npm - affine-mcp-server - Versions diffs - 1.4.0 → 1.6.0 - Mend

affine-mcp-server 1.4.0 → 1.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

package/dist/config.js CHANGED Viewed

@@ -1,3 +1,10 @@
+import * as fs from "fs";
+import * as os from "os";
+import * as path from "path";
+import { createRequire } from "module";
+const require = createRequire(import.meta.url);
+const pkg = require("../package.json");
+export const VERSION = pkg.version;
 const defaultEndpoints = {
     listWorkspaces: { method: "GET", path: "/api/workspaces" },
     listDocs: { method: "GET", path: "/api/workspaces/:workspaceId/docs" },
@@ -10,17 +17,106 @@ const defaultEndpoints = {
         path: "/api/workspaces/:workspaceId/search"
     }
 };
+/** Config file location: ~/.config/affine-mcp/config */
+export const CONFIG_DIR = path.join(process.env.XDG_CONFIG_HOME || path.join(os.homedir(), ".config"), "affine-mcp");
+export const CONFIG_FILE = path.join(CONFIG_DIR, "config");
+/** Read key=value config file, returns empty object if missing */
+export function loadConfigFile() {
+    if (!fs.existsSync(CONFIG_FILE))
+        return {};
+    const content = fs.readFileSync(CONFIG_FILE, "utf-8");
+    const result = {};
+    for (const line of content.split("\n")) {
+        const trimmed = line.trim();
+        if (!trimmed || trimmed.startsWith("#"))
+            continue;
+        const eq = trimmed.indexOf("=");
+        if (eq === -1)
+            continue;
+        result[trimmed.slice(0, eq)] = trimmed.slice(eq + 1);
+    }
+    return result;
+}
+/** Write config file atomically with 600 permissions (temp + rename). */
+export function writeConfigFile(vars) {
+    fs.mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
+    const lines = [
+        "# Affine MCP Server credentials",
+        "# Generated by: affine-mcp login",
+        `# ${new Date().toISOString()}`,
+    ];
+    for (const [key, value] of Object.entries(vars)) {
+        if (value)
+            lines.push(`${key}=${value}`);
+    }
+    lines.push("");
+    // Atomic write: write to temp file then rename to prevent partial reads
+    const tmpFile = path.join(CONFIG_DIR, `.config.tmp.${process.pid}`);
+    try {
+        fs.writeFileSync(tmpFile, lines.join("\n"), { mode: 0o600 });
+        fs.renameSync(tmpFile, CONFIG_FILE);
+    }
+    catch (err) {
+        // Clean up temp file on failure
+        try {
+            fs.unlinkSync(tmpFile);
+        }
+        catch { }
+        throw err;
+    }
+}
+/** Validate and sanitize a base URL. Throws on invalid or dangerous URLs. */
+export function validateBaseUrl(input) {
+    let parsed;
+    try {
+        parsed = new URL(input);
+    }
+    catch {
+        throw new Error(`Invalid URL: ${input}`);
+    }
+    // Reject credentials embedded in URL (SSRF vector)
+    if (parsed.username || parsed.password) {
