npm - crawlforge-mcp-server - Versions diffs - 3.0.10 → 3.0.12 - Mend

crawlforge-mcp-server 3.0.10 → 3.0.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/package.json +1 -1
package/server.js +15 -2
package/setup.js +60 -23
package/src/core/AuthManager.js +18 -8
package/src/tools/search/searchWeb.js +2 -1

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "crawlforge-mcp-server",
-  "version": "3.0.10",
+  "version": "3.0.12",
   "description": "CrawlForge MCP Server - Professional Model Context Protocol server with 19 comprehensive web scraping, crawling, and content processing tools.",
   "main": "server.js",
   "bin": {

package/server.js CHANGED Viewed

@@ -8,20 +8,33 @@ import dotenv from 'dotenv';
 // Load .env file early to check for creator secret
 dotenv.config({ path: '.env', quiet: true });
+// SECURITY: Clear any externally-set creator mode env var to prevent bypass
+delete process.env.CRAWLFORGE_CREATOR_MODE;
 const CREATOR_SECRET_HASH = 'cfef62e5068d48e7dd6a39c9e16f0be2615510c6b68274fc8abe3156feb5050b';
+// Module-scoped flag - cannot be set externally
+let _creatorModeVerified = false;
 if (process.env.CRAWLFORGE_CREATOR_SECRET) {
   const providedHash = crypto
     .createHash('sha256')
     .update(process.env.CRAWLFORGE_CREATOR_SECRET)
     .digest('hex');
-  if (providedHash === CREATOR_SECRET_HASH) {
-    process.env.CRAWLFORGE_CREATOR_MODE = 'true';
+  if (crypto.timingSafeEqual(Buffer.from(providedHash, 'hex'), Buffer.from(CREATOR_SECRET_HASH, 'hex'))) {
+    _creatorModeVerified = true;
     console.log('🔓 Creator Mode Enabled - Unlimited Access');
   } else {
     console.warn('⚠️  Invalid creator secret provided');
   }
+  // Clean up the secret from environment
+  delete process.env.CRAWLFORGE_CREATOR_SECRET;
+}
+// Export getter for AuthManager to use
+export function isCreatorModeVerified() {
+  return _creatorModeVerified;
 }
 // Now import everything else

