import { createHash, timingSafeEqual } from "node:crypto";
import type { Response } from "express";
/**
 * Splits a comma-separated environment variable into its non-empty entries.
 *
 * Each entry is trimmed of surrounding whitespace; blank entries (e.g. from a
 * trailing comma or `"a,,b"`) are dropped. An unset or empty variable yields `[]`.
 *
 * @param value Raw environment variable value, possibly undefined.
 * @returns Trimmed, non-empty entries in their original order.
 */
export function parseCsvEnv(value: string | undefined): string[] {
  const entries: string[] = [];
  if (value === undefined || value === "") return entries;
  for (const rawEntry of value.split(",")) {
    const trimmed = rawEntry.trim();
    if (trimmed.length > 0) entries.push(trimmed);
  }
  return entries;
}
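/**
 * Validates a bearer token taken from the request's `Authorization` header.
 *
 * @param reqAuthHeader Raw `Authorization` header value. A leading `Bearer `
 *   prefix (case-insensitive, any whitespace after it) is stripped; a header
 *   without the prefix is compared as-is.
 * @param expected The configured API key.
 * @throws Error("Unauthorized") when the token is missing or does not match.
 *
 * If `expected` is empty the check is skipped and EVERY request is accepted.
 * That is a "no key configured" convenience for local development, not a safe
 * default — never deploy without a key.
 */
export function requireApiKey(reqAuthHeader: string | undefined, expected: string) {
  if (!expected) return; // No key configured: auth disabled (development only).
  const token = (reqAuthHeader ?? "").replace(/^Bearer\s+/i, "");
  if (!token) throw new Error("Unauthorized");
  // Compare fixed-length SHA-256 digests with timingSafeEqual so the time spent
  // does not depend on how many leading bytes of the token are correct (a plain
  // `!==` short-circuits at the first mismatch). Hashing first satisfies
  // timingSafeEqual's equal-length requirement (it throws otherwise) without a
  // length check that would reveal the key's length.
  const presented = createHash("sha256").update(token).digest();
  const configured = createHash("sha256").update(expected).digest();
  if (!timingSafeEqual(presented, configured)) {
    throw new Error("Unauthorized");
  }
}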
/**
 * Decides whether a request `Origin` may use this API under `allowedOrigins`.
 *
 * - Empty allowlist: every origin is allowed, including requests that carry no
 *   `Origin` header at all (development mode — configure an allowlist in production).
 * - Non-empty allowlist: the header must be present and must match one entry
 *   exactly (no normalisation of scheme, host case, or port is performed).
 *
 * @param origin Value of the request's `Origin` header, if any.
 * @param allowedOrigins Exact origin strings that are permitted.
 * @returns true when the request may proceed.
 */
export function originAllowed(origin: string | undefined, allowedOrigins: string[]): boolean {
  const allowlistConfigured = allowedOrigins.length > 0;
  if (!allowlistConfigured) return true;
  if (origin === undefined || origin === "") return false;
  return allowedOrigins.some((candidate) => candidate === origin);
}
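/**
 * Writes CORS response headers for `origin` according to `allowedOrigins`.
 *
 * - No allowlist configured (development mode): `Access-Control-Allow-Origin: *`
 *   and NO `Access-Control-Allow-Credentials`. Previously an empty allowlist plus
 *   any `Origin` header echoed that origin back together with
 *   `Allow-Credentials: true`, which hands every website credentialed access to
 *   the API; the `*` branch was only reachable when `Origin` was absent.
 * - Allowlist configured and `origin` on it: the origin is echoed, credentials
 *   are allowed, and `Vary: Origin` is set so a shared cache cannot serve one
 *   origin's `Allow-Origin` value to a different origin.
 * - Allowlist configured and `origin` missing or not on it: no CORS headers,
 *   so the browser blocks the cross-origin read.
 *
 * @param res Express response to write headers on.
 * @param origin Value of the request's `Origin` header, if any.
 * @param allowedOrigins Exact origin strings that are permitted.
 */
export function setCorsHeaders(res: Response, origin: string | undefined, allowedOrigins: string[]) {
  const allowMethods = "GET, POST, OPTIONS";
  // NOTE(review): if the server returns Mcp-Session-Id in responses, browsers
  // cannot read it without Access-Control-Expose-Headers — confirm against the
  // transport layer before adding it here.
  const allowHeaders = "Content-Type, Authorization, Mcp-Session-Id";

  if (allowedOrigins.length === 0) {
    // Wildcard is intentionally paired with no credentials: browsers reject
    // `*` + credentials, and reflecting arbitrary origins with credentials is
    // the insecure alternative this branch exists to avoid.
    res.setHeader("Access-Control-Allow-Origin", "*");
    res.setHeader("Access-Control-Allow-Methods", allowMethods);
    res.setHeader("Access-Control-Allow-Headers", allowHeaders);
    return;
  }

  if (!origin || !originAllowed(origin, allowedOrigins)) return;

  res.setHeader("Access-Control-Allow-Origin", origin);
  res.vary("Origin"); // the response differs per Origin; keep caches from mixing them
  res.setHeader("Access-Control-Allow-Methods", allowMethods);
  res.setHeader("Access-Control-Allow-Headers", allowHeaders);
  res.setHeader("Access-Control-Allow-Credentials", "true");
  res.setHeader("Access-Control-Max-Age", "86400"); // 24 hours
}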