chaimi-keep-mcp 3.1.24

package/oauth.js

@@ -0,0 +1,493 @@
+/**
+ * OAuth Device Flow 管理器
+ * 实现 OAuth 2.0 Device Authorization Grant
+ * 支持双模式：URL Scheme（浏览器环境）/ 纯 Device Flow（CLI环境）
+ */
+
+const fetch = require('node-fetch');
+const { exec } = require('child_process');
+const util = require('util');
+const execPromise = util.promisify(exec);
+const crypto = require('crypto');
+
+class OAuthManager {
+  constructor(config) {
+    this.mcpOAuthUrl = config.mcpOAuthUrl;
+    this.tokenStorage = config.tokenStorage;
+    this.onQrCode = config.onQrCode;
+    this.onTokenReady = config.onTokenReady;
+    this.preferUrlScheme = config.preferUrlScheme !== false;
+  }
+
+  async detectEnvironment() {
+    if (process.env.DISPLAY) {
+      return { supportsBrowser: true, platform: 'linux-gui' };
+    }
+
+    if (process.platform === 'darwin') {
+      return { supportsBrowser: true, platform: 'macos' };
+    }
+
+    if (process.platform === 'win32') {
+      return { supportsBrowser: true, platform: 'windows' };
+    }
+
+    if (process.env.BROWSER) {
+      return { supportsBrowser: true, platform: 'custom' };
+    }
+
+    return { supportsBrowser: false, platform: 'cli' };
+  }
+
+  async startAuthFlow() {
+    try {
+      const env = await this.detectEnvironment();
+      const useUrlScheme = this.preferUrlScheme && env.supportsBrowser;
+      const deviceCodeRes = await this.requestDeviceCode(useUrlScheme);
+
+      await this.saveAuthState({
+        deviceCode: deviceCodeRes.deviceCode,
+        userCode: deviceCodeRes.userCode,
+        timestamp: Date.now(),
+        status: 'pending'
+      });
+
+      if (useUrlScheme && deviceCodeRes.urlScheme) {
+        await this.authorizeWithUrlScheme(deviceCodeRes);
+      } else {
+        await this.authorizeWithDeviceFlow(deviceCodeRes);
+      }
+
+      // 3. 轮询获取 Token
+      // 注意：使用 console.error，避免污染 stdout（MCP 协议通信使用 stdout）
+      console.error('');
+      console.error('⏳ 等待用户授权，请勿关闭窗口...');
+      console.error('   （请在手机微信中完成授权操作）');
+      console.error('');
+      const token = await this.pollForToken(
+        deviceCodeRes.deviceCode,
+        deviceCodeRes.interval * 1000 || 5000
+      );
+
+      await this.tokenStorage.save(token);
+
+      if (this.onTokenReady) {
+        this.onTokenReady(token);
+      }
+
+      return token;
+    } catch (err) {
+      throw err;
+    }
+  }
+
+  async authorizeWithUrlScheme(deviceCodeRes) {
+    const isMobile = this.detectMobileEnvironment();
+
+    if (isMobile) {
+      const url = deviceCodeRes.urlScheme || deviceCodeRes.verificationUriFull;
+
+      try {
+        await this.openBrowser(url);
+      } catch (err) {
+      }
+    } else {
+      const qrCodeUrl = `https://mcp.chaihuo.com/auth?deviceCode=${deviceCodeRes.deviceCode}&userCode=${deviceCodeRes.userCode}`;
+
+      if (this.onQrCode) {
+        await this.onQrCode({
+          userCode: deviceCodeRes.userCode,
+          verificationUri: deviceCodeRes.verificationUri,
+          deviceCode: deviceCodeRes.deviceCode,
+          qrCodeUrl: qrCodeUrl,
+          isPC: true
+        });
+      }
+    }
+  }
+
+  detectMobileEnvironment() {
+    const userAgent = process.env.USER_AGENT || '';
+    if (/iPhone|iPad|iPod|Android|Mobile/i.test(userAgent)) {
+      return true;
+    }
+
+    if (process.env.TERM_PROGRAM === 'Apple_Terminal' && process.platform === 'darwin') {
+      return false;
+    }
+
+    return false;
