npm - apifm-admin-mcp - Versions diffs - 26.5.3 → 26.5.4 - Mend

apifm-admin-mcp 26.5.3 → 26.5.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/README.md CHANGED Viewed

@@ -8,7 +8,7 @@ It is designed for Kiro, Cursor, Claude Code, Codex, Windsurf, Trae, Qoder, and
 Secrets must not be pasted into model chat.
-This MCP exposes `apifm_admin_start_auth`, which returns a one-time localhost URL. The user enters Basic Authentication credentials, an existing `X-Token`, username/password login details, email/password login details, or email signup details in that local browser page. Those secrets stay in the local MCP process memory and are never part of MCP tool arguments.
+This MCP exposes `apifm_admin_start_auth`, which returns a one-time localhost URL. The user enters Basic Authentication credentials, an existing `X-Token`, username/password login details, email/password login details, email signup details, or mobile signup details in that local browser page. Those secrets stay in the local MCP process memory and are never part of MCP tool arguments.
 If an API call is attempted before authorization, `apifm_admin_call` and `apifm_admin_find_and_call` return the authorization URL directly in both visible text and structured content as `authUrl`. The agent should show that URL immediately instead of asking the user to call another tool.
@@ -53,7 +53,7 @@ If installed globally:
 ## Tools
-- `apifm_admin_start_auth`: Starts a local secure authorization page for username login, email login, Basic Auth, X-Token, or email registration. The page supports Simplified Chinese, Traditional Chinese, and English.
+- `apifm_admin_start_auth`: Starts a local secure authorization page. The page separates "Log in" from "Register", supports username login, email login, Basic Auth, X-Token, email registration, and mobile registration. Basic Auth fields are merchant number and merchant key. The page supports Simplified Chinese, Traditional Chinese, and English.
 - `apifm_admin_accounts`: Lists local account aliases without revealing secrets.
 - `apifm_admin_switch_account`: Switches the active account alias.
 - `apifm_admin_remove_account`: Clears an account alias and its in-memory secrets.
@@ -68,7 +68,7 @@ For real backend data, agents should call `apifm_admin_find_and_call` or `apifm_
 1. User: "Log in to my admin account and read the user list."
 2. Agent calls `apifm_admin_find_and_call` with `query: "user list"` and a non-sensitive payload such as `{ "page": 1, "pageSize": 20 }`.
-3. If not authorized yet, the tool returns `authUrl` immediately. The user opens that URL and chooses username login, email login, Basic Auth, X-Token, or email signup.
+3. If not authorized yet, the tool returns `authUrl` immediately. The user opens that URL and chooses a login method or a registration method.
 4. User completes authorization in the local browser page.
 5. Agent retries the same API call and answers from the returned `apiResult`, not from method documentation.

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "apifm-admin-mcp",
-  "version": "26.5.3",
+  "version": "26.5.4",
   "description": "MCP server for safely operating APIFM admin APIs through the apifm-admin SDK.",
   "type": "module",
   "bin": {

package/src/browser-auth.js CHANGED Viewed

@@ -6,156 +6,238 @@ import { getSdk, resetSdkConfig } from './sdk.js'
 const pendingSessions = new Map()
+const AUTH_TYPES = new Set([
+  'all',
+  'basic',
+  'x-token',
+  'username-password',
+  'email-password',
+  'register-email',
+  'register-mobile'
+])
+const OPTIONAL_FIELDS = new Set([
+  'alias',
+  'pdomain',
+  'imgcode',
+  'k',
+  'registerName',
+  'registerType',
+  'referrer',
+  'agentKey',
+  'mailCode',
+  'smsCode',
+  'smsImgCode',
+  'smsK'
+])
 const I18N = {
   'zh-CN': {
     brand: 'APIFM Admin MCP',
-    title: '安全连接你的 APIFM 后台',
+    title: '安全连接 APIFM 后台',
     lead: '在本机页面完成授权，密钥只保存在当前 MCP 进程内存，不会进入聊天上下文。',
     trustLocal: '本地 127.0.0.1 页面提交',
     trustMemory: '凭证仅在内存中保存',
     trustSwitch: '支持多个后台账号切换',
     footer: '授权完成后回到 Agent，重新执行刚才的后台操作。',
-    formTitle: '选择授权方式',
+    formTitle: '授权方式',
     expires: '页面过期时间',
     alias: '账号别名',
     aliasPh: 'default-admin',
+    tabLogin: '登录现有账号',
+    tabRegister: '注册新账号',
     methodUsername: '用户名登录',
     methodUsernameSub: '用户名 + 密码',
     methodEmail: '邮箱登录',
     methodEmailSub: '邮箱 + 密码',
     methodBasic: 'Basic Auth',
-    methodBasicSub: '用户名 + 密码',
+    methodBasicSub: '商户号 + 商户秘钥',
     methodToken: 'X-Token',
     methodTokenSub: '直接使用令牌',
-    methodRegister: '邮箱注册',
-    methodRegisterSub: '开通新后台',
+    methodRegisterEmail: '邮箱注册',
+    methodRegisterEmailSub: '邮箱验证码',
+    methodRegisterMobile: '手机号注册',
+    methodRegisterMobileSub: '短信验证码',
     usernameHint: '使用后台用户名和密码登录，MCP 会通过 SDK 换取 X-Token。',
     emailHint: '使用后台邮箱和密码登录，MCP 会通过 SDK 换取 X-Token。',
     basicHint: '填写 Basic Authentication 信息，将作为 Authorization 请求头调用后台接口。',
     tokenHint: '直接填写管理员登录后的 X-Token，用于后续所有后台接口调用。',
-    registerHint: '使用邮箱注册开通新后台账号。需要验证码时，请先通过 SDK 获取邮箱验证码。',
