Merge pull request #40 from mhmzdev/streamable-https

Streamable https

Author: mhmzdev

.changeset/many-owls-shave.md

@@ -0,0 +1,5 @@
+---
+"figma-flutter-mcp": patch
+---
+
+StreamableHTTP and API key setup improved

package.json

@@ -18,12 +18,14 @@
     "dev": "tsx src/cli.ts --http",
     "dev:stdio": "tsx src/cli.ts --stdio",
     "dev:port": "tsx src/cli.ts --http --port",
+    "dev:remote": "tsx src/cli.ts --remote --port 3333",
     "changeset": "changeset add",
     "version": "changeset version && npm install --lockfile-only",
     "release": "changeset publish"
   },
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.0.0",
+    "cors": "^2.8.5",
     "dotenv": "^17.2.1",
     "express": "^4.18.2",
     "node-fetch": "^3.3.2",
@@ -33,6 +35,7 @@
   "devDependencies": {
     "@changesets/changelog-github": "^0.5.1",
     "@changesets/cli": "^2.29.6",
+    "@types/cors": "^2.8.17",
     "@types/express": "^4.17.21",
     "@types/node": "^20.10.0",
     "@types/node-fetch": "^2.6.9",

src/cli.ts

@@ -6,14 +6,31 @@ async function startServer(): Promise<void> {
     const config = getServerConfig();
 
     if (config.isStdioMode) {
-        await startMcpServer(config.figmaApiKey);
+        await startMcpServer(config.figmaApiKey!);
     } else if (config.isHttpMode) {
-        console.log('Starting Figma Flutter MCP Server in HTTP mode...');
+        if (config.isRemoteMode) {
+            console.log('Starting Figma Flutter MCP Server in REMOTE mode...');
+            console.log('⚠️  Users MUST provide their own Figma API keys via:');
+            console.log('  - Authorization header (Bearer token)');
+            console.log('  - X-Figma-Api-Key header');
+            console.log('  - figmaApiKey query parameter');
+            console.log('📝 Get API key: https://help.figma.com/hc/en-us/articles/8085703771159-Manage-personal-access-tokens');
+        } else {
+            console.log('Starting Figma Flutter MCP Server in HTTP mode...');
+        }
         await startHttpServer(config.httpPort, config.figmaApiKey);
     } else {
         console.log('Starting Figma Flutter MCP Server...');
-        console.log('Use --stdio flag for MCP client communication');
-        console.log('Use --http flag for local testing via HTTP');
+        console.log('⚠️  You must provide your Figma API key via:');
+        console.log('   • CLI argument: --figma-api-key=YOUR_KEY');
+        console.log('   • Environment: FIGMA_API_KEY=YOUR_KEY in .env file');
+        console.log('');
+        console.log('Available modes:');
+        console.log('  --stdio   MCP client communication (requires API key)');
+        console.log('  --http    Local testing via HTTP (requires API key)');
+        console.log('  --remote  Remote deployment (users provide keys via HTTP headers)');
+        console.log('');
+        console.log('📝 Get your API key: https://help.figma.com/hc/en-us/articles/8085703771159-Manage-personal-access-tokens');
         console.log('Use --help for more options');
     }
 }

src/config.ts

@@ -4,16 +4,18 @@ import {hideBin} from "yargs/helpers";
 import {resolve} from "path";
 
 export interface ServerConfig {
-    figmaApiKey: string;
+    figmaApiKey?: string;
     outputFormat: "yaml" | "json";
     isStdioMode: boolean;
     isHttpMode: boolean;
+    isRemoteMode: boolean;
     httpPort: number;
     configSources: {
-        figmaApiKey: "cli" | "env";
+        figmaApiKey: "cli" | "env" | "none";
         envFile: "cli" | "default";
         stdio: "cli" | "env" | "default";
         http: "cli" | "env" | "default";
+        remote: "cli" | "env" | "default";
         port: "cli" | "env" | "default";
     };
 }
@@ -28,6 +30,7 @@ interface CliArgs {
     env?: string;
     stdio?: boolean;
     http?: boolean;
+    remote?: boolean;
     port?: number;
 }
 
