@dashflow/ms365-mcp-server 1.0.0

package/dist/server.js

@@ -0,0 +1,387 @@
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
+import { mcpAuthRouter } from "@modelcontextprotocol/sdk/server/auth/router.js";
+import express from "express";
+import logger, { enableConsoleLogging } from "./logger.js";
+import { registerAuthTools } from "./auth-tools.js";
+import { registerGraphTools, registerDiscoveryTools } from "./graph-tools.js";
+import GraphClient from "./graph-client.js";
+import { buildScopesFromEndpoints } from "./auth.js";
+import { MicrosoftOAuthProvider } from "./oauth-provider.js";
+import {
+  exchangeCodeForToken,
+  microsoftBearerTokenAuthMiddleware,
+  refreshAccessToken
+} from "./lib/microsoft-auth.js";
+import { getSecrets } from "./secrets.js";
+import { getCloudEndpoints } from "./cloud-config.js";
+import { requestContext } from "./request-context.js";
+function parseHttpOption(httpOption) {
+  if (typeof httpOption === "boolean") {
+    return { host: void 0, port: 3e3 };
+  }
+  const httpString = httpOption.trim();
+  if (httpString.includes(":")) {
+    const [hostPart, portPart] = httpString.split(":");
+    const host = hostPart || void 0;
+    const port2 = parseInt(portPart) || 3e3;
+    return { host, port: port2 };
+  }
+  const port = parseInt(httpString) || 3e3;
+  return { host: void 0, port };
+}
+class MicrosoftGraphServer {
+  constructor(authManager, options = {}) {
+    this.authManager = authManager;
+    this.options = options;
+    this.graphClient = null;
+    this.server = null;
+    this.secrets = null;
+  }
+  async initialize(version) {
+    this.secrets = await getSecrets();
+    const outputFormat = this.options.toon ? "toon" : "json";
+    this.graphClient = new GraphClient(this.authManager, this.secrets, outputFormat);
+    this.server = new McpServer({
+      name: "Microsoft365MCP",
+      version
+    });
+    const shouldRegisterAuthTools = !this.options.http || this.options.enableAuthTools;
+    if (shouldRegisterAuthTools) {
+      registerAuthTools(this.server, this.authManager);
+    }
+    if (this.options.discovery) {
+      logger.info("Discovery mode enabled (experimental) - registering discovery tool only");
+      registerDiscoveryTools(
+        this.server,
+        this.graphClient,
+        this.options.readOnly,
+        this.options.orgMode
+      );
+    } else {
+      registerGraphTools(
+        this.server,
+        this.graphClient,
+        this.options.readOnly,
+        this.options.enabledTools,
+        this.options.orgMode
+      );
+    }
+  }
+  async start() {
+    if (this.options.v) {
+      enableConsoleLogging();
+    }
+    logger.info("Microsoft 365 MCP Server starting...");
+    logger.info("Secrets Check:", {
+      CLIENT_ID: this.secrets?.clientId ? `${this.secrets.clientId.substring(0, 8)}...` : "NOT SET",
+      CLIENT_SECRET: this.secrets?.clientSecret ? "SET" : "NOT SET",
+      TENANT_ID: this.secrets?.tenantId || "NOT SET",
+      NODE_ENV: process.env.NODE_ENV || "NOT SET"
+    });
+    if (this.options.readOnly) {
+      logger.info("Server running in READ-ONLY mode. Write operations are disabled.");
+    }
+    if (this.options.http) {
+      const { host, port } = parseHttpOption(this.options.http);
+      const app = express();
+      app.set("trust proxy", true);
+      app.use(express.json());
+      app.use(express.urlencoded({ extended: true }));
+      const corsOrigin = process.env.MS365_MCP_CORS_ORIGIN || "*";
+      app.use((req, res, next) => {
+        res.header("Access-Control-Allow-Origin", corsOrigin);
+        res.header("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
+        res.header(
+          "Access-Control-Allow-Headers",
+          "Origin, X-Requested-With, Content-Type, Accept, Authorization, mcp-protocol-version"
+        );
+        if (req.method === "OPTIONS") {
+          res.sendStatus(200);
+          return;
+        }
+        next();
+      });
+      const oauthProvider = new MicrosoftOAuthProvider(this.authManager, this.secrets);
+      app.get("/.well-known/oauth-authorization-server", async (req, res) => {
+        const protocol = req.secure ? "https" : "http";
+        const url = new URL(`${protocol}://${req.get("host")}`);
+        const scopes = buildScopesFromEndpoints(this.options.orgMode, this.options.enabledTools);
+        const metadata = {
+          issuer: url.origin,
+          authorization_endpoint: `${url.origin}/authorize`,
+          token_endpoint: `${url.origin}/token`,
+          response_types_supported: ["code"],
+          response_modes_supported: ["query"],
+          grant_types_supported: ["authorization_code", "refresh_token"],
+          token_endpoint_auth_methods_supported: ["none"],
+          code_challenge_methods_supported: ["S256"],
+          scopes_supported: scopes
+        };
+        if (this.options.enableDynamicRegistration) {
+          metadata.registration_endpoint = `${url.origin}/register`;
+        }
+        res.json(metadata);
+      });
+      app.get("/.well-known/oauth-protected-resource", async (req, res) => {
+        const protocol = req.secure ? "https" : "http";
+        const url = new URL(`${protocol}://${req.get("host")}`);
+        const scopes = buildScopesFromEndpoints(this.options.orgMode, this.options.enabledTools);
+        res.json({
+          resource: `${url.origin}/mcp`,
+          authorization_servers: [url.origin],
+          scopes_supported: scopes,
+          bearer_methods_supported: ["header"],
+          resource_documentation: `${url.origin}`
+        });
+      });
+      if (this.options.enableDynamicRegistration) {
+        app.post("/register", async (req, res) => {
+          const body = req.body;
+          logger.info("Client registration request", { body });
+          const clientId = `mcp-client-${Date.now()}`;
+          res.status(201).json({
+            client_id: clientId,
+            client_id_issued_at: Math.floor(Date.now() / 1e3),
+            redirect_uris: body.redirect_uris || [],
+            grant_types: body.grant_types || ["authorization_code", "refresh_token"],