+    registerEmailHint: '使用邮箱注册开通新后台账号，提交成功后 MCP 会尝试自动登录。',
+    registerMobileHint: '使用手机号注册开通新后台账号，提交成功后 MCP 会尝试自动登录。',
     username: '用户名',
     usernamePh: '请输入后台用户名',
     password: '密码',
     passwordPh: '请输入登录密码',
     pdomain: '专属域名，可选',
     pdomainPh: '例如 yourdomain',
+    imgcode: '图形验证码，可选',
+    imgcodePh: '请输入图形验证码',
+    k: '验证码随机数，可选',
+    kPh: '请输入验证码随机数',
     email: '邮箱地址',
     emailPh: 'name@example.com',
-    basicUser: 'Basic 用户名',
-    basicUserPh: '请输入 Basic 用户名',
-    basicPass: 'Basic 密码',
-    basicPassPh: '请输入 Basic 密码',
+    mobile: '手机号码',
+    mobilePh: '请输入手机号码',
+    merchantNo: '商户号',
+    merchantNoPh: '请输入商户号',
+    merchantKey: '商户秘钥',
+    merchantKeyPh: '请输入商户秘钥',
     xToken: 'X-Token',
     xTokenPh: '粘贴管理员 X-Token',
-    newPassword: '登录密码',
-    newPasswordPh: '设置登录密码',
+    registerPassword: '登录密码',
+    registerPasswordPh: '设置登录密码',
     name: '姓名或昵称',
     namePh: '可选',
     mailCode: '邮箱验证码',
-    mailCodePh: '请输入验证码',
+    mailCodePh: '请输入邮箱验证码',
+    smsCode: '短信验证码',
+    smsCodePh: '请输入短信验证码',
+    type: '注册类型，可选',
+    typePh: '不填默认为 apifm',
+    referrer: '推荐人用户ID，可选',
+    referrerPh: '请输入推荐人用户ID',
+    agentKey: 'Agent Key，可选',
+    agentKeyPh: '请输入 agentKey',
     submit: '完成授权',
     security: '请不要把密码、Token 或 Basic Authentication 内容粘贴到聊天窗口。',
     closeNote: '提交成功后可以关闭本页面。'
   },
   'zh-TW': {
     brand: 'APIFM Admin MCP',
-    title: '安全連接你的 APIFM 後台',
+    title: '安全連接 APIFM 後台',
     lead: '在本機頁面完成授權，密鑰只保存在目前 MCP 程序記憶體，不會進入聊天上下文。',
     trustLocal: '本地 127.0.0.1 頁面提交',
     trustMemory: '憑證僅在記憶體中保存',
     trustSwitch: '支援多個後台帳號切換',
     footer: '授權完成後回到 Agent，重新執行剛才的後台操作。',
-    formTitle: '選擇授權方式',
+    formTitle: '授權方式',
     expires: '頁面過期時間',
     alias: '帳號別名',
     aliasPh: 'default-admin',
+    tabLogin: '登入現有帳號',
+    tabRegister: '註冊新帳號',
     methodUsername: '使用者名稱登入',
     methodUsernameSub: '使用者名稱 + 密碼',
     methodEmail: '郵箱登入',
     methodEmailSub: '郵箱 + 密碼',
     methodBasic: 'Basic Auth',
-    methodBasicSub: '使用者名稱 + 密碼',
+    methodBasicSub: '商戶號 + 商戶秘鑰',
     methodToken: 'X-Token',
     methodTokenSub: '直接使用令牌',
-    methodRegister: '郵箱註冊',
-    methodRegisterSub: '開通新後台',
+    methodRegisterEmail: '郵箱註冊',
+    methodRegisterEmailSub: '郵箱驗證碼',
+    methodRegisterMobile: '手機號註冊',
+    methodRegisterMobileSub: '簡訊驗證碼',
     usernameHint: '使用後台使用者名稱和密碼登入，MCP 會透過 SDK 換取 X-Token。',
     emailHint: '使用後台郵箱和密碼登入，MCP 會透過 SDK 換取 X-Token。',
     basicHint: '填寫 Basic Authentication 資訊，將作為 Authorization 請求頭呼叫後台介面。',
     tokenHint: '直接填寫管理員登入後的 X-Token，用於後續所有後台介面呼叫。',
-    registerHint: '使用郵箱註冊開通新後台帳號。需要驗證碼時，請先透過 SDK 取得郵箱驗證碼。',
+    registerEmailHint: '使用郵箱註冊開通新後台帳號，提交成功後 MCP 會嘗試自動登入。',
+    registerMobileHint: '使用手機號註冊開通新後台帳號，提交成功後 MCP 會嘗試自動登入。',
     username: '使用者名稱',
     usernamePh: '請輸入後台使用者名稱',
     password: '密碼',
     passwordPh: '請輸入登入密碼',
     pdomain: '專屬網域，可選',
     pdomainPh: '例如 yourdomain',
+    imgcode: '圖形驗證碼，可選',
+    imgcodePh: '請輸入圖形驗證碼',
+    k: '驗證碼隨機數，可選',
+    kPh: '請輸入驗證碼隨機數',
     email: '郵箱地址',
     emailPh: 'name@example.com',
-    basicUser: 'Basic 使用者名稱',
-    basicUserPh: '請輸入 Basic 使用者名稱',
-    basicPass: 'Basic 密碼',
-    basicPassPh: '請輸入 Basic 密碼',
+    mobile: '手機號碼',
+    mobilePh: '請輸入手機號碼',
+    merchantNo: '商戶號',
+    merchantNoPh: '請輸入商戶號',
+    merchantKey: '商戶秘鑰',
+    merchantKeyPh: '請輸入商戶秘鑰',
     xToken: 'X-Token',
     xTokenPh: '貼上管理員 X-Token',
-    newPassword: '登入密碼',
-    newPasswordPh: '設定登入密碼',
+    registerPassword: '登入密碼',
+    registerPasswordPh: '設定登入密碼',
     name: '姓名或暱稱',
     namePh: '可選',
     mailCode: '郵箱驗證碼',
-    mailCodePh: '請輸入驗證碼',
+    mailCodePh: '請輸入郵箱驗證碼',
+    smsCode: '簡訊驗證碼',
+    smsCodePh: '請輸入簡訊驗證碼',
+    type: '註冊類型，可選',
+    typePh: '不填預設為 apifm',
+    referrer: '推薦人使用者ID，可選',
+    referrerPh: '請輸入推薦人使用者ID',
+    agentKey: 'Agent Key，可選',
+    agentKeyPh: '請輸入 agentKey',
     submit: '完成授權',
     security: '請不要把密碼、Token 或 Basic Authentication 內容貼到聊天視窗。',
     closeNote: '提交成功後可以關閉本頁面。'
   },
   en: {
     brand: 'APIFM Admin MCP',
-    title: 'Connect your APIFM admin safely',
+    title: 'Connect APIFM admin safely',
     lead: 'Authorize on this local page. Secrets stay in this MCP process memory and never enter the chat transcript.',
     trustLocal: 'Submitted to local 127.0.0.1 only',
     trustMemory: 'Credentials are memory-only',
     trustSwitch: 'Multiple admin accounts supported',
     footer: 'After authorization, return to the agent and run the backend action again.',
-    formTitle: 'Choose an authorization method',
+    formTitle: 'Authorization method',
     expires: 'Page expires at',
     alias: 'Account alias',
     aliasPh: 'default-admin',
+    tabLogin: 'Log in',
+    tabRegister: 'Register',
     methodUsername: 'Username login',
     methodUsernameSub: 'Username + password',
     methodEmail: 'Email login',
     methodEmailSub: 'Email + password',
     methodBasic: 'Basic Auth',
-    methodBasicSub: 'Username + password',
+    methodBasicSub: 'Merchant no. + key',
