mcp-wordpress 2.4.2 → 2.5.0

package/src/client/MockWordPressClient.ts

@@ -1,5 +1,6 @@
 import { WordPressClient } from "./api.js";
 import { WordPressClientConfig } from "../types/client.js";
+import { LoggerFactory } from "../utils/logger.js";
 import type {
   WordPressPost,
   WordPressUser,
@@ -15,6 +16,7 @@ import type {
  */
 export class MockWordPressClient extends WordPressClient {
   private isMockMode = true;
+  private logger = LoggerFactory.api("mock");
 
   constructor(config: WordPressClientConfig) {
     super(config);
@@ -24,7 +26,7 @@ export class MockWordPressClient extends WordPressClient {
    * Override authenticate to not make actual requests
    */
   async authenticate(): Promise<boolean> {
-    console.log("INFO: Mock authentication - skipping actual connection");
+    this.logger.info("Mock authentication - skipping actual connection");
     return true;
   }
 
@@ -332,7 +334,7 @@ export class MockWordPressClient extends WordPressClient {
   /**
    * Mock search
    */
-  async search(query: string, types?: string[], subtype?: string): Promise<any[]> {
+  async search(query: string, types?: string[], subtype?: string): Promise<import("../types/wordpress.js").WordPressSearchResult[]> {
     if (!query) {
       return [];
     }

package/src/client/api.ts

@@ -17,6 +17,7 @@ import type {
   ClientStats,
 } from "../types/client.js";
 import { WordPressAPIError, AuthenticationError, RateLimitError } from "../types/client.js";
+import { config } from "../config/Config.js";
 import type {
   WordPressPost,
   WordPressPage,
@@ -45,16 +46,19 @@ import type {
   UpdateTagRequest,
   UploadMediaRequest,
   UpdateMediaRequest,
+  WordPressSiteInfo,
+  WordPressSearchResult,
 } from "../types/wordpress.js";
 import { debug, logError, startTimer } from "../utils/debug.js";
+import type { QueuedRequest } from "../types/requests.js";
 
 /**
  * WordPress REST API Client
- * 
+ *
  * A comprehensive client for interacting with the WordPress REST API v2.
  * Provides full CRUD operations for posts, pages, media, users, comments,
  * categories, tags, and site settings with robust error handling and performance optimization.
- * 
+ *
  * Features:
  * - Multiple authentication methods (App Passwords, JWT, Basic Auth, API Key)
  * - Automatic retry logic with exponential backoff
@@ -63,7 +67,7 @@ import { debug, logError, startTimer } from "../utils/debug.js";
  * - Performance monitoring and request statistics
  * - Caching support for improved performance
  * - Multi-site configuration support
- * 
+ *
  * @example
  * ```typescript
  * // Initialize with app password authentication
@@ -75,14 +79,14 @@ import { debug, logError, startTimer } from "../utils/debug.js";
  *     password: 'xxxx xxxx xxxx xxxx xxxx xxxx'
  *   }
  * });
- * 
+ *
  * // Create a new post
  * const post = await client.createPost({
  *   title: 'My New Post',
  *   content: '<p>This is the content</p>',
  *   status: 'publish'
  * });
- * 
+ *
  * // List posts with filtering
  * const posts = await client.getPosts({
  *   search: 'WordPress',
@@ -90,7 +94,7 @@ import { debug, logError, startTimer } from "../utils/debug.js";
  *   per_page: 10
  * });
  * ```
- * 
+ *
  * @since 1.0.0
  * @author MCP WordPress Team
  * @implements {IWordPressClient}
@@ -101,7 +105,7 @@ export class WordPressClient implements IWordPressClient {
   private timeout: number;
   private maxRetries: number;
   private auth: AuthConfig;
-  private requestQueue: any[] = [];
+  private requestQueue: QueuedRequest[] = [];
   private lastRequestTime: number = 0;
   private requestInterval: number;
   private authenticated: boolean = false;
@@ -110,10 +114,10 @@ export class WordPressClient implements IWordPressClient {
 
