npm - apifm-admin-mcp - Versions diffs - 26.5.2 → 26.5.4 - Mend

apifm-admin-mcp 26.5.2 → 26.5.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/README.md CHANGED Viewed

@@ -8,7 +8,9 @@ It is designed for Kiro, Cursor, Claude Code, Codex, Windsurf, Trae, Qoder, and
 Secrets must not be pasted into model chat.
-This MCP exposes `apifm_admin_start_auth`, which returns a one-time localhost URL. The user enters Basic Authentication credentials, an existing `X-Token`, or username/email password login details in that local browser page. Those secrets stay in the local MCP process memory and are never part of MCP tool arguments.
+This MCP exposes `apifm_admin_start_auth`, which returns a one-time localhost URL. The user enters Basic Authentication credentials, an existing `X-Token`, username/password login details, email/password login details, email signup details, or mobile signup details in that local browser page. Those secrets stay in the local MCP process memory and are never part of MCP tool arguments.
+If an API call is attempted before authorization, `apifm_admin_call` and `apifm_admin_find_and_call` return the authorization URL directly in both visible text and structured content as `authUrl`. The agent should show that URL immediately instead of asking the user to call another tool.
 The API callers reject payloads and headers containing sensitive field names such as `pwd`, `password`, `token`, `x-token`, `authorization`, `secret`, or `key`.
@@ -51,7 +53,7 @@ If installed globally:
 ## Tools
-- `apifm_admin_start_auth`: Starts a local secure authorization page for Basic Auth, X-Token, username/password login, or email registration.
+- `apifm_admin_start_auth`: Starts a local secure authorization page. The page separates "Log in" from "Register", supports username login, email login, Basic Auth, X-Token, email registration, and mobile registration. Basic Auth fields are merchant number and merchant key. The page supports Simplified Chinese, Traditional Chinese, and English.
 - `apifm_admin_accounts`: Lists local account aliases without revealing secrets.
 - `apifm_admin_switch_account`: Switches the active account alias.
 - `apifm_admin_remove_account`: Clears an account alias and its in-memory secrets.
@@ -65,10 +67,10 @@ For real backend data, agents should call `apifm_admin_find_and_call` or `apifm_
 ## Example Agent Flow
 1. User: "Log in to my admin account and read the user list."
-2. Agent calls `apifm_admin_start_auth` with `authType: "password"`.
-3. User opens the returned local URL and enters username/email and password there.
-4. Agent calls `apifm_admin_find_and_call` with `query: "user list"` and a non-sensitive payload such as `{ "page": 1, "pageSize": 20 }`.
-5. Agent answers from the returned `apiResult`, not from method documentation.
+2. Agent calls `apifm_admin_find_and_call` with `query: "user list"` and a non-sensitive payload such as `{ "page": 1, "pageSize": 20 }`.
+3. If not authorized yet, the tool returns `authUrl` immediately. The user opens that URL and chooses a login method or a registration method.
+4. User completes authorization in the local browser page.
+5. Agent retries the same API call and answers from the returned `apiResult`, not from method documentation.
 ## Local Check

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "apifm-admin-mcp",
-  "version": "26.5.2",
+  "version": "26.5.4",
   "description": "MCP server for safely operating APIFM admin APIs through the apifm-admin SDK.",
   "type": "module",
   "bin": {

package/src/browser-auth.js CHANGED Viewed

@@ -6,7 +6,246 @@ import { getSdk, resetSdkConfig } from './sdk.js'
 const pendingSessions = new Map()
-export async function createAuthSession({ authType, alias = '', domains = {}, port = 0 }) {
+const AUTH_TYPES = new Set([
+  'all',
+  'basic',
+  'x-token',
+  'username-password',
+  'email-password',
+  'register-email',
+  'register-mobile'
+])
+const OPTIONAL_FIELDS = new Set([
+  'alias',
+  'pdomain',
+  'imgcode',
+  'k',
+  'registerName',
+  'registerType',
+  'referrer',
+  'agentKey',
+  'mailCode',
+  'smsCode',
+  'smsImgCode',
+  'smsK'
+])
+const I18N = {
+  'zh-CN': {
+    brand: 'APIFM Admin MCP',
+    title: '安全连接 APIFM 后台',
+    lead: '在本机页面完成授权，密钥只保存在当前 MCP 进程内存，不会进入聊天上下文。',
+    trustLocal: '本地 127.0.0.1 页面提交',
+    trustMemory: '凭证仅在内存中保存',
+    trustSwitch: '支持多个后台账号切换',
+    footer: '授权完成后回到 Agent，重新执行刚才的后台操作。',
+    formTitle: '授权方式',
+    expires: '页面过期时间',
+    alias: '账号别名',
+    aliasPh: 'default-admin',
+    tabLogin: '登录现有账号',
+    tabRegister: '注册新账号',
+    methodUsername: '用户名登录',
+    methodUsernameSub: '用户名 + 密码',
+    methodEmail: '邮箱登录',
+    methodEmailSub: '邮箱 + 密码',
+    methodBasic: 'Basic Auth',
+    methodBasicSub: '商户号 + 商户秘钥',
+    methodToken: 'X-Token',
+    methodTokenSub: '直接使用令牌',
+    methodRegisterEmail: '邮箱注册',
+    methodRegisterEmailSub: '邮箱验证码',
+    methodRegisterMobile: '手机号注册',
+    methodRegisterMobileSub: '短信验证码',
+    usernameHint: '使用后台用户名和密码登录，MCP 会通过 SDK 换取 X-Token。',
+    emailHint: '使用后台邮箱和密码登录，MCP 会通过 SDK 换取 X-Token。',
+    basicHint: '填写 Basic Authentication 信息，将作为 Authorization 请求头调用后台接口。',
+    tokenHint: '直接填写管理员登录后的 X-Token，用于后续所有后台接口调用。',
+    registerEmailHint: '使用邮箱注册开通新后台账号，提交成功后 MCP 会尝试自动登录。',
+    registerMobileHint: '使用手机号注册开通新后台账号，提交成功后 MCP 会尝试自动登录。',
+    username: '用户名',
+    usernamePh: '请输入后台用户名',
+    password: '密码',
+    passwordPh: '请输入登录密码',
+    pdomain: '专属域名，可选',
+    pdomainPh: '例如 yourdomain',
+    imgcode: '图形验证码，可选',
+    imgcodePh: '请输入图形验证码',
+    k: '验证码随机数，可选',
+    kPh: '请输入验证码随机数',
+    email: '邮箱地址',
+    emailPh: 'name@example.com',
+    mobile: '手机号码',
+    mobilePh: '请输入手机号码',
+    merchantNo: '商户号',
+    merchantNoPh: '请输入商户号',
+    merchantKey: '商户秘钥',
+    merchantKeyPh: '请输入商户秘钥',
+    xToken: 'X-Token',
+    xTokenPh: '粘贴管理员 X-Token',
+    registerPassword: '登录密码',
+    registerPasswordPh: '设置登录密码',
