kiwoom-mcp-server 0.17.0 → 0.18.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.en.md +9 -3
- package/README.md +8 -2
- package/dist/http.js +38 -15
- package/dist/oauth.js +427 -0
- package/dist/server.js +1 -1
- package/package.json +1 -1
package/README.en.md
CHANGED
|
@@ -222,9 +222,15 @@ MCP_AUTH_TOKEN="$(openssl rand -hex 32)" npx -y kiwoom-mcp-server --http --port
|
|
|
222
222
|
`cloudflared tunnel --url http://localhost:8000` (ephemeral URL — use a named
|
|
223
223
|
tunnel for anything permanent).
|
|
224
224
|
- Register on claude.ai under **Settings → Connectors → Add custom connector** with
|
|
225
|
-
`https://<your-domain>/mcp
|
|
226
|
-
|
|
227
|
-
|
|
225
|
+
`https://<your-domain>/mcp` (leave the OAuth fields in Advanced settings empty).
|
|
226
|
+
On connect, a browser **consent page** opens — enter your `MCP_AUTH_TOKEN` as the
|
|
227
|
+
access password and you are done: the server implements the MCP authorization spec
|
|
228
|
+
(OAuth 2.0 + PKCE with dynamic client registration), so no header configuration is
|
|
229
|
+
needed. A connector added once is available across the web, mobile, and desktop
|
|
230
|
+
clients. Header-capable clients (e.g. Claude Code `--header`) can still use the
|
|
231
|
+
static `Authorization: Bearer <MCP_AUTH_TOKEN>` path. OAuth tokens are persisted
|
|
232
|
+
to `.oauth-state.json` (0600) in the working directory, so restarts don't drop
|
|
233
|
+
the connection.
|
|
228
234
|
- ⚠️ **Kiwoom API calls originate from wherever this server runs.** REAL mode is
|
|
229
235
|
bound to Kiwoom's designated-terminal (8050) IP registration, so running it
|
|
230
236
|
outside a registered IP (e.g. in the cloud) can fail auth. Validate remote
|
package/README.md
CHANGED
|
@@ -211,8 +211,14 @@ MCP_AUTH_TOKEN="$(openssl rand -hex 32)" npx -y kiwoom-mcp-server --http --port
|
|
|
211
211
|
- 공개 HTTPS URL은 [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/) 등으로 만듭니다:
|
|
212
212
|
`cloudflared tunnel --url http://localhost:8000` (임시 URL — 상시 운영은 named tunnel 권장).
|
|
213
213
|
- claude.ai 등록: **Settings → Connectors → Add custom connector**에
|
|
214
|
-
`https://<도메인>/mcp`를
|
|
215
|
-
|
|
214
|
+
`https://<도메인>/mcp`를 입력합니다 (고급 설정의 OAuth 필드는 비워둡니다). 연결 시
|
|
215
|
+
브라우저에 **승인 페이지**가 뜨고, `MCP_AUTH_TOKEN` 값을 접속 암호로 입력하면
|
|
216
|
+
완료됩니다 — 서버가 MCP 인증 스펙(OAuth 2.0 + PKCE, 동적 클라이언트 등록)을 내장하고
|
|
217
|
+
있어 별도 헤더 설정이 필요 없습니다. 등록한 커넥터는 웹/모바일/데스크톱에서 공용입니다.
|
|
218
|
+
헤더를 지정할 수 있는 클라이언트(예: Claude Code `--header`)는 기존처럼
|
|
219
|
+
`Authorization: Bearer <MCP_AUTH_TOKEN>` 정적 헤더로도 접속할 수 있습니다.
|
|
220
|
+
OAuth 토큰은 작업 디렉터리의 `.oauth-state.json`(0600)에 저장되어 서버를 재시작해도
|
|
221
|
+
연결이 유지됩니다.
|
|
216
222
|
- ⚠️ **키움 API 호출은 이 서버가 실행되는 곳에서 나갑니다.** REAL 모드는 키움 지정단말기
|
|
217
223
|
인증(8050)이 IP에 묶이므로, 등록된 IP가 아닌 곳(클라우드 등)에서 실행하면 인증 오류가
|
|
218
224
|
날 수 있습니다. 원격 노출은 모의투자로 먼저 검증하세요.