   /**
    * Creates a new WordPress API client instance.
-   * 
+   *
    * Initializes the client with configuration options for connecting to a WordPress site.
    * Supports multiple authentication methods and automatic environment variable detection.
-   * 
+   *
    * @param {Partial<WordPressClientConfig>} [options={}] - Configuration options for the client
    * @param {string} [options.baseUrl] - WordPress site URL (falls back to WORDPRESS_SITE_URL env var)
    * @param {number} [options.timeout=30000] - Request timeout in milliseconds
@@ -121,7 +125,7 @@ export class WordPressClient implements IWordPressClient {
    * @param {AuthConfig} [options.auth] - Authentication configuration (auto-detected from env if not provided)
    * @param {boolean} [options.enableCache=true] - Whether to enable response caching
    * @param {number} [options.cacheMaxAge=300000] - Cache max age in milliseconds (5 minutes default)
-   * 
+   *
    * @example
    * ```typescript
    * // Basic configuration with app password
@@ -133,11 +137,11 @@ export class WordPressClient implements IWordPressClient {
    *     password: 'xxxx xxxx xxxx xxxx xxxx xxxx'
    *   }
    * });
-   * 
+   *
    * // Configuration with environment variables
    * // Set WORDPRESS_SITE_URL, WORDPRESS_USERNAME, WORDPRESS_APP_PASSWORD
    * const client = new WordPressClient(); // Auto-detects from env
-   * 
+   *
    * // Custom timeout and retry settings
    * const client = new WordPressClient({
    *   baseUrl: 'https://mysite.com',
@@ -146,22 +150,26 @@ export class WordPressClient implements IWordPressClient {
    *   auth: { method: 'app-password', username: 'user', password: 'pass' }
    * });
    * ```
-   * 
+   *
    * @throws {Error} When required configuration is missing or invalid
-   * 
+   *
    * @since 1.0.0
    */
   constructor(options: Partial<WordPressClientConfig> = {}) {
-    this.baseUrl = options.baseUrl || process.env.WORDPRESS_SITE_URL || "";
+    const cfg = config();
+    const baseUrl = options.baseUrl || cfg.wordpress.siteUrl || "";
+
+    // Validate and sanitize base URL
+    this.baseUrl = this.validateAndSanitizeUrl(baseUrl);
     this.apiUrl = "";
-    this.timeout = options.timeout || parseInt(process.env.WORDPRESS_TIMEOUT || "30000");
-    this.maxRetries = options.maxRetries || parseInt(process.env.WORDPRESS_MAX_RETRIES || "3");
+    this.timeout = options.timeout || cfg.wordpress.timeout;
+    this.maxRetries = options.maxRetries || cfg.wordpress.maxRetries;
 
     // Authentication configuration
     this.auth = options.auth || this.getAuthFromEnv();
 
     // Rate limiting
-    this.requestInterval = 60000 / parseInt(process.env.RATE_LIMIT || "60");
+    this.requestInterval = 60000 / cfg.security.rateLimit;
 
     // Initialize stats
     this._stats = {
@@ -198,58 +206,101 @@ export class WordPressClient implements IWordPressClient {
     return this.baseUrl;
   }
 
+  /**
+   * Validate and sanitize URL for security
+   */
+  private validateAndSanitizeUrl(url: string): string {
+    if (!url) {
+      throw new Error("WordPress site URL is required");
+    }
+
+    try {
+      const parsed = new URL(url);
+
+      // Only allow HTTP/HTTPS protocols
+      if (!["http:", "https:"].includes(parsed.protocol)) {
+        throw new Error("Only HTTP and HTTPS protocols are allowed");
+      }
+
+      // Prevent localhost/private IP access in production
+      if (config().app.isProduction) {
+        const hostname = parsed.hostname.toLowerCase();
+        if (
+          hostname === "localhost" ||
+          hostname === "127.0.0.1" ||
+          hostname === "::1" ||
+          hostname.match(/^10\./) ||
+          hostname.match(/^172\.(1[6-9]|2[0-9]|3[01])\./) ||
+          hostname.match(/^192\.168\./)
+        ) {
+          throw new Error("Private/localhost URLs not allowed in production");
+        }
+      }
+
+      // Return clean URL without query parameters or fragments
+      return `${parsed.protocol}//${parsed.host}${parsed.pathname}`.replace(/\/$/, "");
+    } catch (error) {
+      if (error instanceof TypeError) {
+        throw new Error("Invalid WordPress site URL format");
+      }
+      throw error;
+    }
+  }
+
   private getAuthFromEnv(): AuthConfig {
-    const authMethod = process.env.WORDPRESS_AUTH_METHOD as AuthMethod;
+    const cfg = config();
+    const wp = cfg.wordpress;
+    const authMethod = wp.authMethod as AuthMethod;
 