+    name: '姓名或昵称',
+    namePh: '可选',
+    mailCode: '邮箱验证码',
+    mailCodePh: '请输入邮箱验证码',
+    smsCode: '短信验证码',
+    smsCodePh: '请输入短信验证码',
+    type: '注册类型，可选',
+    typePh: '不填默认为 apifm',
+    referrer: '推荐人用户ID，可选',
+    referrerPh: '请输入推荐人用户ID',
+    agentKey: 'Agent Key，可选',
+    agentKeyPh: '请输入 agentKey',
+    submit: '完成授权',
+    security: '请不要把密码、Token 或 Basic Authentication 内容粘贴到聊天窗口。',
+    closeNote: '提交成功后可以关闭本页面。'
+  },
+  'zh-TW': {
+    brand: 'APIFM Admin MCP',
+    title: '安全連接 APIFM 後台',
+    lead: '在本機頁面完成授權，密鑰只保存在目前 MCP 程序記憶體，不會進入聊天上下文。',
+    trustLocal: '本地 127.0.0.1 頁面提交',
+    trustMemory: '憑證僅在記憶體中保存',
+    trustSwitch: '支援多個後台帳號切換',
+    footer: '授權完成後回到 Agent，重新執行剛才的後台操作。',
+    formTitle: '授權方式',
+    expires: '頁面過期時間',
+    alias: '帳號別名',
+    aliasPh: 'default-admin',
+    tabLogin: '登入現有帳號',
+    tabRegister: '註冊新帳號',
+    methodUsername: '使用者名稱登入',
+    methodUsernameSub: '使用者名稱 + 密碼',
+    methodEmail: '郵箱登入',
+    methodEmailSub: '郵箱 + 密碼',
+    methodBasic: 'Basic Auth',
+    methodBasicSub: '商戶號 + 商戶秘鑰',
+    methodToken: 'X-Token',
+    methodTokenSub: '直接使用令牌',
+    methodRegisterEmail: '郵箱註冊',
+    methodRegisterEmailSub: '郵箱驗證碼',
+    methodRegisterMobile: '手機號註冊',
+    methodRegisterMobileSub: '簡訊驗證碼',
+    usernameHint: '使用後台使用者名稱和密碼登入，MCP 會透過 SDK 換取 X-Token。',
+    emailHint: '使用後台郵箱和密碼登入，MCP 會透過 SDK 換取 X-Token。',
+    basicHint: '填寫 Basic Authentication 資訊，將作為 Authorization 請求頭呼叫後台介面。',
+    tokenHint: '直接填寫管理員登入後的 X-Token，用於後續所有後台介面呼叫。',
+    registerEmailHint: '使用郵箱註冊開通新後台帳號，提交成功後 MCP 會嘗試自動登入。',
+    registerMobileHint: '使用手機號註冊開通新後台帳號，提交成功後 MCP 會嘗試自動登入。',
+    username: '使用者名稱',
+    usernamePh: '請輸入後台使用者名稱',
+    password: '密碼',
+    passwordPh: '請輸入登入密碼',
+    pdomain: '專屬網域，可選',
+    pdomainPh: '例如 yourdomain',
+    imgcode: '圖形驗證碼，可選',
+    imgcodePh: '請輸入圖形驗證碼',
+    k: '驗證碼隨機數，可選',
+    kPh: '請輸入驗證碼隨機數',
+    email: '郵箱地址',
+    emailPh: 'name@example.com',
+    mobile: '手機號碼',
+    mobilePh: '請輸入手機號碼',
+    merchantNo: '商戶號',
+    merchantNoPh: '請輸入商戶號',
+    merchantKey: '商戶秘鑰',
+    merchantKeyPh: '請輸入商戶秘鑰',
+    xToken: 'X-Token',
+    xTokenPh: '貼上管理員 X-Token',
+    registerPassword: '登入密碼',
+    registerPasswordPh: '設定登入密碼',
+    name: '姓名或暱稱',
+    namePh: '可選',
+    mailCode: '郵箱驗證碼',
+    mailCodePh: '請輸入郵箱驗證碼',
+    smsCode: '簡訊驗證碼',
+    smsCodePh: '請輸入簡訊驗證碼',
+    type: '註冊類型，可選',
+    typePh: '不填預設為 apifm',
+    referrer: '推薦人使用者ID，可選',
+    referrerPh: '請輸入推薦人使用者ID',
+    agentKey: 'Agent Key，可選',
+    agentKeyPh: '請輸入 agentKey',
+    submit: '完成授權',
+    security: '請不要把密碼、Token 或 Basic Authentication 內容貼到聊天視窗。',
+    closeNote: '提交成功後可以關閉本頁面。'
+  },
+  en: {
+    brand: 'APIFM Admin MCP',
+    title: 'Connect APIFM admin safely',
+    lead: 'Authorize on this local page. Secrets stay in this MCP process memory and never enter the chat transcript.',
+    trustLocal: 'Submitted to local 127.0.0.1 only',
+    trustMemory: 'Credentials are memory-only',
+    trustSwitch: 'Multiple admin accounts supported',
+    footer: 'After authorization, return to the agent and run the backend action again.',
+    formTitle: 'Authorization method',
+    expires: 'Page expires at',
+    alias: 'Account alias',
+    aliasPh: 'default-admin',
+    tabLogin: 'Log in',
+    tabRegister: 'Register',
+    methodUsername: 'Username login',
+    methodUsernameSub: 'Username + password',
+    methodEmail: 'Email login',
+    methodEmailSub: 'Email + password',
+    methodBasic: 'Basic Auth',
+    methodBasicSub: 'Merchant no. + key',
+    methodToken: 'X-Token',
+    methodTokenSub: 'Use an existing token',
+    methodRegisterEmail: 'Email signup',
+    methodRegisterEmailSub: 'Email code',
+    methodRegisterMobile: 'Mobile signup',
+    methodRegisterMobileSub: 'SMS code',
+    usernameHint: 'Log in with an admin username and password. The MCP will exchange them for an X-Token through the SDK.',
+    emailHint: 'Log in with an admin email and password. The MCP will exchange them for an X-Token through the SDK.',
+    basicHint: 'Enter Basic Authentication credentials. They will be sent as the Authorization header for API calls.',
+    tokenHint: 'Enter an existing admin X-Token for later backend API calls.',
+    registerEmailHint: 'Create a new admin account by email. After signup, the MCP will try to log in automatically.',
+    registerMobileHint: 'Create a new admin account by mobile. After signup, the MCP will try to log in automatically.',
+    username: 'Username',
+    usernamePh: 'Enter admin username',
+    password: 'Password',
+    passwordPh: 'Enter login password',
+    pdomain: 'Private domain, optional',
+    pdomainPh: 'Example: yourdomain',
+    imgcode: 'Image code, optional',
+    imgcodePh: 'Enter image code',
+    k: 'Captcha nonce, optional',
+    kPh: 'Enter captcha nonce',
+    email: 'Email address',
+    emailPh: 'name@example.com',
+    mobile: 'Mobile number',
+    mobilePh: 'Enter mobile number',
+    merchantNo: 'Merchant number',
+    merchantNoPh: 'Enter merchant number',
+    merchantKey: 'Merchant key',
+    merchantKeyPh: 'Enter merchant key',
+    xToken: 'X-Token',
+    xTokenPh: 'Paste admin X-Token',
+    registerPassword: 'Login password',
+    registerPasswordPh: 'Set login password',
+    name: 'Name or nickname',
+    namePh: 'Optional',
+    mailCode: 'Email verification code',
+    mailCodePh: 'Enter email code',
+    smsCode: 'SMS verification code',
+    smsCodePh: 'Enter SMS code',
+    type: 'Signup type, optional',
+    typePh: 'Defaults to apifm',
+    referrer: 'Referrer user ID, optional',
+    referrerPh: 'Enter referrer user ID',
+    agentKey: 'Agent Key, optional',
+    agentKeyPh: 'Enter agentKey',
+    submit: 'Authorize account',
+    security: 'Do not paste passwords, tokens, or Basic Authentication values into the chat window.',
+    closeNote: 'You can close this page after authorization succeeds.'
