npm - url-safety-validator-mcp - Versions diffs - 1.2.21 → 1.2.22 - Mend

url-safety-validator-mcp 1.2.21 → 1.2.22

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -2,6 +2,9 @@
 All notable changes to URL Safety Validator MCP are documented here.
+## [1.2.22] — 2026-06-18
+- feat: revoke API key on Stripe refund
 ## [1.2.21] — 2026-06-17
 - fix: Stripe webhook now validates payment_link ID — ignores events not belonging to this server

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "url-safety-validator-mcp",
   "mcpName": "io.github.OjasKord/url-safety-validator-mcp",
-  "version": "1.2.21",
+  "version": "1.2.22",
   "description": "URL safety checker for AI agents. Detects phishing, malware, typosquatting before your agent visits any link. BLOCK/ALLOW verdict in one call.",
   "main": "src/server.js",
   "scripts": {

package/src/server.js CHANGED Viewed

@@ -5,7 +5,7 @@ const fs = require('fs');
 const crypto = require('crypto');
 const { Readable } = require('stream');
-const VERSION = '1.2.21';
+const VERSION = '1.2.22';
 const PRO_UPGRADE_URL = 'https://buy.stripe.com/5kQeVc9Ah4n3c8c0h2ebu0t';
 const ENTERPRISE_UPGRADE_URL = 'https://buy.stripe.com/4gMdR88wddXDfko0h2ebu0u';
 const ALLOWED_PAYMENT_LINK_IDS = ['plink_1TQzIHD6WvRe6sn3820kFk07', 'plink_1TQzJdD6WvRe6sn3GN8mQkj9'];
@@ -158,6 +158,26 @@ async function redisExpire(key, seconds) {
   } catch(e) { console.error('[Redis] redisExpire failed:', e); }
 }
+async function redisDelete(key) {
+  try {
+    const res = await fetch(
+      `${UPSTASH_URL}/del/${encodeURIComponent(key)}`,
+      { method: 'POST', headers: { Authorization: `Bearer ${UPSTASH_TOKEN}` } }
+    );
+    const data = await res.json();
+    if (data.error) console.error('[Redis] redisDelete error:', data.error, 'key:', key);
+  } catch(e) { console.error('[Redis] redisDelete failed:', e); }
+}
+async function findCheckoutSessionEmail(paymentIntentId) {
+  const res = await fetch(
+    `https://api.stripe.com/v1/checkout/sessions?payment_intent=${encodeURIComponent(paymentIntentId)}`,
+    { headers: { Authorization: `Bearer ${process.env.STRIPE_SECRET_KEY}` } }
+  );
+  const data = await res.json();
+  return data.data?.[0]?.customer_details?.email || data.data?.[0]?.customer_email || null;
+}
 async function redisKeys(pattern) {
   try {
     const res = await fetch(
@@ -712,6 +732,40 @@ const server = http.createServer(async (req, res) => {
             sendApiKeyEmail(email, key, 'pro').catch(err => console.error('[stripe] Email send failed:', err.message));
           }
         }
+        if (event.type === 'charge.refunded') {
+          if (!process.env.STRIPE_SECRET_KEY) {
+            console.error('[url-safety] STRIPE_SECRET_KEY not set — cannot revoke key on refund');
+            res.writeHead(200, cors); res.end(JSON.stringify({ received: true, ignored: true })); return;
+          }
+          const paymentIntentId = event.data.object.payment_intent;
+          if (!paymentIntentId) {
+            console.log('[url-safety] charge.refunded missing payment_intent — ignoring.');
+            res.writeHead(200, cors); res.end(JSON.stringify({ received: true, ignored: true })); return;
+          }
+          try {
+            const refundEmail = await findCheckoutSessionEmail(paymentIntentId);
+            if (!refundEmail) {
+              console.log('[url-safety] No checkout session/email found for refunded payment_intent ' + paymentIntentId);
+              res.writeHead(200, cors); res.end(JSON.stringify({ received: true, ignored: true })); return;
+            }
+            let revokedKey = null;
+            for (const [k, record] of apiKeys.entries()) {
+              if (record.email === refundEmail) { revokedKey = k; break; }
+            }
+            if (!revokedKey) {
+              console.log('[url-safety] No API key found for ' + refundEmail + ' — refund received, nothing to revoke');
+              res.writeHead(200, cors); res.end(JSON.stringify({ received: true, ignored: true })); return;
+            }
+            apiKeys.delete(revokedKey);
+            await redisDelete(`${REDIS_PREFIX}:key:${revokedKey}`);
+            saveStats();
+            console.log('[Webhook] API key revoked for ' + refundEmail + ' — refund received');
+            res.writeHead(200, cors); res.end(JSON.stringify({ received: true, revoked: true })); return;
+          } catch(e) {
+            console.error('[url-safety] charge.refunded handling error:', e.message);
+            res.writeHead(200, cors); res.end(JSON.stringify({ received: true, ignored: true })); return;
+          }
+        }
         res.writeHead(200, cors); res.end(JSON.stringify({ received: true }));
       } catch(e) {
         res.writeHead(400, cors); res.end(JSON.stringify({ error: e.message }));