     // Use explicit auth method if set
-    if (authMethod === "app-password" && process.env.WORDPRESS_USERNAME && process.env.WORDPRESS_APP_PASSWORD) {
+    if (authMethod === "app-password" && wp.username && wp.appPassword) {
       return {
         method: "app-password",
-        username: process.env.WORDPRESS_USERNAME,
-        appPassword: process.env.WORDPRESS_APP_PASSWORD,
+        username: wp.username,
+        appPassword: wp.appPassword,
       };
     }
 
     // Try Application Password first (fallback)
-    if (process.env.WORDPRESS_USERNAME && process.env.WORDPRESS_APP_PASSWORD) {
+    if (wp.username && wp.appPassword) {
       return {
         method: "app-password",
-        username: process.env.WORDPRESS_USERNAME,
-        appPassword: process.env.WORDPRESS_APP_PASSWORD,
+        username: wp.username,
+        appPassword: wp.appPassword,
       };
     }
 
     // Try JWT
-    if (process.env.WORDPRESS_JWT_SECRET && process.env.WORDPRESS_USERNAME && process.env.WORDPRESS_PASSWORD) {
+    if (wp.jwtSecret && wp.username && wp.password) {
       return {
         method: "jwt",
-        secret: process.env.WORDPRESS_JWT_SECRET,
-        username: process.env.WORDPRESS_USERNAME,
-        password: process.env.WORDPRESS_PASSWORD,
+        secret: wp.jwtSecret,
+        username: wp.username,
+        password: wp.password,
       };
     }
 
     // Try API Key
-    if (process.env.WORDPRESS_API_KEY) {
+    if (wp.apiKey) {
       return {
         method: "api-key",
-        apiKey: process.env.WORDPRESS_API_KEY,
+        apiKey: wp.apiKey,
       };
     }
 
     // Try Cookie
-    if (process.env.WORDPRESS_COOKIE_NONCE) {
+    if (wp.cookieNonce) {
       return {
         method: "cookie",
-        nonce: process.env.WORDPRESS_COOKIE_NONCE,
+        nonce: wp.cookieNonce,
       };
     }
 
     // Default to basic authentication
     return {
       method: "basic",
-      username: process.env.WORDPRESS_USERNAME || "",
-      password: process.env.WORDPRESS_PASSWORD || process.env.WORDPRESS_APP_PASSWORD || "",
+      username: wp.username || "",
+      password: wp.password || wp.appPassword || "",
     };
   }
 
@@ -442,10 +493,10 @@ export class WordPressClient implements IWordPressClient {
   /**
    * Make authenticated request to WordPress REST API
    */
-  async request<T = any>(
+  async request<T = unknown>(
     method: HTTPMethod,
     endpoint: string,
-    data: any = null,
+    data: unknown = null,
     options: RequestOptions = {},
   ): Promise<T> {
     const timer = startTimer();
@@ -469,7 +520,7 @@ export class WordPressClient implements IWordPressClient {
     const requestTimeout = options.timeout || this.timeout;
     const timeoutId = setTimeout(() => controller.abort(), requestTimeout);
 
