Releases: rianvdm/lastfm-mcp

v2.3.1 — Timezone-aware date formatting

17 Mar 19:06

What's new

Track play times in get_recent_tracks now display in the correct timezone instead of silently using UTC. Previously, a track played at 11pm Pacific would show as the next day — causing Claude to say "yesterday" when it was today, or confuse morning/evening.

Changes

  • Added optional timezone parameter to get_recent_tracks (IANA format, e.g. "America/New_York"). Defaults to UTC.
  • All date formatting now uses an explicit UTC timestamp (Mar 17, 2026, 2:04 AM UTC) instead of the runtime-local format (3/17/2026), making dates unambiguous regardless of where the server runs.
  • Invalid timezone strings fall back to UTC with a visible warning.
  • Shared formatTimestamp utility eliminates duplicated date logic across the codebase.
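
The fallback behaviour listed above, sketched as an added example that is not the project's code: `formatPlayTime` and its return shape are hypothetical, and the sample timestamp is constructed. Because the zone string comes from the caller, the warning quotes and truncates it rather than echoing it raw.

```javascript
// Added example. formatPlayTime and its return shape are hypothetical,
// not the project's formatTimestamp utility.
const FORMAT = {
  year: "numeric", month: "short", day: "numeric",
  hour: "numeric", minute: "2-digit", timeZoneName: "short",
};

function formatPlayTime(unixSeconds, timeZone = "UTC") {
  const date = new Date(unixSeconds * 1000);
  try {
    // Intl.DateTimeFormat throws RangeError for a zone it does not know.
    const fmt = new Intl.DateTimeFormat("en-US", { ...FORMAT, timeZone });
    return { text: fmt.format(date), warning: null };
  } catch (err) {
    if (!(err instanceof RangeError)) throw err;
    const fmt = new Intl.DateTimeFormat("en-US", { ...FORMAT, timeZone: "UTC" });
    // The zone string is caller-supplied: quote it and cap its length before echoing it.
    const shown = JSON.stringify(String(timeZone).slice(0, 64));
    return { text: fmt.format(date), warning: `Unknown timezone ${shown}, showing UTC` };
  }
}

// Constructed sample: one play at 2026-03-17 06:04 UTC, which is
// 11:04 PM on Mar 16 in Los Angeles.
const playedAt = Date.UTC(2026, 2, 17, 6, 4) / 1000;
function demo() {
  return [
    formatPlayTime(playedAt),
    formatPlayTime(playedAt, "America/Los_Angeles"),
    formatPlayTime(playedAt, "Mars/Olympus"),
  ];
}
```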

v2.3.0 - Automatic OAuth Browser Flow

15 Mar 21:23
e83b5cc

What's New

This release fixes the authentication experience for all MCP clients. Previously, connecting any client (Claude Code, Claude Desktop, opencode) to the server required manually copying and pasting a login URL. Now the browser opens automatically and the entire auth flow is hands-free.

OAuth Browser Flow Fix

  • Automatic browser open on first connection — Unauthenticated POST /mcp requests now return 401 + WWW-Authenticate: Bearer resource_metadata=... per the MCP OAuth 2.1 spec. Conforming clients (Claude Code, Claude Desktop, opencode) detect this response and open the browser to Last.fm automatically — no copy-paste URL required
  • Preserved manual login path — Clients that previously authenticated via /login continue to work without re-authenticating. The server checks for an existing session via Mcp-Session-Id header + KV lookup before falling through to the OAuth provider
  • Legacy session_id param path unchanged — Direct session-based connections (e.g. ?session_id=...) are unaffected
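
The header-session check and the 401 challenge described above, as an added example that is not the project's code: the function and field names are hypothetical, a `Map` stands in for the KV store, and the legacy `session_id` path is left out. The point to notice is that an `Mcp-Session-Id` the store does not know is treated the same as no credentials at all.

```javascript
// Added example; function and field names are hypothetical, and a Map stands in
// for the Workers KV session store.
const METADATA_PATH = "/.well-known/oauth-protected-resource"; // RFC 9728

function routeMcpRequest(request, sessions) {
  // 1. Manual /login path: the header is only a lookup key. An id the store
  //    does not know grants nothing and falls through.
  const sessionId = request.headers.get("Mcp-Session-Id");
  const session = sessionId ? sessions.get(sessionId) : undefined;
  if (session) return { action: "serve", username: session.username };

  // 2. A bearer token goes to the OAuth provider for validation (not shown).
  const auth = request.headers.get("Authorization") || "";
  if (/^Bearer \S+$/i.test(auth)) return { action: "validate-token" };

  // 3. No usable credentials: challenge and point at the metadata document.
  const metadataUrl = new URL(request.url).origin + METADATA_PATH;
  const response = new Response(JSON.stringify({ error: "unauthorized" }), {
    status: 401,
    headers: {
      "Content-Type": "application/json",
      "WWW-Authenticate": `Bearer resource_metadata="${metadataUrl}"`,
    },
  });
  return { action: "challenge", response };
}

// Constructed session store and requests.
const demoSessions = new Map([["sess-known", { username: "alice" }]]);
const mcpPost = (headers = {}) =>
  new Request("https://mcp.example/mcp", { method: "POST", headers });
```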

Security Fix (from v2.2.0 hotfix)

  • JWT timing side-channel — Replaced string comparison of JWT signatures with crypto.subtle.timingSafeEqual() to prevent timing-based token forgery attacks
  • SSE global mutable state — Eliminated a shared mutable Map across requests in the SSE transport layer that could leak session data between concurrent users
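
The signature comparison from the first item, as an added example that is not the project's code. It assumes HS256 tokens and runs under Node, so Node's `crypto.timingSafeEqual` stands in for the Workers call `crypto.subtle.timingSafeEqual()`; the function names are hypothetical.

```javascript
// Added example, not the project's code. HS256 is an assumption, and Node's
// crypto.timingSafeEqual stands in for the Workers crypto.subtle.timingSafeEqual.
const { createHmac, timingSafeEqual } = require("node:crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");
const hmac = (input, secret) => createHmac("sha256", secret).update(input).digest();

// Helper that mints constructed test tokens.
function signHs256(claims, secret) {
  const signingInput =
    b64url(JSON.stringify({ alg: "HS256", typ: "JWT" })) + "." + b64url(JSON.stringify(claims));
  return signingInput + "." + b64url(hmac(signingInput, secret));
}

function verifyHs256(token, secret) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;

  const expected = hmac(`${head}.${body}`, secret);
  const presented = Buffer.from(sig, "base64url");
  // timingSafeEqual throws on unequal lengths. The tag length is public, so
  // rejecting on length first gives an attacker nothing.
  if (presented.length !== expected.length) return null;
  // A string === here may stop at the first differing character, so response
  // time would track how many leading characters of a guess are right.
  if (!timingSafeEqual(presented, expected)) return null;

  try {
    // Decode only after the signature checks out.
    const header = JSON.parse(Buffer.from(head, "base64url").toString("utf8"));
    if (header.alg !== "HS256") return null;
    const claims = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
    const expired = typeof claims.exp === "number" && claims.exp * 1000 <= Date.now();
    return expired ? null : claims;
  } catch {
    return null;
  }
}
```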

Test Infrastructure

  • CJS ajv compatibility — The Cloudflare Workers test pool (@cloudflare/vitest-pool-workers) couldn't load the nested CommonJS ajv module from @modelcontextprotocol/sdk. Fixed by aliasing ajv and ajv-formats to minimal ESM stubs in vitest.config.mts, restoring full test suite execution
  • New OAuth test suite — 34 tests across 3 files covering: unauthenticated 401 behavior, OAuth metadata endpoints, Mcp-Session-Id header routing, and a full 7-step OAuth round-trip (client registration → PKCE authorize → Last.fm callback → token exchange → authenticated MCP call)

Full Changelog: v2.2.0...v2.3.0

v2.2.0 - Security Hardening & MCP Server Review

22 Feb 01:40

What's New

This release addresses all P0 (critical) and P1 (important) findings from a comprehensive security and best-practices review of the MCP server against Cloudflare's MCP server building guidelines.

Security Improvements

  • CSRF protection on login flow: /login now sets a _csrf_token secure cookie that is validated on /callback, preventing cross-site request forgery attacks on the OAuth flow
  • Content Security Policy headers — The auth success page is now served with Content-Security-Policy, X-Frame-Options: DENY, and X-Content-Type-Options: nosniff headers. Username and session data are sanitized before rendering
  • Typed OAuth resource param fix — Replaced unsafe (oauthReqInfo as any).resource = undefined with properly typed assertion to prevent audience mismatch when Claude.ai sends the full MCP endpoint URL

Reliability Improvements

  • Error handling on all MCP tools — All 17 tool callbacks (6 public + 11 authenticated) are now wrapped in try/catch with user-friendly error messages via a toolError() helper, preventing unhandled exceptions from crashing tool calls
  • Session lookup bug fix: handleUnauthenticatedMcp now checks KV for existing sessions via Mcp-Session-Id header instead of generating a new UUID on every request. This fixes the issue where login worked but subsequent MCP tool calls couldn't find the session
  • Context-aware success page — Auth success page now shows "close this window" for users arriving from an MCP client session, and config instructions for manual /login visitors

Code Quality

  • Tool code deduplication — Eliminated ~500 lines of duplicated tool registration code between OAuth and non-OAuth paths. Single registerAuthenticatedTools with pluggable AuthMessageConfig, where registerAuthenticatedToolsWithOAuth is a 3-line wrapper
  • Deduplicated routes — Removed 5 duplicate route handlers from oauth-handler.ts that were already handled in index-oauth.ts
  • OAuth server factory — Replaced per-request McpServer creation in OAuth handler with shared createMcpServer() factory
  • ABOUTME comments — All 29 source files now have standardized // ABOUTME: header comments
  • Dynamic base URLs — Replaced hardcoded URLs with new URL(request.url).origin derivation
  • Bundle size reduced — From 2824 KiB to 2726 KiB (-98 KiB) by removing duplicate client imports

New Files

  • src/utils/security.ts — CSRF token generation/validation, CSP header builder, HTML sanitization
  • src/mcp/tools/error-handler.ts — Reusable toolError() helper for MCP tool error responses
  • docs/MCP-SERVER-REVIEW.md — Full assessment document with all findings
  • docs/TODO.md — P2 cleanup items for future work

Full Changelog: v2.1.1...v2.2.0

v2.1.1

24 Jan 13:12

What's New

Unauthenticated MCP Access

MCP clients that don't support OAuth 2.1 (like Antigravity, Windsurf) can now connect and use public tools without authentication.

  • Public tools work immediately - track info, artist info, album info, similar artists/tracks
  • Authenticated tools prompt for login - when you try to access personal data, you'll get a helpful message with login instructions
  • Session ID support - the server generates and returns an Mcp-Session-Id header for session continuity

Redesigned Setup Documentation

The marketing page setup section has been completely redesigned:

  • Vertical list layout instead of cramped grid
  • Complete JSON configs for each client (not just snippets)
  • Added setup instructions for:
    • Claude.ai / Claude Desktop
    • Windsurf / Antigravity
    • Claude Code
    • OpenCode
    • Cursor
    • Continue.dev / Zed / Other MCP Clients

Other Changes

  • Standardized test file naming (*.test.ts)
  • Fixed auth_status → lastfm_auth_status typo in README
  • Added implementation plan documentation

Full Changelog

  • Allow unauthenticated MCP initialization for non-OAuth clients
  • Redesign setup section with complete client configurations
  • Add OpenCode setup with correct config format

v2.1.0 - Marketing Page Redesign

12 Dec 22:11

What's New

  • Dark theme with Last.fm red (#d51007) accents
  • Updated setup instructions for Claude.ai, Windsurf, and other MCP clients
  • Sample queries section in 2×2 grid layout
  • Copy buttons on code blocks
  • Red headphone SVG favicon
  • Cleaner, more minimal design

v2.0.0 - OAuth 2.0 Support for All Clients

10 Dec 23:43

Major release with full OAuth 2.0 support for Claude.ai, Claude Desktop, Claude Code, and Windsurf.

What's New

OAuth 2.0 Authentication

  • Full OAuth 2.0 support now works with all major MCP clients
  • No more manual session URL workarounds needed
  • Seamless browser-based authentication flow
  • Persistent sessions across conversations

Bug Fixes

  • Fixed OAuth token audience mismatch with Claude.ai
  • Clear resource parameter in authorize handler to prevent audience being set
  • Strip resource parameter from token requests
  • Updated oauth-protected-resource to return base URL without path

Documentation

Breaking Changes

  • Old OAuth grants have been invalidated (users need to re-authenticate once)

Last.fm MCP Server v1.0.0 - Official Launch

26 Jun 16:45

Hey y'all, happy to call this the first stable release of the Last.fm MCP Server! This production-ready server bridges AI assistants with Last.fm's comprehensive music database.

🌟 What's Included

🎧 Personal Music Data

  • Recent listening history with pagination
  • Top artists, albums, and loved tracks
  • Comprehensive listening statistics
  • Personalized music recommendations

🕰️ Temporal Queries (New Feature)

  • Ask "When did I start listening to Led Zeppelin?"
  • Explore "What was I obsessed with in summer 2023?"
  • Access your complete Last.fm listening history by time period
  • Weekly artist and track charts from any date range

🎵 Public Music Information

  • Detailed track, artist, and album information
  • Music discovery with similar artists and tracks
  • Rich metadata and music recommendations

🔐 Secure & Reliable

  • Last.fm Web Authentication with 7-day sessions
  • Smart caching system optimized for different data types
  • Rate limiting and retry logic built-in
  • Global edge deployment on Cloudflare Workers

🚀 Getting Started

Add to your Claude Desktop config:

 {
   "mcpServers": {
     "lastfm": {
       "command": "npx",
       "args": ["mcp-remote", "https://lastfm-mcp-prod.rian-db8.workers.dev/sse"]
     }
   }
 }

Then ask Claude questions like:

  • "What are my recent tracks?"
  • "When did I start listening to [artist]?"
  • "What was I listening to in [time period]?"
  • "Find artists similar to my favorites"

🎯 Perfect For

  • Music enthusiasts who want AI-powered music insights
  • Developers building music-related AI applications
  • Data analysts exploring personal listening patterns
  • Anyone curious about their musical journey over time

📚 Full Documentation

See the README.md for complete setup instructions, API documentation, and examples.