     methodToken: 'X-Token',
     methodTokenSub: 'Use an existing token',
-    methodRegister: 'Email signup',
-    methodRegisterSub: 'Create new admin',
+    methodRegisterEmail: 'Email signup',
+    methodRegisterEmailSub: 'Email code',
+    methodRegisterMobile: 'Mobile signup',
+    methodRegisterMobileSub: 'SMS code',
     usernameHint: 'Log in with an admin username and password. The MCP will exchange them for an X-Token through the SDK.',
     emailHint: 'Log in with an admin email and password. The MCP will exchange them for an X-Token through the SDK.',
     basicHint: 'Enter Basic Authentication credentials. They will be sent as the Authorization header for API calls.',
     tokenHint: 'Enter an existing admin X-Token for later backend API calls.',
-    registerHint: 'Create a new admin account by email. If a verification code is required, request it through the SDK first.',
+    registerEmailHint: 'Create a new admin account by email. After signup, the MCP will try to log in automatically.',
+    registerMobileHint: 'Create a new admin account by mobile. After signup, the MCP will try to log in automatically.',
     username: 'Username',
     usernamePh: 'Enter admin username',
     password: 'Password',
     passwordPh: 'Enter login password',
     pdomain: 'Private domain, optional',
     pdomainPh: 'Example: yourdomain',
+    imgcode: 'Image code, optional',
+    imgcodePh: 'Enter image code',
+    k: 'Captcha nonce, optional',
+    kPh: 'Enter captcha nonce',
     email: 'Email address',
     emailPh: 'name@example.com',
-    basicUser: 'Basic username',
-    basicUserPh: 'Enter Basic username',
-    basicPass: 'Basic password',
-    basicPassPh: 'Enter Basic password',
+    mobile: 'Mobile number',
+    mobilePh: 'Enter mobile number',
+    merchantNo: 'Merchant number',
+    merchantNoPh: 'Enter merchant number',
+    merchantKey: 'Merchant key',
+    merchantKeyPh: 'Enter merchant key',
     xToken: 'X-Token',
     xTokenPh: 'Paste admin X-Token',
-    newPassword: 'Login password',
-    newPasswordPh: 'Set login password',
+    registerPassword: 'Login password',
+    registerPasswordPh: 'Set login password',
     name: 'Name or nickname',
     namePh: 'Optional',
     mailCode: 'Email verification code',
-    mailCodePh: 'Enter verification code',
+    mailCodePh: 'Enter email code',
+    smsCode: 'SMS verification code',
+    smsCodePh: 'Enter SMS code',
+    type: 'Signup type, optional',
+    typePh: 'Defaults to apifm',
+    referrer: 'Referrer user ID, optional',
+    referrerPh: 'Enter referrer user ID',
+    agentKey: 'Agent Key, optional',
+    agentKeyPh: 'Enter agentKey',
     submit: 'Authorize account',
     security: 'Do not paste passwords, tokens, or Basic Authentication values into the chat window.',
     closeNote: 'You can close this page after authorization succeeds.'
@@ -224,13 +306,14 @@ export async function createAuthSession({ authType = 'all', alias = '', domains
 async function finishAuth({ authType, alias, domains, fields }) {
   const selectedAuthType = normalizeAuthType(authType)
   if (selectedAuthType === 'basic') {
-    const username = required(fields.basicUsername, 'Basic username')
-    const password = required(fields.basicPassword, 'Basic password')
+    const merchantNo = required(fields.basicUsername, 'merchant number')
+    const merchantKey = required(fields.basicPassword, 'merchant key')
     return upsertAccount({
       alias: fields.alias || alias,
       authType: 'basic',
-      basicAuth: `Basic ${Buffer.from(`${username}:${password}`).toString('base64')}`,
+      basicAuth: `Basic ${Buffer.from(`${merchantNo}:${merchantKey}`).toString('base64')}`,
       domains
     })
   }
@@ -244,36 +327,8 @@ async function finishAuth({ authType, alias, domains, fields }) {
     })
   }
-  if (selectedAuthType === 'username-password' || selectedAuthType === 'email-password' || selectedAuthType === 'password') {
-    const loginMode = selectedAuthType === 'email-password' ? 'email' : 'username'
-    const loginPayload =
-      loginMode === 'email'
-        ? {
-            email: required(fields.loginEmail, 'email'),
-            pwd: required(fields.loginPassword, 'password'),
-            rememberMe: true
-          }
-        : {
-            userName: required(fields.loginUsername, 'username'),
-            pwd: required(fields.loginPassword, 'password'),
-            rememberMe: true,
-            pdomain: fields.pdomain || undefined
-          }
-    const sdk = getSdk()
-    resetSdkConfig()
-    if (domains && Object.keys(domains).length) {
-      sdk.setDomains(domains)
-    }
-    const methodName = loginMode === 'email' ? 'loginAdminEmail' : 'loginAdminUserName'
-    if (typeof sdk[methodName] !== 'function') {
-      throw new Error(`apifm-admin does not expose ${methodName}`)
-    }
-    const result = await sdk[methodName](loginPayload)
-    const token = extractToken(result)
-    if (!token) {
-      throw new Error('Login succeeded but no X-Token was found in the SDK response.')