+  }
+}
+export async function createAuthSession({ authType = 'all', alias = '', domains = {}, port = 0 }) {
+  const initialAuthType = normalizeAuthType(authType)
   const sessionId = crypto.randomUUID()
   const createdAt = Date.now()
   const expiresAt = createdAt + 10 * 60 * 1000
@@ -21,7 +260,7 @@ export async function createAuthSession({ authType, alias = '', domains = {}, po
       }
       if (req.method === 'GET') {
-        sendHtml(res, renderForm({ authType, alias, sessionId, expiresAt }))
+        sendHtml(res, renderForm({ authType: initialAuthType, alias, expiresAt }))
         return
       }
@@ -31,7 +270,7 @@ export async function createAuthSession({ authType, alias = '', domains = {}, po
       }
       const fields = await readForm(req)
-      const account = await finishAuth({ authType, alias, domains, fields })
+      const account = await finishAuth({ authType: fields.authType || initialAuthType, alias, domains, fields })
       pendingSessions.delete(sessionId)
       sendHtml(res, renderSuccess(account))
       setTimeout(() => server.close(), 250)
@@ -46,7 +285,7 @@ export async function createAuthSession({ authType, alias = '', domains = {}, po
   const address = server.address()
   const url = `http://127.0.0.1:${address.port}/${sessionId}`
-  pendingSessions.set(sessionId, { server, authType, alias, createdAt, expiresAt })
+  pendingSessions.set(sessionId, { server, authType: initialAuthType, alias, createdAt, expiresAt })
   setTimeout(() => {
     const pending = pendingSessions.get(sessionId)
     if (pending) {
@@ -58,6 +297,7 @@ export async function createAuthSession({ authType, alias = '', domains = {}, po
   return {
     url,
     sessionId,
+    authType: initialAuthType,
     expiresAt: new Date(expiresAt).toISOString(),
     message:
       'Open this local URL in a browser and enter credentials there. Do not paste secrets into the chat.'
@@ -65,80 +305,77 @@ export async function createAuthSession({ authType, alias = '', domains = {}, po
 }
 async function finishAuth({ authType, alias, domains, fields }) {
-  if (authType === 'basic') {
-    const username = required(fields.username, 'username')
-    const password = required(fields.password, 'password')
+  const selectedAuthType = normalizeAuthType(authType)
+  if (selectedAuthType === 'basic') {
+    const merchantNo = required(fields.basicUsername, 'merchant number')
+    const merchantKey = required(fields.basicPassword, 'merchant key')
     return upsertAccount({
       alias: fields.alias || alias,
-      authType,
-      basicAuth: `Basic ${Buffer.from(`${username}:${password}`).toString('base64')}`,
+      authType: 'basic',
+      basicAuth: `Basic ${Buffer.from(`${merchantNo}:${merchantKey}`).toString('base64')}`,
       domains
     })
   }
-  if (authType === 'x-token') {
+  if (selectedAuthType === 'x-token') {
     return upsertAccount({
       alias: fields.alias || alias,
-      authType,
-      token: required(fields.token, 'X-Token'),
+      authType: selectedAuthType,
+      token: required(fields.xToken, 'X-Token'),
       domains
     })
   }
-  if (authType === 'password') {
-    const loginMode = fields.loginMode === 'email' ? 'email' : 'username'
-    const loginPayload =
-      loginMode === 'email'
-        ? {
-            email: required(fields.email, 'email'),
-            pwd: required(fields.password, 'password'),
-            rememberMe: true
-          }
-        : {
-            userName: required(fields.username, 'username'),
-            pwd: required(fields.password, 'password'),
-            rememberMe: true,
-            pdomain: fields.pdomain || undefined
-          }
-    const sdk = getSdk()
-    resetSdkConfig()
-    if (domains && Object.keys(domains).length) {
-      sdk.setDomains(domains)
-    }
-    const methodName = loginMode === 'email' ? 'loginAdminEmail' : 'loginAdminUserName'
-    if (typeof sdk[methodName] !== 'function') {
-      throw new Error(`apifm-admin does not expose ${methodName}`)
-    }
-    const result = await sdk[methodName](loginPayload)
-    const token = extractToken(result)
-    if (!token) {
-      throw new Error('Login succeeded but no X-Token was found in the SDK response.')