|
package/dist/http.js
CHANGED
|
@@ -1,6 +1,7 @@
|
|
|
1
|
-
import { createHash, timingSafeEqual } from "node:crypto";
|
|
2
1
|
import http from "node:http";
|
|
2
|
+
import path from "node:path";
|
|
3
3
|
import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
|
|
4
|
+
import { handleOAuthRequest, OAuthProvider, requestBaseUrl, timingSafeStringEqual, } from "./oauth.js";
|
|
4
5
|
import { createServer, SERVER_NAME, SERVER_VERSION } from "./server.js";
|
|
5
6
|
const DEFAULT_PORT = 8000;
|
|
6
7
|
const DEFAULT_HOST = "127.0.0.1";
|
|
@@ -59,18 +60,20 @@ export function chooseTransport(argv, env) {
|
|
|
59
60
|
"인증 없이 열려면 --no-auth를 명시하세요 — 계좌 조회 도구가 인터넷에 그대로 노출되므로 " +
|
|
60
61
|
"신뢰할 수 있는 네트워크/모의투자(VIRTUAL) 환경에서만 권장합니다.");
|
|
61
62
|
}
|
|
62
|
-
|
|
63
|
+
const publicUrl = env.MCP_PUBLIC_URL?.trim() || undefined;
|
|
64
|
+
return { mode: "http", options: { port, host, authToken, allowNoAuth, publicUrl } };
|
|
63
65
|
}
|
|
64
|
-
/**
|
|
65
|
-
export function
|
|
66
|
+
/** Extracts the bearer credential from an Authorization header, if any. */
|
|
67
|
+
export function bearerToken(authorizationHeader) {
|
|
66
68
|
if (!authorizationHeader)
|
|
67
|
-
return
|
|
69
|
+
return undefined;
|
|
68
70
|
const match = /^Bearer\s+(.+)$/i.exec(authorizationHeader.trim());
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
|
|
73
|
-
|
|
71
|
+
return match?.[1];
|
|
72
|
+
}
|
|
73
|
+
/** Timing-safe static bearer-token check. */
|
|
74
|
+
export function isAuthorized(authorizationHeader, token) {
|
|
75
|
+
const presented = bearerToken(authorizationHeader);
|
|
76
|
+
return presented !== undefined && timingSafeStringEqual(presented, token);
|
|
74
77
|
}
|
|
75
78
|
function deny(res, status, message) {
|
|
76
79
|
res.writeHead(status, { "Content-Type": "application/json" }).end(JSON.stringify({
|
|
@@ -87,27 +90,47 @@ function deny(res, status, message) {
|
|
|
87
90
|
* lives at module level and is shared across requests.
|
|
88
91
|
*/
|
|
89
92
|
export function createHttpServer(options) {
|
|
93
|
+
// OAuth rides on the same consent secret as the static bearer: no token → no
|
|
94
|
+
// OAuth endpoints (that is the explicit --no-auth everything-open mode).
|
|
95
|
+
const oauth = options.authToken
|
|
96
|
+
? new OAuthProvider({
|
|
97
|
+
consentToken: options.authToken,
|
|
98
|
+
statePath: options.oauthStatePath ?? path.join(process.cwd(), ".oauth-state.json"),
|
|
99
|
+
})
|
|
100
|
+
: null;
|
|
90
101
|
return http.createServer((req, res) => {
|
|
91
|
-
void handleRequest(req, res, options).catch((error) => {
|
|
102
|
+
void handleRequest(req, res, options, oauth).catch((error) => {
|
|
92
103
|
console.error("HTTP request handling failed:", error);
|
|
93
104
|
if (!res.headersSent)
|
|
94
105
|
deny(res, 500, "internal server error");
|
|
95
106
|
});
|
|
96
107
|
});
|
|
97
108
|
}
|
|
98
|
-
async function handleRequest(req, res, options) {
|
|
109
|
+
async function handleRequest(req, res, options, oauth) {
|
|
99
110
|
const url = new URL(req.url ?? "/", `http://${req.headers.host ?? "localhost"}`);
|
|
100
111
|
if (url.pathname === HEALTH_PATH) {
|
|
101
112
|
res.writeHead(200, { "Content-Type": "text/plain" }).end("ok");
|
|
102
113
|
return;
|
|
103
114
|
}
|
|
115
|
+
if (oauth && (await handleOAuthRequest(req, res, oauth, options.publicUrl))) {
|
|
116
|
+
return;
|
|
117
|
+
}
|
|
104
118
|
if (url.pathname !== MCP_PATH) {
|
|
105
119
|
deny(res, 404, `not found — MCP endpoint is ${MCP_PATH}`);
|
|
106
120
|
return;
|
|
107
121
|
}
|
|
108
|
-
if (options.authToken
|
|
109
|
-
|
|
110
|
-
|
|
122
|
+
if (options.authToken) {
|
|
123
|
+
const presented = bearerToken(req.headers.authorization);
|
|
124
|
+
const ok = presented !== undefined &&
|
|
125
|
+
(timingSafeStringEqual(presented, options.authToken) ||
|
|
126
|
+
(oauth?.validateAccessToken(presented) ?? false));
|
|
127
|
+
if (!ok) {
|
|
128
|
+
// RFC 9728: point 401s at the protected-resource metadata so MCP
|
|
129
|
+
// clients (claude.ai connectors) can discover the OAuth flow.