-    }
+  if (selectedAuthType === 'username-password' || selectedAuthType === 'email-password') {
+    const token = await loginAndExtractToken({ authType: selectedAuthType, domains, fields })
     return upsertAccount({
       alias: fields.alias || alias,
       authType: selectedAuthType,
@@ -283,18 +338,41 @@ async function finishAuth({ authType, alias, domains, fields }) {
   }
   if (selectedAuthType === 'register-email') {
-    const sdk = getSdk()
-    resetSdkConfig()
-    if (domains && Object.keys(domains).length) {
-      sdk.setDomains(domains)
-    }
-    const result = await sdk.registerAdminSaveEmail({
-      email: required(fields.registerEmail, 'email'),
-      pwd: required(fields.registerPassword, 'password'),
-      name: fields.registerName || undefined,
-      mailCode: fields.mailCode || fields.code || undefined
+    await callSdkMethod({
+      methodName: 'registerAdminSaveEmail',
+      domains,
+      payload: {
+        email: required(fields.registerEmail, 'email'),
+        pwd: required(fields.registerPassword, 'password'),
+        name: fields.registerName || undefined,
+        mailCode: fields.mailCode || undefined,
+        referrer: fields.referrer || undefined
+      }
+    })
+    const token = await loginAndExtractToken({ authType: 'email-password', domains, fields })
+    return upsertAccount({
+      alias: fields.alias || alias,
+      authType: selectedAuthType,
+      token,
+      domains
     })
-    const token = extractToken(result)
+  }
+  if (selectedAuthType === 'register-mobile') {
+    await callSdkMethod({
+      methodName: 'registerAdminSave',
+      domains,
+      payload: {
+        type: fields.registerType || undefined,
+        mobile: required(fields.registerMobile, 'mobile'),
+        pwd: required(fields.registerPassword, 'password'),
+        name: fields.registerName || undefined,
+        smsCode: fields.smsCode || undefined,
+        referrer: fields.referrer || undefined,
+        agentKey: fields.agentKey || undefined
+      }
+    })
+    const token = await loginAndExtractToken({ authType: 'mobile-password', domains, fields })
     return upsertAccount({
       alias: fields.alias || alias,
       authType: selectedAuthType,
@@ -306,28 +384,141 @@ async function finishAuth({ authType, alias, domains, fields }) {
   throw new Error(`Unsupported auth type: ${authType}`)
 }
+async function loginAndExtractToken({ authType, domains, fields }) {
+  const loginConfig = {
+    'username-password': {
+      methodName: 'loginAdminUserName',
+      payload: {
+        userName: required(fields.loginUsername, 'username'),
+        pwd: required(fields.loginPassword, 'password'),
+        rememberMe: true,
+        pdomain: fields.pdomain || undefined,
+        imgcode: fields.imgcode || undefined,
+        k: fields.k || undefined
+      }
+    },
+    'email-password': {
+      methodName: 'loginAdminEmail',
+      payload: {
+        email: required(fields.loginEmail || fields.registerEmail, 'email'),
+        pwd: required(fields.loginPassword || fields.registerPassword, 'password'),
+        rememberMe: true,
+        imgcode: fields.imgcode || undefined,
+        k: fields.k || undefined
+      }
+    },
+    'mobile-password': {
+      methodName: 'loginAdminMobile',
+      payload: {
+        mobile: required(fields.registerMobile, 'mobile'),
+        pwd: required(fields.registerPassword, 'password'),
+        rememberMe: true,
+        imgcode: fields.smsImgCode || fields.imgcode || undefined,
+        k: fields.smsK || fields.k || undefined
+      }
+    }
+  }[authType]
+  const result = await callSdkMethod({
+    methodName: loginConfig.methodName,
+    domains,
+    payload: loginConfig.payload
+  })
+  const token = extractToken(result)
+  if (!token) {
+    throw new Error(
+      `${loginConfig.methodName} did not return an X-Token. Response shape was: ${JSON.stringify(maskResponseForError(result)).slice(0, 600)}`
+    )
+  }
+  return token
+}
+async function callSdkMethod({ methodName, domains, payload }) {
+  const sdk = getSdk()
+  resetSdkConfig()
+  if (domains && Object.keys(domains).length) {
+    sdk.setDomains(domains)
+  }
+  if (typeof sdk[methodName] !== 'function') {
+    throw new Error(`apifm-admin does not expose ${methodName}`)
+  }
+  return sdk[methodName](compactObject(payload))
+}
+function compactObject(input) {
+  return Object.fromEntries(Object.entries(input).filter(([, value]) => value !== undefined && value !== ''))
+}
 function normalizeAuthType(authType) {
   if (authType === 'password') return 'username-password'
-  if (
-    ['all', 'basic', 'x-token', 'username-password', 'email-password', 'register-email'].includes(authType)
-  ) {
-    return authType
-  }
+  if (AUTH_TYPES.has(authType)) return authType
   return 'all'
 }
 function extractToken(response) {
-  const candidates = [
-    response?.data?.token,
-    response?.data?.xToken,
-    response?.data?.xtoken,
-    response?.data?.x_token,
-    response?.data?.['x-token'],
-    response?.token,
-    response?.xToken,
-    response?.xtoken
+  const directPaths = [
+    ['data', 'token'],
+    ['data', 'xToken'],
+    ['data', 'xtoken'],
+    ['data', 'x_token'],
+    ['data', 'x-token'],
+    ['data', 'X-Token'],
+    ['data', 'loginToken'],
+    ['data', 'adminToken'],
+    ['token'],
+    ['xToken'],
+    ['xtoken'],
+    ['x_token'],
+    ['x-token'],
+    ['X-Token']
   ]
-  return candidates.find((item) => typeof item === 'string' && item.trim()) || ''
+  for (const path of directPaths) {
+    const value = getPath(response, path)
+    if (typeof value === 'string' && value.trim()) return value.trim()
+  }
+  const found = findTokenDeep(response)
+  return found || ''
+}
+function getPath(value, path) {
+  return path.reduce((current, key) => (current && typeof current === 'object' ? current[key] : undefined), value)
+}
+function findTokenDeep(value, depth = 0) {
+  if (!value || typeof value !== 'object' || depth > 5) return ''
+  if (Array.isArray(value)) {
+    for (const item of value) {