+  }
+
+  async authorizeWithDeviceFlow(deviceCodeRes) {
+    if (this.onQrCode) {
+      await this.onQrCode({
+        userCode: deviceCodeRes.userCode,
+        verificationUri: deviceCodeRes.verificationUri,
+        deviceCode: deviceCodeRes.deviceCode
+      });
+    }
+  }
+
+  async openBrowser(url) {
+    const platform = process.platform;
+    let command;
+
+    if (platform === 'darwin') {
+      command = `open "${url}"`;
+    } else if (platform === 'win32') {
+      command = `start "" "${url}"`;
+    } else if (platform === 'linux') {
+      command = `xdg-open "${url}"`;
+    } else {
+      throw new Error('不支持的平台');
+    }
+
+    await execPromise(command);
+  }
+
+  async requestDeviceCode(useUrlScheme = false) {
+    const response = await fetch(this.mcpOAuthUrl, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json'
+      },
+      body: JSON.stringify({
+        tool: 'deviceCode',
+        params: {
+          clientId: 'chaihuo-mcp-client',
+          useUrlScheme: useUrlScheme
+        }
+      })
+    });
+
+    const result = await response.json();
+
+    if (!result.success) {
+      throw new Error(`获取设备码失败: ${result.error}`);
+    }
+
+    return result.data;
+  }
+
+  // 单次轮询（用于后台轮询）
+  async pollForTokenOnce(deviceCode) {
+    try {
+      const response = await fetch(this.mcpOAuthUrl, {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json'
+        },
+        body: JSON.stringify({
+          tool: 'deviceToken',
+          params: {
+            deviceCode
+          }
+        })
+      });
+
+      const result = await response.json();
+
+      if (result.success) {
+        return {
+          accessToken: result.data.accessToken,
+          refreshToken: result.data.refreshToken,
+          expiresIn: result.data.expiresIn,
+          tokenType: result.data.tokenType,
+          expiresAt: Date.now() + result.data.expiresIn * 1000
+        };
+      }
+
+      if (result.error === 'authorization_pending') {
+        return null; // 还未授权，返回 null
+      }
+
+      if (result.error === 'expired_token') {
+        throw new Error('设备码已过期，请重新授权');
+      }
+
+      if (result.error === 'invalid_device_code') {
+        throw new Error('无效的设备码');
+      }
+
+      throw new Error(`获取 Token 失败: ${result.error}`);
+    } catch (err) {
+      throw err;
+    }
+  }
+
+  async pollForToken(deviceCode, interval) {
+    const maxAttempts = 60;
+    let attempts = 0;
+
+    while (attempts < maxAttempts) {
+      attempts++;
+
+      await this.delay(interval);
+
+      try {
+        const token = await this.pollForTokenOnce(deviceCode);
+        if (token) {
+          return token;
+        }
+        // 未授权，继续轮询
+      } catch (err) {
+        if (err.message.includes('expired') || err.message.includes('invalid')) {
+          throw err;
+        }
+        // 其他错误，继续轮询
+      }
+    }
+
+    throw new Error('授权超时，请重新尝试');
+  }
+
+  async refreshToken() {
+    const currentToken = await this.tokenStorage.load();
+
+    if (!currentToken || !currentToken.refreshToken) {
+      throw new Error('没有可用的 Refresh Token，需要重新授权');
+    }
+
+    try {
+      const response = await fetch(this.mcpOAuthUrl, {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json'
+        },
+        body: JSON.stringify({
+          tool: 'refreshToken',
+          params: {
+            refreshToken: currentToken.refreshToken
+          }
+        })
+      });
+