|
|
130
|
+
res.setHeader("WWW-Authenticate", `Bearer realm="${SERVER_NAME}", resource_metadata="${requestBaseUrl(req, options.publicUrl)}/.well-known/oauth-protected-resource"`);
|
|
131
|
+
deny(res, 401, "unauthorized — OAuth 승인 또는 Authorization: Bearer <MCP_AUTH_TOKEN> 헤더가 필요합니다");
|
|
132
|
+
return;
|
|
133
|
+
}
|
|
111
134
|
}
|
|
112
135
|
const server = createServer();
|
|
113
136
|
const transport = new StreamableHTTPServerTransport({ sessionIdGenerator: undefined });
|
package/dist/oauth.js
ADDED
|
@@ -0,0 +1,427 @@
|
|
|
1
|
+
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";
|
|
2
|
+
import { existsSync, readFileSync, writeFileSync } from "node:fs";
|
|
3
|
+
/**
|
|
4
|
+
* Minimal built-in OAuth 2.0 authorization server for the HTTP transport,
|
|
5
|
+
* implementing what the MCP authorization spec expects from a remote server
|
|
6
|
+
* (claude.ai custom connectors drive this flow):
|
|
7
|
+
*
|
|
8
|
+
* 401 + WWW-Authenticate → RFC 9728 protected-resource metadata
|
|
9
|
+
* → RFC 8414 authorization-server metadata → RFC 7591 dynamic client
|
|
10
|
+
* registration → authorization-code + PKCE(S256) → opaque bearer tokens.
|
|
11
|
+
*
|
|
12
|
+
* Consent model: this server fronts ONE owner's brokerage account, so the
|
|
13
|
+
* /authorize page asks for the pre-shared MCP_AUTH_TOKEN as an access
|
|
14
|
+
* password instead of a user login. One secret serves both auth paths
|
|
15
|
+
* (static bearer for header-capable clients, OAuth consent for claude.ai).
|
|
16
|
+
*/
|
|
17
|
+
const CODE_TTL_MS = 5 * 60 * 1000;
|
|
18
|
+
const ACCESS_TOKEN_TTL_MS = 60 * 60 * 1000;
|
|
19
|
+
/** Consent brute-force guard: max failures per window, shared across IPs. */
|
|
20
|
+
const MAX_CONSENT_FAILURES = 10;
|
|
21
|
+
const CONSENT_FAILURE_WINDOW_MS = 10 * 60 * 1000;
|
|
22
|
+
const MAX_BODY_BYTES = 64 * 1024;
|
|
23
|
+
const token = (bytes = 32) => randomBytes(bytes).toString("hex");
|
|
24
|
+
const sha256base64url = (value) => createHash("sha256").update(value).digest("base64url");
|
|
25
|
+
/** Timing-safe string comparison (hash first so lengths never short-circuit). */
|
|
26
|
+
export function timingSafeStringEqual(a, b) {
|
|
27
|
+
return timingSafeEqual(createHash("sha256").update(a).digest(), createHash("sha256").update(b).digest());
|
|
28
|
+
}
|
|
29
|
+
/** PKCE S256: does sha256(verifier) match the stored challenge? */
|
|
30
|
+
export function verifyPkce(codeVerifier, codeChallenge) {
|
|
31
|
+
return timingSafeStringEqual(sha256base64url(codeVerifier), codeChallenge);
|
|
32
|
+
}
|
|
33
|
+
const escapeHtml = (s) => s
|
|
34
|
+
.replaceAll("&", "&")
|
|
35
|
+
.replaceAll("<", "<")
|
|
36
|
+
.replaceAll(">", ">")
|
|
37
|
+
.replaceAll('"', """)
|
|
38
|
+
.replaceAll("'", "'");
|
|
39
|
+
/** https-only redirect URIs, except loopback for local development. */
|
|
40
|
+
export function isAllowedRedirectUri(uri) {
|
|
41
|
+
let url;
|
|
42
|
+
try {
|
|
43
|
+
url = new URL(uri);
|
|
44
|
+
}
|
|
45
|
+
catch {
|
|
46
|
+
return false;
|
|
47
|
+
}
|
|
48
|
+
if (url.protocol === "https:")
|
|
49
|
+
return true;
|
|
50
|
+
return url.protocol === "http:" && ["localhost", "127.0.0.1", "[::1]"].includes(url.hostname);
|
|
51
|
+
}
|
|
52
|
+
export class OAuthProvider {
|
|
53
|
+
consentToken;
|
|
54
|
+
statePath;
|
|
55
|
+
clients = new Map();
|