+      const found = findTokenDeep(item, depth + 1)
+      if (found) return found
+    }
+    return ''
+  }
+  for (const [key, child] of Object.entries(value)) {
+    const compactKey = key.toLowerCase().replace(/[^a-z0-9]/g, '')
+    if (
+      typeof child === 'string' &&
+      child.trim() &&
+      ['token', 'xtoken', 'xToken', 'xstoken', 'admintoken', 'logintoken'].map((item) => item.toLowerCase()).includes(compactKey)
+    ) {
+      return child.trim()
+    }
+    const found = findTokenDeep(child, depth + 1)
+    if (found) return found
+  }
+  return ''
+}
+function maskResponseForError(value) {
+  if (!value || typeof value !== 'object') return value
+  if (Array.isArray(value)) return value.map(maskResponseForError)
+  return Object.fromEntries(
+    Object.entries(value).map(([key, child]) => [
+      key,
+      /token|password|pwd|secret|key/i.test(key) ? '[REDACTED]' : maskResponseForError(child)
+    ])
+  )
 }
 function required(value, label) {
@@ -373,6 +564,7 @@ function escapeHtml(value) {
 function renderForm({ authType, alias, expiresAt }) {
   const initialType = authType === 'all' ? 'username-password' : authType
+  const initialGroup = initialType.startsWith('register-') ? 'register' : 'login'
   return `<!doctype html>
 <html lang="zh-CN">
 <head>
@@ -392,8 +584,6 @@ function renderForm({ authType, alias, expiresAt }) {
       --accent-ink: oklch(1 0 0);
       --accent-soft: oklch(0.94 0.035 255);
       --success: oklch(0.58 0.15 155);
-      --danger: oklch(0.55 0.18 25);
-      --radius: 12px;
     }
     * { box-sizing: border-box; }
     body {
@@ -406,7 +596,7 @@ function renderForm({ authType, alias, expiresAt }) {
       color: var(--ink);
     }
     .shell {
-      width: min(1080px, calc(100vw - 32px));
+      width: min(1120px, calc(100vw - 32px));
       min-height: 100vh;
       margin: 0 auto;
       display: grid;
@@ -416,7 +606,7 @@ function renderForm({ authType, alias, expiresAt }) {
     .panel {
       width: 100%;
       display: grid;
-      grid-template-columns: minmax(280px, 0.84fr) minmax(320px, 1.16fr);
+      grid-template-columns: minmax(280px, 0.78fr) minmax(340px, 1.22fr);
       background: var(--surface);
       border: 1px solid var(--line);
       border-radius: 16px;
@@ -449,25 +639,35 @@ function renderForm({ authType, alias, expiresAt }) {
     .trust li { display: flex; gap: 10px; align-items: flex-start; color: oklch(0.91 0.015 250); }
     .dot { width: 8px; height: 8px; margin-top: 7px; border-radius: 999px; background: oklch(0.78 0.16 155); flex: 0 0 auto; }
     .content { padding: 30px; }
-    .topbar { display: flex; justify-content: space-between; align-items: center; gap: 16px; margin-bottom: 22px; }
+    .topbar { display: flex; justify-content: space-between; align-items: center; gap: 16px; margin-bottom: 20px; }
     .meta { color: var(--muted); font-size: 0.92rem; }
-    .lang { display: inline-grid; grid-auto-flow: column; gap: 4px; padding: 4px; background: var(--surface-2); border: 1px solid var(--line); border-radius: 999px; }
-    .lang button, .method button {
+    .lang, .tabs {
+      display: inline-grid;
+      grid-auto-flow: column;
+      gap: 4px;
+      padding: 4px;
+      background: var(--surface-2);
+      border: 1px solid var(--line);
+      border-radius: 999px;
+    }
+    .lang button, .tabs button, .method button {
       appearance: none;
       border: 0;
       font: inherit;
       cursor: pointer;
     }
-    .lang button { padding: 6px 10px; border-radius: 999px; color: var(--muted); background: transparent; }
-    .lang button[aria-pressed="true"] { background: var(--ink); color: white; }
+    .lang button, .tabs button { padding: 7px 12px; border-radius: 999px; color: var(--muted); background: transparent; }
+    .lang button[aria-pressed="true"], .tabs button[aria-pressed="true"] { background: var(--ink); color: white; }
+    .tabs { margin-bottom: 14px; }
     .method {
       display: grid;
-      grid-template-columns: repeat(5, minmax(0, 1fr));
+      grid-template-columns: repeat(4, minmax(0, 1fr));
       gap: 8px;
       margin-bottom: 22px;
     }
+    .method[data-group="register"] { grid-template-columns: repeat(2, minmax(0, 1fr)); }
     .method button {
-      min-height: 58px;
+      min-height: 62px;
       padding: 10px;
       border: 1px solid var(--line);
       border-radius: 10px;
@@ -519,11 +719,7 @@ function renderForm({ authType, alias, expiresAt }) {
       transition: transform 160ms ease, filter 160ms ease;
     }
     .submit:hover { filter: brightness(1.03); transform: translateY(-1px); }
-    .note {
-      margin: 12px 0 0;
-      color: var(--muted);
-      font-size: 0.9rem;
-    }
+    .note { margin: 12px 0 0; color: var(--muted); font-size: 0.9rem; }
     .security {
       margin-top: 20px;
       padding: 12px 14px;
@@ -533,17 +729,17 @@ function renderForm({ authType, alias, expiresAt }) {
       font-size: 0.9rem;
     }
     [hidden] { display: none !important; }
-    @media (max-width: 860px) {
+    @media (max-width: 900px) {
       .panel { grid-template-columns: 1fr; }
       .aside { padding: 26px; }
       .method { grid-template-columns: repeat(2, minmax(0, 1fr)); }
       .grid { grid-template-columns: 1fr; }
     }
     @media (max-width: 520px) {
-      .shell { width: min(100vw - 20px, 1080px); padding: 10px 0; }
+      .shell { width: min(100vw - 20px, 1120px); padding: 10px 0; }
       .content { padding: 20px; }
       .topbar { align-items: flex-start; flex-direction: column; }
-      .method { grid-template-columns: 1fr; }
+      .method, .method[data-group="register"] { grid-template-columns: 1fr; }
       h1 { font-size: 1.55rem; }
     }
     @media (prefers-reduced-motion: reduce) {
@@ -556,22 +752,22 @@ function renderForm({ authType, alias, expiresAt }) {
   <section class="panel" aria-labelledby="title">
     <aside class="aside">
       <div>
-        <div class="brand"><span class="mark">A</span><span data-i18n="brand">APIFM Admin MCP</span></div>