+      const result = await response.json();
+
+      if (!result.success) {
+        if (result.error === 'refresh_token_expired') {
+          throw new Error('Refresh Token 已过期，需要重新授权');
+        }
+        throw new Error(`刷新 Token 失败: ${result.error}`);
+      }
+
+      const newToken = {
+        accessToken: result.data.accessToken,
+        refreshToken: result.data.refreshToken,
+        expiresIn: result.data.expiresIn,
+        tokenType: result.data.tokenType,
+        expiresAt: Date.now() + result.data.expiresIn * 1000
+      };
+
+      await this.tokenStorage.save(newToken);
+
+      return newToken;
+    } catch (err) {
+      throw err;
+    }
+  }
+
+  async getValidToken() {
+    const token = await this.tokenStorage.load();
+
+    if (!token) {
+      throw new Error('没有存储的 Token，请先授权');
+    }
+
+    const refreshThreshold = 5 * 60 * 1000;
+    if (Date.now() + refreshThreshold > token.expiresAt) {
+      return await this.refreshToken();
+    }
+
+    return token;
+  }
+
+  delay(ms) {
+    return new Promise(resolve => setTimeout(resolve, ms));
+  }
+
+  async saveAuthState(state) {
+    try {
+      const fs = require('fs').promises;
+      const path = require('path');
+      const stateFile = path.join(require('os').homedir(), '.mcporter', 'auth-state.json');
+      
+      const dir = path.dirname(stateFile);
+      await fs.mkdir(dir, { recursive: true });
+      
+      await fs.writeFile(
+        stateFile,
+        JSON.stringify(state, null, 2),
+        { mode: 0o600 }
+      );
+    } catch (err) {
+    }
+  }
+
+  async loadAuthState() {
+    try {
+      const fs = require('fs').promises;
+      const path = require('path');
+      const stateFile = path.join(require('os').homedir(), '.mcporter', 'auth-state.json');
+      
+      const data = await fs.readFile(stateFile, 'utf8');
+      return JSON.parse(data);
+    } catch (err) {
+      if (err.code === 'ENOENT') {
+        return null;
+      }
+      return null;
+    }
+  }
+
+  async clearAuthState() {
+    try {
+      const fs = require('fs').promises;
+      const path = require('path');
+      const stateFile = path.join(require('os').homedir(), '.mcporter', 'auth-state.json');
+      await fs.unlink(stateFile);
+    } catch (err) {
+    }
+  }
+
+  isAuthStateExpired(state, maxAge = 30 * 60 * 1000) {
+    // 优先检查 expiresAt（如果存在）
+    if (state && state.expiresAt) {
+      return Date.now() > state.expiresAt;
+    }
+    // 兼容旧版本，检查 timestamp
+    if (!state || !state.timestamp) return true;
+    return Date.now() - state.timestamp > maxAge;
+  }
+}
+
+class TokenStorage {
+  async save(token) {
+    throw new Error('TokenStorage.save 必须被子类实现');
+  }
+
+  async load() {
+    throw new Error('TokenStorage.load 必须被子类实现');
+  }
+
+  async clear() {
+    throw new Error('TokenStorage.clear 必须被子类实现');
+  }
+}
+
+// 生成机器唯一标识（用于加密密钥）
+function getMachineId() {
+  const os = require('os');
+  const interfaces = os.networkInterfaces();
+  let macAddress = '';
+
+  // 获取第一个非本地 MAC 地址
+  for (const name of Object.keys(interfaces)) {
+    for (const iface of interfaces[name]) {
+      if (iface.mac && iface.mac !== '00:00:00:00:00:00') {
+        macAddress = iface.mac;
+        break;
+      }
+    }
+    if (macAddress) break;
+  }
+
+  // 结合主机名和平台信息生成密钥
+  const keyMaterial = `${macAddress}-${os.hostname()}-${os.platform()}`;
+  return crypto.createHash('sha256').update(keyMaterial).digest('hex').substring(0, 32);
