel": {
       const channelId = args?.channel_id || "";
-      const days = parseInt(args?.days) || 7;
+      const days = parseInt(args?.days, 10) || 7;
       const since = Math.floor(Date.now() / 1000) - (days * 24 * 60 * 60);
       return {
         messages: [

package/src/web-server.js

@@ -11,8 +11,7 @@ import express from "express";
 import { randomBytes } from "crypto";
 import { fileURLToPath } from "url";
 import { dirname, join } from "path";
-import { existsSync, readFileSync, writeFileSync } from "fs";
-import { execSync } from "child_process";
+import { existsSync, readFileSync, writeFileSync, chmodSync } from "fs";
 import { homedir } from "os";
 import { loadTokensReadOnly } from "../lib/token-store.js";
 import { PUBLIC_METADATA, RELEASE_VERSION } from "../lib/public-metadata.js";
@@ -60,7 +59,7 @@ function getOrCreateAPIKey() {
   const newKey = `smcp_${randomBytes(24).toString('base64url')}`;
   try {
     writeFileSync(API_KEY_FILE, newKey);
-    execSync(`chmod 600 "${API_KEY_FILE}"`);
+    chmodSync(API_KEY_FILE, 0o600);
   } catch {}
 
   return newKey;
@@ -98,6 +97,12 @@ app.use((req, res, next) => {
   next();
 });
 
+function safeParseInt(value, fallback, max = 10000) {
+  const n = parseInt(value, 10);
+  if (isNaN(n) || n < 1) return fallback;
+  return Math.min(n, max);
+}
+
 // API Key authentication
 function authenticate(req, res, next) {
   const authHeader = req.headers.authorization;
@@ -209,7 +214,7 @@ app.get("/conversations", authenticate, async (req, res) => {
   try {
     const result = await handleListConversations({
       types: req.query.types || "im,mpim",
-      limit: parseInt(req.query.limit) || 100
+      limit: safeParseInt(req.query.limit, 100)
     });
     res.json(extractContent(result));
   } catch (e) {
@@ -222,7 +227,7 @@ app.get("/conversations/unreads", authenticate, async (req, res) => {
   try {
     const result = await handleConversationsUnreads({
       types: req.query.types || "im,mpim,public_channel,private_channel",
-      limit: parseInt(req.query.limit) || 50
+      limit: safeParseInt(req.query.limit, 50)
     });
     res.json(extractContent(result));
   } catch (e) {
@@ -235,7 +240,7 @@ app.get("/conversations/:id/history", authenticate, async (req, res) => {
   try {
     const result = await handleConversationsHistory({
       channel_id: req.params.id,
-      limit: parseInt(req.query.limit) || 50,
+      limit: safeParseInt(req.query.limit, 50),
       oldest: req.query.oldest,
       latest: req.query.latest,
       resolve_users: req.query.resolve_users !== "false"
@@ -253,7 +258,7 @@ app.get("/conversations/:id/full", authenticate, async (req, res) => {
       channel_id: req.params.id,
       oldest: req.query.oldest,
       latest: req.query.latest,
-      max_messages: parseInt(req.query.max_messages) || 2000,
+      max_messages: safeParseInt(req.query.max_messages, 2000, 50000),
       include_threads: req.query.include_threads !== "false",
       output_file: req.query.output_file
     });
@@ -312,7 +317,7 @@ app.get("/search", authenticate, async (req, res) => {
     }
     const result = await handleSearchMessages({
       query: req.query.q,
-      count: parseInt(req.query.count) || 20
+      count: safeParseInt(req.query.count, 20)
     });
     res.json(extractContent(result));
   } catch (e) {
@@ -347,7 +352,7 @@ app.post("/messages", authenticate, async (req, res) => {
 app.get("/users", authenticate, async (req, res) => {
   try {
     const result = await handleListUsers({
-      limit: parseInt(req.query.limit) || 100
+      limit: safeParseInt(req.query.limit, 100)
     });
     res.json(extractContent(result));
   } catch (e) {
@@ -369,7 +374,7 @@ app.get("/users/search", authenticate, async (req, res) => {
     }
     const result = await handleUsersSearch({
       query: req.query.q,
-      limit: parseInt(req.query.limit) || 20
+      limit: safeParseInt(req.query.limit, 20)
     });
     res.json(extractContent(result));
   } catch (e) {
@@ -452,9 +457,9 @@ async function main() {
     console.error(`\n${"═".repeat(60)}`);
     console.error(`  Slack Web API Server v${RELEASE_VERSION}`);
     console.error(`${"═".repeat(60)}`);
-    console.error(`\n  Dashboard: http://localhost:${PORT}/?key=${API_KEY}`);
-    console.error(`\n  API Key:   ${API_KEY}`);
-    console.error(`\n  curl -H "Authorization: Bearer ${API_KEY}" http://localhost:${PORT}/health`);
+    console.error(`\n  Dashboard: http://localhost:${PORT}/?key=${API_KEY.slice(0, 8)}...`);
+    console.error(`\n  API Key:   ${API_KEY.slice(0, 8)}${"*".repeat(12)}`);
+    console.error(`\n  curl -H "Authorization: Bearer <key>" http://localhost:${PORT}/health`);
     console.error(`\n  Security: Bound to localhost only (127.0.0.1)`);
     console.error(`\n${"═".repeat(60)}\n`);
   });