-        <h1 id="title" data-i18n="title">安全连接你的 APIFM 后台</h1>
-        <p class="lead" data-i18n="lead">在本机页面完成授权，密钥只保存在当前 MCP 进程内存，不会进入聊天上下文。</p>
+        <div class="brand"><span class="mark">A</span><span data-i18n="brand"></span></div>
+        <h1 id="title" data-i18n="title"></h1>
+        <p class="lead" data-i18n="lead"></p>
         <ul class="trust">
-          <li><span class="dot"></span><span data-i18n="trustLocal">本地 127.0.0.1 页面提交</span></li>
-          <li><span class="dot"></span><span data-i18n="trustMemory">凭证仅在内存中保存</span></li>
-          <li><span class="dot"></span><span data-i18n="trustSwitch">支持多个后台账号切换</span></li>
+          <li><span class="dot"></span><span data-i18n="trustLocal"></span></li>
+          <li><span class="dot"></span><span data-i18n="trustMemory"></span></li>
+          <li><span class="dot"></span><span data-i18n="trustSwitch"></span></li>
         </ul>
       </div>
-      <p class="lead" data-i18n="footer">授权完成后回到 Agent，重新执行刚才的后台操作。</p>
+      <p class="lead" data-i18n="footer"></p>
     </aside>
     <div class="content">
       <div class="topbar">
         <div>
-          <strong data-i18n="formTitle">选择授权方式</strong>
-          <div class="meta"><span data-i18n="expires">页面过期时间</span>: ${escapeHtml(new Date(expiresAt).toLocaleString())}</div>
+          <strong data-i18n="formTitle"></strong>
+          <div class="meta"><span data-i18n="expires"></span>: ${escapeHtml(new Date(expiresAt).toLocaleString())}</div>
         </div>
         <div class="lang" aria-label="Language">
           <button type="button" data-lang="zh-CN" aria-pressed="true">简</button>
@@ -580,112 +776,57 @@ function renderForm({ authType, alias, expiresAt }) {
         </div>
       </div>
-      <div class="method" role="tablist" aria-label="Auth methods">
+      <div class="tabs" role="tablist" aria-label="Account mode">
+        <button type="button" data-group-tab="login" aria-pressed="${initialGroup === 'login'}" data-i18n="tabLogin"></button>
+        <button type="button" data-group-tab="register" aria-pressed="${initialGroup === 'register'}" data-i18n="tabRegister"></button>
+      </div>
+      <div class="method" data-group="login">
         ${renderMethodButton('username-password', initialType)}
         ${renderMethodButton('email-password', initialType)}
         ${renderMethodButton('basic', initialType)}
         ${renderMethodButton('x-token', initialType)}
+      </div>
+      <div class="method" data-group="register" hidden>
         ${renderMethodButton('register-email', initialType)}
+        ${renderMethodButton('register-mobile', initialType)}
       </div>
       <form method="post" autocomplete="off" id="authForm">
         <input type="hidden" id="authType" name="authType" value="${escapeHtml(initialType)}">
         <div class="field">
-          <label for="alias" data-i18n="alias">账号别名</label>
-          <input id="alias" name="alias" value="${escapeHtml(alias)}" placeholder="default-admin" data-i18n-placeholder="aliasPh">
+          <label for="alias" data-i18n="alias"></label>
+          <input id="alias" name="alias" value="${escapeHtml(alias)}" data-i18n-placeholder="aliasPh">
         </div>
-        <section class="section" data-section="username-password">
-          <p class="section-head" data-i18n="usernameHint">使用后台用户名和密码登录，MCP 会通过 SDK 换取 X-Token。</p>
-          <div class="grid">
-            <div class="field">
-              <label for="loginUsername" data-i18n="username">用户名</label>
-              <input id="loginUsername" name="loginUsername" data-i18n-placeholder="usernamePh">
-            </div>
-            <div class="field">
-              <label for="loginPasswordUser" data-i18n="password">密码</label>
-              <input id="loginPasswordUser" name="loginPassword" type="password" data-i18n-placeholder="passwordPh">
-            </div>
-          </div>
-          <div class="field" style="margin-top:14px">
-            <label for="pdomain" data-i18n="pdomain">专属域名，可选</label>
-            <input id="pdomain" name="pdomain" data-i18n-placeholder="pdomainPh">
-          </div>
-        </section>
-        <section class="section" data-section="email-password">
-          <p class="section-head" data-i18n="emailHint">使用后台邮箱和密码登录，MCP 会通过 SDK 换取 X-Token。</p>
-          <div class="grid">
-            <div class="field">
-              <label for="loginEmail" data-i18n="email">邮箱地址</label>
-              <input id="loginEmail" name="loginEmail" type="email" data-i18n-placeholder="emailPh">
-            </div>
-            <div class="field">
-              <label for="loginPasswordEmail" data-i18n="password">密码</label>
-              <input id="loginPasswordEmail" name="loginPassword" type="password" data-i18n-placeholder="passwordPh">
-            </div>
-          </div>
-        </section>
-        <section class="section" data-section="basic">
-          <p class="section-head" data-i18n="basicHint">填写 Basic Authentication 信息，将作为 Authorization 请求头调用后台接口。</p>
-          <div class="grid">
-            <div class="field">
-              <label for="basicUsername" data-i18n="basicUser">Basic 用户名</label>
-              <input id="basicUsername" name="basicUsername" data-i18n-placeholder="basicUserPh">
-            </div>
-            <div class="field">
-              <label for="basicPassword" data-i18n="basicPass">Basic 密码</label>
-              <input id="basicPassword" name="basicPassword" type="password" data-i18n-placeholder="basicPassPh">
-            </div>
-          </div>
-        </section>
-        <section class="section" data-section="x-token">
-          <p class="section-head" data-i18n="tokenHint">直接填写管理员登录后的 X-Token，用于后续所有后台接口调用。</p>
-          <div class="field">
-            <label for="xToken" data-i18n="xToken">X-Token</label>
-            <input id="xToken" name="xToken" type="password" data-i18n-placeholder="xTokenPh">
-          </div>
-        </section>
-        <section class="section" data-section="register-email">
-          <p class="section-head" data-i18n="registerHint">使用邮箱注册开通新后台账号。需要验证码时，请先通过 SDK 获取邮箱验证码。</p>