|
56
|
+
codes = new Map();
|
|
57
|
+
tokens = new Map(); // keyed by accessToken
|
|
58
|
+
refresh = new Map(); // keyed by refreshToken
|
|
59
|
+
consentFailures = 0;
|
|
60
|
+
consentWindowStart = 0;
|
|
61
|
+
constructor(options) {
|
|
62
|
+
this.consentToken = options.consentToken;
|
|
63
|
+
this.statePath = options.statePath;
|
|
64
|
+
this.load();
|
|
65
|
+
}
|
|
66
|
+
load() {
|
|
67
|
+
if (!this.statePath || !existsSync(this.statePath))
|
|
68
|
+
return;
|
|
69
|
+
try {
|
|
70
|
+
const state = JSON.parse(readFileSync(this.statePath, "utf8"));
|
|
71
|
+
for (const c of state.clients ?? [])
|
|
72
|
+
this.clients.set(c.clientId, c);
|
|
73
|
+
for (const t of state.tokens ?? []) {
|
|
74
|
+
this.tokens.set(t.accessToken, t);
|
|
75
|
+
this.refresh.set(t.refreshToken, t);
|
|
76
|
+
}
|
|
77
|
+
}
|
|
78
|
+
catch (error) {
|
|
79
|
+
// A corrupt state file only means connectors must re-authorize.
|
|
80
|
+
console.error("OAuth state file unreadable — starting empty:", error);
|
|
81
|
+
}
|
|
82
|
+
}
|
|
83
|
+
save() {
|
|
84
|
+
if (!this.statePath)
|
|
85
|
+
return;
|
|
86
|
+
const state = {
|
|
87
|
+
clients: [...this.clients.values()],
|
|
88
|
+
tokens: [...this.refresh.values()],
|
|
89
|
+
};
|
|
90
|
+
try {
|
|
91
|
+
writeFileSync(this.statePath, JSON.stringify(state, null, 2), { mode: 0o600 });
|
|
92
|
+
}
|
|
93
|
+
catch (error) {
|
|
94
|
+
console.error("Failed to persist OAuth state:", error);
|
|
95
|
+
}
|
|
96
|
+
}
|
|
97
|
+
registerClient(meta) {
|
|
98
|
+
const uris = Array.isArray(meta.redirect_uris)
|
|
99
|
+
? meta.redirect_uris.filter((u) => typeof u === "string")
|
|
100
|
+
: [];
|
|
101
|
+
if (uris.length === 0 || !uris.every(isAllowedRedirectUri)) {
|
|
102
|
+
return { error: "redirect_uris must be https URLs (or http loopback)" };
|
|
103
|
+
}
|
|
104
|
+
const client = {
|
|
105
|
+
clientId: token(16),
|
|
106
|
+
redirectUris: uris,
|
|
107
|
+
clientName: typeof meta.client_name === "string" ? meta.client_name.slice(0, 200) : "",
|
|
108
|
+
createdAt: Date.now(),
|
|
109
|
+
};
|
|
110
|
+
this.clients.set(client.clientId, client);
|
|
111
|
+
this.save();
|
|
112
|
+
return client;
|
|
113
|
+
}
|
|
114
|
+
getClient(clientId) {
|
|
115
|
+
return this.clients.get(clientId);
|
|
116
|
+
}
|
|
117
|
+
consentRateLimited() {
|
|
118
|
+
if (Date.now() - this.consentWindowStart > CONSENT_FAILURE_WINDOW_MS)
|
|
119
|
+
return false;
|
|
120
|
+
return this.consentFailures >= MAX_CONSENT_FAILURES;
|
|
121
|
+
}
|
|
122
|
+
/** Validates the consent password; counts failures for the rate limit. */
|
|
123
|
+
checkConsent(password) {
|
|
124
|
+
if (timingSafeStringEqual(password, this.consentToken))
|
|
125
|
+
return true;
|
|
126
|
+
if (Date.now() - this.consentWindowStart > CONSENT_FAILURE_WINDOW_MS) {
|
|
127
|
+
this.consentWindowStart = Date.now();
|
|
128
|
+
this.consentFailures = 0;
|
|
129
|
+
}
|
|
130
|
+
this.consentFailures += 1;
|
|
131
|
+
return false;
|
|
132
|
+
}
|
|
133
|
+
createCode(clientId, redirectUri, codeChallenge) {
|
|
134
|
+
const code = {
|
|
135
|
+
code: token(24),
|
|
136
|
+
clientId,
|
|
137
|
+
redirectUri,
|
|
138
|
+
codeChallenge,
|
|
139
|
+
expiresAt: Date.now() + CODE_TTL_MS,
|
|
140
|
+
};
|
|
141
|
+
this.codes.set(code.code, code);
|
|
142
|
+
return code.code;
|
|
143
|
+
}
|
|
144
|
+
