npm - asrai-mcp - Versions diffs - 1.3.2 → 1.3.3 - Mend

asrai-mcp 1.3.2 → 1.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/package.json +1 -1
package/src/sse-server.js +124 -2

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "asrai-mcp",
-  "version": "1.3.2",
+  "version": "1.3.3",
   "description": "Asrai crypto analysis MCP server — pay-per-use via x402 on Base. Zero install: just npx.",
   "keywords": [
     "mcp",

package/src/sse-server.js CHANGED Viewed

@@ -19,7 +19,7 @@
  */
 import express from "express";
-import { randomBytes, randomUUID } from "node:crypto";
+import { randomBytes, randomUUID, createHash } from "node:crypto";
 import { createRequire } from "node:module";
 import { privateKeyToAccount } from "viem/accounts";
@@ -32,6 +32,126 @@ import { connectionStorage } from "./tools.js";
 const app = express();
 app.use(express.json());
+app.use(express.urlencoded({ extended: false }));
+// CORS — required for browser-based MCP clients
+app.use((req, res, next) => {
+  res.setHeader("Access-Control-Allow-Origin", "*");
+  res.setHeader("Access-Control-Allow-Methods", "GET, POST, DELETE, OPTIONS");
+  res.setHeader("Access-Control-Allow-Headers", "Content-Type, mcp-session-id");
+  if (req.method === "OPTIONS") return res.status(204).end();
+  next();
+});
+const BASE_URL = process.env.ASRAI_BASE_URL ?? "https://mcp.asrai.me";
+const escapeHtml = (s = "") =>
+  String(s).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
+// ── OAuth 2.1 + PKCE (for Grok and other web-based MCP clients) ──────────────
+const authCodes = new Map();
+function pruneExpiredCodes() {
+  const now = Date.now();
+  for (const [c, d] of authCodes) if (now > d.expiresAt) authCodes.delete(c);
+}
+app.get("/.well-known/oauth-authorization-server", (_req, res) => {
+  res.json({
+    issuer: BASE_URL,
+    authorization_endpoint: `${BASE_URL}/authorize`,
+    token_endpoint: `${BASE_URL}/token`,
+    response_types_supported: ["code"],
+    grant_types_supported: ["authorization_code"],
+    code_challenge_methods_supported: ["S256"],
+    token_endpoint_auth_methods_supported: ["none"],
+  });
+});
+const authPage = (params = {}, error = "") => `<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1">
+  <title>Asrai — Connect to Grok</title>
+  <style>
+    *{box-sizing:border-box;margin:0;padding:0}
+    body{font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",sans-serif;background:#0f0f0f;color:#e0e0e0;display:flex;align-items:center;justify-content:center;min-height:100vh}
+    .card{background:#1a1a1a;border:1px solid #2a2a2a;border-radius:12px;padding:2rem;width:100%;max-width:420px}
+    h1{font-size:1.2rem;font-weight:600;margin-bottom:.5rem}
+    .sub{color:#888;font-size:.875rem;margin-bottom:1.5rem;line-height:1.5}
+    label{display:block;font-size:.8rem;color:#aaa;margin-bottom:.375rem}
+    input{width:100%;padding:.625rem .75rem;background:#111;border:1px solid #333;border-radius:6px;color:#e0e0e0;font-size:.875rem;font-family:monospace}
+    input:focus{outline:none;border-color:#555}
+    button{margin-top:1rem;width:100%;padding:.625rem;background:#2563eb;border:none;border-radius:6px;color:#fff;font-size:.875rem;font-weight:500;cursor:pointer}
+    button:hover{background:#1d4ed8}
+    .error{color:#f87171;font-size:.8rem;margin-top:.75rem}
+    .hint{color:#555;font-size:.75rem;margin-top:.4rem}
+    .warn{background:#1c1208;border:1px solid #3d2800;border-radius:6px;padding:.75rem;font-size:.8rem;color:#f59e0b;margin-bottom:1rem;line-height:1.5}
+  </style>
+</head>
+<body><div class="card">
+  <h1>Connect Asrai x402 to Grok</h1>
+  <p class="warn">This server uses pay-per-use x402 payments on Base. Each tool call costs $0.005–$0.095 USDC from your wallet.</p>