-    const fetchOptions: any = {
+    const fetchOptions: RequestInit & { headers: Record<string, string> } = {
       ...options, // Spread options first
       method,
       headers, // Headers come after to ensure auth headers aren't overridden
@@ -478,17 +529,21 @@ export class WordPressClient implements IWordPressClient {
 
     // Add body for POST/PUT/PATCH requests
     if (data && ["POST", "PUT", "PATCH"].includes(method)) {
-      if (data instanceof FormData || (data && typeof data.append === "function")) {
+      if (
+        data instanceof FormData ||
+        (typeof data === "object" && data && "append" in data && typeof data.append === "function")
+      ) {
         // For FormData, check if it has getHeaders method (form-data package)
-        if (data && typeof data.getHeaders === "function") {
+        if (typeof (data as { getHeaders?: () => Record<string, string> }).getHeaders === "function") {
           // Use headers from form-data package
-          const formHeaders = data.getHeaders();
+          // eslint-disable-next-line @typescript-eslint/no-explicit-any
+          const formHeaders = (data as any).getHeaders();
           Object.assign(headers, formHeaders);
         } else {
           // For native FormData, don't set Content-Type (let fetch set it with boundary)
           delete headers["Content-Type"];
         }
-        fetchOptions.body = data;
+        fetchOptions.body = data as FormData;
       } else if (Buffer.isBuffer(data)) {
         // For Buffer data (manual multipart), keep Content-Type from headers
         fetchOptions.body = data;
@@ -550,6 +605,54 @@ export class WordPressClient implements IWordPressClient {
             );
           }
 
+          // Fallback for 404 errors - try index.php approach for REST API
+          if (response.status === 404 && attempt === 0 && url.includes("/wp-json/wp/v2")) {
+            debug.log(`404 on pretty permalinks, trying index.php approach`);
+
+            // Parse the URL to handle query parameters correctly
+            const urlObj = new URL(url);
+            const endpoint = urlObj.pathname.replace("/wp-json/wp/v2", "");
+            const queryParams = urlObj.searchParams.toString();
+
+            let fallbackUrl = `${urlObj.origin}/index.php?rest_route=/wp/v2${endpoint}`;
+            if (queryParams) {
+              fallbackUrl += `&${queryParams}`;
+            }
+
+            try {
+              // Create a new timeout for the fallback request
+              const fallbackController = new AbortController();
+              const fallbackTimeoutId = setTimeout(() => {
+                fallbackController.abort();
+              }, requestTimeout);
+
+              const fallbackOptions = { ...fetchOptions, signal: fallbackController.signal };
+              const fallbackResponse = await fetch(fallbackUrl, fallbackOptions);
+              clearTimeout(fallbackTimeoutId);
+
+              if (fallbackResponse.ok) {
+                const responseText = await fallbackResponse.text();
+                if (!responseText) {
+                  this._stats.successfulRequests++;
+                  const duration = timer.end();
+                  this.updateAverageResponseTime(duration);
+                  return null as T;
+                }
+
+                const result = JSON.parse(responseText);
+                this._stats.successfulRequests++;
+                const duration = timer.end();
+                this.updateAverageResponseTime(duration);
+                return result;
+              } else {
+                // If fallback also fails, continue with original error
+                debug.log(`Fallback also failed with status ${fallbackResponse.status}`);
+              }
+            } catch (fallbackError) {
+              debug.log(`Fallback request failed: ${(fallbackError as Error).message}`);
+            }
+          }
+
           throw new WordPressAPIError(errorMessage, response.status);
         }
 
@@ -583,7 +686,7 @@ export class WordPressClient implements IWordPressClient {
         lastError = error as Error;
 
         // Handle timeout errors
-        if ((error as any).name === "AbortError") {
+        if ((error as Error & { name?: string }).name === "AbortError") {
           lastError = new Error(`Request timeout after ${requestTimeout}ms`);
         }
 
@@ -623,23 +726,23 @@ export class WordPressClient implements IWordPressClient {
   }
 