-    }
+  if (selectedAuthType === 'username-password' || selectedAuthType === 'email-password') {
+    const token = await loginAndExtractToken({ authType: selectedAuthType, domains, fields })
     return upsertAccount({
       alias: fields.alias || alias,
-      authType,
+      authType: selectedAuthType,
       token,
       domains
     })
   }
-  if (authType === 'register-email') {
-    const sdk = getSdk()
-    resetSdkConfig()
-    if (domains && Object.keys(domains).length) {
-      sdk.setDomains(domains)
-    }
-    const result = await sdk.registerAdminSaveEmail({
-      email: required(fields.email, 'email'),
-      pwd: required(fields.password, 'password'),
-      name: fields.name || undefined,
-      mailCode: fields.mailCode || fields.code || undefined
+  if (selectedAuthType === 'register-email') {
+    await callSdkMethod({
+      methodName: 'registerAdminSaveEmail',
+      domains,
+      payload: {
+        email: required(fields.registerEmail, 'email'),
+        pwd: required(fields.registerPassword, 'password'),
+        name: fields.registerName || undefined,
+        mailCode: fields.mailCode || undefined,
+        referrer: fields.referrer || undefined
+      }
+    })
+    const token = await loginAndExtractToken({ authType: 'email-password', domains, fields })
+    return upsertAccount({
+      alias: fields.alias || alias,
+      authType: selectedAuthType,
+      token,
+      domains
+    })
+  }
+  if (selectedAuthType === 'register-mobile') {
+    await callSdkMethod({
+      methodName: 'registerAdminSave',
+      domains,
+      payload: {
+        type: fields.registerType || undefined,
+        mobile: required(fields.registerMobile, 'mobile'),
+        pwd: required(fields.registerPassword, 'password'),
+        name: fields.registerName || undefined,
+        smsCode: fields.smsCode || undefined,
+        referrer: fields.referrer || undefined,
+        agentKey: fields.agentKey || undefined
+      }
     })
-    const token = extractToken(result)
+    const token = await loginAndExtractToken({ authType: 'mobile-password', domains, fields })
     return upsertAccount({
       alias: fields.alias || alias,
-      authType,
+      authType: selectedAuthType,
       token,
       domains
     })
@@ -147,18 +384,141 @@ async function finishAuth({ authType, alias, domains, fields }) {
   throw new Error(`Unsupported auth type: ${authType}`)
 }
+async function loginAndExtractToken({ authType, domains, fields }) {
+  const loginConfig = {
+    'username-password': {
+      methodName: 'loginAdminUserName',
+      payload: {
+        userName: required(fields.loginUsername, 'username'),
+        pwd: required(fields.loginPassword, 'password'),
+        rememberMe: true,
+        pdomain: fields.pdomain || undefined,
+        imgcode: fields.imgcode || undefined,
+        k: fields.k || undefined
+      }
+    },
+    'email-password': {
+      methodName: 'loginAdminEmail',
+      payload: {
+        email: required(fields.loginEmail || fields.registerEmail, 'email'),
+        pwd: required(fields.loginPassword || fields.registerPassword, 'password'),
+        rememberMe: true,
+        imgcode: fields.imgcode || undefined,
+        k: fields.k || undefined
+      }
+    },
+    'mobile-password': {
+      methodName: 'loginAdminMobile',
+      payload: {
+        mobile: required(fields.registerMobile, 'mobile'),
+        pwd: required(fields.registerPassword, 'password'),
+        rememberMe: true,
+        imgcode: fields.smsImgCode || fields.imgcode || undefined,
+        k: fields.smsK || fields.k || undefined
+      }
+    }
+  }[authType]
+  const result = await callSdkMethod({
+    methodName: loginConfig.methodName,
+    domains,
+    payload: loginConfig.payload
+  })
+  const token = extractToken(result)
+  if (!token) {
+    throw new Error(
+      `${loginConfig.methodName} did not return an X-Token. Response shape was: ${JSON.stringify(maskResponseForError(result)).slice(0, 600)}`
+    )
+  }
+  return token
+}
+async function callSdkMethod({ methodName, domains, payload }) {
+  const sdk = getSdk()
+  resetSdkConfig()
+  if (domains && Object.keys(domains).length) {
+    sdk.setDomains(domains)
+  }
+  if (typeof sdk[methodName] !== 'function') {
+    throw new Error(`apifm-admin does not expose ${methodName}`)
+  }
+  return sdk[methodName](compactObject(payload))
+}
+function compactObject(input) {
+  return Object.fromEntries(Object.entries(input).filter(([, value]) => value !== undefined && value !== ''))
+}
+function normalizeAuthType(authType) {
+  if (authType === 'password') return 'username-password'
+  if (AUTH_TYPES.has(authType)) return authType
+  return 'all'
+}
 function extractToken(response) {
-  const candidates = [
-    response?.data?.token,
-    response?.data?.xToken,
-    response?.data?.xtoken,
-    response?.data?.x_token,
-    response?.data?.['x-token'],
-    response?.token,
-    response?.xToken,
-    response?.xtoken
+  const directPaths = [
+    ['data', 'token'],
+    ['data', 'xToken'],
+    ['data', 'xtoken'],
+    ['data', 'x_token'],
+    ['data', 'x-token'],
+    ['data', 'X-Token'],
+    ['data', 'loginToken'],
+    ['data', 'adminToken'],
+    ['token'],
+    ['xToken'],
+    ['xtoken'],
+    ['x_token'],
+    ['x-token'],
+    ['X-Token']
   ]
-  return candidates.find((item) => typeof item === 'string' && item.trim()) || ''
+  for (const path of directPaths) {
+    const value = getPath(response, path)
+    if (typeof value === 'string' && value.trim()) return value.trim()
+  }
+  const found = findTokenDeep(response)
+  return found || ''
+}
+function getPath(value, path) {
+  return path.reduce((current, key) => (current && typeof current === 'object' ? current[key] : undefined), value)
+}
+function findTokenDeep(value, depth = 0) {
+  if (!value || typeof value !== 'object' || depth > 5) return ''
+  if (Array.isArray(value)) {
+    for (const item of value) {
+      const found = findTokenDeep(item, depth + 1)
+      if (found) return found
+    }
+    return ''
+  }
+  for (const [key, child] of Object.entries(value)) {
+    const compactKey = key.toLowerCase().replace(/[^a-z0-9]/g, '')
+    if (
+      typeof child === 'string' &&
+      child.trim() &&
+      ['token', 'xtoken', 'xToken', 'xstoken', 'admintoken', 'logintoken'].map((item) => item.toLowerCase()).includes(compactKey)
+    ) {
+      return child.trim()
+    }
+    const found = findTokenDeep(child, depth + 1)
+    if (found) return found
+  }
+  return ''
+}
+function maskResponseForError(value) {
+  if (!value || typeof value !== 'object') return value
+  if (Array.isArray(value)) return value.map(maskResponseForError)
+  return Object.fromEntries(
+    Object.entries(value).map(([key, child]) => [
+      key,
+      /token|password|pwd|secret|key/i.test(key) ? '[REDACTED]' : maskResponseForError(child)
+    ])
+  )
 }
 function required(value, label) {
@@ -203,7 +563,8 @@ function escapeHtml(value) {
 }
 function renderForm({ authType, alias, expiresAt }) {
-  const fields = renderFields(authType)
+  const initialType = authType === 'all' ? 'username-password' : authType
+  const initialGroup = initialType.startsWith('register-') ? 'register' : 'login'
   return `<!doctype html>
 <html lang="zh-CN">
 <head>
@@ -211,79 +572,414 @@ function renderForm({ authType, alias, expiresAt }) {
