@dashflow/ms365-mcp-server 1.0.0

package/dist/auth-tools.js

@@ -0,0 +1,202 @@
+import { z } from "zod";
+function registerAuthTools(server, authManager) {
+  server.tool(
+    "login",
+    "Authenticate with Microsoft using device code flow",
+    {
+      force: z.boolean().default(false).describe("Force a new login even if already logged in")
+    },
+    async ({ force }) => {
+      try {
+        if (!force) {
+          const loginStatus = await authManager.testLogin();
+          if (loginStatus.success) {
+            return {
+              content: [
+                {
+                  type: "text",
+                  text: JSON.stringify({
+                    status: "Already logged in",
+                    ...loginStatus
+                  })
+                }
+              ]
+            };
+          }
+        }
+        const text = await new Promise((resolve, reject) => {
+          authManager.acquireTokenByDeviceCode(resolve).catch(reject);
+        });
+        return {
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify({
+                error: "device_code_required",
+                message: text.trim()
+              })
+            }
+          ]
+        };
+      } catch (error) {
+        return {
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify({ error: `Authentication failed: ${error.message}` })
+            }
+          ]
+        };
+      }
+    }
+  );
+  server.tool("logout", "Log out from Microsoft account", {}, async () => {
+    try {
+      await authManager.logout();
+      return {
+        content: [
+          {
+            type: "text",
+            text: JSON.stringify({ message: "Logged out successfully" })
+          }
+        ]
+      };
+    } catch {
+      return {
+        content: [
+          {
+            type: "text",
+            text: JSON.stringify({ error: "Logout failed" })
+          }
+        ]
+      };
+    }
+  });
+  server.tool("verify-login", "Check current Microsoft authentication status", {}, async () => {
+    const testResult = await authManager.testLogin();
+    return {
+      content: [
+        {
+          type: "text",
+          text: JSON.stringify(testResult)
+        }
+      ]
+    };
+  });
+  server.tool("list-accounts", "List all available Microsoft accounts", {}, async () => {
+    try {
+      const accounts = await authManager.listAccounts();
+      const selectedAccountId = authManager.getSelectedAccountId();
+      const result = accounts.map((account) => ({
+        id: account.homeAccountId,
+        username: account.username,
+        name: account.name,
+        selected: account.homeAccountId === selectedAccountId
+      }));
+      return {
+        content: [
+          {
+            type: "text",
+            text: JSON.stringify({ accounts: result })
+          }
+        ]
+      };
+    } catch (error) {
+      return {
+        content: [
+          {
+            type: "text",
+            text: JSON.stringify({ error: `Failed to list accounts: ${error.message}` })
+          }
+        ]
+      };
+    }
+  });
+  server.tool(
+    "select-account",
+    "Select a specific Microsoft account to use",
+    {
+      accountId: z.string().describe("The account ID to select")
+    },
+    async ({ accountId }) => {
+      try {
+        const success = await authManager.selectAccount(accountId);
+        if (success) {
+          return {
+            content: [
+              {
+                type: "text",
+                text: JSON.stringify({ message: `Selected account: ${accountId}` })
+              }
+            ]
+          };
+        } else {
+          return {
+            content: [
+              {
+                type: "text",
+                text: JSON.stringify({ error: `Account not found: ${accountId}` })
+              }
+            ]
+          };
+        }
+      } catch (error) {
+        return {
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify({
+                error: `Failed to select account: ${error.message}`
+              })
+            }
+          ]
+        };
+      }
+    }
+  );
+  server.tool(
+    "remove-account",
+    "Remove a Microsoft account from the cache",
+    {
+      accountId: z.string().describe("The account ID to remove")
+    },
+    async ({ accountId }) => {
+      try {
+        const success = await authManager.removeAccount(accountId);
+        if (success) {
+          return {
+            content: [
+              {
+                type: "text",
+                text: JSON.stringify({ message: `Removed account: ${accountId}` })
