npm - sap-wm-mcp - Versions diffs - 0.3.2 → 0.3.4 - Mend

sap-wm-mcp 0.3.2 → 0.3.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/lib/s4hClient.js +44 -44
package/package.json +1 -1

package/lib/s4hClient.js CHANGED Viewed

@@ -21,19 +21,20 @@ function log(level, msg, meta = {}) {
   console.error(JSON.stringify({ ts: new Date().toISOString(), level, msg, ...meta }));
 }
-// ── CSRF token cache ──────────────────────────────────────────────────────────
-// Tokens are valid for the HTTP session. We cache the token + session cookie so
-// each write operation needs only one round trip instead of two.
-let _csrfToken    = null;
-let _cookieHeader = null;
-async function refreshCsrf() {
-  log('debug', 'csrf_refresh');
+// ── CSRF token fetch ──────────────────────────────────────────────────────────
+// Always fetches a fresh token + session cookie before each POST.
+// No caching: avoids session-expiry races and token-echo bugs (some SAP gateway
+// configurations return 'Required' or 'Fetch' on the service root; those are
+// invalid tokens that look valid but cause 403 on every write).
+// The extra round-trip cost is negligible — writes are rare in WM operations.
+async function fetchCsrf() {
+  log('debug', 'csrf_fetch');
   const res = await fetch(`${BASE_URL}${BASE_PATH}`, {
     method:  'GET',
     headers: {
       'Authorization':  `Basic ${AUTH}`,
-      'x-csrf-token':   'fetch',
+      'Accept':         'application/json',
+      'x-csrf-token':   'Fetch',
       'sap-client':     CLIENT
     },
     agent,
@@ -41,16 +42,26 @@ async function refreshCsrf() {
   });
   const token = res.headers.get('x-csrf-token');
-  if (!token) throw new Error('CSRF token fetch failed — no token in response headers');
+  // SAP may echo 'Fetch' or 'Required' back when the endpoint doesn't support
+  // CSRF token issuance — treat those as failures so the error is clear.
+  if (!token || token === 'Fetch' || token === 'Required') {
+    throw new Error(`CSRF token fetch failed — SAP returned: ${token ?? '(no header)'}`);
+  }
-  const raw = res.headers.raw?.()['set-cookie'] ?? res.headers.get('set-cookie');
-  const cookie = Array.isArray(raw)
-    ? raw.map(c => c.split(';')[0]).join('; ')
-    : (raw ?? '').split(',').map(c => c.trim().split(';')[0]).join('; ');
+  // node-fetch v3: getSetCookie() is WHATWG spec (Node 18+); forEach fallback for older envs.
+  let cookieParts;
+  if (typeof res.headers.getSetCookie === 'function') {
+    cookieParts = res.headers.getSetCookie().map(c => c.split(';')[0].trim());
+  } else {
+    cookieParts = [];
+    res.headers.forEach((value, key) => {
+      if (key.toLowerCase() === 'set-cookie') cookieParts.push(value.split(';')[0].trim());
+    });
+  }
-  _csrfToken    = token;
-  _cookieHeader = cookie;
-  log('debug', 'csrf_refreshed');
+  const cookieHeader = cookieParts.join('; ');
+  log('debug', 'csrf_fetch_ok', { hasCookie: !!cookieHeader });
+  return { token, cookieHeader };
 }
 // ── GET ───────────────────────────────────────────────────────────────────────
@@ -93,36 +104,25 @@ export async function s4hPost(path, body) {
   const start = Date.now();
   log('debug', 'odata_post', { url });
-  // Obtain CSRF token (use cache; refresh if missing or if SAP returns 403)
-  if (!_csrfToken) await refreshCsrf();
-  const doPost = async () => fetch(url, {
-    method:  'POST',
-    headers: {
-      'Authorization':  `Basic ${AUTH}`,
-      'Content-Type':   'application/json',
-      'Accept':         'application/json',
-      'x-csrf-token':   _csrfToken,
-      'sap-client':     CLIENT,
-      ...(_cookieHeader ? { 'Cookie': _cookieHeader } : {})
-    },
-    body:   JSON.stringify(body),
-    agent,
-    signal: AbortSignal.timeout(TIMEOUT_MS)
-  });
+  // Always fetch a fresh CSRF token + session cookie before the POST.
+  const { token, cookieHeader } = await fetchCsrf();
   let response;
   try {
-    response = await doPost();
-    // CSRF token expired — refresh once and retry
-    if (response.status === 403) {
-      log('warn', 'csrf_expired_retry', { url });
-      _csrfToken = null;
-      _cookieHeader = null;
-      await refreshCsrf();
-      response = await doPost();
-    }
+    response = await fetch(url, {
+      method:  'POST',
+      headers: {
+        'Authorization':  `Basic ${AUTH}`,
+        'Content-Type':   'application/json',
+        'Accept':         'application/json',
+        'x-csrf-token':   token,
+        'sap-client':     CLIENT,
+        ...(cookieHeader ? { 'Cookie': cookieHeader } : {})
+      },
+      body:   JSON.stringify(body),
+      agent,
+      signal: AbortSignal.timeout(TIMEOUT_MS)
+    });
   } catch (err) {
     log('error', 'odata_post_failed', { url, err: err.message, ms: Date.now() - start });
     throw err;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "sap-wm-mcp",
-  "version": "0.3.2",
+  "version": "0.3.4",
   "description": "MCP server for SAP Classic Warehouse Management — connects AI agents to S/4HANA WM via a custom RAP OData V4 service. For systems where EWM is not active.",
   "type": "module",
   "main": "index.js",