@dashflow/ms365-mcp-server 1.0.0

package/dist/index.js

@@ -0,0 +1,76 @@
+#!/usr/bin/env node
+import "dotenv/config";
+import { parseArgs } from "./cli.js";
+import logger from "./logger.js";
+import AuthManager, { buildScopesFromEndpoints } from "./auth.js";
+import MicrosoftGraphServer from "./server.js";
+import { version } from "./version.js";
+async function main() {
+  try {
+    const args = parseArgs();
+    const includeWorkScopes = args.orgMode || false;
+    if (includeWorkScopes) {
+      logger.info("Organization mode enabled - including work account scopes");
+    }
+    const scopes = buildScopesFromEndpoints(includeWorkScopes, args.enabledTools);
+    const authManager = await AuthManager.create(scopes);
+    await authManager.loadTokenCache();
+    if (args.login) {
+      await authManager.acquireTokenByDeviceCode();
+      logger.info("Login completed, testing connection with Graph API...");
+      const result = await authManager.testLogin();
+      console.log(JSON.stringify(result));
+      process.exit(0);
+    }
+    if (args.verifyLogin) {
+      logger.info("Verifying login...");
+      const result = await authManager.testLogin();
+      console.log(JSON.stringify(result));
+      process.exit(0);
+    }
+    if (args.logout) {
+      await authManager.logout();
+      console.log(JSON.stringify({ message: "Logged out successfully" }));
+      process.exit(0);
+    }
+    if (args.listAccounts) {
+      const accounts = await authManager.listAccounts();
+      const selectedAccountId = authManager.getSelectedAccountId();
+      const result = accounts.map((account) => ({
+        id: account.homeAccountId,
+        username: account.username,
+        name: account.name,
+        selected: account.homeAccountId === selectedAccountId
+      }));
+      console.log(JSON.stringify({ accounts: result }));
+      process.exit(0);
+    }
+    if (args.selectAccount) {
+      const success = await authManager.selectAccount(args.selectAccount);
+      if (success) {
+        console.log(JSON.stringify({ message: `Selected account: ${args.selectAccount}` }));
+      } else {
+        console.log(JSON.stringify({ error: `Account not found: ${args.selectAccount}` }));
+        process.exit(1);
+      }
+      process.exit(0);
+    }
+    if (args.removeAccount) {
+      const success = await authManager.removeAccount(args.removeAccount);
+      if (success) {
+        console.log(JSON.stringify({ message: `Removed account: ${args.removeAccount}` }));
+      } else {
+        console.log(JSON.stringify({ error: `Account not found: ${args.removeAccount}` }));
+        process.exit(1);
+      }
+      process.exit(0);
+    }
+    const server = new MicrosoftGraphServer(authManager, args);
+    await server.initialize(version);
+    await server.start();
+  } catch (error) {
+    logger.error(`Startup error: ${error}`);
+    process.exit(1);
+  }
+}
+main();