package/setup.js CHANGED Viewed

@@ -15,9 +15,10 @@ import AuthManager from './src/core/AuthManager.js';
  * Add CrawlForge to an MCP client configuration file
  * @param {string} configPath - Path to the config file
  * @param {string} clientName - Name of the client (for messages)
+ * @param {string} apiKey - The CrawlForge API key to include in env
  * @returns {object} Result with success status and message
  */
-function addToMcpConfig(configPath, clientName) {
+function addToMcpConfig(configPath, clientName, apiKey) {
   // Check if config exists
   if (!fs.existsSync(configPath)) {
     return {
@@ -37,8 +38,9 @@ function addToMcpConfig(configPath, clientName) {
       config.mcpServers = {};
     }
-    // Check if crawlforge is already configured
-    if (config.mcpServers.crawlforge) {
+    // Check if crawlforge is already configured with the correct API key
+    const existingConfig = config.mcpServers.crawlforge;
+    if (existingConfig && existingConfig.env?.CRAWLFORGE_API_KEY === apiKey) {
       return {
         success: true,
         message: `CrawlForge already configured in ${clientName}`,
@@ -46,12 +48,14 @@ function addToMcpConfig(configPath, clientName) {
       };
     }
-    // Add crawlforge MCP server configuration
+    // Add or update crawlforge MCP server configuration with API key
     config.mcpServers.crawlforge = {
       type: "stdio",
       command: "crawlforge",
       args: [],
-      env: {}
+      env: {
+        CRAWLFORGE_API_KEY: apiKey
+      }
     };
     // Write updated config
@@ -59,7 +63,9 @@ function addToMcpConfig(configPath, clientName) {
     return {
       success: true,
-      message: `CrawlForge added to ${clientName} MCP config`
+      message: existingConfig
+        ? `CrawlForge API key updated in ${clientName} MCP config`
+        : `CrawlForge added to ${clientName} MCP config`
     };
   } catch (error) {
     return {
@@ -71,9 +77,10 @@ function addToMcpConfig(configPath, clientName) {
 /**
  * Configure all detected MCP clients
+ * @param {string} apiKey - The CrawlForge API key to include in env
  * @returns {object} Results for each client
  */
-function configureMcpClients() {
+function configureMcpClients(apiKey) {
   const results = {
     claudeCode: null,
     cursor: null
@@ -81,7 +88,7 @@ function configureMcpClients() {
   // Claude Code config path
   const claudeConfigPath = path.join(os.homedir(), '.claude.json');
-  results.claudeCode = addToMcpConfig(claudeConfigPath, 'Claude Code');
+  results.claudeCode = addToMcpConfig(claudeConfigPath, 'Claude Code', apiKey);
   // Cursor config path (macOS)
   const cursorConfigPath = path.join(os.homedir(), '.cursor', 'mcp.json');
@@ -95,20 +102,47 @@ function configureMcpClients() {
         // Ignore creation errors
       }
     }
-    results.cursor = addToMcpConfig(cursorConfigPath, 'Cursor');
+    results.cursor = addToMcpConfig(cursorConfigPath, 'Cursor', apiKey);
   }
   return results;
 }
-const rl = readline.createInterface({
-  input: process.stdin,
-  output: process.stdout
-});
+let rl = null;
+function getReadline() {
+  if (!rl) {
+    rl = readline.createInterface({
+      input: process.stdin,
+      output: process.stdout
+    });
+  }
+  return rl;
+}
-const question = (query) => new Promise((resolve) => rl.question(query, resolve));
+const question = (query) => new Promise((resolve) => getReadline().question(query, resolve));
+function closeReadline() {
+  if (rl) {
+    rl.close();
+    rl = null;
+  }
+}
 async function main() {
+  // Check if running interactively
+  const isInteractive = process.stdin.isTTY;
+  if (!isInteractive) {
+    console.log('');
+    console.log('❌ Setup requires an interactive terminal.');
+    console.log('');
+    console.log('Please run this command directly in your terminal:');
+    console.log('  npx crawlforge-setup');
+    console.log('');
+    process.exit(1);
+  }
   console.log('');
   console.log('╔═══════════════════════════════════════════════════════╗');
   console.log('║           CrawlForge MCP Server Setup Wizard          ║');
@@ -138,7 +172,7 @@ async function main() {
     if (overwrite.toLowerCase() !== 'y') {
       console.log('Setup cancelled.');
-      rl.close();
+      closeReadline();
       process.exit(0);
     }
     console.log('');
@@ -151,7 +185,7 @@ async function main() {
     console.log('');
     console.log('❌ API key is required');
     console.log('Get your free API key at: https://www.crawlforge.dev/signup');
-    rl.close();
+    closeReadline();
     process.exit(1);
   }
@@ -168,9 +202,9 @@ async function main() {
     console.log('🎉 Setup complete! You can now use CrawlForge MCP Server.');
     console.log('');
-    // Auto-configure MCP clients (Claude Code, Cursor)
+    // Auto-configure MCP clients (Claude Code, Cursor) with API key
     console.log('🔧 Configuring MCP client integrations...');
-    const clientResults = configureMcpClients();
+    const clientResults = configureMcpClients(apiKey.trim());
     let anyConfigured = false;
     let needsRestart = false;
@@ -219,7 +253,10 @@ async function main() {
       console.log('     "mcpServers": {');
       console.log('       "crawlforge": {');
       console.log('         "type": "stdio",');
-      console.log('         "command": "crawlforge"');
+      console.log('         "command": "crawlforge",');
+      console.log('         "env": {');
+      console.log(`           "CRAWLFORGE_API_KEY": "${apiKey.trim()}"`);
+      console.log('         }');
       console.log('       }');
       console.log('     }');
       console.log('   }');
@@ -242,11 +279,11 @@ async function main() {
     console.log('  • Documentation: https://www.crawlforge.dev/docs');
     console.log('  • Support: support@crawlforge.dev');
     console.log('');
-    rl.close();
+    closeReadline();
     process.exit(1);
   }
-  rl.close();
+  closeReadline();
 }
 // Handle errors
@@ -254,13 +291,13 @@ process.on('unhandledRejection', (error) => {
   console.error('');
   console.error('❌ Setup error:', error.message);
   console.error('');
-  rl.close();
+  closeReadline();
   process.exit(1);
 });
 // Run setup
 main().catch((error) => {
   console.error('❌ Fatal error:', error);
-  rl.close();
+  closeReadline();
   process.exit(1);
 });