@@ -37,7 +40,7 @@ export function getServerConfig(): ServerConfig {
         .options({
             "figma-api-key": {
                 type: "string",
-                description: "Figma API key",
+                description: "Your Figma API key (can also be set via FIGMA_API_KEY env var)",
             },
             env: {
                 type: "string",
@@ -53,6 +56,11 @@ export function getServerConfig(): ServerConfig {
                 description: "Run in HTTP mode for local testing",
                 default: false,
             },
+            remote: {
+                type: "boolean",
+                description: "Run in remote mode - users provide their own Figma API keys",
+                default: false,
+            },
             port: {
                 type: "number",
                 description: "Port number for HTTP server",
@@ -79,28 +87,31 @@ export function getServerConfig(): ServerConfig {
     loadEnv({path: envFilePath, override: !!argv.env});
 
     const config: ServerConfig = {
-        figmaApiKey: "",
+        figmaApiKey: undefined,
         outputFormat: "json",
         isStdioMode: false,
         isHttpMode: false,
+        isRemoteMode: false,
         httpPort: 3333,
         configSources: {
-            figmaApiKey: "env",
+            figmaApiKey: "none",
             envFile: envFileSource,
             stdio: "default",
             http: "default",
+            remote: "default",
             port: "default",
         },
     };
 
-    // Handle FIGMA_API_KEY
+    // Handle FIGMA_API_KEY - Users must provide their own API key
     if (argv["figma-api-key"]) {
         config.figmaApiKey = argv["figma-api-key"];
         config.configSources.figmaApiKey = "cli";
     } else if (process.env.FIGMA_API_KEY) {
         config.figmaApiKey = process.env.FIGMA_API_KEY;
         config.configSources.figmaApiKey = "env";
     }
+    // Users can provide API key via CLI args, .env file, or HTTP headers (in remote mode)
 
     // Handle stdio mode
     if (argv.stdio) {
@@ -120,6 +131,17 @@ export function getServerConfig(): ServerConfig {
         config.configSources.http = "env";
     }
 
+    // Handle remote mode
+    if (argv.remote) {
+        config.isRemoteMode = true;
+        config.isHttpMode = true; // Remote mode implies HTTP mode
+        config.configSources.remote = "cli";
+    } else if (process.env.REMOTE_MODE === "true") {
+        config.isRemoteMode = true;
+        config.isHttpMode = true; // Remote mode implies HTTP mode
+        config.configSources.remote = "env";
+    }
+
     // Handle port configuration
     if (argv.port) {
         config.httpPort = argv.port;
@@ -129,21 +151,36 @@ export function getServerConfig(): ServerConfig {
         config.configSources.port = "env";
     }
 
-    // Validate configuration
-    if (!config.figmaApiKey) {
-        console.error("Error: FIGMA_API_KEY is required (via CLI argument or .env file)");
+    // Validate configuration - Users must provide their own API key for ALL modes except remote
+    if (!config.figmaApiKey && !config.isRemoteMode) {
+        console.error("Error: FIGMA_API_KEY is required.");
+        console.error("Please provide your Figma API key via one of these methods:");
+        console.error("  1. CLI argument: --figma-api-key=YOUR_API_KEY");
+        console.error("  2. Environment variable: FIGMA_API_KEY=YOUR_API_KEY in .env file");
+        console.error("");
+        console.error("Get your API key from: https://help.figma.com/hc/en-us/articles/8085703771159-Manage-personal-access-tokens");
+        console.error("");
+        console.error("Examples:");
+        console.error("  npx figma-flutter-mcp --figma-api-key=YOUR_KEY --stdio");
+        console.error("  echo 'FIGMA_API_KEY=YOUR_KEY' > .env && npx figma-flutter-mcp --stdio");
+        console.error("  npx figma-flutter-mcp --remote  # Users provide keys via HTTP headers");
         process.exit(1);
     }
 