   // HTTP method helpers
-  async get<T = any>(endpoint: string, options?: RequestOptions): Promise<T> {
+  async get<T = unknown>(endpoint: string, options?: RequestOptions): Promise<T> {
     return this.request<T>("GET", endpoint, null, options);
   }
 
-  async post<T = any>(endpoint: string, data?: any, options?: RequestOptions): Promise<T> {
+  async post<T = unknown>(endpoint: string, data?: unknown, options?: RequestOptions): Promise<T> {
     return this.request<T>("POST", endpoint, data, options);
   }
 
-  async put<T = any>(endpoint: string, data?: any, options?: RequestOptions): Promise<T> {
+  async put<T = unknown>(endpoint: string, data?: unknown, options?: RequestOptions): Promise<T> {
     return this.request<T>("PUT", endpoint, data, options);
   }
 
-  async patch<T = any>(endpoint: string, data?: any, options?: RequestOptions): Promise<T> {
+  async patch<T = unknown>(endpoint: string, data?: unknown, options?: RequestOptions): Promise<T> {
     return this.request<T>("PATCH", endpoint, data, options);
   }
 
-  async delete<T = any>(endpoint: string, options?: RequestOptions): Promise<T> {
+  async delete<T = unknown>(endpoint: string, options?: RequestOptions): Promise<T> {
     return this.request<T>("DELETE", endpoint, null, options);
   }
 
@@ -647,7 +750,7 @@ export class WordPressClient implements IWordPressClient {
 
   // Posts
   async getPosts(params?: PostQueryParams): Promise<WordPressPost[]> {
-    const queryString = params ? "?" + new URLSearchParams(params as any).toString() : "";
+    const queryString = params ? "?" + new URLSearchParams(params as Record<string, string>).toString() : "";
     return this.get<WordPressPost[]>(`posts${queryString}`);
   }
 
@@ -674,7 +777,10 @@ export class WordPressClient implements IWordPressClient {
 
   // Pages
   async getPages(params?: PostQueryParams): Promise<WordPressPage[]> {
-    const queryString = params ? "?" + new URLSearchParams(params as any).toString() : "";
+    const normalizedParams = params
+      ? Object.fromEntries(Object.entries(params).map(([k, v]) => [k, String(v)]))
+      : undefined;
+    const queryString = normalizedParams ? "?" + new URLSearchParams(normalizedParams).toString() : "";
     return this.get<WordPressPage[]>(`pages${queryString}`);
   }
 
@@ -701,7 +807,10 @@ export class WordPressClient implements IWordPressClient {
 
   // Media
   async getMedia(params?: MediaQueryParams): Promise<WordPressMedia[]> {
-    const queryString = params ? "?" + new URLSearchParams(params as any).toString() : "";
+    const normalizedParams = params
+      ? Object.fromEntries(Object.entries(params).map(([k, v]) => [k, String(v)]))
+      : undefined;
+    const queryString = normalizedParams ? "?" + new URLSearchParams(normalizedParams).toString() : "";
     return this.get<WordPressMedia[]>(`media${queryString}`);
   }
 
@@ -781,7 +890,10 @@ export class WordPressClient implements IWordPressClient {
 
   // Users
   async getUsers(params?: UserQueryParams): Promise<WordPressUser[]> {
-    const queryString = params ? "?" + new URLSearchParams(params as any).toString() : "";
+    const normalizedParams = params
+      ? Object.fromEntries(Object.entries(params).map(([k, v]) => [k, String(v)]))
+      : undefined;
+    const queryString = normalizedParams ? "?" + new URLSearchParams(normalizedParams).toString() : "";
     return this.get<WordPressUser[]>(`users${queryString}`);
   }
 
@@ -809,7 +921,10 @@ export class WordPressClient implements IWordPressClient {
 
   // Comments
   async getComments(params?: CommentQueryParams): Promise<WordPressComment[]> {
-    const queryString = params ? "?" + new URLSearchParams(params as any).toString() : "";
+    const normalizedParams = params
+      ? Object.fromEntries(Object.entries(params).map(([k, v]) => [k, String(v)]))
+      : undefined;
+    const queryString = normalizedParams ? "?" + new URLSearchParams(normalizedParams).toString() : "";
     return this.get<WordPressComment[]>(`comments${queryString}`);
   }
 