+              }
+            ]
+          };
+        } else {
+          return {
+            content: [
+              {
+                type: "text",
+                text: JSON.stringify({ error: `Account not found: ${accountId}` })
+              }
+            ]
+          };
+        }
+      } catch (error) {
+        return {
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify({
+                error: `Failed to remove account: ${error.message}`
+              })
+            }
+          ]
+        };
+      }
+    }
+  );
+}
+export {
+  registerAuthTools
+};

package/dist/auth.js

@@ -0,0 +1,422 @@
+import { PublicClientApplication } from "@azure/msal-node";
+import logger from "./logger.js";
+import fs, { existsSync, readFileSync } from "fs";
+import { fileURLToPath } from "url";
+import path from "path";
+import { getSecrets } from "./secrets.js";
+import { getCloudEndpoints, getDefaultClientId } from "./cloud-config.js";
+let keytar = null;
+async function getKeytar() {
+  if (keytar === void 0) {
+    return null;
+  }
+  if (keytar === null) {
+    try {
+      keytar = await import("keytar");
+      return keytar;
+    } catch (error) {
+      logger.info("keytar not available, using file-based credential storage");
+      keytar = void 0;
+      return null;
+    }
+  }
+  return keytar;
+}
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+const endpointsData = JSON.parse(
+  readFileSync(path.join(__dirname, "endpoints.json"), "utf8")
+);
+const endpoints = {
+  default: endpointsData
+};
+const SERVICE_NAME = "ms-365-mcp-server";
+const TOKEN_CACHE_ACCOUNT = "msal-token-cache";
+const SELECTED_ACCOUNT_KEY = "selected-account";
+const FALLBACK_DIR = path.dirname(fileURLToPath(import.meta.url));
+const FALLBACK_PATH = path.join(FALLBACK_DIR, "..", ".token-cache.json");
+const SELECTED_ACCOUNT_PATH = path.join(FALLBACK_DIR, "..", ".selected-account.json");
+function createMsalConfig(secrets) {
+  const cloudEndpoints = getCloudEndpoints(secrets.cloudType);
+  return {
+    auth: {
+      clientId: secrets.clientId || getDefaultClientId(secrets.cloudType),
+      authority: `${cloudEndpoints.authority}/${secrets.tenantId || "common"}`
+    }
+  };
+}
+const SCOPE_HIERARCHY = {
+  "Mail.ReadWrite": ["Mail.Read"],
+  "Calendars.ReadWrite": ["Calendars.Read"],
+  "Files.ReadWrite": ["Files.Read"],
+  "Tasks.ReadWrite": ["Tasks.Read"],
+  "Contacts.ReadWrite": ["Contacts.Read"]
+};
+function buildScopesFromEndpoints(includeWorkAccountScopes = false, enabledToolsPattern) {
+  const scopesSet = /* @__PURE__ */ new Set();
+  let enabledToolsRegex;
+  if (enabledToolsPattern) {
+    try {
+      enabledToolsRegex = new RegExp(enabledToolsPattern, "i");
+      logger.info(`Building scopes with tool filter pattern: ${enabledToolsPattern}`);
+    } catch (error) {
+      logger.error(
+        `Invalid tool filter regex pattern: ${enabledToolsPattern}. Building scopes without filter.`
+      );
+    }
+  }
+  endpoints.default.forEach((endpoint) => {
+    if (enabledToolsRegex && !enabledToolsRegex.test(endpoint.toolName)) {
+      return;
+    }
+    if (!includeWorkAccountScopes && !endpoint.scopes && endpoint.workScopes) {
+      return;
+    }
+    if (endpoint.scopes && Array.isArray(endpoint.scopes)) {
+      endpoint.scopes.forEach((scope) => scopesSet.add(scope));
+    }
+    if (includeWorkAccountScopes && endpoint.workScopes && Array.isArray(endpoint.workScopes)) {
+      endpoint.workScopes.forEach((scope) => scopesSet.add(scope));
+    }
+  });
+  Object.entries(SCOPE_HIERARCHY).forEach(([higherScope, lowerScopes]) => {
+    if (scopesSet.has(higherScope) && lowerScopes.every((scope) => scopesSet.has(scope))) {
+      lowerScopes.forEach((scope) => scopesSet.delete(scope));
+    }
+  });
+  const scopes = Array.from(scopesSet);
+  if (enabledToolsPattern) {
+    logger.info(`Built ${scopes.length} scopes for filtered tools: ${scopes.join(", ")}`);
+  }
+  return scopes;
+}
+class AuthManager {
+  constructor(config, scopes = buildScopesFromEndpoints()) {
+    logger.info(`And scopes are ${scopes.join(", ")}`, scopes);
+    this.config = config;
+    this.scopes = scopes;
+    this.msalApp = new PublicClientApplication(this.config);
+    this.accessToken = null;
+    this.tokenExpiry = null;
+    this.selectedAccountId = null;
+    const oauthTokenFromEnv = process.env.MS365_MCP_OAUTH_TOKEN;
+    this.oauthToken = oauthTokenFromEnv ?? null;
+    this.isOAuthMode = oauthTokenFromEnv != null;
+  }
+  /**
+   * Creates an AuthManager instance with secrets loaded from the configured provider.
