npm - crawlforge-mcp-server - Versions diffs - 3.0.11 → 3.0.12 - Mend

crawlforge-mcp-server 3.0.11 → 3.0.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/package.json +1 -1
package/server.js +15 -2
package/src/core/AuthManager.js +18 -8
package/src/tools/search/searchWeb.js +2 -1

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "crawlforge-mcp-server",
-  "version": "3.0.11",
+  "version": "3.0.12",
   "description": "CrawlForge MCP Server - Professional Model Context Protocol server with 19 comprehensive web scraping, crawling, and content processing tools.",
   "main": "server.js",
   "bin": {

package/server.js CHANGED Viewed

@@ -8,20 +8,33 @@ import dotenv from 'dotenv';
 // Load .env file early to check for creator secret
 dotenv.config({ path: '.env', quiet: true });
+// SECURITY: Clear any externally-set creator mode env var to prevent bypass
+delete process.env.CRAWLFORGE_CREATOR_MODE;
 const CREATOR_SECRET_HASH = 'cfef62e5068d48e7dd6a39c9e16f0be2615510c6b68274fc8abe3156feb5050b';
+// Module-scoped flag - cannot be set externally
+let _creatorModeVerified = false;
 if (process.env.CRAWLFORGE_CREATOR_SECRET) {
   const providedHash = crypto
     .createHash('sha256')
     .update(process.env.CRAWLFORGE_CREATOR_SECRET)
     .digest('hex');
-  if (providedHash === CREATOR_SECRET_HASH) {
-    process.env.CRAWLFORGE_CREATOR_MODE = 'true';
+  if (crypto.timingSafeEqual(Buffer.from(providedHash, 'hex'), Buffer.from(CREATOR_SECRET_HASH, 'hex'))) {
+    _creatorModeVerified = true;
     console.log('🔓 Creator Mode Enabled - Unlimited Access');
   } else {
     console.warn('⚠️  Invalid creator secret provided');
   }
+  // Clean up the secret from environment
+  delete process.env.CRAWLFORGE_CREATOR_SECRET;
+}
+// Export getter for AuthManager to use
+export function isCreatorModeVerified() {
+  return _creatorModeVerified;
 }
 // Now import everything else

package/src/core/AuthManager.js CHANGED Viewed

@@ -6,6 +6,7 @@
 // Using native fetch (Node.js 18+)
 import fs from 'fs/promises';
 import path from 'path';
+import { isCreatorModeVerified } from '../../server.js';
 class AuthManager {
   constructor() {
@@ -21,10 +22,10 @@ class AuthManager {
   /**
    * Check if running in creator mode (unlimited access, no API required)
-   * Reads from environment variable dynamically to ensure proper initialization order
+   * Uses module-scoped verified flag from server.js - cannot be bypassed via env vars
    */
   isCreatorMode() {
-    return process.env.CRAWLFORGE_CREATOR_MODE === 'true';
+    return isCreatorModeVerified();
   }
   /**
@@ -83,8 +84,8 @@ class AuthManager {
     const configDir = path.dirname(this.configPath);
     await fs.mkdir(configDir, { recursive: true });
-    // Save config
-    await fs.writeFile(this.configPath, JSON.stringify(config, null, 2));
+    // Save config with owner-only permissions (contains API key)
+    await fs.writeFile(this.configPath, JSON.stringify(config, null, 2), { mode: 0o600 });
     this.config = config;
   }
@@ -183,7 +184,8 @@ class AuthManager {
       const response = await fetch(`${this.apiEndpoint}/api/v1/credits`, {
         headers: {
           'X-API-Key': this.config.apiKey
-        }
+        },
+        signal: AbortSignal.timeout(5000)
       });
       if (response.ok) {
@@ -193,11 +195,19 @@ class AuthManager {
         return data.creditsRemaining >= estimatedCredits;
       }
     } catch (error) {
-      // If can't check, allow operation but log error
       console.error('Failed to check credits:', error.message);
-    }
-    return true; // Allow operation if can't verify
+      // Grace period: allow stale cached credits during transient network failures
+      // This prevents outages from blocking authenticated users while still
+      // failing closed when there's no cached data (no free usage bypass)
+      const cached = this.creditCache.get(this.config.userId);
+      if (cached !== undefined && cached >= estimatedCredits) {
+        console.warn('Using cached credits due to network error — will re-verify on next call');
+        return true;
+      }
+      throw new Error('Unable to verify credits. Please check your connection and try again.');
+    }
   }
   /**

package/src/tools/search/searchWeb.js CHANGED Viewed

@@ -5,6 +5,7 @@ import { QueryExpander } from './queryExpander.js';
 import { ResultRanker } from './ranking/ResultRanker.js';
 import { ResultDeduplicator } from './ranking/ResultDeduplicator.js';
 import LocalizationManager from '../../core/LocalizationManager.js';
+import { isCreatorModeVerified } from '../../../server.js';
 const SearchWebSchema = z.object({
   query: z.string().min(1),
@@ -73,7 +74,7 @@ export class SearchWebTool {
     } = options;
     // Check for Creator Mode - allows search without API key for development/testing
-    const isCreatorMode = process.env.CRAWLFORGE_CREATOR_MODE === 'true';
+    const isCreatorMode = isCreatorModeVerified();
     if (!apiKey && !isCreatorMode) {
       throw new Error('CrawlForge API key is required for search functionality');