package/dist/lib/microsoft-auth.js

@@ -0,0 +1,73 @@
+import logger from "../logger.js";
+import { getCloudEndpoints } from "../cloud-config.js";
+const microsoftBearerTokenAuthMiddleware = (req, res, next) => {
+  const authHeader = req.headers.authorization;
+  if (!authHeader || !authHeader.startsWith("Bearer ")) {
+    res.status(401).json({ error: "Missing or invalid access token" });
+    return;
+  }
+  const accessToken = authHeader.substring(7);
+  const refreshToken = req.headers["x-microsoft-refresh-token"] || "";
+  req.microsoftAuth = {
+    accessToken,
+    refreshToken
+  };
+  next();
+};
+async function exchangeCodeForToken(code, redirectUri, clientId, clientSecret, tenantId = "common", codeVerifier, cloudType = "global") {
+  const cloudEndpoints = getCloudEndpoints(cloudType);
+  const params = new URLSearchParams({
+    grant_type: "authorization_code",
+    code,
+    redirect_uri: redirectUri,
+    client_id: clientId
+  });
+  if (clientSecret) {
+    params.append("client_secret", clientSecret);
+  }
+  if (codeVerifier) {
+    params.append("code_verifier", codeVerifier);
+  }
+  const response = await fetch(`${cloudEndpoints.authority}/${tenantId}/oauth2/v2.0/token`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded"
+    },
+    body: params
+  });
+  if (!response.ok) {
+    const error = await response.text();
+    logger.error(`Failed to exchange code for token: ${error}`);
+    throw new Error(`Failed to exchange code for token: ${error}`);
+  }
+  return response.json();
+}
+async function refreshAccessToken(refreshToken, clientId, clientSecret, tenantId = "common", cloudType = "global") {
+  const cloudEndpoints = getCloudEndpoints(cloudType);
+  const params = new URLSearchParams({
+    grant_type: "refresh_token",
+    refresh_token: refreshToken,
+    client_id: clientId
+  });
+  if (clientSecret) {
+    params.append("client_secret", clientSecret);
+  }
+  const response = await fetch(`${cloudEndpoints.authority}/${tenantId}/oauth2/v2.0/token`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded"
+    },
+    body: params
+  });
+  if (!response.ok) {
+    const error = await response.text();
+    logger.error(`Failed to refresh token: ${error}`);
+    throw new Error(`Failed to refresh token: ${error}`);
+  }
+  return response.json();
+}
+export {
+  exchangeCodeForToken,
+  microsoftBearerTokenAuthMiddleware,
+  refreshAccessToken
+};

package/dist/logger.js

@@ -0,0 +1,42 @@
+import winston from "winston";
+import path from "path";
+import { fileURLToPath } from "url";
+import fs from "fs";
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const logsDir = path.join(__dirname, "..", "logs");
+if (!fs.existsSync(logsDir)) {
+  fs.mkdirSync(logsDir);
+}
+const logger = winston.createLogger({
+  level: process.env.LOG_LEVEL || "info",
+  format: winston.format.combine(
+    winston.format.timestamp({
+      format: "YYYY-MM-DD HH:mm:ss"
+    }),
+    winston.format.printf(({ level, message, timestamp }) => {
+      return `${timestamp} ${level.toUpperCase()}: ${message}`;
+    })
+  ),
+  transports: [
+    new winston.transports.File({
+      filename: path.join(logsDir, "error.log"),
+      level: "error"
+    }),
+    new winston.transports.File({
+      filename: path.join(logsDir, "mcp-server.log")
+    })
+  ]
+});
+const enableConsoleLogging = () => {
+  logger.add(
+    new winston.transports.Console({
+      format: winston.format.combine(winston.format.colorize(), winston.format.simple()),
+      silent: process.env.SILENT === "true" || process.env.SILENT === "1"
+    })
+  );
+};
+var logger_default = logger;
+export {
+  logger_default as default,
+  enableConsoleLogging
+};

package/dist/oauth-provider.js

@@ -0,0 +1,51 @@
+import { ProxyOAuthServerProvider } from "@modelcontextprotocol/sdk/server/auth/providers/proxyProvider.js";
+import logger from "./logger.js";
+import { getCloudEndpoints } from "./cloud-config.js";
+class MicrosoftOAuthProvider extends ProxyOAuthServerProvider {
+  constructor(authManager, secrets) {
+    const tenantId = secrets.tenantId || "common";
+    const clientId = secrets.clientId;
+    const cloudEndpoints = getCloudEndpoints(secrets.cloudType);
+    super({
+      endpoints: {
+        authorizationUrl: `${cloudEndpoints.authority}/${tenantId}/oauth2/v2.0/authorize`,
+        tokenUrl: `${cloudEndpoints.authority}/${tenantId}/oauth2/v2.0/token`,
+        revocationUrl: `${cloudEndpoints.authority}/${tenantId}/oauth2/v2.0/logout`
+      },
+      verifyAccessToken: async (token) => {
+        try {
+          const response = await fetch(`${cloudEndpoints.graphApi}/v1.0/me`, {
+            headers: {
+              Authorization: `Bearer ${token}`
+            }
+          });
+          if (response.ok) {
+            const userData = await response.json();
+            logger.info(`OAuth token verified for user: ${userData.userPrincipalName}`);
+            await authManager.setOAuthToken(token);
+            return {
+              token,
+              clientId,
+              scopes: []
+            };
+          } else {
+            throw new Error(`Token verification failed: ${response.status}`);
+          }
+        } catch (error) {
+          logger.error(`OAuth token verification error: ${error}`);
+          throw error;
+        }
+      },
+      getClient: async (client_id) => {
+        return {
+          client_id,
+          redirect_uris: ["http://localhost:3000/callback"]
+        };
+      }
+    });
+    this.authManager = authManager;
+  }
+}
+export {
+  MicrosoftOAuthProvider
+};