+        throw new Error("URL must not contain embedded credentials (user:pass@host)");
+    }
+    // Only allow http and https schemes
+    if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+        throw new Error(`Unsupported URL scheme: ${parsed.protocol} (only http/https allowed)`);
+    }
+    // Warn (but allow) plain HTTP for non-local targets
+    const host = parsed.hostname;
+    const isLocal = host === "localhost" || host === "127.0.0.1" || host === "::1" || host === "0.0.0.0";
+    if (parsed.protocol === "http:" && !isLocal) {
+        console.error("WARNING: Using plain HTTP for a non-localhost URL. Consider HTTPS for security.");
+    }
+    // Return normalized URL without trailing slash
+    return parsed.origin + parsed.pathname.replace(/\/$/, "");
+}
+/**
+ * Helper: read env var with config file fallback.
+ * Environment variables always take priority over the config file.
+ */
+function env(name, file, fallback) {
+    return process.env[name] || file[name] || fallback;
+}
 export function loadConfig() {
-    const baseUrl = process.env.AFFINE_BASE_URL?.replace(/\/$/, "") || "http://localhost:3010";
-    const apiToken = process.env.AFFINE_API_TOKEN;
-    const cookie = process.env.AFFINE_COOKIE;
-    const email = process.env.AFFINE_EMAIL;
-    const password = process.env.AFFINE_PASSWORD;
+    const file = loadConfigFile();
+    const baseUrl = env("AFFINE_BASE_URL", file, "http://localhost:3010").replace(/\/$/, "");
+    const apiToken = env("AFFINE_API_TOKEN", file);
+    const cookie = env("AFFINE_COOKIE", file);
+    const email = env("AFFINE_EMAIL", file);
+    const password = env("AFFINE_PASSWORD", file);
     let headers = undefined;
     const headersJson = process.env.AFFINE_HEADERS_JSON;
     if (headersJson) {
         try {
             headers = JSON.parse(headersJson);
+            if (headers) {
+                const sensitiveKeys = Object.keys(headers).filter((k) => /^(authorization|cookie)$/i.test(k));
+                if (sensitiveKeys.length) {
+                    console.warn(`WARNING: AFFINE_HEADERS_JSON contains sensitive key(s): ${sensitiveKeys.join(", ")}. ` +
+                        `These may conflict with built-in auth and are not protected by debug-logging guards.`);
+                }
+            }
         }
         catch (e) {
             console.warn("Failed to parse AFFINE_HEADERS_JSON; ignoring.");
@@ -29,8 +125,8 @@ export function loadConfig() {
     if (cookie) {
         headers = { ...(headers || {}), Cookie: cookie };
     }
-    const graphqlPath = process.env.AFFINE_GRAPHQL_PATH || "/graphql";
-    const defaultWorkspaceId = process.env.AFFINE_WORKSPACE_ID;
+    const graphqlPath = env("AFFINE_GRAPHQL_PATH", file, "/graphql");
+    const defaultWorkspaceId = env("AFFINE_WORKSPACE_ID", file);
     let endpoints = defaultEndpoints;
     const endpointsJson = process.env.AFFINE_ENDPOINTS_JSON;
     if (endpointsJson) {

