feat(mcp-server): add DRAWIO_BASE_URL env for private deployments (#467)

* feat(mcp-server): add DRAWIO_BASE_URL env for private deployments * Fix postMessage origin check and URL normalization - Add getOrigin() function to extract scheme+host+port from DRAWIO_BASE_URL - Use DRAWIO_ORIGIN for postMessage security check instead of full URL - Add normalizeUrl() to remove trailing slash and avoid double slashes - This fixes issues when users configure DRAWIO_BASE_URL with trailing slash or path
2026-01-02 22:32:27 +08:00 · 2026-01-01 13:47:39 +08:00
parent 037f32973a
commit 493ee168b1
2 changed files with 52 additions and 3 deletions
--- a/packages/mcp-server/src/http-server.ts
+++ b/packages/mcp-server/src/http-server.ts
@@ -13,6 +13,28 @@ import {
 } from "./history.js"
 import { log } from "./logger.js"

+// Configurable draw.io embed URL for private deployments
+const DRAWIO_BASE_URL =
+    process.env.DRAWIO_BASE_URL || "https://embed.diagrams.net"
+
+// Extract origin (scheme + host + port) from URL for postMessage security check
+function getOrigin(url: string): string {
+    try {
+        const parsed = new URL(url)
+        return `${parsed.protocol}//${parsed.host}`
+    } catch {
+        return url // Fallback if parsing fails
+    }
+}
+
+const DRAWIO_ORIGIN = getOrigin(DRAWIO_BASE_URL)
+
+// Normalize URL for iframe src - ensure no double slashes
+function normalizeUrl(url: string): string {
+    // Remove trailing slash to avoid double slashes
+    return url.replace(/\/$/, '')
+}
+
 interface SessionState {
    xml: string
    version: number
@@ -403,7 +425,7 @@ function getHtmlPage(sessionId: string): string {
            </div>
            <div id="status" class="status disconnected">Connecting...</div>
        </div>
-        <iframe id="drawio" src="https://embed.diagrams.net/?embed=1&proto=json&spin=1&libraries=1"></iframe>
+        <iframe id="drawio" src="${normalizeUrl(DRAWIO_BASE_URL)}/?embed=1&proto=json&spin=1&libraries=1"></iframe>
    </div>
    <button id="history-btn" title="History" ${sessionId ? "" : "disabled"}>
        <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
@@ -433,7 +455,7 @@ function getHtmlPage(sessionId: string): string {
        let pendingAiSvg = false;

        window.addEventListener('message', (e) => {
-            if (e.origin !== 'https://embed.diagrams.net') return;
+            if (e.origin !== '${DRAWIO_ORIGIN}') return;
            try {
                const msg = JSON.parse(e.data);
                if (msg.event === 'init') {