exchangeCode(params) {
|
|
145
|
+
const record = this.codes.get(params.code);
|
|
146
|
+
this.codes.delete(params.code); // single-use, even on failure
|
|
147
|
+
if (!record || record.expiresAt < Date.now())
|
|
148
|
+
return { error: "invalid_grant" };
|
|
149
|
+
if (record.clientId !== params.clientId || record.redirectUri !== params.redirectUri) {
|
|
150
|
+
return { error: "invalid_grant" };
|
|
151
|
+
}
|
|
152
|
+
if (!verifyPkce(params.codeVerifier, record.codeChallenge))
|
|
153
|
+
return { error: "invalid_grant" };
|
|
154
|
+
return this.issueTokens(record.clientId);
|
|
155
|
+
}
|
|
156
|
+
refreshTokens(refreshToken, clientId) {
|
|
157
|
+
const record = this.refresh.get(refreshToken);
|
|
158
|
+
if (!record || record.clientId !== clientId)
|
|
159
|
+
return { error: "invalid_grant" };
|
|
160
|
+
// Rotate: the presented refresh token is spent either way.
|
|
161
|
+
this.refresh.delete(refreshToken);
|
|
162
|
+
this.tokens.delete(record.accessToken);
|
|
163
|
+
return this.issueTokens(clientId);
|
|
164
|
+
}
|
|
165
|
+
issueTokens(clientId) {
|
|
166
|
+
const record = {
|
|
167
|
+
accessToken: token(32),
|
|
168
|
+
refreshToken: token(32),
|
|
169
|
+
clientId,
|
|
170
|
+
accessExpiresAt: Date.now() + ACCESS_TOKEN_TTL_MS,
|
|
171
|
+
createdAt: Date.now(),
|
|
172
|
+
};
|
|
173
|
+
this.tokens.set(record.accessToken, record);
|
|
174
|
+
this.refresh.set(record.refreshToken, record);
|
|
175
|
+
this.save();
|
|
176
|
+
return record;
|
|
177
|
+
}
|
|
178
|
+
validateAccessToken(accessToken) {
|
|
179
|
+
const record = this.tokens.get(accessToken);
|
|
180
|
+
return record !== undefined && record.accessExpiresAt > Date.now();
|
|
181
|
+
}
|
|
182
|
+
}
|
|
183
|
+
/** Base URL for metadata/issuer: explicit override, else the request's own host. */
|
|
184
|
+
export function requestBaseUrl(req, publicUrl) {
|
|
185
|
+
if (publicUrl)
|
|
186
|
+
return publicUrl.replace(/\/+$/, "");
|
|
187
|
+
const forwardedProto = req.headers["x-forwarded-proto"];
|
|
188
|
+
const proto = (Array.isArray(forwardedProto) ? forwardedProto[0] : forwardedProto)?.split(",")[0]?.trim() ||
|
|
189
|
+
"http";
|
|
190
|
+
return `${proto}://${req.headers.host ?? "localhost"}`;
|
|
191
|
+
}
|
|
192
|
+
export function buildProtectedResourceMetadata(base) {
|
|
193
|
+
return {
|
|
194
|
+
resource: `${base}/mcp`,
|
|
195
|
+
authorization_servers: [base],
|
|
196
|
+
bearer_methods_supported: ["header"],
|
|
197
|
+
};
|
|
198
|
+
}
|
|
199
|
+
export function buildAuthServerMetadata(base) {
|
|
200
|
+
return {
|
|
201
|
+
issuer: base,
|
|
202
|
+
authorization_endpoint: `${base}/authorize`,
|
|
203
|
+
token_endpoint: `${base}/token`,
|
|
204
|
+
registration_endpoint: `${base}/register`,
|
|
205
|
+
response_types_supported: ["code"],
|
|
206
|
+
grant_types_supported: ["authorization_code", "refresh_token"],
|
|
207
|
+
code_challenge_methods_supported: ["S256"],
|
|
208
|
+
token_endpoint_auth_methods_supported: ["none"],
|
|
209
|
+
scopes_supported: [],
|
|
210
|
+
};
|
|
211
|
+
}
|
|
212
|
+
async function readBody(req) {
|
|
213
|
+
const chunks = [];
|
|
214
|
+
let size = 0;
|
|
215
|
+
for await (const chunk of req) {
|
|
216
|
+
size += chunk.length;
|
|
217
|
+
if (size > MAX_BODY_BYTES)
|
|
218
|
+
throw new Error("body too large");
|
|
219
|
+
chunks.push(chunk);
|
|