+   * Uses Key Vault if MS365_MCP_KEYVAULT_URL is set, otherwise environment variables.
+   */
+  static async create(scopes = buildScopesFromEndpoints()) {
+    const secrets = await getSecrets();
+    const config = createMsalConfig(secrets);
+    return new AuthManager(config, scopes);
+  }
+  async loadTokenCache() {
+    try {
+      let cacheData;
+      try {
+        const kt = await getKeytar();
+        if (kt) {
+          const cachedData = await kt.getPassword(SERVICE_NAME, TOKEN_CACHE_ACCOUNT);
+          if (cachedData) {
+            cacheData = cachedData;
+          }
+        }
+      } catch (keytarError) {
+        logger.warn(
+          `Keychain access failed, falling back to file storage: ${keytarError.message}`
+        );
+      }
+      if (!cacheData && existsSync(FALLBACK_PATH)) {
+        cacheData = readFileSync(FALLBACK_PATH, "utf8");
+      }
+      if (cacheData) {
+        this.msalApp.getTokenCache().deserialize(cacheData);
+      }
+      await this.loadSelectedAccount();
+    } catch (error) {
+      logger.error(`Error loading token cache: ${error.message}`);
+    }
+  }
+  async loadSelectedAccount() {
+    try {
+      let selectedAccountData;
+      try {
+        const kt = await getKeytar();
+        if (kt) {
+          const cachedData = await kt.getPassword(SERVICE_NAME, SELECTED_ACCOUNT_KEY);
+          if (cachedData) {
+            selectedAccountData = cachedData;
+          }
+        }
+      } catch (keytarError) {
+        logger.warn(
+          `Keychain access failed for selected account, falling back to file storage: ${keytarError.message}`
+        );
+      }
+      if (!selectedAccountData && existsSync(SELECTED_ACCOUNT_PATH)) {
+        selectedAccountData = readFileSync(SELECTED_ACCOUNT_PATH, "utf8");
+      }
+      if (selectedAccountData) {
+        const parsed = JSON.parse(selectedAccountData);
+        this.selectedAccountId = parsed.accountId;
+        logger.info(`Loaded selected account: ${this.selectedAccountId}`);
+      }
+    } catch (error) {
+      logger.error(`Error loading selected account: ${error.message}`);
+    }
+  }
+  async saveTokenCache() {
+    try {
+      const cacheData = this.msalApp.getTokenCache().serialize();
+      try {
+        const kt = await getKeytar();
+        if (kt) {
+          await kt.setPassword(SERVICE_NAME, TOKEN_CACHE_ACCOUNT, cacheData);
+        } else {
+          fs.writeFileSync(FALLBACK_PATH, cacheData, { mode: 384 });
+        }
+      } catch (keytarError) {
+        logger.warn(
+          `Keychain save failed, falling back to file storage: ${keytarError.message}`
+        );
+        fs.writeFileSync(FALLBACK_PATH, cacheData, { mode: 384 });
+      }
+    } catch (error) {
+      logger.error(`Error saving token cache: ${error.message}`);
+    }
+  }
+  async saveSelectedAccount() {
+    try {
+      const selectedAccountData = JSON.stringify({ accountId: this.selectedAccountId });
+      try {
+        const kt = await getKeytar();
+        if (kt) {
+          await kt.setPassword(SERVICE_NAME, SELECTED_ACCOUNT_KEY, selectedAccountData);
+        } else {
+          fs.writeFileSync(SELECTED_ACCOUNT_PATH, selectedAccountData, { mode: 384 });
+        }
+      } catch (keytarError) {
+        logger.warn(
+          `Keychain save failed for selected account, falling back to file storage: ${keytarError.message}`
+        );
+        fs.writeFileSync(SELECTED_ACCOUNT_PATH, selectedAccountData, { mode: 384 });
+      }
+    } catch (error) {
+      logger.error(`Error saving selected account: ${error.message}`);
+    }
+  }
+  async setOAuthToken(token) {
+    this.oauthToken = token;
+    this.isOAuthMode = true;
+  }
+  async getToken(forceRefresh = false) {
+    if (this.isOAuthMode && this.oauthToken) {
