@rigstate/mcp 0.6.0 → 0.6.2

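--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@rigstate/mcp",
- "version": "0.6.0",
+ "version": "0.6.2",
  "description": "Rigstate MCP Server - Model Context Protocol for AI Editors",
  "type": "module",
  "main": "./dist/index.js",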
@@ -69,31 +69,27 @@ export async function authenticateApiKey(apiKey: string): Promise<{
69
69
  error: 'Supabase configuration missing. Set RIGSTATE_SUPABASE_URL and RIGSTATE_SUPABASE_ANON_KEY.'
70
70
  };
71
71
  }
72
+ // Trim whitespace to avoid hash mismatch
73
+ const cleanApiKey = apiKey.trim();
72
74
 
73
75
  // Hash the API key with SHA-256 (same as web app)
74
- const hashedKey = createHash('sha256').update(apiKey).digest('hex');
76
+ const hashedKey = createHash('sha256').update(cleanApiKey).digest('hex');
75
77
 
76
78
  // Use service key if available to bypass RLS, otherwise anon key
77
79
  const clientKey = SUPABASE_SERVICE_KEY || SUPABASE_ANON_KEY;
78
80
  const supabase = createSupabaseClient(SUPABASE_URL, clientKey);
79
81
 
80
- // Look up the API key by HASH (not plain text!)
82
+ // Look up the API key by HASH using the secure RPC
83
+ // This bypasses RLS on the api_keys table via Security Definer function
81
84
  const { data: keyData, error: keyError } = await supabase
82
- .from('api_keys')
83
- .select('id, user_id, project_id, organization_id, scope')
84
- .eq('key_hash', hashedKey)
85
+ .rpc('authenticate_api_key_hash', { hash: hashedKey })
85
86
  .single();
86
87
 
87
88
  if (keyError || !keyData) {
88
89
  return { success: false, error: 'Invalid or revoked API key' };
89
90
  }
90
91
 
91
- // Update last_used_at timestamp (fire and forget)
92
- supabase
93
- .from('api_keys')
94
- .update({ last_used_at: new Date().toISOString() })
95
- .eq('id', keyData.id)
96
- .then();
92
+ const { id, user_id } = keyData as { id: string; user_id: string };
97
93
 
98
94
  // Create a user-scoped client for subsequent operations
99
95
  // Use the most privileged key available (SERVICE_KEY or ANON_KEY)
@@ -102,8 +98,8 @@ export async function authenticateApiKey(apiKey: string): Promise<{
102
98
  return {
103
99
  success: true,
104
100
  context: {
105
- userId: keyData.user_id,
106
- apiKeyId: keyData.id,
101
+ userId: user_id,
102
+ apiKeyId: id,
107
103
  supabase: userSupabase
108
104
  }
109
105
  };
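Review bot: The added `const { id, user_id } = keyData as { id: string; user_id: string };` in the first hunk trusts the shape of the RPC result through a type assertion, so the only runtime gate before `success: true` is `keyError || !keyData`. The definition of `authenticate_api_key_hash` is not visible here; if it returns a single composite row rather than a set, a non-matching hash could presumably come back as a row of nulls, which is truthy and would produce a context whose `userId` is null. I would check the fields at runtime before the return in the second hunk, e.g. `if (typeof id !== 'string' || typeof user_id !== 'string') return { success: false, error: 'Invalid or revoked API key' };`. The same hunk also drops the `last_used_at` update, so unless the RPC records it server-side, the usage timestamp that helps spot a stolen or stale key is no longer maintained. The body of authenticateApiKey starts before the first hunk and continues between and after the two hunks, so an existing check there may already cover part of this.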