220
|
+
}
|
|
221
|
+
return Buffer.concat(chunks).toString("utf8");
|
|
222
|
+
}
|
|
223
|
+
function parseBodyParams(raw, contentType) {
|
|
224
|
+
if (contentType?.includes("application/json")) {
|
|
225
|
+
const parsed = JSON.parse(raw);
|
|
226
|
+
const out = {};
|
|
227
|
+
if (parsed && typeof parsed === "object") {
|
|
228
|
+
for (const [k, v] of Object.entries(parsed))
|
|
229
|
+
if (typeof v === "string")
|
|
230
|
+
out[k] = v;
|
|
231
|
+
}
|
|
232
|
+
return out;
|
|
233
|
+
}
|
|
234
|
+
return Object.fromEntries(new URLSearchParams(raw));
|
|
235
|
+
}
|
|
236
|
+
function sendJson(res, status, body) {
|
|
237
|
+
res
|
|
238
|
+
.writeHead(status, { "Content-Type": "application/json", "Cache-Control": "no-store" })
|
|
239
|
+
.end(JSON.stringify(body));
|
|
240
|
+
}
|
|
241
|
+
function sendHtml(res, status, body) {
|
|
242
|
+
res
|
|
243
|
+
.writeHead(status, {
|
|
244
|
+
"Content-Type": "text/html; charset=utf-8",
|
|
245
|
+
"Cache-Control": "no-store",
|
|
246
|
+
"Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'",
|
|
247
|
+
})
|
|
248
|
+
.end(body);
|
|
249
|
+
}
|
|
250
|
+
function consentPage(fields, clientName, error) {
|
|
251
|
+
const hidden = Object.entries(fields)
|
|
252
|
+
.map(([k, v]) => `<input type="hidden" name="${escapeHtml(k)}" value="${escapeHtml(v)}">`)
|
|
253
|
+
.join("\n ");
|
|
254
|
+
return `<!doctype html>
|
|
255
|
+
<html lang="ko"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1">
|
|
256
|
+
<title>kiwoom-mcp-server 연결 승인</title>
|
|
257
|
+
<style>
|
|
258
|
+
body { font-family: -apple-system, sans-serif; max-width: 26rem; margin: 4rem auto; padding: 0 1rem; }
|
|
259
|
+
input[type=password] { width: 100%; padding: .6rem; font-size: 1rem; margin: .8rem 0; box-sizing: border-box; }
|
|
260
|
+
button { padding: .6rem 1.4rem; font-size: 1rem; }
|
|
261
|
+
.err { color: #c0392b; }
|
|
262
|
+
.meta { color: #666; font-size: .85rem; }
|
|
263
|
+
</style></head>
|
|
264
|
+
<body>
|
|
265
|
+
<h2>kiwoom-mcp-server 연결 승인</h2>
|
|
266
|
+
<p>클라이언트${clientName ? ` <strong>${escapeHtml(clientName)}</strong>` : ""}가 이 서버의
|
|
267
|
+
주식 조회 도구(읽기 전용)에 접근하려고 합니다.</p>
|
|
268
|
+
<p class="meta">승인하려면 서버의 <code>MCP_AUTH_TOKEN</code> 값을 입력하세요.</p>
|
|
269
|
+
${error ? `<p class="err">${escapeHtml(error)}</p>` : ""}
|
|
270
|
+
<form method="post" action="/authorize">
|
|
271
|
+
${hidden}
|
|
272
|
+
<input type="password" name="password" placeholder="접속 암호 (MCP_AUTH_TOKEN)" autofocus required>
|
|
273
|
+
<button type="submit">승인</button>
|
|
274
|
+
</form>
|
|
275
|
+
</body></html>`;
|
|
276
|
+
}
|
|
277
|
+
/** Shared /authorize validation for GET (render) and POST (approve). */
|
|
278
|
+
function validateAuthorizeParams(provider, q, res) {
|
|
279
|
+
const client = q.client_id ? provider.getClient(q.client_id) : undefined;
|
|
280
|
+
if (!client) {
|
|
281
|
+
sendHtml(res, 400, consentPage({}, "", "알 수 없는 client_id입니다. 커넥터를 다시 등록해 주세요."));
|
|
282
|
+
return null;
|
|
283
|
+
}
|
|
284
|
+
const redirectUri = q.redirect_uri ?? "";
|
|
285
|
+
if (!client.redirectUris.includes(redirectUri)) {
|
|
286
|
+
sendHtml(res, 400, consentPage({}, client.clientName, "redirect_uri가 등록된 값과 다릅니다."));
|
|
287
|
+
return null;
|
|
288
|
+
}
|
|
289
|
+
// From here on the redirect target is trusted — protocol errors go back via redirect.