+      return this.oauthToken;
+    }
+    if (this.accessToken && this.tokenExpiry && this.tokenExpiry > Date.now() && !forceRefresh) {
+      return this.accessToken;
+    }
+    const currentAccount = await this.getCurrentAccount();
+    if (currentAccount) {
+      const silentRequest = {
+        account: currentAccount,
+        scopes: this.scopes
+      };
+      try {
+        const response = await this.msalApp.acquireTokenSilent(silentRequest);
+        this.accessToken = response.accessToken;
+        this.tokenExpiry = response.expiresOn ? new Date(response.expiresOn).getTime() : null;
+        return this.accessToken;
+      } catch {
+        logger.error("Silent token acquisition failed");
+        throw new Error("Silent token acquisition failed");
+      }
+    }
+    throw new Error("No valid token found");
+  }
+  async getCurrentAccount() {
+    const accounts = await this.msalApp.getTokenCache().getAllAccounts();
+    if (accounts.length === 0) {
+      return null;
+    }
+    if (this.selectedAccountId) {
+      const selectedAccount = accounts.find(
+        (account) => account.homeAccountId === this.selectedAccountId
+      );
+      if (selectedAccount) {
+        return selectedAccount;
+      }
+      logger.warn(
+        `Selected account ${this.selectedAccountId} not found, falling back to first account`
+      );
+    }
+    return accounts[0];
+  }
+  async acquireTokenByDeviceCode(hack) {
+    const deviceCodeRequest = {
+      scopes: this.scopes,
+      deviceCodeCallback: (response) => {
+        const text = ["\n", response.message, "\n"].join("");
+        if (hack) {
+          hack(text + 'After login run the "verify login" command');
+        } else {
+          console.log(text);
+        }
+        logger.info("Device code login initiated");
+      }
+    };
+    try {
+      logger.info("Requesting device code...");
+      logger.info(`Requesting scopes: ${this.scopes.join(", ")}`);
+      const response = await this.msalApp.acquireTokenByDeviceCode(deviceCodeRequest);
+      logger.info(`Granted scopes: ${response?.scopes?.join(", ") || "none"}`);
+      logger.info("Device code login successful");
+      this.accessToken = response?.accessToken || null;
+      this.tokenExpiry = response?.expiresOn ? new Date(response.expiresOn).getTime() : null;
+      if (!this.selectedAccountId && response?.account) {
+        this.selectedAccountId = response.account.homeAccountId;
+        await this.saveSelectedAccount();
+        logger.info(`Auto-selected new account: ${response.account.username}`);
+      }
+      await this.saveTokenCache();
+      return this.accessToken;
+    } catch (error) {
+      logger.error(`Error in device code flow: ${error.message}`);
+      throw error;
+    }
+  }
+  async testLogin() {
+    try {
+      logger.info("Testing login...");
+      const token = await this.getToken();
+      if (!token) {
+        logger.error("Login test failed - no token received");
+        return {
+          success: false,
+          message: "Login failed - no token received"
+        };
+      }
+      logger.info("Token retrieved successfully, testing Graph API access...");
+      try {
+        const secrets = await getSecrets();
+        const cloudEndpoints = getCloudEndpoints(secrets.cloudType);
+        const response = await fetch(`${cloudEndpoints.graphApi}/v1.0/me`, {
+          headers: {
+            Authorization: `Bearer ${token}`
+          }
+        });
+        if (response.ok) {
+          const userData = await response.json();
+          logger.info("Graph API user data fetch successful");
+          return {
+            success: true,
+            message: "Login successful",
+            userData: {
+              displayName: userData.displayName,
