ofw-mcp 2.0.13 → 2.0.14

package/dist/client.js

@@ -1,5 +1,6 @@
 import { dirname, join } from 'path';
 import { fileURLToPath } from 'url';
+import { resolveAuth } from './auth.js';
 // Load .env for local dev; silently skip if dotenv is unavailable (e.g. mcpb bundle)
 try {
     const { config } = await import('dotenv');
@@ -9,24 +10,6 @@ try {
 catch {
     // not available — rely on process.env (mcpb sets credentials via mcp_config.env)
 }
-/**
- * Read an env var, trim whitespace, and treat as unset if blank or if the value
- * looks like an unsubstituted shell placeholder (e.g. `${FOO}`) — defends
- * against MCP hosts that pass .mcp.json env blocks through unexpanded.
- */
-function readVar(key) {
-    const raw = process.env[key];
-    if (typeof raw !== 'string')
-        return undefined;
-    const trimmed = raw.trim();
-    if (trimmed.length === 0)
-        return undefined;
-    if (trimmed === 'undefined' || trimmed === 'null')
-        return undefined;
-    if (/^\$\{[^}]*\}$/.test(trimmed))
-        return undefined;
-    return trimmed;
-}
 const BASE_URL = 'https://ofw.ourfamilywizard.com';
 const OFW_PROTOCOL_HEADERS = {
     'ofw-client': 'WebApplication',
@@ -107,48 +90,18 @@ export class OFWClient {
             return;
         await this.login();
     }
+    // Auth resolution is delegated to `./auth.ts`. This client doesn't care
+    // whether the token came from a password POST or from a one-shot
+    // fetchproxy session-snapshot — it just consumes the result.
+    //
+    // If `expiresAt` is missing (the fetchproxy path on a tab whose
+    // browser didn't persist tokenExpiry), we fall back to the same 6h
+    // estimate the password path uses. The 401-replay path covers us if
+    // the estimate is wrong.
     async login() {
-        const username = readVar('OFW_USERNAME');
-        const password = readVar('OFW_PASSWORD');
-        if (!username || !password) {
-            throw new Error('OFW_USERNAME and OFW_PASSWORD must be set');
-        }
-        // Spring Security requires a SESSION cookie before accepting the login POST.
-        // GET /ofw/login.form with redirect:manual to capture the Set-Cookie from the 303 response.
-        const initResponse = await fetch(`${BASE_URL}/ofw/login.form`, {
-            headers: { ...OFW_PROTOCOL_HEADERS },
-            redirect: 'manual',
-        });
-        // Extract just the SESSION=value part (strip attributes like Path, Secure, etc.)
-        const setCookie = initResponse.headers.get('set-cookie') ?? '';
-        const sessionCookie = setCookie.split(';')[0];
-        const response = await fetch(`${BASE_URL}/ofw/login`, {
-            method: 'POST',
-            headers: {
-                ...OFW_PROTOCOL_HEADERS,
-                Accept: 'application/json',
-                'Content-Type': 'application/x-www-form-urlencoded',
-                ...(sessionCookie ? { Cookie: sessionCookie } : {}),
-            },
-            body: new URLSearchParams({
-                submit: 'Sign In',
-                _eventId: 'submit',
-                username,
-                password,
-            }).toString(),
-        });
-        if (!response.ok) {
-            throw new Error(`OFW login failed: ${response.status} ${response.statusText}`);
-        }
-        const contentType = response.headers.get('content-type') ?? '';
-        if (!contentType.includes('application/json')) {
-            const body = await response.text();
-            throw new Error(`OFW login returned unexpected response (${contentType}): ${body.substring(0, 200)}`);
-        }
-        const data = (await response.json());
-        this.token = data.auth;
-        // Token expiry not returned by login endpoint; use 6h as a safe default
-        this.tokenExpiry = new Date(Date.now() + 6 * 60 * 60 * 1000);
+        const { token, expiresAt } = await resolveAuth();
+        this.token = token;
+        this.tokenExpiry = expiresAt ?? new Date(Date.now() + 6 * 60 * 60 * 1000);
     }
     isTokenExpiredSoon() {
         if (!this.token || !this.tokenExpiry)