-          <div class="grid">
-            <div class="field">
-              <label for="registerEmail" data-i18n="email">邮箱地址</label>
-              <input id="registerEmail" name="registerEmail" type="email" data-i18n-placeholder="emailPh">
-            </div>
-            <div class="field">
-              <label for="registerPassword" data-i18n="newPassword">登录密码</label>
-              <input id="registerPassword" name="registerPassword" type="password" data-i18n-placeholder="newPasswordPh">
-            </div>
-            <div class="field">
-              <label for="registerName" data-i18n="name">姓名或昵称</label>
-              <input id="registerName" name="registerName" data-i18n-placeholder="namePh">
-            </div>
-            <div class="field">
-              <label for="mailCode" data-i18n="mailCode">邮箱验证码</label>
-              <input id="mailCode" name="mailCode" data-i18n-placeholder="mailCodePh">
-            </div>
-          </div>
-        </section>
-        <button class="submit" type="submit" data-i18n="submit">完成授权</button>
+        ${renderSections()}
+        <button class="submit" type="submit" data-i18n="submit"></button>
       </form>
-      <div class="security" data-i18n="security">请不要把密码、Token 或 Basic Authentication 内容粘贴到聊天窗口。</div>
-      <p class="note" data-i18n="closeNote">提交成功后可以关闭本页面。</p>
+      <div class="security" data-i18n="security"></div>
+      <p class="note" data-i18n="closeNote"></p>
     </div>
   </section>
 </main>
 <script>
   const messages = ${JSON.stringify(I18N)}
   const initialType = ${JSON.stringify(initialType)}
+  const methodGroups = {
+    'username-password': 'login',
+    'email-password': 'login',
+    basic: 'login',
+    'x-token': 'login',
+    'register-email': 'register',
+    'register-mobile': 'register'
+  }
+  const optionalFields = new Set(${JSON.stringify([...OPTIONAL_FIELDS])})
   let activeLang = localStorage.getItem('apifm-auth-lang') || 'zh-CN'
   const authTypeInput = document.querySelector('#authType')
   const sections = [...document.querySelectorAll('[data-section]')]
   const methodButtons = [...document.querySelectorAll('[data-method]')]
+  const groupTabs = [...document.querySelectorAll('[data-group-tab]')]
+  const methodGroupsEl = [...document.querySelectorAll('.method[data-group]')]
   const langButtons = [...document.querySelectorAll('[data-lang]')]
   function t(key) {
@@ -707,14 +848,32 @@ function renderForm({ authType, alias, expiresAt }) {
     })
   }
+  function setGroup(group) {
+    groupTabs.forEach((button) => button.setAttribute('aria-pressed', String(button.dataset.groupTab === group)))
+    methodGroupsEl.forEach((node) => {
+      node.hidden = node.dataset.group !== group
+    })
+    const currentMethod = authTypeInput.value
+    if (methodGroups[currentMethod] !== group) {
+      const firstMethod = methodButtons.find((button) => methodGroups[button.dataset.method] === group)?.dataset.method
+      setMethod(firstMethod)
+    }
+  }
   function setMethod(method) {
+    if (!method) return
     authTypeInput.value = method
+    const group = methodGroups[method]
+    groupTabs.forEach((button) => button.setAttribute('aria-pressed', String(button.dataset.groupTab === group)))
+    methodGroupsEl.forEach((node) => {
+      node.hidden = node.dataset.group !== group
+    })
     sections.forEach((section) => {
       const active = section.dataset.section === method
       section.classList.toggle('active', active)
       section.querySelectorAll('input').forEach((input) => {
         input.disabled = !active
-        input.required = active && input.type !== 'hidden' && !['pdomain', 'registerName', 'mailCode'].includes(input.name)
+        input.required = active && !optionalFields.has(input.name)
       })
     })
     methodButtons.forEach((button) => {
@@ -723,6 +882,7 @@ function renderForm({ authType, alias, expiresAt }) {
   }
   methodButtons.forEach((button) => button.addEventListener('click', () => setMethod(button.dataset.method)))
+  groupTabs.forEach((button) => button.addEventListener('click', () => setGroup(button.dataset.groupTab)))
   langButtons.forEach((button) => button.addEventListener('click', () => setLang(button.dataset.lang)))
   setLang(activeLang)
   setMethod(initialType)
@@ -731,13 +891,84 @@ function renderForm({ authType, alias, expiresAt }) {
 </html>`
 }
+function renderSections() {
+  return `
+    <section class="section" data-section="username-password">
+      <p class="section-head" data-i18n="usernameHint"></p>
+      <div class="grid">
+        ${field('loginUsername', 'loginUsername', 'username', 'usernamePh')}
+        ${field('loginPasswordUser', 'loginPassword', 'password', 'passwordPh', 'password')}
+        ${field('pdomain', 'pdomain', 'pdomain', 'pdomainPh')}
+        ${field('imgcode', 'imgcode', 'imgcode', 'imgcodePh')}
+        ${field('k', 'k', 'k', 'kPh')}
+      </div>
+    </section>
+    <section class="section" data-section="email-password">
+      <p class="section-head" data-i18n="emailHint"></p>
+      <div class="grid">
+        ${field('loginEmail', 'loginEmail', 'email', 'emailPh', 'email')}
+        ${field('loginPasswordEmail', 'loginPassword', 'password', 'passwordPh', 'password')}
+        ${field('imgcodeEmail', 'imgcode', 'imgcode', 'imgcodePh')}
+        ${field('kEmail', 'k', 'k', 'kPh')}
+      </div>
+    </section>
+    <section class="section" data-section="basic">
+      <p class="section-head" data-i18n="basicHint"></p>
+      <div class="grid">
+        ${field('basicUsername', 'basicUsername', 'merchantNo', 'merchantNoPh')}
+        ${field('basicPassword', 'basicPassword', 'merchantKey', 'merchantKeyPh', 'password')}
+      </div>
+    </section>
+    <section class="section" data-section="x-token">
+      <p class="section-head" data-i18n="tokenHint"></p>
+      ${field('xToken', 'xToken', 'xToken', 'xTokenPh', 'password')}
+    </section>
+    <section class="section" data-section="register-email">
+      <p class="section-head" data-i18n="registerEmailHint"></p>