|
|
290
|
+
const redirectError = (error) => {
|
|
291
|
+
const url = new URL(redirectUri);
|
|
292
|
+
url.searchParams.set("error", error);
|
|
293
|
+
if (q.state)
|
|
294
|
+
url.searchParams.set("state", q.state);
|
|
295
|
+
res.writeHead(302, { Location: url.toString() }).end();
|
|
296
|
+
return null;
|
|
297
|
+
};
|
|
298
|
+
if (q.response_type !== "code")
|
|
299
|
+
return redirectError("unsupported_response_type");
|
|
300
|
+
if (!q.code_challenge || (q.code_challenge_method ?? "S256") !== "S256") {
|
|
301
|
+
return redirectError("invalid_request");
|
|
302
|
+
}
|
|
303
|
+
return { client, redirectUri, codeChallenge: q.code_challenge, state: q.state ?? "" };
|
|
304
|
+
}
|
|
305
|
+
/**
|
|
306
|
+
* Handles OAuth endpoints. Returns true when the request was consumed.
|
|
307
|
+
* Wire this BEFORE the /mcp route; call only when auth is enabled.
|
|
308
|
+
*/
|
|
309
|
+
export async function handleOAuthRequest(req, res, provider, publicUrl) {
|
|
310
|
+
const base = requestBaseUrl(req, publicUrl);
|
|
311
|
+
const url = new URL(req.url ?? "/", base);
|
|
312
|
+
if (url.pathname === "/.well-known/oauth-protected-resource") {
|
|
313
|
+
sendJson(res, 200, buildProtectedResourceMetadata(base));
|
|
314
|
+
return true;
|
|
315
|
+
}
|
|
316
|
+
if (url.pathname === "/.well-known/oauth-authorization-server") {
|
|
317
|
+
sendJson(res, 200, buildAuthServerMetadata(base));
|
|
318
|
+
return true;
|
|
319
|
+
}
|
|
320
|
+
if (url.pathname === "/register" && req.method === "POST") {
|
|
321
|
+
let meta;
|
|
322
|
+
try {
|
|
323
|
+
meta = JSON.parse(await readBody(req));
|
|
324
|
+
}
|
|
325
|
+
catch {
|
|
326
|
+
sendJson(res, 400, { error: "invalid_client_metadata" });
|
|
327
|
+
return true;
|
|
328
|
+
}
|
|
329
|
+
const client = provider.registerClient(meta);
|
|
330
|
+
if ("error" in client) {
|
|
331
|
+
sendJson(res, 400, { error: "invalid_redirect_uri", error_description: client.error });
|
|
332
|
+
return true;
|
|
333
|
+
}
|
|
334
|
+
sendJson(res, 201, {
|
|
335
|
+
client_id: client.clientId,
|
|
336
|
+
client_id_issued_at: Math.floor(client.createdAt / 1000),
|
|
337
|
+
redirect_uris: client.redirectUris,
|
|
338
|
+
client_name: client.clientName || undefined,
|
|
339
|
+
token_endpoint_auth_method: "none",
|
|
340
|
+
grant_types: ["authorization_code", "refresh_token"],
|
|
341
|
+
response_types: ["code"],
|
|
342
|
+
});
|
|
343
|
+
return true;
|
|
344
|
+
}
|
|
345
|
+
if (url.pathname === "/authorize" && req.method === "GET") {
|
|
346
|
+
const q = Object.fromEntries(url.searchParams);
|
|
347
|
+
const params = validateAuthorizeParams(provider, q, res);
|
|
348
|
+
if (!params)
|
|
349
|
+
return true;
|
|
350
|
+
sendHtml(res, 200, consentPage({
|
|
351
|
+
client_id: params.client.clientId,
|
|
352
|
+
redirect_uri: params.redirectUri,
|
|
353
|
+
state: params.state,
|
|
354
|
+
code_challenge: params.codeChallenge,
|
|
355
|
+
code_challenge_method: "S256",
|
|
356
|
+
response_type: "code",
|
|
357
|
+
}, params.client.clientName));
|
|
358
|
+
return true;
|
|
359
|
+
}
|
|
360
|
+
if (url.pathname === "/authorize" && req.method === "POST") {
|
|
361
|
+
let form;
|
|
362
|
+
try {
|
|
363
|
+
form = parseBodyParams(await readBody(req), req.headers["content-type"]);
|
|
364
|
+
}
|
|
365
|
+
catch {
|
|
366
|
+
sendHtml(res, 400, consentPage({}, "", "요청을 읽지 못했습니다. 다시 시도해 주세요."));