package/dist/config.js

@@ -1,12 +1,22 @@
 import { createHash } from 'node:crypto';
 import { homedir } from 'node:os';
 import { join } from 'node:path';
-function readUsername() {
-    const raw = process.env.OFW_USERNAME;
-    if (typeof raw !== 'string' || raw.trim().length === 0) {
-        throw new Error('OFW_USERNAME must be set to derive cache path');
-    }
-    return raw.trim();
+// Cache identity drives the per-user SQLite DB filename. Order of preference:
+//   1. OFW_CACHE_IDENTITY — explicit override for users who want to label the
+//      cache themselves (e.g. when authing via fetchproxy and OFW_USERNAME is
+//      not set).
+//   2. OFW_USERNAME — legacy path; existing users keep their existing DB.
+//   3. "_default" — fallback for fetchproxy-only setups where neither is set.
+//      Single-user installs are fine on this; multi-account users should set
+//      OFW_CACHE_IDENTITY explicitly so their caches don't collide.
+function readCacheIdentity() {
+    const explicit = process.env.OFW_CACHE_IDENTITY;
+    if (typeof explicit === 'string' && explicit.trim().length > 0)
+        return explicit.trim();
+    const username = process.env.OFW_USERNAME;
+    if (typeof username === 'string' && username.trim().length > 0)
+        return username.trim();
+    return '_default';
 }
 export function getCacheDir() {
     const override = process.env.OFW_CACHE_DIR;
@@ -15,8 +25,8 @@ export function getCacheDir() {
     return join(homedir(), '.cache', 'ofw-mcp');
 }
 export function getCacheDbPath() {
-    const username = readUsername();
-    const hash = createHash('sha256').update(username).digest('hex').slice(0, 16);
+    const identity = readCacheIdentity();
+    const hash = createHash('sha256').update(identity).digest('hex').slice(0, 16);
     return join(getCacheDir(), `${hash}.db`);
 }
 export function getAttachmentsDir() {

package/dist/index.js

@@ -17,7 +17,7 @@ import { registerMessageTools } from './tools/messages.js';
 import { registerCalendarTools } from './tools/calendar.js';
 import { registerExpenseTools } from './tools/expenses.js';
 import { registerJournalTools } from './tools/journal.js';
-const server = new McpServer({ name: 'ofw', version: '2.0.13' });
+const server = new McpServer({ name: 'ofw', version: '2.0.14' });
 registerUserTools(server, client);
 registerMessageTools(server, client);
 registerCalendarTools(server, client);

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "ofw-mcp",
-  "version": "2.0.13",
+  "version": "2.0.14",
   "mcpName": "io.github.chrischall/ofw-mcp",
-  "description": "OurFamilyWizard MCP server for Claude — developed and maintained by AI (Claude Code)",
+  "description": "OurFamilyWizard MCP server for Claude \u2014 developed and maintained by AI (Claude Code)",
   "author": "Claude Code (AI) <https://www.anthropic.com/claude>",
   "repository": {
     "type": "git",
@@ -21,12 +21,13 @@
   ],
   "scripts": {
     "build": "tsc && npm run bundle",
-    "bundle": "esbuild src/index.ts --bundle --platform=node --format=esm --external:dotenv --outfile=dist/bundle.js",
+    "bundle": "esbuild src/index.ts --bundle --platform=node --format=esm --external:dotenv --banner:js='import { createRequire as __createRequire } from \"module\"; const require = __createRequire(import.meta.url);' --outfile=dist/bundle.js",
     "dev": "node --env-file=.env dist/index.js",
     "test": "vitest run",
     "test:watch": "vitest"
   },
   "dependencies": {
+    "@fetchproxy/bootstrap": "^0.4.2",
     "@modelcontextprotocol/sdk": "^1.29.0",
     "dotenv": "^17.4.0",
     "zod": "^4.4.2"

package/server.json

@@ -6,12 +6,12 @@
     "url": "https://github.com/chrischall/ofw-mcp",
     "source": "github"
   },
-  "version": "2.0.13",
+  "version": "2.0.14",
   "packages": [
     {
       "registryType": "npm",
       "identifier": "ofw-mcp",
-      "version": "2.0.13",
+      "version": "2.0.14",
       "transport": {
         "type": "stdio"
       },