package/dist/request-context.js

@@ -0,0 +1,9 @@
+import { AsyncLocalStorage } from "node:async_hooks";
+const requestContext = new AsyncLocalStorage();
+function getRequestTokens() {
+  return requestContext.getStore();
+}
+export {
+  getRequestTokens,
+  requestContext
+};

package/dist/secrets.js

@@ -0,0 +1,68 @@
+import logger from "./logger.js";
+import { parseCloudType, getDefaultClientId } from "./cloud-config.js";
+class EnvironmentSecretsProvider {
+  async getSecrets() {
+    const cloudType = parseCloudType(process.env.MS365_MCP_CLOUD_TYPE);
+    return {
+      clientId: process.env.MS365_MCP_CLIENT_ID || getDefaultClientId(cloudType),
+      tenantId: process.env.MS365_MCP_TENANT_ID || "common",
+      clientSecret: process.env.MS365_MCP_CLIENT_SECRET,
+      cloudType
+    };
+  }
+}
+class KeyVaultSecretsProvider {
+  constructor(vaultUrl) {
+    this.vaultUrl = vaultUrl;
+  }
+  async getSecrets() {
+    const { DefaultAzureCredential } = await import("@azure/identity");
+    const { SecretClient } = await import("@azure/keyvault-secrets");
+    const credential = new DefaultAzureCredential();
+    const client = new SecretClient(this.vaultUrl, credential);
+    logger.info(`Fetching secrets from Key Vault: ${this.vaultUrl}`);
+    const [clientIdSecret, tenantIdSecret, clientSecretResult, cloudTypeResult] = await Promise.all(
+      [
+        client.getSecret("ms365-mcp-client-id"),
+        client.getSecret("ms365-mcp-tenant-id").catch(() => null),
+        client.getSecret("ms365-mcp-client-secret").catch(() => null),
+        client.getSecret("ms365-mcp-cloud-type").catch(() => null)
+      ]
+    );
+    if (!clientIdSecret.value) {
+      throw new Error("Required secret ms365-mcp-client-id not found in Key Vault");
+    }
+    logger.info("Successfully retrieved secrets from Key Vault");
+    return {
+      clientId: clientIdSecret.value,
+      tenantId: tenantIdSecret?.value || "common",
+      clientSecret: clientSecretResult?.value,
+      cloudType: parseCloudType(cloudTypeResult?.value)
+    };
+  }
+}
+function createSecretsProvider() {
+  const vaultUrl = process.env.MS365_MCP_KEYVAULT_URL;
+  if (vaultUrl) {
+    logger.info("Key Vault URL configured, using Azure Key Vault for secrets");
+    return new KeyVaultSecretsProvider(vaultUrl);
+  }
+  logger.info("Using environment variables for secrets");
+  return new EnvironmentSecretsProvider();
+}
+let cachedSecrets = null;
+async function getSecrets() {
+  if (cachedSecrets) {
+    return cachedSecrets;
+  }
+  const provider = createSecretsProvider();
+  cachedSecrets = await provider.getSecrets();
+  return cachedSecrets;
+}
+function clearSecretsCache() {
+  cachedSecrets = null;
+}
+export {
+  clearSecretsCache,
+  getSecrets
+};