package/dist/graphqlClient.js CHANGED Viewed

@@ -1,27 +1,54 @@
 import { fetch } from "undici";
+import { VERSION } from "./config.js";
+const GQL_FETCH_TIMEOUT_MS = 30_000;
+/** Strip HTML tags and truncate to a safe length for error messages. */
+function sanitizeErrorBody(s, max = 200) {
+    const stripped = s.replace(/<[^>]*>/g, "").replace(/\s+/g, " ").trim();
+    return stripped.length > max ? stripped.slice(0, max) + "..." : stripped;
+}
 export class GraphQLClient {
     opts;
-    headers;
+    _headers;
     authenticated = false;
     constructor(opts) {
         this.opts = opts;
-        this.headers = { ...(opts.headers || {}) };
+        this._headers = { ...(opts.headers || {}) };
         // Set authentication in priority order
         if (opts.bearer) {
-            this.headers["Authorization"] = `Bearer ${opts.bearer}`;
+            this._headers["Authorization"] = `Bearer ${opts.bearer}`;
             this.authenticated = true;
             console.error("Using Bearer token authentication");
         }
-        else if (this.headers.Cookie) {
+        else if (this._headers.Cookie) {
             this.authenticated = true;
             console.error("Using Cookie authentication");
         }
     }
+    /** The GraphQL endpoint URL */
+    get endpoint() {
+        return this.opts.endpoint;
+    }
+    /** Current request headers (including auth) */
+    get headers() {
+        return { ...this._headers };
+    }
+    /** Cookie header value, if set */
+    get cookie() {
+        return this._headers["Cookie"] || "";
+    }
+    /** Bearer token, if set */
+    get bearer() {
+        const auth = this._headers["Authorization"] || "";
+        return auth.startsWith("Bearer ") ? auth.slice(7) : "";
+    }
     setHeaders(next) {
-        this.headers = { ...this.headers, ...next };
+        this._headers = { ...this._headers, ...next };
     }
     setCookie(cookieHeader) {
-        this.headers["Cookie"] = cookieHeader;
+        if (/[\r\n]/.test(cookieHeader)) {
+            throw new Error("Cookie header contains illegal CR/LF characters");
+        }
+        this._headers["Cookie"] = cookieHeader;
         this.authenticated = true;
         console.error("Session cookies set from email/password login");
     }
@@ -29,16 +56,60 @@ export class GraphQLClient {
         return this.authenticated;
     }
     async request(query, variables) {
-        const headers = { "Content-Type": "application/json", ...this.headers };
-        const res = await fetch(this.opts.endpoint, {
-            method: "POST",
-            headers,
-            body: JSON.stringify({ query, variables })
-        });
+        const headers = {
+            "Content-Type": "application/json",
+            "User-Agent": `affine-mcp-server/${VERSION}`,
+            ...this._headers,
+        };
+        const controller = new AbortController();
+        const timer = setTimeout(() => controller.abort(), GQL_FETCH_TIMEOUT_MS);
+        let res;
+        try {
+            res = await fetch(this.opts.endpoint, {
+                method: "POST",
+                headers,
+                body: JSON.stringify({ query, variables }),
+                signal: controller.signal,
+            });
+        }
+        catch (err) {
+            if (err.name === "AbortError")
+                throw new Error(`GraphQL request timed out after ${GQL_FETCH_TIMEOUT_MS / 1000}s`);
+            throw err;
+        }
+        finally {
+            clearTimeout(timer);
+        }
+        // Handle redirects (undici may follow them but strip auth headers)
+        if (res.status >= 300 && res.status < 400) {
+            const location = res.headers.get("location");
+            throw new Error(`GraphQL endpoint returned redirect ${res.status} -> ${location || "(no location)"}. ` +
+                `Check AFFINE_BASE_URL.`);
+        }
+        const contentType = res.headers.get("content-type") || "";
+        // Guard against non-JSON responses (Cloudflare challenges, HTML error pages)
+        if (!contentType.includes("application/json") && !contentType.includes("application/graphql")) {
+            const body = await res.text();
+            const snippet = sanitizeErrorBody(body);
+            throw new Error(`GraphQL endpoint returned non-JSON response (${res.status} ${res.statusText}, ` +
+                `Content-Type: ${contentType || "(none)"}). Body: ${snippet}`);
+        }
+        if (!res.ok) {
+            // Try to parse error body as JSON
+            let body;
+            try {
+                const json = await res.json();
+                body = json.errors?.map((e) => e.message).join("; ") || JSON.stringify(json);
+            }
+            catch {
+                body = await res.text().catch(() => "(unreadable body)");
+            }
+            throw new Error(`GraphQL HTTP ${res.status}: ${sanitizeErrorBody(body)}`);
+        }
         const json = await res.json();
-        if (!res.ok || json.errors) {
-            const msg = json.errors?.map((e) => e.message).join("; ") || res.statusText;
-            throw new Error(`GraphQL error: ${msg}`);
+        if (json.errors) {
+            const msg = json.errors.map((e) => e.message).join("; ");
+            throw new Error(`GraphQL error: ${sanitizeErrorBody(msg)}`);
         }
         return json.data;
     }

