@adobe/helix-onedrive-support 12.3.11 → 12.4.1

package/CHANGELOG.md

@@ -1,3 +1,17 @@
+## [12.4.1](https://github.com/adobe/helix-onedrive-support/compare/v12.4.0...v12.4.1) (2026-06-23)
+
+
+### Bug Fixes
+
+* **deps:** update external fixes ([#759](https://github.com/adobe/helix-onedrive-support/issues/759)) ([5b86e2b](https://github.com/adobe/helix-onedrive-support/commit/5b86e2b083c9d592bd2730c04a7a66aad8a3ecdd))
+
+# [12.4.0](https://github.com/adobe/helix-onedrive-support/compare/v12.3.11...v12.4.0) (2026-06-11)
+
+
+### Features
+
+* add sanitizeCache to repair MSAL refresh-token cache key mismatches ([#757](https://github.com/adobe/helix-onedrive-support/issues/757)) ([077d05a](https://github.com/adobe/helix-onedrive-support/commit/077d05a28d3d7e87f18281bd933bea049d6978ee))
+
 ## [12.3.11](https://github.com/adobe/helix-onedrive-support/compare/v12.3.10...v12.3.11) (2026-06-08)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adobe/helix-onedrive-support",
-  "version": "12.3.11",
+  "version": "12.4.1",
   "description": "Helix OneDrive Support",
   "main": "src/index.js",
   "exports": {
@@ -30,13 +30,13 @@
     "@adobe/fetch": "^4.2.3",
     "@adobe/helix-shared-string": "^2.1.0",
     "@adobe/helix-shared-tokencache": "^1.4.19",
-    "@azure/msal-common": "16.6.2",
-    "@azure/msal-node": "5.2.2",
+    "@azure/msal-common": "16.7.0",
+    "@azure/msal-node": "5.2.3",
     "jose": "6.2.3"
   },
   "devDependencies": {
     "@adobe/eslint-config-helix": "3.0.28",
-    "@aws-sdk/client-s3": "3.1053.0",
+    "@aws-sdk/client-s3": "3.1064.0",
     "@eslint/config-helpers": "0.6.0",
     "@semantic-release/changelog": "6.0.3",
     "@semantic-release/git": "10.0.1",
@@ -50,12 +50,12 @@
     "jsdoc-to-markdown": "9.1.3",
     "jsdoc-tsimport-plugin": "1.0.5",
     "junit-report-builder": "5.1.2",
-    "lint-staged": "17.0.5",
+    "lint-staged": "17.0.7",
     "mocha": "11.7.6",
     "mocha-multi-reporters": "1.5.1",
     "mocha-suppress-logs": "0.6.0",
     "nock": "14.0.15",
-    "npm": "11.15.0",
+    "npm": "11.16.0",
     "semantic-release": "25.0.3"
   },
   "lint-staged": {

package/src/index.js

@@ -19,3 +19,5 @@ export { Range } from './excel/Range.js';
 export { Table } from './excel/Table.js';
 export { Workbook } from './excel/Workbook.js';
 export { Worksheet } from './excel/Worksheet.js';
+
+export { sanitizeCache } from './sanitizeCache.js';

package/src/sanitizeCache.js

@@ -0,0 +1,87 @@
+/*
+ * Copyright 2026 Adobe. All rights reserved.
+ * This file is licensed to you under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+ * OF ANY KIND, either express or implied. See the License for the specific language
+ * governing permissions and limitations under the License.
+ */
+
+// internals is not part of MSAL's public API — pin @azure/msal-node tightly
+// and revisit if Deserializer is ever exposed publicly.
+import { internals } from '@azure/msal-node';
+
+/**
+ * Derives the canonical MSAL cache key for a refresh token, matching the
+ * format used by MSAL's internal serializer: segments are joined with `-` and
+ * lowercased. Empty realm, target, and tokenType segments are included to keep
+ * the key structure consistent with all other credential types.
+ *
+ * @param {object} refreshToken deserialized MSAL refresh-token entry
+ * @param {string} refreshToken.homeAccountId account identifier
+ * @param {string} refreshToken.environment authority host (e.g. `login.microsoftonline.com`)
+ * @param {string} refreshToken.credentialType always `"RefreshToken"` for this entry type
+ * @param {string} [refreshToken.familyId] family ID for first-party apps; takes precedence over
+ *   clientId
+ * @param {string} refreshToken.clientId application client ID
+ * @returns {string} lowercase hyphen-joined cache key
+ */
+function generateKey(refreshToken) {
+  const {
+    homeAccountId, environment, credentialType, familyId, clientId,
+  } = refreshToken;
+  const credentialKey = [
+    homeAccountId,
+    environment,
+    credentialType,
+    familyId || clientId, // first-party apps share a family token; fall back to clientId
+    '', // realm
+    '', // target
+    '', // tokenType
+  ];
+  return credentialKey.join('-').toLowerCase();
+}
+
+/**
+ * Removes refresh-token entries whose cache key no longer matches the key that
+ * MSAL would generate for them today. This repairs caches that were written by
+ * an older MSAL version using a different key scheme.
+ *
+ * Mutates {@link data}.RefreshToken in place.
+ *
+ * If all tokens are outdated the cache is left untouched and a warning is
+ * logged, because wiping every token would sign out all active sessions.
+ *
+ * @param {object} data raw MSAL serialized cache (JSON-parsed)
+ * @param {{ info: Function, warn: Function }} log logger instance
+ */
+export function sanitizeCache(data, log) {
+  const deserialized = internals.Deserializer.deserializeAllCache(data);
+  const { refreshTokens } = deserialized;
+
+  const outdatedKeys = [];
+  for (const [actualKey, refreshToken] of Object.entries(refreshTokens)) {
+    const expectedKey = generateKey(refreshToken);
+    if (actualKey !== expectedKey) {
+      outdatedKeys.push(actualKey);
+    }
+  }
+  if (outdatedKeys.length === 0) {
+    return;
+  }
+
+  // If every token is outdated the key scheme itself probably changed; removing
+  // them all would revoke all sessions, so bail out and let the caller decide.
+  if (Object.keys(refreshTokens).length === outdatedKeys.length) {
+    log.warn('All refresh tokens have an unexpected key, generation might have changed.');
+    return;
+  }
+
+  for (const key of outdatedKeys) {
+    delete data.RefreshToken[key];
+    log.info(`Removed RefreshToken with key: ${key}`);
+  }
+}