@@ -845,8 +960,11 @@ export class WordPressClient implements IWordPressClient {
   }
 
   // Taxonomies
-  async getCategories(params?: any): Promise<WordPressCategory[]> {
-    const queryString = params ? "?" + new URLSearchParams(params).toString() : "";
+  async getCategories(params?: Record<string, string | number | boolean>): Promise<WordPressCategory[]> {
+    const normalizedParams = params
+      ? Object.fromEntries(Object.entries(params).map(([k, v]) => [k, String(v)]))
+      : undefined;
+    const queryString = normalizedParams ? "?" + new URLSearchParams(normalizedParams).toString() : "";
     return this.get<WordPressCategory[]>(`categories${queryString}`);
   }
 
@@ -867,8 +985,11 @@ export class WordPressClient implements IWordPressClient {
     return this.delete(`categories/${id}?force=${force}`);
   }
 
-  async getTags(params?: any): Promise<WordPressTag[]> {
-    const queryString = params ? "?" + new URLSearchParams(params).toString() : "";
+  async getTags(params?: Record<string, string | number | boolean>): Promise<WordPressTag[]> {
+    const normalizedParams = params
+      ? Object.fromEntries(Object.entries(params).map(([k, v]) => [k, String(v)]))
+      : undefined;
+    const queryString = normalizedParams ? "?" + new URLSearchParams(normalizedParams).toString() : "";
     return this.get<WordPressTag[]>(`tags${queryString}`);
   }
 
@@ -898,7 +1019,7 @@ export class WordPressClient implements IWordPressClient {
     return this.post<WordPressSiteSettings>("settings", settings);
   }
 
-  async getSiteInfo(): Promise<any> {
+  async getSiteInfo(): Promise<WordPressSiteInfo> {
     return this.get("");
   }
 
@@ -912,7 +1033,7 @@ export class WordPressClient implements IWordPressClient {
     name: string,
     appId?: string,
   ): Promise<WordPressApplicationPassword> {
-    const data: any = { name };
+    const data: Record<string, unknown> = { name };
     if (appId) data.app_id = appId;
     return this.post<WordPressApplicationPassword>(`users/${userId}/application-passwords`, data);
   }
@@ -922,12 +1043,12 @@ export class WordPressClient implements IWordPressClient {
   }
 
   // Search
-  async search(query: string, types?: string[], subtype?: string): Promise<any[]> {
+  async search(query: string, types?: string[], subtype?: string): Promise<WordPressSearchResult[]> {
     const params = new URLSearchParams({ search: query });
     if (types) params.append("type", types.join(","));
     if (subtype) params.append("subtype", subtype);
 
-    return this.get<any[]>(`search?${params.toString()}`);
+    return this.get<WordPressSearchResult[]>(`search?${params.toString()}`);
   }
 
   // Utility Methods
@@ -940,7 +1061,7 @@ export class WordPressClient implements IWordPressClient {
     }
   }
 
-  async getServerInfo(): Promise<Record<string, any>> {
+  async getServerInfo(): Promise<Record<string, unknown>> {
     return this.get("");
   }
 
@@ -948,10 +1069,11 @@ export class WordPressClient implements IWordPressClient {
     return /^[a-zA-Z0-9\/\-_]+$/.test(endpoint);
   }
 
-  buildUrl(endpoint: string, params?: Record<string, any>): string {
+  buildUrl(endpoint: string, params?: Record<string, unknown>): string {
     const url = `${this.apiUrl}/${endpoint.replace(/^\/+/, "")}`;
     if (params) {
-      const searchParams = new URLSearchParams(params);
+      const normalizedParams = Object.fromEntries(Object.entries(params).map(([k, v]) => [k, String(v)]));
+      const searchParams = new URLSearchParams(normalizedParams);
       return `${url}?${searchParams.toString()}`;
     }
     return url;