figma_mcp_server_actor

Verified Safe

by oabolade

Overview

Enables AI assistants to interact with Figma designs and projects using natural language commands via the Model Context Protocol.

Installation

Run Command
apify run

Environment Variables

  • FIGMA_ACCESS_TOKEN

Security Notes

The server implements the Model Context Protocol (MCP) JSON-RPC 2.0 specification, securely wrapping Figma API calls. It uses a `switch` statement to map incoming MCP methods to specific internal functions, preventing arbitrary method invocation. Input parameters for tools are validated via JSON schemas, reducing the risk of injection vulnerabilities. Authentication relies on a Figma Personal Access Token (PAT) provided as an environment variable or input, which is a standard and secure practice for API keys. The server explicitly checks for authentication and throws an error if it is missing. Cross-Origin Resource Sharing (CORS) is set to allow all origins (`Access-Control-Allow-Origin: *`), which is common for public APIs but means requests can be made from any web domain. There are no obvious signs of `eval`, obfuscation, or direct command injection in the provided code snippets. The server caches GET requests, enhancing performance without introducing security risks. OAuth 2.0 support is planned but not fully implemented, so the PAT is the current sensitive secret to manage.

Stats

Interest Score: 9
Security Score: 9
Cost Class: Medium
Avg Tokens: 3000
Stars: 1
Forks: 0
Last Update: 2025-12-16

Tags

AI, Figma, Design, API, MCP