   <meta name="viewport" content="width=device-width, initial-scale=1">
   <title>APIFM Admin MCP Authorization</title>
   <style>
-    body { margin: 0; font: 15px/1.5 system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif; background: #f7f7f4; color: #202124; }
-    main { max-width: 560px; margin: 8vh auto; padding: 32px; background: #fff; border: 1px solid #deded8; border-radius: 8px; }
-    h1 { margin: 0 0 8px; font-size: 22px; }
-    p { margin: 0 0 20px; color: #5f6368; }
-    label { display: block; margin: 14px 0 6px; font-weight: 650; }
-    input, select { width: 100%; box-sizing: border-box; padding: 11px 12px; border: 1px solid #c7c7c0; border-radius: 6px; font: inherit; }
-    button { margin-top: 22px; width: 100%; padding: 12px 14px; border: 0; border-radius: 6px; background: #1f6feb; color: white; font: inherit; font-weight: 700; cursor: pointer; }
-    .note { margin-top: 18px; font-size: 13px; color: #6a6f75; }
+    :root {
+      color-scheme: light;
+      --bg: oklch(0.965 0.006 250);
+      --surface: oklch(1 0 0);
+      --surface-2: oklch(0.982 0.006 250);
+      --ink: oklch(0.215 0.028 255);
+      --muted: oklch(0.43 0.028 255);
+      --line: oklch(0.875 0.013 250);
+      --accent: oklch(0.56 0.19 255);
+      --accent-ink: oklch(1 0 0);
+      --accent-soft: oklch(0.94 0.035 255);
+      --success: oklch(0.58 0.15 155);
+    }
+    * { box-sizing: border-box; }
+    body {
+      margin: 0;
+      min-height: 100vh;
+      font: 15px/1.5 system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif;
+      background:
+        radial-gradient(circle at top left, oklch(0.9 0.06 255), transparent 34rem),
+        linear-gradient(135deg, var(--bg), oklch(0.955 0.011 230));
+      color: var(--ink);
+    }
+    .shell {
+      width: min(1120px, calc(100vw - 32px));
+      min-height: 100vh;
+      margin: 0 auto;
+      display: grid;
+      place-items: center;
+      padding: 28px 0;
+    }
+    .panel {
+      width: 100%;
+      display: grid;
+      grid-template-columns: minmax(280px, 0.78fr) minmax(340px, 1.22fr);
+      background: var(--surface);
+      border: 1px solid var(--line);
+      border-radius: 16px;
+      overflow: hidden;
+      box-shadow: 0 8px 28px oklch(0.25 0.02 255 / 0.12);
+    }
+    .aside {
+      padding: 34px;
+      background: linear-gradient(180deg, oklch(0.26 0.07 255), oklch(0.19 0.04 255));
+      color: white;
+      display: flex;
+      flex-direction: column;
+      justify-content: space-between;
+      gap: 32px;
+    }
+    .brand { display: flex; align-items: center; gap: 12px; font-weight: 760; }
+    .mark {
+      width: 38px;
+      height: 38px;
+      display: grid;
+      place-items: center;
+      border-radius: 10px;
+      background: oklch(0.74 0.16 210);
+      color: oklch(0.18 0.04 255);
+      font-weight: 850;
+    }
+    h1 { margin: 28px 0 12px; font-size: 2rem; line-height: 1.12; text-wrap: balance; letter-spacing: 0; }
+    .lead { margin: 0; color: oklch(0.88 0.018 250); max-width: 48ch; }
+    .trust { display: grid; gap: 10px; margin: 28px 0 0; padding: 0; list-style: none; }
+    .trust li { display: flex; gap: 10px; align-items: flex-start; color: oklch(0.91 0.015 250); }
+    .dot { width: 8px; height: 8px; margin-top: 7px; border-radius: 999px; background: oklch(0.78 0.16 155); flex: 0 0 auto; }
+    .content { padding: 30px; }
+    .topbar { display: flex; justify-content: space-between; align-items: center; gap: 16px; margin-bottom: 20px; }
+    .meta { color: var(--muted); font-size: 0.92rem; }
+    .lang, .tabs {
+      display: inline-grid;
+      grid-auto-flow: column;
+      gap: 4px;
+      padding: 4px;
+      background: var(--surface-2);
+      border: 1px solid var(--line);
+      border-radius: 999px;
+    }
+    .lang button, .tabs button, .method button {
+      appearance: none;
+      border: 0;
+      font: inherit;
+      cursor: pointer;
+    }
+    .lang button, .tabs button { padding: 7px 12px; border-radius: 999px; color: var(--muted); background: transparent; }
+    .lang button[aria-pressed="true"], .tabs button[aria-pressed="true"] { background: var(--ink); color: white; }
+    .tabs { margin-bottom: 14px; }
+    .method {
+      display: grid;
+      grid-template-columns: repeat(4, minmax(0, 1fr));
+      gap: 8px;
+      margin-bottom: 22px;
+    }
+    .method[data-group="register"] { grid-template-columns: repeat(2, minmax(0, 1fr)); }
+    .method button {
+      min-height: 62px;
+      padding: 10px;
+      border: 1px solid var(--line);
+      border-radius: 10px;
+      background: var(--surface-2);
+      color: var(--ink);
+      text-align: left;
+      transition: border-color 160ms ease, background 160ms ease, transform 160ms ease;
+    }
+    .method button:hover { border-color: oklch(0.72 0.04 255); transform: translateY(-1px); }
+    .method button[aria-pressed="true"] { border-color: var(--accent); background: var(--accent-soft); }
+    .method strong { display: block; font-size: 0.92rem; line-height: 1.2; }
+    .method span { display: block; margin-top: 4px; color: var(--muted); font-size: 0.78rem; line-height: 1.25; }
+    form { display: grid; gap: 18px; }
+    .grid { display: grid; grid-template-columns: repeat(2, minmax(0, 1fr)); gap: 14px; }
+    .field { display: grid; gap: 7px; }
+    label { color: var(--ink); font-weight: 660; }
+    input {
+      width: 100%;
+      min-height: 44px;
+      padding: 10px 12px;
+      border: 1px solid var(--line);
+      border-radius: 8px;
+      background: white;
+      color: var(--ink);
+      font: inherit;
+      outline: none;
+      transition: border-color 160ms ease, box-shadow 160ms ease;
+    }
+    input::placeholder { color: oklch(0.48 0.025 255); }
+    input:focus { border-color: var(--accent); box-shadow: 0 0 0 3px oklch(0.62 0.16 255 / 0.18); }
+    .section {
+      display: none;
+      padding: 18px;
+      border: 1px solid var(--line);
+      border-radius: 12px;
+      background: var(--surface-2);
+    }
+    .section.active { display: block; }
+    .section-head { margin: 0 0 14px; color: var(--muted); }
+    .submit {
+      min-height: 46px;
+      border: 0;
+      border-radius: 8px;
+      background: var(--accent);
+      color: var(--accent-ink);
+      font: inherit;
+      font-weight: 760;
+      cursor: pointer;
+      transition: transform 160ms ease, filter 160ms ease;
+    }
+    .submit:hover { filter: brightness(1.03); transform: translateY(-1px); }
+    .note { margin: 12px 0 0; color: var(--muted); font-size: 0.9rem; }
+    .security {
+      margin-top: 20px;
+      padding: 12px 14px;
+      border-radius: 10px;
+      background: oklch(0.96 0.025 155);
+      color: oklch(0.31 0.07 155);
+      font-size: 0.9rem;
+    }
+    [hidden] { display: none !important; }
+    @media (max-width: 900px) {
+      .panel { grid-template-columns: 1fr; }
+      .aside { padding: 26px; }
+      .method { grid-template-columns: repeat(2, minmax(0, 1fr)); }
+      .grid { grid-template-columns: 1fr; }
+    }
+    @media (max-width: 520px) {
+      .shell { width: min(100vw - 20px, 1120px); padding: 10px 0; }
+      .content { padding: 20px; }
+      .topbar { align-items: flex-start; flex-direction: column; }
+      .method, .method[data-group="register"] { grid-template-columns: 1fr; }
+      h1 { font-size: 1.55rem; }
+    }