     // Log configuration sources (only in non-stdio mode)
     if (!config.isStdioMode) {
         console.log("\nConfiguration:");
         console.log(`- ENV_FILE: ${envFilePath} (source: ${config.configSources.envFile})`);
-        console.log(
-            `- FIGMA_API_KEY: ${maskApiKey(config.figmaApiKey)} (source: ${config.configSources.figmaApiKey})`
-        );
+        if (config.figmaApiKey) {
+            console.log(
+                `- FIGMA_API_KEY: ${maskApiKey(config.figmaApiKey)} (source: ${config.configSources.figmaApiKey})`
+            );
+        } else {
+            console.log(`- FIGMA_API_KEY: Not set - users will provide their own (source: ${config.configSources.figmaApiKey})`);
+        }
         console.log(`- STDIO_MODE: ${config.isStdioMode} (source: ${config.configSources.stdio})`);
         console.log(`- HTTP_MODE: ${config.isHttpMode} (source: ${config.configSources.http})`);
+        console.log(`- REMOTE_MODE: ${config.isRemoteMode} (source: ${config.configSources.remote})`);
         if (config.isHttpMode) {
             console.log(`- HTTP_PORT: ${config.httpPort} (source: ${config.configSources.port})`);
         }

src/server.ts

@@ -1,6 +1,7 @@
 import { randomUUID } from "node:crypto";
 import express, { type Request, type Response } from "express";
 import { Server } from "http";
+import cors from "cors";
 import {McpServer} from "@modelcontextprotocol/sdk/server/mcp.js";
 import {StdioServerTransport} from "@modelcontextprotocol/sdk/server/stdio.js";
 import { SSEServerTransport } from "@modelcontextprotocol/sdk/server/sse.js";
@@ -19,12 +20,44 @@ export function createServer(figmaApiKey: string) {
     return server;
 }
 
+// Create a server instance that can handle per-user API keys
+export function createServerForUser(figmaApiKey: string) {
+    return createServer(figmaApiKey);
+}
+
 let httpServer: Server | null = null;
 const transports = {
   streamable: {} as Record<string, StreamableHTTPServerTransport>,
   sse: {} as Record<string, SSEServerTransport>,
 };
 
+// Store MCP server instances per session (for per-user API keys)
+const sessionServers = {} as Record<string, McpServer>;
+
+// Helper function to extract Figma API key from request
+function extractFigmaApiKey(req: Request, fallbackApiKey?: string): string | null {
+  // Try to get from Authorization header (Bearer token)
+  const authHeader = req.headers.authorization;
+  if (authHeader && authHeader.startsWith('Bearer ')) {
+    return authHeader.substring(7);
+  }
+  
+  // Try to get from custom header
+  const figmaApiKey = req.headers['x-figma-api-key'] as string;
+  if (figmaApiKey) {
+    return figmaApiKey;
+  }
+  
+  // Try to get from query parameter (less secure, but convenient for testing)
+  const queryApiKey = req.query.figmaApiKey as string;
+  if (queryApiKey) { 
+    return queryApiKey;
+  }
+  
+  // Fall back to server-wide API key (only for non-remote HTTP mode)
+  return fallbackApiKey || null;
+}
+
 export async function startMcpServer(figmaApiKey: string): Promise<void> {
     try {
         const server = createServer(figmaApiKey);
@@ -37,10 +70,18 @@ export async function startMcpServer(figmaApiKey: string): Promise<void> {
     }
 }
 
-export async function startHttpServer(port: number, figmaApiKey: string): Promise<void> {
-  const mcpServer = createServer(figmaApiKey);
+export async function startHttpServer(port: number, figmaApiKey?: string): Promise<void> {
+  // For remote mode, we don't create a single server instance
+  // Instead, we create per-user servers based on their API keys
+  // For non-remote HTTP mode, we use the provided API key
   const app = express();
 
+  // Configure CORS to expose Mcp-Session-Id header for browser-based clients
+  app.use(cors({
+    origin: '*', // Allow all origins - adjust as needed for production
+    exposedHeaders: ['Mcp-Session-Id']
+  }));
+
   // Parse JSON requests for the Streamable HTTP endpoint only, will break SSE endpoint
   app.use("/mcp", express.json());
 
@@ -49,39 +90,70 @@ export async function startHttpServer(port: number, figmaApiKey: string): Promis
     Logger.log("Received StreamableHTTP request");
     const sessionId = req.headers["mcp-session-id"] as string | undefined;
 
