url-safety-validator-mcp 1.2.20 → 1.2.22

package/CHANGELOG.md

@@ -2,6 +2,12 @@
 
 All notable changes to URL Safety Validator MCP are documented here.
 
+## [1.2.22] — 2026-06-18
+- feat: revoke API key on Stripe refund
+
+## [1.2.21] — 2026-06-17
+- fix: Stripe webhook now validates payment_link ID — ignores events not belonging to this server
+
 ## [1.2.20] — 2026-06-17
 - feat: SmitheryBot detection on check_url — returns mock SAFE verdict without consuming Google Safe Browsing credits
 

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "url-safety-validator-mcp",
   "mcpName": "io.github.OjasKord/url-safety-validator-mcp",
-  "version": "1.2.20",
+  "version": "1.2.22",
   "description": "URL safety checker for AI agents. Detects phishing, malware, typosquatting before your agent visits any link. BLOCK/ALLOW verdict in one call.",
   "main": "src/server.js",
   "scripts": {

package/src/server.js

@@ -5,9 +5,10 @@ const fs = require('fs');
 const crypto = require('crypto');
 const { Readable } = require('stream');
 
-const VERSION = '1.2.20';
+const VERSION = '1.2.22';
 const PRO_UPGRADE_URL = 'https://buy.stripe.com/5kQeVc9Ah4n3c8c0h2ebu0t';
 const ENTERPRISE_UPGRADE_URL = 'https://buy.stripe.com/4gMdR88wddXDfko0h2ebu0u';
+const ALLOWED_PAYMENT_LINK_IDS = ['plink_1TQzIHD6WvRe6sn3820kFk07', 'plink_1TQzJdD6WvRe6sn3GN8mQkj9'];
 const PORT = process.env.PORT || 3000;
 const STATS_KEY = process.env.STATS_KEY || 'ojas2026';
 const ANTHROPIC_API_KEY = process.env.ANTHROPIC_API_KEY || '';
@@ -157,6 +158,26 @@ async function redisExpire(key, seconds) {
   } catch(e) { console.error('[Redis] redisExpire failed:', e); }
 }
 
+async function redisDelete(key) {
+  try {
+    const res = await fetch(
+      `${UPSTASH_URL}/del/${encodeURIComponent(key)}`,
+      { method: 'POST', headers: { Authorization: `Bearer ${UPSTASH_TOKEN}` } }
+    );
+    const data = await res.json();
+    if (data.error) console.error('[Redis] redisDelete error:', data.error, 'key:', key);
+  } catch(e) { console.error('[Redis] redisDelete failed:', e); }
+}
+
+async function findCheckoutSessionEmail(paymentIntentId) {
+  const res = await fetch(
+    `https://api.stripe.com/v1/checkout/sessions?payment_intent=${encodeURIComponent(paymentIntentId)}`,
+    { headers: { Authorization: `Bearer ${process.env.STRIPE_SECRET_KEY}` } }
+  );
+  const data = await res.json();
+  return data.data?.[0]?.customer_details?.email || data.data?.[0]?.customer_email || null;
+}
+
 async function redisKeys(pattern) {
   try {
     const res = await fetch(
@@ -695,6 +716,11 @@ const server = http.createServer(async (req, res) => {
         const event = JSON.parse(rawBody);
         if (event.type === 'checkout.session.completed') {
           const session = event.data.object;
+          const paymentLinkId = session.payment_link;
+          if (paymentLinkId && !ALLOWED_PAYMENT_LINK_IDS.includes(paymentLinkId)) {
+            console.log('[url-safety] Webhook received but payment link ' + paymentLinkId + ' not for this server — ignoring.');
+            res.writeHead(200, cors); res.end(JSON.stringify({ received: true, ignored: true })); return;
+          }
           const key = 'usv_' + crypto.randomBytes(16).toString('hex');
           const email = session.customer_details?.email || session.customer_email || 'unknown';
           const record = { email, created_at: nowISO(), plan: 'pro' };
@@ -706,6 +732,40 @@ const server = http.createServer(async (req, res) => {
             sendApiKeyEmail(email, key, 'pro').catch(err => console.error('[stripe] Email send failed:', err.message));
           }
         }
+        if (event.type === 'charge.refunded') {
+          if (!process.env.STRIPE_SECRET_KEY) {
+            console.error('[url-safety] STRIPE_SECRET_KEY not set — cannot revoke key on refund');
+            res.writeHead(200, cors); res.end(JSON.stringify({ received: true, ignored: true })); return;
+          }
+          const paymentIntentId = event.data.object.payment_intent;
+          if (!paymentIntentId) {
+            console.log('[url-safety] charge.refunded missing payment_intent — ignoring.');
+            res.writeHead(200, cors); res.end(JSON.stringify({ received: true, ignored: true })); return;
+          }
+          try {
+            const refundEmail = await findCheckoutSessionEmail(paymentIntentId);
+            if (!refundEmail) {
+              console.log('[url-safety] No checkout session/email found for refunded payment_intent ' + paymentIntentId);
+              res.writeHead(200, cors); res.end(JSON.stringify({ received: true, ignored: true })); return;
+            }
+            let revokedKey = null;
+            for (const [k, record] of apiKeys.entries()) {
+              if (record.email === refundEmail) { revokedKey = k; break; }
+            }
+            if (!revokedKey) {
+              console.log('[url-safety] No API key found for ' + refundEmail + ' — refund received, nothing to revoke');
+              res.writeHead(200, cors); res.end(JSON.stringify({ received: true, ignored: true })); return;
+            }
+            apiKeys.delete(revokedKey);
+            await redisDelete(`${REDIS_PREFIX}:key:${revokedKey}`);
+            saveStats();
+            console.log('[Webhook] API key revoked for ' + refundEmail + ' — refund received');
+            res.writeHead(200, cors); res.end(JSON.stringify({ received: true, revoked: true })); return;
+          } catch(e) {
+            console.error('[url-safety] charge.refunded handling error:', e.message);
+            res.writeHead(200, cors); res.end(JSON.stringify({ received: true, ignored: true })); return;
+          }
+        }
         res.writeHead(200, cors); res.end(JSON.stringify({ received: true }));
       } catch(e) {
         res.writeHead(400, cors); res.end(JSON.stringify({ error: e.message }));