+  <p class="sub">Enter your EVM wallet private key. Make sure it has USDC on Base.</p>
+  <form method="POST" action="/authorize">
+    ${Object.entries(params).map(([k,v]) => `<input type="hidden" name="${escapeHtml(k)}" value="${escapeHtml(v)}">`).join("")}
+    <label for="key">Wallet Private Key</label>
+    <input type="text" id="key" name="key" placeholder="0x..." autocomplete="off" autofocus>
+    <p class="hint">Need a wallet? Use the /generate-wallet endpoint or any EVM wallet.</p>
+    ${error ? `<p class="error">${escapeHtml(error)}</p>` : ""}
+    <button type="submit">Connect</button>
+  </form>
+</div></body></html>`;
+app.get("/authorize", (req, res) => {
+  const { response_type, client_id, redirect_uri, code_challenge, code_challenge_method, state } = req.query;
+  if (response_type !== "code" || !redirect_uri || !code_challenge) {
+    return res.status(400).send("Missing required OAuth parameters.");
+  }
+  res.send(authPage({ response_type, client_id: client_id ?? "", redirect_uri, code_challenge, code_challenge_method: code_challenge_method ?? "S256", state: state ?? "" }));
+});
+app.post("/authorize", async (req, res) => {
+  const { response_type, client_id, redirect_uri, code_challenge, code_challenge_method, state, key } = req.body;
+  if (!redirect_uri || !code_challenge) return res.status(400).send("Missing required parameters.");
+  const privateKey = (key ?? "").trim();
+  const params = { response_type, client_id, redirect_uri, code_challenge, code_challenge_method, state };
+  if (!privateKey) return res.send(authPage(params, "Please enter your wallet private key."));
+  try {
+    privateKeyToAccount(privateKey); // validate format
+  } catch {
+    return res.send(authPage(params, "Invalid private key format. Must start with 0x followed by 64 hex characters."));
+  }
+  pruneExpiredCodes();
+  const code = randomUUID();
+  authCodes.set(code, { key: privateKey, codeChallenge: code_challenge, codeChallengeMethod: code_challenge_method ?? "S256", redirectUri: redirect_uri, expiresAt: Date.now() + 5 * 60 * 1000 });
+  const url = new URL(redirect_uri);
+  url.searchParams.set("code", code);
+  if (state) url.searchParams.set("state", state);
+  res.redirect(url.toString());
+});
+app.post("/token", (req, res) => {
+  const { grant_type, code, code_verifier } = req.body;
+  if (grant_type !== "authorization_code") return res.status(400).json({ error: "unsupported_grant_type" });
+  const stored = authCodes.get(code);
+  if (!stored || Date.now() > stored.expiresAt) return res.status(400).json({ error: "invalid_grant" });
+  if (stored.codeChallengeMethod === "S256") {
+    const expected = createHash("sha256").update(code_verifier ?? "").digest("base64url");
+    if (expected !== stored.codeChallenge) return res.status(400).json({ error: "invalid_grant", error_description: "PKCE verification failed" });
+  }
+  authCodes.delete(code);
+  res.json({ access_token: stored.key, token_type: "Bearer", expires_in: 3600 });
+});
 // Track active SSE transports by session ID (for POST /messages routing)
 // Stores { transport, key } so the key is available when POST /messages arrives
@@ -43,7 +163,9 @@ const streamableTransports = {};
 // ── Key extraction helper ─────────────────────────────────────────────────────
 function extractKey(req, res, endpoint) {
-  const key = (req.query.key ?? process.env.ASRAI_PRIVATE_KEY ?? "").trim();
+  const authHeader = req.headers["authorization"] ?? "";
+  const bearerKey = authHeader.startsWith("Bearer ") ? authHeader.slice(7).trim() : "";
+  const key = (req.query.key ?? bearerKey || process.env.ASRAI_PRIVATE_KEY ?? "").trim();
   if (!key) {
     res.status(401).send(`Missing wallet key. Connect with: ${endpoint}?key=0x<private_key>`);
     return null;