+    @media (prefers-reduced-motion: reduce) {
+      *, *::before, *::after { transition-duration: 0.01ms !important; animation-duration: 0.01ms !important; }
+    }
   </style>
 </head>
 <body>
-<main>
-  <h1>APIFM Admin MCP Authorization</h1>
-  <p>Secrets entered here stay inside this local MCP process memory and are not sent through the chat transcript.</p>
-  <form method="post" autocomplete="off">
-    <label for="alias">Account alias</label>
-    <input id="alias" name="alias" value="${escapeHtml(alias)}" placeholder="default-admin">
-    ${fields}
-    <button type="submit">Authorize</button>
-  </form>
-  <p class="note">This local page expires at ${escapeHtml(new Date(expiresAt).toLocaleString())}. Close it after authorization.</p>
+<main class="shell">
+  <section class="panel" aria-labelledby="title">
+    <aside class="aside">
+      <div>
+        <div class="brand"><span class="mark">A</span><span data-i18n="brand"></span></div>
+        <h1 id="title" data-i18n="title"></h1>
+        <p class="lead" data-i18n="lead"></p>
+        <ul class="trust">
+          <li><span class="dot"></span><span data-i18n="trustLocal"></span></li>
+          <li><span class="dot"></span><span data-i18n="trustMemory"></span></li>
+          <li><span class="dot"></span><span data-i18n="trustSwitch"></span></li>
+        </ul>
+      </div>
+      <p class="lead" data-i18n="footer"></p>
+    </aside>
+    <div class="content">
+      <div class="topbar">
+        <div>
+          <strong data-i18n="formTitle"></strong>
+          <div class="meta"><span data-i18n="expires"></span>: ${escapeHtml(new Date(expiresAt).toLocaleString())}</div>
+        </div>
+        <div class="lang" aria-label="Language">
+          <button type="button" data-lang="zh-CN" aria-pressed="true">简</button>
+          <button type="button" data-lang="zh-TW" aria-pressed="false">繁</button>
+          <button type="button" data-lang="en" aria-pressed="false">EN</button>
+        </div>
+      </div>
+      <div class="tabs" role="tablist" aria-label="Account mode">
+        <button type="button" data-group-tab="login" aria-pressed="${initialGroup === 'login'}" data-i18n="tabLogin"></button>
+        <button type="button" data-group-tab="register" aria-pressed="${initialGroup === 'register'}" data-i18n="tabRegister"></button>
+      </div>
+      <div class="method" data-group="login">
+        ${renderMethodButton('username-password', initialType)}
+        ${renderMethodButton('email-password', initialType)}
+        ${renderMethodButton('basic', initialType)}
+        ${renderMethodButton('x-token', initialType)}
+      </div>
+      <div class="method" data-group="register" hidden>
+        ${renderMethodButton('register-email', initialType)}
+        ${renderMethodButton('register-mobile', initialType)}
+      </div>
+      <form method="post" autocomplete="off" id="authForm">
+        <input type="hidden" id="authType" name="authType" value="${escapeHtml(initialType)}">
+        <div class="field">
+          <label for="alias" data-i18n="alias"></label>
+          <input id="alias" name="alias" value="${escapeHtml(alias)}" data-i18n-placeholder="aliasPh">
+        </div>
+        ${renderSections()}
+        <button class="submit" type="submit" data-i18n="submit"></button>
+      </form>
+      <div class="security" data-i18n="security"></div>
+      <p class="note" data-i18n="closeNote"></p>
+    </div>
+  </section>
 </main>
-</body>
-</html>`
-}
+<script>
+  const messages = ${JSON.stringify(I18N)}
+  const initialType = ${JSON.stringify(initialType)}
+  const methodGroups = {
+    'username-password': 'login',
+    'email-password': 'login',
+    basic: 'login',
+    'x-token': 'login',
+    'register-email': 'register',
+    'register-mobile': 'register'
+  }
+  const optionalFields = new Set(${JSON.stringify([...OPTIONAL_FIELDS])})
+  let activeLang = localStorage.getItem('apifm-auth-lang') || 'zh-CN'
+  const authTypeInput = document.querySelector('#authType')
+  const sections = [...document.querySelectorAll('[data-section]')]
+  const methodButtons = [...document.querySelectorAll('[data-method]')]
+  const groupTabs = [...document.querySelectorAll('[data-group-tab]')]
+  const methodGroupsEl = [...document.querySelectorAll('.method[data-group]')]
+  const langButtons = [...document.querySelectorAll('[data-lang]')]
-function renderFields(authType) {
-  if (authType === 'basic') {
-    return `
-      <label for="username">Basic username</label>
-      <input id="username" name="username" required>
-      <label for="password">Basic password</label>
-      <input id="password" name="password" type="password" required>`
+  function t(key) {
+    return messages[activeLang][key] || messages['zh-CN'][key] || key
   }
-  if (authType === 'x-token') {
-    return `
-      <label for="token">X-Token</label>
-      <input id="token" name="token" type="password" required>`
+  function setLang(lang) {
+    activeLang = messages[lang] ? lang : 'zh-CN'
+    localStorage.setItem('apifm-auth-lang', activeLang)
+    document.documentElement.lang = activeLang
+    document.querySelectorAll('[data-i18n]').forEach((node) => {
+      node.textContent = t(node.dataset.i18n)
+    })
+    document.querySelectorAll('[data-i18n-placeholder]').forEach((node) => {
+      node.placeholder = t(node.dataset.i18nPlaceholder)
+    })
+    langButtons.forEach((button) => {
+      button.setAttribute('aria-pressed', String(button.dataset.lang === activeLang))
+    })
   }
-  if (authType === 'password') {
-    return `
-      <label for="loginMode">Login mode</label>
-      <select id="loginMode" name="loginMode">
-        <option value="username">Username and password</option>
-        <option value="email">Email and password</option>
-      </select>
-      <label for="username">Username</label>
-      <input id="username" name="username">
-      <label for="email">Email</label>
-      <input id="email" name="email" type="email">
-      <label for="password">Password</label>
-      <input id="password" name="password" type="password" required>
-      <label for="pdomain">Private domain (optional)</label>
-      <input id="pdomain" name="pdomain">`
+  function setGroup(group) {
+    groupTabs.forEach((button) => button.setAttribute('aria-pressed', String(button.dataset.groupTab === group)))
+    methodGroupsEl.forEach((node) => {
+      node.hidden = node.dataset.group !== group
+    })
+    const currentMethod = authTypeInput.value
+    if (methodGroups[currentMethod] !== group) {
+      const firstMethod = methodButtons.find((button) => methodGroups[button.dataset.method] === group)?.dataset.method
+      setMethod(firstMethod)
+    }
   }
-  if (authType === 'register-email') {
-    return `
-      <label for="email">Email</label>
-      <input id="email" name="email" type="email" required>
-      <label for="password">Password</label>
-      <input id="password" name="password" type="password" required>
-      <label for="name">Name</label>
-      <input id="name" name="name">
-      <label for="mailCode">Email verification code</label>
-      <input id="mailCode" name="mailCode">`
+  function setMethod(method) {
+    if (!method) return
+    authTypeInput.value = method
+    const group = methodGroups[method]
+    groupTabs.forEach((button) => button.setAttribute('aria-pressed', String(button.dataset.groupTab === group)))