+    // Extract Figma API key from request
+    const userFigmaApiKey = extractFigmaApiKey(req, figmaApiKey);
+    if (!userFigmaApiKey) {
+      res.status(401).json({
+        jsonrpc: "2.0",
+        error: {
+          code: -32001,
+          message: "Unauthorized: Figma API key required. You must provide your own Figma API key via Authorization header (Bearer token), X-Figma-Api-Key header, or figmaApiKey query parameter. Get your API key from: https://help.figma.com/hc/en-us/articles/8085703771159-Manage-personal-access-tokens",
+        },
+        id: null,
+      });
+      return;
+    }
+    
     let transport: StreamableHTTPServerTransport;
+    let mcpServer: McpServer;
 
     if (sessionId && transports.streamable[sessionId]) {
-      // Reuse existing transport
+      // Reuse existing transport and server
       Logger.log("Reusing existing StreamableHTTP transport for sessionId", sessionId);
       transport = transports.streamable[sessionId];
+      mcpServer = sessionServers[sessionId];
     } else if (isInitializeRequest(req.body)) {
-      Logger.log("New initialization request for StreamableHTTP sessionId", sessionId);
+      Logger.log("New initialization request for StreamableHTTP");
+      
+      // Create new server instance for this user's API key
+      mcpServer = createServerForUser(userFigmaApiKey);
+      
       transport = new StreamableHTTPServerTransport({
         sessionIdGenerator: () => randomUUID(),
-        onsessioninitialized: (sessionId) => {
-          // Store the transport by session ID
-          transports.streamable[sessionId] = transport;
+        enableJsonResponse: true, // Enable JSON response mode for better remote compatibility
+        onsessioninitialized: (newSessionId) => {
+          // Store the transport and server by session ID
+          transports.streamable[newSessionId] = transport;
+          sessionServers[newSessionId] = mcpServer;
+          Logger.log("Session initialized with ID:", newSessionId);
         },
       });
       transport.onclose = () => {
         if (transport.sessionId) {
           delete transports.streamable[transport.sessionId];
+          delete sessionServers[transport.sessionId];
         }
       };
       await mcpServer.connect(transport);
     } else if (sessionId) {
       // Session ID provided but transport not found - create new one
       Logger.log("Creating new transport for existing sessionId", sessionId);
+      
+      // Create new server instance for this user's API key
+      mcpServer = createServerForUser(userFigmaApiKey);
+      
       transport = new StreamableHTTPServerTransport({
         sessionIdGenerator: () => sessionId,
+        enableJsonResponse: true, // Enable JSON response mode for better remote compatibility
         onsessioninitialized: (newSessionId) => {
           transports.streamable[newSessionId] = transport;
+          sessionServers[newSessionId] = mcpServer;
         },
       });
       transport.onclose = () => {
         if (transport.sessionId) {
           delete transports.streamable[transport.sessionId];
+          delete sessionServers[transport.sessionId];
         }
       };
       await mcpServer.connect(transport);
@@ -157,12 +229,28 @@ export async function startHttpServer(port: number, figmaApiKey: string): Promis
 
   app.get("/sse", async (req, res) => {
     Logger.log("Establishing new SSE connection");
+    
+    // Extract Figma API key from request
+    const userFigmaApiKey = extractFigmaApiKey(req, figmaApiKey);
+    if (!userFigmaApiKey) {
+      res.status(401).json({
+        error: "Unauthorized: Figma API key required. You must provide your own Figma API key via Authorization header (Bearer token), X-Figma-Api-Key header, or figmaApiKey query parameter. Get your API key from: https://help.figma.com/hc/en-us/articles/8085703771159-Manage-personal-access-tokens",
+      });
+      return;
+    }
+    
     const transport = new SSEServerTransport("/messages", res);
     Logger.log(`New SSE connection established for sessionId ${transport.sessionId}`);
 
+    // Create server instance for this user's API key
+    const mcpServer = createServerForUser(userFigmaApiKey);
+
     transports.sse[transport.sessionId] = transport;
+    sessionServers[transport.sessionId] = mcpServer;
+    
     res.on("close", () => {
       delete transports.sse[transport.sessionId];
+      delete sessionServers[transport.sessionId];
     });
 
     await mcpServer.connect(transport);