package/src/core/AuthManager.js CHANGED Viewed

@@ -6,6 +6,7 @@
 // Using native fetch (Node.js 18+)
 import fs from 'fs/promises';
 import path from 'path';
+import { isCreatorModeVerified } from '../../server.js';
 class AuthManager {
   constructor() {
@@ -21,10 +22,10 @@ class AuthManager {
   /**
    * Check if running in creator mode (unlimited access, no API required)
-   * Reads from environment variable dynamically to ensure proper initialization order
+   * Uses module-scoped verified flag from server.js - cannot be bypassed via env vars
    */
   isCreatorMode() {
-    return process.env.CRAWLFORGE_CREATOR_MODE === 'true';
+    return isCreatorModeVerified();
   }
   /**
@@ -83,8 +84,8 @@ class AuthManager {
     const configDir = path.dirname(this.configPath);
     await fs.mkdir(configDir, { recursive: true });
-    // Save config
-    await fs.writeFile(this.configPath, JSON.stringify(config, null, 2));
+    // Save config with owner-only permissions (contains API key)
+    await fs.writeFile(this.configPath, JSON.stringify(config, null, 2), { mode: 0o600 });
     this.config = config;
   }
@@ -183,7 +184,8 @@ class AuthManager {
       const response = await fetch(`${this.apiEndpoint}/api/v1/credits`, {
         headers: {
           'X-API-Key': this.config.apiKey
-        }
+        },
+        signal: AbortSignal.timeout(5000)
       });
       if (response.ok) {
@@ -193,11 +195,19 @@ class AuthManager {
         return data.creditsRemaining >= estimatedCredits;
       }
     } catch (error) {
-      // If can't check, allow operation but log error
       console.error('Failed to check credits:', error.message);
-    }
-    return true; // Allow operation if can't verify
+      // Grace period: allow stale cached credits during transient network failures
+      // This prevents outages from blocking authenticated users while still
+      // failing closed when there's no cached data (no free usage bypass)
+      const cached = this.creditCache.get(this.config.userId);
+      if (cached !== undefined && cached >= estimatedCredits) {
+        console.warn('Using cached credits due to network error — will re-verify on next call');
+        return true;
+      }
+      throw new Error('Unable to verify credits. Please check your connection and try again.');
+    }
   }
   /**

package/src/tools/search/searchWeb.js CHANGED Viewed

@@ -5,6 +5,7 @@ import { QueryExpander } from './queryExpander.js';
 import { ResultRanker } from './ranking/ResultRanker.js';
 import { ResultDeduplicator } from './ranking/ResultDeduplicator.js';
 import LocalizationManager from '../../core/LocalizationManager.js';
+import { isCreatorModeVerified } from '../../../server.js';
 const SearchWebSchema = z.object({
   query: z.string().min(1),
@@ -73,7 +74,7 @@ export class SearchWebTool {
     } = options;
     // Check for Creator Mode - allows search without API key for development/testing
-    const isCreatorMode = process.env.CRAWLFORGE_CREATOR_MODE === 'true';
+    const isCreatorMode = isCreatorModeVerified();
     if (!apiKey && !isCreatorMode) {
       throw new Error('CrawlForge API key is required for search functionality');