+    methodGroupsEl.forEach((node) => {
+      node.hidden = node.dataset.group !== group
+    })
+    sections.forEach((section) => {
+      const active = section.dataset.section === method
+      section.classList.toggle('active', active)
+      section.querySelectorAll('input').forEach((input) => {
+        input.disabled = !active
+        input.required = active && !optionalFields.has(input.name)
+      })
+    })
+    methodButtons.forEach((button) => {
+      button.setAttribute('aria-pressed', String(button.dataset.method === method))
+    })
   }
-  return ''
+  methodButtons.forEach((button) => button.addEventListener('click', () => setMethod(button.dataset.method)))
+  groupTabs.forEach((button) => button.addEventListener('click', () => setGroup(button.dataset.groupTab)))
+  langButtons.forEach((button) => button.addEventListener('click', () => setLang(button.dataset.lang)))
+  setLang(activeLang)
+  setMethod(initialType)
+</script>
+</body>
+</html>`
+}
+function renderSections() {
+  return `
+    <section class="section" data-section="username-password">
+      <p class="section-head" data-i18n="usernameHint"></p>
+      <div class="grid">
+        ${field('loginUsername', 'loginUsername', 'username', 'usernamePh')}
+        ${field('loginPasswordUser', 'loginPassword', 'password', 'passwordPh', 'password')}
+        ${field('pdomain', 'pdomain', 'pdomain', 'pdomainPh')}
+        ${field('imgcode', 'imgcode', 'imgcode', 'imgcodePh')}
+        ${field('k', 'k', 'k', 'kPh')}
+      </div>
+    </section>
+    <section class="section" data-section="email-password">
+      <p class="section-head" data-i18n="emailHint"></p>
+      <div class="grid">
+        ${field('loginEmail', 'loginEmail', 'email', 'emailPh', 'email')}
+        ${field('loginPasswordEmail', 'loginPassword', 'password', 'passwordPh', 'password')}
+        ${field('imgcodeEmail', 'imgcode', 'imgcode', 'imgcodePh')}
+        ${field('kEmail', 'k', 'k', 'kPh')}
+      </div>
+    </section>
+    <section class="section" data-section="basic">
+      <p class="section-head" data-i18n="basicHint"></p>
+      <div class="grid">
+        ${field('basicUsername', 'basicUsername', 'merchantNo', 'merchantNoPh')}
+        ${field('basicPassword', 'basicPassword', 'merchantKey', 'merchantKeyPh', 'password')}
+      </div>
+    </section>
+    <section class="section" data-section="x-token">
+      <p class="section-head" data-i18n="tokenHint"></p>
+      ${field('xToken', 'xToken', 'xToken', 'xTokenPh', 'password')}
+    </section>
+    <section class="section" data-section="register-email">
+      <p class="section-head" data-i18n="registerEmailHint"></p>
+      <div class="grid">
+        ${field('registerEmail', 'registerEmail', 'email', 'emailPh', 'email')}
+        ${field('registerPasswordEmail', 'registerPassword', 'registerPassword', 'registerPasswordPh', 'password')}
+        ${field('registerNameEmail', 'registerName', 'name', 'namePh')}
+        ${field('mailCode', 'mailCode', 'mailCode', 'mailCodePh')}
+        ${field('referrerEmail', 'referrer', 'referrer', 'referrerPh')}
+      </div>
+    </section>
+    <section class="section" data-section="register-mobile">
+      <p class="section-head" data-i18n="registerMobileHint"></p>
+      <div class="grid">
+        ${field('registerMobile', 'registerMobile', 'mobile', 'mobilePh', 'tel')}
+        ${field('registerPasswordMobile', 'registerPassword', 'registerPassword', 'registerPasswordPh', 'password')}
+        ${field('registerNameMobile', 'registerName', 'name', 'namePh')}
+        ${field('smsCode', 'smsCode', 'smsCode', 'smsCodePh')}
+        ${field('registerType', 'registerType', 'type', 'typePh')}
+        ${field('referrerMobile', 'referrer', 'referrer', 'referrerPh')}
+        ${field('agentKey', 'agentKey', 'agentKey', 'agentKeyPh')}
+        ${field('smsImgCode', 'smsImgCode', 'imgcode', 'imgcodePh')}
+        ${field('smsK', 'smsK', 'k', 'kPh')}
+      </div>
+    </section>`
+}
+function field(id, name, labelKey, placeholderKey, type = 'text') {
+  return `<div class="field">
+    <label for="${id}" data-i18n="${labelKey}"></label>
+    <input id="${id}" name="${name}" type="${type}" data-i18n-placeholder="${placeholderKey}">
+  </div>`
+}
+function renderMethodButton(method, activeType) {
+  const keys = {
+    'username-password': ['methodUsername', 'methodUsernameSub'],
+    'email-password': ['methodEmail', 'methodEmailSub'],
+    basic: ['methodBasic', 'methodBasicSub'],
+    'x-token': ['methodToken', 'methodTokenSub'],
+    'register-email': ['methodRegisterEmail', 'methodRegisterEmailSub'],
+    'register-mobile': ['methodRegisterMobile', 'methodRegisterMobileSub']
+  }[method]
+  return `<button type="button" role="tab" data-method="${method}" aria-pressed="${method === activeType}">
+    <strong data-i18n="${keys[0]}"></strong>
+    <span data-i18n="${keys[1]}"></span>
+  </button>`
 }
 function renderSuccess(account) {
-  return `<!doctype html><html lang="zh-CN"><meta charset="utf-8"><body style="font:16px system-ui;padding:40px"><h1>Authorized</h1><p>Account <strong>${escapeHtml(account.alias)}</strong> is ready. You can close this tab.</p></body></html>`
+  return `<!doctype html><html lang="zh-CN"><meta charset="utf-8"><body style="font:16px system-ui;padding:40px;background:#f7f8fb;color:#202124"><main style="max-width:560px;margin:10vh auto;background:white;border:1px solid #dde2ea;border-radius:14px;padding:32px"><h1>授权成功</h1><p>账号 <strong>${escapeHtml(account.alias)}</strong> 已准备好。你可以关闭本页面，回到 Agent 继续操作。</p></main></body></html>`
 }
 function renderError(error) {
-  return `<!doctype html><html lang="zh-CN"><meta charset="utf-8"><body style="font:16px system-ui;padding:40px"><h1>Authorization failed</h1><p>${escapeHtml(error.message)}</p><p>Go back, check the values, and submit again.</p></body></html>`
+  return `<!doctype html><html lang="zh-CN"><meta charset="utf-8"><body style="font:16px system-ui;padding:40px;background:#f7f8fb;color:#202124"><main style="max-width:620px;margin:10vh auto;background:white;border:1px solid #dde2ea;border-radius:14px;padding:32px"><h1>授权失败</h1><p>${escapeHtml(error.message)}</p><p>请返回上一页检查填写内容后重新提交。</p></main></body></html>`
 }

package/src/index.js CHANGED Viewed

@@ -21,7 +21,7 @@ import {
   summarizeMetadata
 } from './sdk.js'
-const VERSION = '26.5.2'
+const VERSION = '26.5.4'
 const server = new McpServer(
   {
@@ -32,7 +32,7 @@ const server = new McpServer(
     instructions: [
       'Use this MCP server to operate APIFM admin APIs through the apifm-admin SDK.',
       'Never ask users to paste passwords, Basic Authentication values, X-Token values, or API keys into chat.',
-      'Use apifm_admin_start_auth to collect secrets through a local browser page, then call APIs by account alias.',
+      'Use apifm_admin_start_auth to collect secrets through a local browser page, then call APIs by account alias. If an API call is attempted before authorization, the tool will return an authorization URL directly.',
       'For user requests that ask to read, create, update, delete, or operate backend data, call apifm_admin_find_and_call or apifm_admin_call and return the live apiResult.',
       'apifm_admin_search_methods and apifm_admin_method_info are only planning helpers; do not treat their parameter documentation as the final answer.'