package/dist/index.js CHANGED Viewed

@@ -1,6 +1,6 @@
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
-import { loadConfig } from "./config.js";
+import { loadConfig, VERSION } from "./config.js";
 import { GraphQLClient } from "./graphqlClient.js";
 import { registerWorkspaceTools } from "./tools/workspaces.js";
 import { registerDocTools } from "./tools/docs.js";
@@ -13,9 +13,29 @@ import { registerBlobTools } from "./tools/blobStorage.js";
 import { registerNotificationTools } from "./tools/notifications.js";
 import { loginWithPassword } from "./auth.js";
 import { registerAuthTools } from "./tools/auth.js";
+import { runCli } from "./cli.js";
+// CLI subcommands: affine-mcp login|status|logout
+const subcommand = process.argv[2];
+if (subcommand && await runCli(subcommand)) {
+    process.exit(0);
+}
+// MCP server mode (default)
 const config = loadConfig();
+// Startup diagnostics (visible in Claude Code MCP server logs via stderr)
+import { existsSync } from "fs";
+import { CONFIG_FILE } from "./config.js";
+console.error(`[affine-mcp] Config: ${CONFIG_FILE} (${existsSync(CONFIG_FILE) ? 'found' : 'missing'})`);
+console.error(`[affine-mcp] Endpoint: ${config.baseUrl}${config.graphqlPath}`);
+const hasAuth = !!(config.apiToken || config.cookie || (config.email && config.password));
+console.error(`[affine-mcp] Auth: ${hasAuth ? 'configured' : 'not configured'}`);
+if (hasAuth && config.baseUrl.startsWith("http://")
+    && !config.baseUrl.includes("localhost")
+    && !config.baseUrl.includes("127.0.0.1")) {
+    console.error("WARNING: Credentials configured over plain HTTP. Use HTTPS for remote servers.");
+}
+console.error(`[affine-mcp] Workspace: ${config.defaultWorkspaceId ? 'set' : '(none)'}`);
 async function buildServer() {
-    const server = new McpServer({ name: "affine-mcp", version: "1.4.0" });
+    const server = new McpServer({ name: "affine-mcp", version: VERSION });
     // Initialize GraphQL client with authentication
     const gql = new GraphQLClient({
         endpoint: `${config.baseUrl}${config.graphqlPath}`,
@@ -37,13 +57,23 @@ async function buildServer() {
                 console.error("Failed to authenticate with email/password:", e);
                 console.error("WARNING: Continuing without authentication - some operations may fail");
             }
+            finally {
+                // Clear credentials from memory after authentication attempt
+                config.password = undefined;
+                config.email = undefined;
+            }
         }
         else {
             console.error("No token/cookie; deferring email/password authentication (async after connect)...");
+            // Capture credentials before clearing — async login needs them.
+            const loginEmail = config.email;
+            const loginPassword = config.password;
+            config.password = undefined;
+            config.email = undefined;
             // Fire-and-forget async login so stdio handshake is not delayed.
             (async () => {
                 try {
-                    const { cookieHeader } = await loginWithPassword(config.baseUrl, config.email, config.password);
+                    const { cookieHeader } = await loginWithPassword(config.baseUrl, loginEmail, loginPassword);
                     gql.setCookie(cookieHeader);
                     console.error("Successfully authenticated with email/password (async)");
                 }
@@ -56,7 +86,7 @@ async function buildServer() {
     // Log authentication status
     if (!gql.isAuthenticated()) {
         console.error("WARNING: No authentication configured. Some operations may fail.");
-        console.error("Please provide one of: AFFINE_API_TOKEN, AFFINE_COOKIE, or AFFINE_EMAIL/AFFINE_PASSWORD");
+        console.error("Set AFFINE_API_TOKEN or run: affine-mcp login");
     }
     registerWorkspaceTools(server, gql);
     registerDocTools(server, gql, { workspaceId: config.defaultWorkspaceId });

package/dist/markdown/index.js ADDED Viewed

@@ -0,0 +1,3 @@
+export * from "./types.js";
+export * from "./parse.js";
+export * from "./render.js";