+}
+
+// 加密 Token
+function encryptToken(token, key) {
+  const iv = crypto.randomBytes(16);
+  const cipher = crypto.createCipheriv('aes-256-cbc', Buffer.from(key), iv);
+  let encrypted = cipher.update(JSON.stringify(token), 'utf8', 'hex');
+  encrypted += cipher.final('hex');
+  return iv.toString('hex') + ':' + encrypted;
+}
+
+// 解密 Token
+function decryptToken(encryptedData, key) {
+  const parts = encryptedData.split(':');
+  const iv = Buffer.from(parts[0], 'hex');
+  const encrypted = parts[1];
+  const decipher = crypto.createDecipheriv('aes-256-cbc', Buffer.from(key), iv);
+  let decrypted = decipher.update(encrypted, 'hex', 'utf8');
+  decrypted += decipher.final('utf8');
+  return JSON.parse(decrypted);
+}
+
+class FileTokenStorage extends TokenStorage {
+  constructor(filePath) {
+    super();
+    this.filePath = filePath;
+    this.fs = require('fs').promises;
+    this.path = require('path');
+    this.key = getMachineId();
+  }
+
+  async save(token) {
+    const dir = this.path.dirname(this.filePath);
+    await this.fs.mkdir(dir, { recursive: true });
+
+    // 加密 Token 后保存
+    const encrypted = encryptToken(token, this.key);
+    const data = {
+      version: '2.0',
+      encrypted: encrypted,
+      algorithm: 'aes-256-cbc',
+      updatedAt: new Date().toISOString()
+    };
+
+    await this.fs.writeFile(
+      this.filePath,
+      JSON.stringify(data, null, 2),
+      { mode: 0o600 }
+    );
+  }
+
+  async load() {
+    try {
+      const data = await this.fs.readFile(this.filePath, 'utf8');
+      const parsed = JSON.parse(data);
+
+      // 向后兼容：检测旧版明文格式
+      if (!parsed.version || parsed.version === '1.0') {
+        console.error('检测到旧版 Token 格式，自动升级...');
+        // 返回明文数据，但下次保存时会自动加密
+        return {
+          accessToken: parsed.accessToken,
+          refreshToken: parsed.refreshToken,
+          expiresAt: parsed.expiresAt,
+          expiresIn: parsed.expiresIn,
+          tokenType: parsed.tokenType
+        };
+      }
+
+      // 新版加密格式，解密后返回
+      return decryptToken(parsed.encrypted, this.key);
+    } catch (err) {
+      if (err.code === 'ENOENT') {
+        return null;
+      }
+      throw err;
+    }
+  }
+
+  async clear() {
+    try {
+      await this.fs.unlink(this.filePath);
+    } catch (err) {
+      if (err.code !== 'ENOENT') {
+        throw err;
+      }
+    }
+  }
+}
+
+module.exports = {
+  OAuthManager,
+  TokenStorage,
+  FileTokenStorage
+};

package/package.json

@@ -0,0 +1,42 @@
+{
+  "name": "chaimi-keep-mcp",
+  "version": "3.1.24",
+  "description": "柴米记账 MCP Server - 支持 Claude、Cursor、OpenClaw、WorkBuddy 等 AI 工具直接记账",
+  "main": "server.js",
+  "bin": {
+    "chaimi-keep-mcp": "bin/cli.js"
+  },
+  "type": "commonjs",
+  "scripts": {
+    "start": "node server.js",
+    "dev": "node server.js"
+  },
+  "keywords": [
+    "mcp",
+    "记账",
+    "微信小程序",
+    "openclaw",
+    "chaihuo",
+    "chaimi",
+    "AI记账",
+    "model-context-protocol"
+  ],
+  "author": "柴米记账团队,songyangx@gmail.com",
+  "license": "MIT",
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.0.0",
+    "dotenv": "^17.3.1",
+    "node-fetch": "^2.7.0"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/yourusername/chaimi-bookkeeping-mcp.git"
+  },
+  "bugs": {
+    "url": "https://github.com/yourusername/chaimi-bookkeeping-mcp/issues"
+  },
+  "homepage": "https://github.com/yourusername/chaimi-bookkeeping-mcp#readme"
+}