     ].join('\n')
@@ -44,12 +44,13 @@ server.registerTool(
   {
     title: 'Start secure APIFM admin authorization',
     description:
-      'Creates a localhost browser page for entering Basic Auth, X-Token, username/password, or email registration details. Secrets are stored only in this MCP process memory and must not be pasted into chat.',
+      'Creates a localhost browser page for login, Basic Auth, X-Token, email registration, or mobile registration. Secrets are stored only in this MCP process memory and must not be pasted into chat.',
     inputSchema: z.object({
       authType: z
-        .enum(['basic', 'x-token', 'password', 'register-email'])
+        .enum(['all', 'basic', 'x-token', 'password', 'username-password', 'email-password', 'register-email', 'register-mobile'])
+        .optional()
         .describe(
-          'basic = Basic Authentication, x-token = existing admin X-Token, password = username/email + password login, register-email = create admin account by email'
+          'Optional initial auth method. all shows every method in one browser page. basic = Basic Authentication, x-token = existing admin X-Token, username-password/email-password = SDK login, register-email/register-mobile = create admin account.'
         ),
       alias: z.string().optional().describe('Friendly local account alias, for example prod or test-shop.'),
       domains: z
@@ -59,7 +60,7 @@ server.registerTool(
       port: z.number().int().min(0).max(65535).optional().describe('Optional localhost port. 0 chooses a free port.')
     })
   },
-  async ({ authType, alias, domains, port }) => {
+  async ({ authType = 'all', alias, domains, port }) => {
     const session = await createAuthSession({ authType, alias, domains, port })
     return toolJson({
       ...session,
@@ -276,8 +277,20 @@ async function callToolResult({
   const account = getAccount(alias)
   if (!account) {
+    const session = await createAuthSession({ authType: 'all', alias, domains })
     return toolError(
-      'No APIFM admin account is authorized. Call apifm_admin_start_auth first, then use the returned local browser URL.'
+      [
+        'No APIFM admin account is authorized.',
+        `Open this local authorization URL now: ${session.url}`,
+        'Complete authorization in the browser, then run the same API call again.'
+      ].join('\n'),
+      {
+        reason: 'authorization_required',
+        authUrl: session.url,
+        sessionId: session.sessionId,
+        expiresAt: session.expiresAt,
+        nextStep: 'Open authUrl in a browser, complete authorization, then retry the same tool call.'
+      }
     )
   }
@@ -322,7 +335,7 @@ function findCallableMethod(query) {
   return candidates.find((candidate) => typeof sdk[candidate.methodName] === 'function')?.methodName || ''
 }
-function toolError(message) {
+function toolError(message, extra = {}) {
   return {
     isError: true,
     content: [
@@ -331,7 +344,7 @@ function toolError(message) {
         text: message
       }
     ],
-    structuredContent: { error: message }
+    structuredContent: { error: message, ...extra }
   }
 }

package/src/self-check.js CHANGED Viewed

@@ -32,9 +32,45 @@ try {
     }
   }
+  const auth = await client.callTool({
+    name: 'apifm_admin_start_auth',
+    arguments: {}
+  })
+  const authData = JSON.parse(auth.content[0].text)
+  if (!authData.url?.startsWith('http://127.0.0.1:')) {
+    throw new Error('start_auth should return a local authorization URL.')
+  }
+  const authPage = await fetch(authData.url).then((response) => response.text())
+  for (const expected of [
+    'data-lang="zh-CN"',
+    'data-lang="zh-TW"',
+    'data-lang="en"',
+    'data-group-tab="login"',
+    'data-group-tab="register"',
+    'data-method="basic"',
+    'data-method="x-token"',
+    'data-method="register-mobile"',
+    'merchantNo',
+    'merchantKey'
+  ]) {
+    if (!authPage.includes(expected)) {
+      throw new Error(`Authorization page is missing ${expected}.`)
+    }
+  }
+  const mobileAuth = await client.callTool({
+    name: 'apifm_admin_start_auth',
+    arguments: { authType: 'register-mobile' }
+  })
+  const mobileAuthData = JSON.parse(mobileAuth.content[0].text)
+  const mobileAuthPage = await fetch(mobileAuthData.url).then((response) => response.text())
+  if (!mobileAuthPage.includes('value="register-mobile"')) {
+    throw new Error('register-mobile should be accepted as an initial auth type.')
+  }
   const search = await client.callTool({
     name: 'apifm_admin_search_methods',
-    arguments: { query: '用户 列表', limit: 5 }
+    arguments: { query: 'user list', limit: 5 }
   })
   const searchData = JSON.parse(search.content[0].text)
   if (!searchData.sdkMethodCount || !Array.isArray(searchData.results)) {
@@ -55,12 +91,16 @@ try {
   const findAndCall = await client.callTool({
     name: 'apifm_admin_find_and_call',
     arguments: {
-      query: '用户列表',
+      query: 'user list',
       payload: { page: 1, pageSize: 1 }
     }
   })
-  if (!findAndCall.isError || !findAndCall.content[0].text.includes('No APIFM admin account is authorized')) {
-    throw new Error('find_and_call should attempt execution and require authorization before returning API data.')
+  const findAndCallData = findAndCall.structuredContent || {}
+  if (!findAndCall.isError || !findAndCallData.authUrl?.startsWith('http://127.0.0.1:')) {
+    throw new Error('find_and_call should return a local authUrl when authorization is missing.')
+  }
+  if (!findAndCall.content[0].text.includes(findAndCallData.authUrl)) {
+    throw new Error('find_and_call should show the authUrl in the visible tool text.')
   }
   await client.close()