+              userPrincipalName: userData.userPrincipalName
+            }
+          };
+        } else {
+          const errorText = await response.text();
+          logger.error(`Graph API user data fetch failed: ${response.status} - ${errorText}`);
+          return {
+            success: false,
+            message: `Login successful but Graph API access failed: ${response.status}`
+          };
+        }
+      } catch (graphError) {
+        logger.error(`Error fetching user data: ${graphError.message}`);
+        return {
+          success: false,
+          message: `Login successful but Graph API access failed: ${graphError.message}`
+        };
+      }
+    } catch (error) {
+      logger.error(`Login test failed: ${error.message}`);
+      return {
+        success: false,
+        message: `Login failed: ${error.message}`
+      };
+    }
+  }
+  async logout() {
+    try {
+      const accounts = await this.msalApp.getTokenCache().getAllAccounts();
+      for (const account of accounts) {
+        await this.msalApp.getTokenCache().removeAccount(account);
+      }
+      this.accessToken = null;
+      this.tokenExpiry = null;
+      this.selectedAccountId = null;
+      try {
+        const kt = await getKeytar();
+        if (kt) {
+          await kt.deletePassword(SERVICE_NAME, TOKEN_CACHE_ACCOUNT);
+          await kt.deletePassword(SERVICE_NAME, SELECTED_ACCOUNT_KEY);
+        }
+      } catch (keytarError) {
+        logger.warn(`Keychain deletion failed: ${keytarError.message}`);
+      }
+      if (fs.existsSync(FALLBACK_PATH)) {
+        fs.unlinkSync(FALLBACK_PATH);
+      }
+      if (fs.existsSync(SELECTED_ACCOUNT_PATH)) {
+        fs.unlinkSync(SELECTED_ACCOUNT_PATH);
+      }
+      return true;
+    } catch (error) {
+      logger.error(`Error during logout: ${error.message}`);
+      throw error;
+    }
+  }
+  // Multi-account support methods
+  async listAccounts() {
+    return await this.msalApp.getTokenCache().getAllAccounts();
+  }
+  async selectAccount(accountId) {
+    const accounts = await this.listAccounts();
+    const account = accounts.find((acc) => acc.homeAccountId === accountId);
+    if (!account) {
+      logger.error(`Account with ID ${accountId} not found`);
+      return false;
+    }
+    this.selectedAccountId = accountId;
+    await this.saveSelectedAccount();
+    this.accessToken = null;
+    this.tokenExpiry = null;
+    logger.info(`Selected account: ${account.username} (${accountId})`);
+    return true;
+  }
+  async removeAccount(accountId) {
+    const accounts = await this.listAccounts();
+    const account = accounts.find((acc) => acc.homeAccountId === accountId);
+    if (!account) {
+      logger.error(`Account with ID ${accountId} not found`);
+      return false;
+    }
+    try {
+      await this.msalApp.getTokenCache().removeAccount(account);
+      if (this.selectedAccountId === accountId) {
+        this.selectedAccountId = null;
+        await this.saveSelectedAccount();
+        this.accessToken = null;
+        this.tokenExpiry = null;
+      }
+      logger.info(`Removed account: ${account.username} (${accountId})`);
+      return true;
+    } catch (error) {
+      logger.error(`Failed to remove account ${accountId}: ${error.message}`);
+      return false;
+    }
+  }
+  getSelectedAccountId() {
+    return this.selectedAccountId;
+  }
+}
+var auth_default = AuthManager;
+export {
+  buildScopesFromEndpoints,
+  auth_default as default
+};

package/dist/cli.js

@@ -0,0 +1,78 @@
+import { Command } from "commander";
+import { readFileSync } from "fs";
+import path from "path";
+import { fileURLToPath } from "url";
+import { getCombinedPresetPattern, listPresets, presetRequiresOrgMode } from "./tool-categories.js";