+      <div class="grid">
+        ${field('registerEmail', 'registerEmail', 'email', 'emailPh', 'email')}
+        ${field('registerPasswordEmail', 'registerPassword', 'registerPassword', 'registerPasswordPh', 'password')}
+        ${field('registerNameEmail', 'registerName', 'name', 'namePh')}
+        ${field('mailCode', 'mailCode', 'mailCode', 'mailCodePh')}
+        ${field('referrerEmail', 'referrer', 'referrer', 'referrerPh')}
+      </div>
+    </section>
+    <section class="section" data-section="register-mobile">
+      <p class="section-head" data-i18n="registerMobileHint"></p>
+      <div class="grid">
+        ${field('registerMobile', 'registerMobile', 'mobile', 'mobilePh', 'tel')}
+        ${field('registerPasswordMobile', 'registerPassword', 'registerPassword', 'registerPasswordPh', 'password')}
+        ${field('registerNameMobile', 'registerName', 'name', 'namePh')}
+        ${field('smsCode', 'smsCode', 'smsCode', 'smsCodePh')}
+        ${field('registerType', 'registerType', 'type', 'typePh')}
+        ${field('referrerMobile', 'referrer', 'referrer', 'referrerPh')}
+        ${field('agentKey', 'agentKey', 'agentKey', 'agentKeyPh')}
+        ${field('smsImgCode', 'smsImgCode', 'imgcode', 'imgcodePh')}
+        ${field('smsK', 'smsK', 'k', 'kPh')}
+      </div>
+    </section>`
+}
+function field(id, name, labelKey, placeholderKey, type = 'text') {
+  return `<div class="field">
+    <label for="${id}" data-i18n="${labelKey}"></label>
+    <input id="${id}" name="${name}" type="${type}" data-i18n-placeholder="${placeholderKey}">
+  </div>`
+}
 function renderMethodButton(method, activeType) {
   const keys = {
     'username-password': ['methodUsername', 'methodUsernameSub'],
     'email-password': ['methodEmail', 'methodEmailSub'],
     basic: ['methodBasic', 'methodBasicSub'],
     'x-token': ['methodToken', 'methodTokenSub'],
-    'register-email': ['methodRegister', 'methodRegisterSub']
+    'register-email': ['methodRegisterEmail', 'methodRegisterEmailSub'],
+    'register-mobile': ['methodRegisterMobile', 'methodRegisterMobileSub']
   }[method]
   return `<button type="button" role="tab" data-method="${method}" aria-pressed="${method === activeType}">
     <strong data-i18n="${keys[0]}"></strong>
@@ -750,5 +981,5 @@ function renderSuccess(account) {
 }
 function renderError(error) {
-  return `<!doctype html><html lang="zh-CN"><meta charset="utf-8"><body style="font:16px system-ui;padding:40px"><h1>Authorization failed</h1><p>${escapeHtml(error.message)}</p><p>Go back, check the values, and submit again.</p></body></html>`
+  return `<!doctype html><html lang="zh-CN"><meta charset="utf-8"><body style="font:16px system-ui;padding:40px;background:#f7f8fb;color:#202124"><main style="max-width:620px;margin:10vh auto;background:white;border:1px solid #dde2ea;border-radius:14px;padding:32px"><h1>授权失败</h1><p>${escapeHtml(error.message)}</p><p>请返回上一页检查填写内容后重新提交。</p></main></body></html>`
 }

package/src/index.js CHANGED Viewed

@@ -21,7 +21,7 @@ import {
   summarizeMetadata
 } from './sdk.js'
-const VERSION = '26.5.3'
+const VERSION = '26.5.4'
 const server = new McpServer(
   {
@@ -44,13 +44,13 @@ server.registerTool(
   {
     title: 'Start secure APIFM admin authorization',
     description:
-      'Creates a localhost browser page for entering Basic Auth, X-Token, username/password, or email registration details. Secrets are stored only in this MCP process memory and must not be pasted into chat.',
+      'Creates a localhost browser page for login, Basic Auth, X-Token, email registration, or mobile registration. Secrets are stored only in this MCP process memory and must not be pasted into chat.',
     inputSchema: z.object({
       authType: z
-        .enum(['all', 'basic', 'x-token', 'password', 'username-password', 'email-password', 'register-email'])
+        .enum(['all', 'basic', 'x-token', 'password', 'username-password', 'email-password', 'register-email', 'register-mobile'])
         .optional()
         .describe(
-          'Optional initial auth method. all shows every method in one browser page. basic = Basic Authentication, x-token = existing admin X-Token, username-password/email-password = SDK login, register-email = create admin account by email.'
+          'Optional initial auth method. all shows every method in one browser page. basic = Basic Authentication, x-token = existing admin X-Token, username-password/email-password = SDK login, register-email/register-mobile = create admin account.'
         ),
       alias: z.string().optional().describe('Friendly local account alias, for example prod or test-shop.'),
       domains: z

package/src/self-check.js CHANGED Viewed

@@ -41,12 +41,33 @@ try {
     throw new Error('start_auth should return a local authorization URL.')
   }
   const authPage = await fetch(authData.url).then((response) => response.text())
-  for (const expected of ['data-lang="zh-CN"', 'data-lang="zh-TW"', 'data-lang="en"', 'data-method="basic"', 'data-method="x-token"']) {
+  for (const expected of [
+    'data-lang="zh-CN"',
+    'data-lang="zh-TW"',
+    'data-lang="en"',
+    'data-group-tab="login"',
+    'data-group-tab="register"',
+    'data-method="basic"',
+    'data-method="x-token"',
+    'data-method="register-mobile"',
+    'merchantNo',
+    'merchantKey'
+  ]) {
     if (!authPage.includes(expected)) {
       throw new Error(`Authorization page is missing ${expected}.`)
     }
   }
+  const mobileAuth = await client.callTool({
+    name: 'apifm_admin_start_auth',
+    arguments: { authType: 'register-mobile' }
+  })
+  const mobileAuthData = JSON.parse(mobileAuth.content[0].text)
+  const mobileAuthPage = await fetch(mobileAuthData.url).then((response) => response.text())
+  if (!mobileAuthPage.includes('value="register-mobile"')) {
+    throw new Error('register-mobile should be accepted as an initial auth type.')
+  }
   const search = await client.callTool({
     name: 'apifm_admin_search_methods',
     arguments: { query: 'user list', limit: 5 }