|
|
367
|
+
return true;
|
|
368
|
+
}
|
|
369
|
+
const params = validateAuthorizeParams(provider, form, res);
|
|
370
|
+
if (!params)
|
|
371
|
+
return true;
|
|
372
|
+
if (provider.consentRateLimited()) {
|
|
373
|
+
sendHtml(res, 429, consentPage({}, params.client.clientName, "시도 횟수를 초과했습니다. 10분 후 다시 시도해 주세요."));
|
|
374
|
+
return true;
|
|
375
|
+
}
|
|
376
|
+
if (!provider.checkConsent(form.password ?? "")) {
|
|
377
|
+
const { password: _password, ...fields } = form;
|
|
378
|
+
sendHtml(res, 401, consentPage(fields, params.client.clientName, "접속 암호가 일치하지 않습니다."));
|
|
379
|
+
return true;
|
|
380
|
+
}
|
|
381
|
+
const code = provider.createCode(params.client.clientId, params.redirectUri, params.codeChallenge);
|
|
382
|
+
const target = new URL(params.redirectUri);
|
|
383
|
+
target.searchParams.set("code", code);
|
|
384
|
+
if (params.state)
|
|
385
|
+
target.searchParams.set("state", params.state);
|
|
386
|
+
res.writeHead(302, { Location: target.toString() }).end();
|
|
387
|
+
return true;
|
|
388
|
+
}
|
|
389
|
+
if (url.pathname === "/token" && req.method === "POST") {
|
|
390
|
+
let form;
|
|
391
|
+
try {
|
|
392
|
+
form = parseBodyParams(await readBody(req), req.headers["content-type"]);
|
|
393
|
+
}
|
|
394
|
+
catch {
|
|
395
|
+
sendJson(res, 400, { error: "invalid_request" });
|
|
396
|
+
return true;
|
|
397
|
+
}
|
|
398
|
+
let result;
|
|
399
|
+
if (form.grant_type === "authorization_code") {
|
|
400
|
+
result = provider.exchangeCode({
|
|
401
|
+
code: form.code ?? "",
|
|
402
|
+
codeVerifier: form.code_verifier ?? "",
|
|
403
|
+
clientId: form.client_id ?? "",
|
|
404
|
+
redirectUri: form.redirect_uri ?? "",
|
|
405
|
+
});
|
|
406
|
+
}
|
|
407
|
+
else if (form.grant_type === "refresh_token") {
|
|
408
|
+
result = provider.refreshTokens(form.refresh_token ?? "", form.client_id ?? "");
|
|
409
|
+
}
|
|
410
|
+
else {
|
|
411
|
+
sendJson(res, 400, { error: "unsupported_grant_type" });
|
|
412
|
+
return true;
|
|
413
|
+
}
|
|
414
|
+
if ("error" in result) {
|
|
415
|
+
sendJson(res, 400, { error: result.error });
|
|
416
|
+
return true;
|
|
417
|
+
}
|
|
418
|
+
sendJson(res, 200, {
|
|
419
|
+
access_token: result.accessToken,
|
|
420
|
+
token_type: "Bearer",
|
|
421
|
+
expires_in: Math.floor(ACCESS_TOKEN_TTL_MS / 1000),
|
|
422
|
+
refresh_token: result.refreshToken,
|
|
423
|
+
});
|
|
424
|
+
return true;
|
|
425
|
+
}
|
|
426
|
+
return false;
|
|
427
|
+
}
|
package/dist/server.js
CHANGED
|
@@ -27,7 +27,7 @@ import { registerTransactionsTool } from "./tools/transactions.js";
|
|
|
27
27
|
import { registerViStocksTool } from "./tools/vi-stocks.js";
|
|
28
28
|
import { registerWatchlistGroupsTool, registerWatchlistTool } from "./tools/watchlist.js";
|
|
29
29
|
export const SERVER_NAME = "kiwoom-mcp-server";
|
|
30
|
-
export const SERVER_VERSION = "0.
|
|
30
|
+
export const SERVER_VERSION = "0.18.0";
|
|
31
31
|
export function createServer() {
|
|
32
32
|
const server = new McpServer({
|
|
33
33
|
name: SERVER_NAME,
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "kiwoom-mcp-server",
|
|
3
|
-
"version": "0.
|
|
3
|
+
"version": "0.18.0",
|
|
4
4
|
"description": "Read-only MCP server exposing the Kiwoom Securities REST API (market data, account inquiry, ISA tax-allowance calculator) to Claude Desktop / Claude Code.",
|
|
5
5
|
"private": false,
|
|
6
6
|
"type": "module",
|