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const packageJsonPath = path.join(__dirname, "..", "package.json");
+const packageJson = JSON.parse(readFileSync(packageJsonPath, "utf8"));
+const version = packageJson.version;
+const program = new Command();
+program.name("ms-365-mcp-server").description("Microsoft 365 MCP Server").version(version).option("-v", "Enable verbose logging").option("--login", "Login using device code flow").option("--logout", "Log out and clear saved credentials").option("--verify-login", "Verify login without starting the server").option("--list-accounts", "List all cached accounts").option("--select-account <accountId>", "Select a specific account by ID").option("--remove-account <accountId>", "Remove a specific account by ID").option("--read-only", "Start server in read-only mode, disabling write operations").option(
+  "--http [address]",
+  'Use Streamable HTTP transport instead of stdio. Format: [host:]port (e.g., "localhost:3000", ":3000", "3000"). Default: all interfaces on port 3000'
+).option(
+  "--enable-auth-tools",
+  "Enable login/logout tools when using HTTP mode (disabled by default in HTTP mode)"
+).option(
+  "--enabled-tools <pattern>",
+  'Filter tools using regex pattern (e.g., "excel|contact" to enable Excel and Contact tools)'
+).option(
+  "--preset <names>",
+  "Use preset tool categories (comma-separated). Available: mail, calendar, files, personal, work, excel, contacts, tasks, onenote, search, users, all"
+).option("--list-presets", "List all available presets and exit").option(
+  "--org-mode",
+  "Enable organization/work mode from start (includes Teams, SharePoint, etc.)"
+).option("--work-mode", "Alias for --org-mode").option("--force-work-scopes", "Backwards compatibility alias for --org-mode (deprecated)").option("--toon", "(experimental) Enable TOON output format for 30-60% token reduction").option("--discovery", "Enable runtime tool discovery and loading (experimental feature)").option("--cloud <type>", "Microsoft cloud environment: global (default) or china (21Vianet)").option(
+  "--enable-dynamic-registration",
+  "Enable OAuth Dynamic Client Registration endpoint (required for some MCP clients like Open WebUI)"
+);
+function parseArgs() {
+  program.parse();
+  const options = program.opts();
+  if (options.listPresets) {
+    const presets = listPresets();
+    console.log(JSON.stringify({ presets }, null, 2));
+    process.exit(0);
+  }
+  if (options.preset) {
+    const presetNames = options.preset.split(",").map((p) => p.trim());
+    try {
+      options.enabledTools = getCombinedPresetPattern(presetNames);
+      const requiresOrgMode = presetNames.some((preset) => presetRequiresOrgMode(preset));
+      if (requiresOrgMode && !options.orgMode) {
+        console.warn(
+          `Warning: Preset(s) [${presetNames.filter((p) => presetRequiresOrgMode(p)).join(", ")}] require --org-mode to function properly`
+        );
+      }
+    } catch (error) {
+      console.error(`Error: ${error.message}`);
+      process.exit(1);
+    }
+  }
+  if (process.env.READ_ONLY === "true" || process.env.READ_ONLY === "1") {
+    options.readOnly = true;
+  }
+  if (process.env.ENABLED_TOOLS) {
+    options.enabledTools = process.env.ENABLED_TOOLS;
+  }
+  if (process.env.MS365_MCP_ORG_MODE === "true" || process.env.MS365_MCP_ORG_MODE === "1") {
+    options.orgMode = true;
+  }
+  if (process.env.MS365_MCP_FORCE_WORK_SCOPES === "true" || process.env.MS365_MCP_FORCE_WORK_SCOPES === "1") {
+    options.forceWorkScopes = true;
+  }
+  if (options.workMode || options.forceWorkScopes) {
+    options.orgMode = true;
+  }
+  if (process.env.MS365_MCP_OUTPUT_FORMAT === "toon") {
+    options.toon = true;
+  }
+  if (options.cloud) {
+    process.env.MS365_MCP_CLOUD_TYPE = options.cloud;
+  }
+  return options;
+}
+export {
+  parseArgs
+};