+            response_types: body.response_types || ["code"],
+            token_endpoint_auth_method: body.token_endpoint_auth_method || "none",
+            client_name: body.client_name || "MCP Client"
+          });
+        });
+      }
+      app.get("/authorize", async (req, res) => {
+        const url = new URL(req.url, `${req.protocol}://${req.get("host")}`);
+        const tenantId = this.secrets?.tenantId || "common";
+        const clientId = this.secrets.clientId;
+        const cloudEndpoints = getCloudEndpoints(this.secrets.cloudType);
+        const microsoftAuthUrl = new URL(
+          `${cloudEndpoints.authority}/${tenantId}/oauth2/v2.0/authorize`
+        );
+        const allowedParams = [
+          "response_type",
+          "redirect_uri",
+          "scope",
+          "state",
+          "response_mode",
+          "code_challenge",
+          "code_challenge_method",
+          "prompt",
+          "login_hint",
+          "domain_hint"
+        ];
+        allowedParams.forEach((param) => {
+          const value = url.searchParams.get(param);
+          if (value) {
+            microsoftAuthUrl.searchParams.set(param, value);
+          }
+        });
+        microsoftAuthUrl.searchParams.set("client_id", clientId);
+        if (!microsoftAuthUrl.searchParams.get("scope")) {
+          microsoftAuthUrl.searchParams.set("scope", "User.Read Files.Read Mail.Read");
+        }
+        res.redirect(microsoftAuthUrl.toString());
+      });
+      app.post("/token", async (req, res) => {
+        try {
+          logger.info("Token endpoint called", {
+            method: req.method,
+            url: req.url,
+            contentType: req.get("Content-Type"),
+            grant_type: req.body?.grant_type
+          });
+          const body = req.body;
+          if (!body) {
+            logger.error("Token endpoint: Request body is undefined");
+            res.status(400).json({
+              error: "invalid_request",
+              error_description: "Request body is required"
+            });
+            return;
+          }
+          if (!body.grant_type) {
+            logger.error("Token endpoint: grant_type is missing", { body });
+            res.status(400).json({
+              error: "invalid_request",
+              error_description: "grant_type parameter is required"
+            });
+            return;
+          }
+          if (body.grant_type === "authorization_code") {
+            const tenantId = this.secrets?.tenantId || "common";
+            const clientId = this.secrets.clientId;
+            const clientSecret = this.secrets?.clientSecret;
+            logger.info("Token endpoint: authorization_code exchange", {
+              redirect_uri: body.redirect_uri,
+              has_code: !!body.code,
+              has_code_verifier: !!body.code_verifier,
+              clientId,
+              tenantId,
+              hasClientSecret: !!clientSecret
+            });
+            const result = await exchangeCodeForToken(
+              body.code,
+              body.redirect_uri,
+              clientId,
+              clientSecret,
+              tenantId,
+              body.code_verifier,
+              this.secrets.cloudType
+            );
+            res.json(result);
+          } else if (body.grant_type === "refresh_token") {
+            const tenantId = this.secrets?.tenantId || "common";
+            const clientId = this.secrets.clientId;
+            const clientSecret = this.secrets?.clientSecret;
+            if (clientSecret) {
+              logger.info("Refresh endpoint: Using confidential client with client_secret");
+            } else {
+              logger.info("Refresh endpoint: Using public client without client_secret");
+            }
+            const result = await refreshAccessToken(
+              body.refresh_token,
+              clientId,
+              clientSecret,
+              tenantId,
+              this.secrets.cloudType
+            );
+            res.json(result);
+          } else {
+            res.status(400).json({
+              error: "unsupported_grant_type",
+              error_description: `Grant type '${body.grant_type}' is not supported`
+            });
+          }
+        } catch (error) {
+          logger.error("Token endpoint error:", error);
+          res.status(500).json({
+            error: "server_error",
+            error_description: "Internal server error during token exchange"
+          });
+        }
+      });
+      app.use(
+        mcpAuthRouter({
+          provider: oauthProvider,
+          issuerUrl: new URL(`http://localhost:${port}`)
+        })
+      );
+      app.get(
+        "/mcp",
+        microsoftBearerTokenAuthMiddleware,
+        async (req, res) => {
+          const handler = async () => {
+            const transport = new StreamableHTTPServerTransport({
+              sessionIdGenerator: void 0
+              // Stateless mode
+            });
+            res.on("close", () => {
+              transport.close();
+            });
+            await this.server.connect(transport);
+            await transport.handleRequest(req, res, void 0);
+          };
+          try {
+            if (req.microsoftAuth) {
+              await requestContext.run(
+                {
+                  accessToken: req.microsoftAuth.accessToken,
+                  refreshToken: req.microsoftAuth.refreshToken
+                },
+                handler
+              );
+            } else {
+              await handler();
+            }
+          } catch (error) {
+            logger.error("Error handling MCP GET request:", error);
+            if (!res.headersSent) {
+              res.status(500).json({
+                jsonrpc: "2.0",
+                error: {
+                  code: -32603,
+                  message: "Internal server error"
+                },
+                id: null
+              });
+            }
+          }
+        }
+      );
+      app.post(
+        "/mcp",
+        microsoftBearerTokenAuthMiddleware,
+        async (req, res) => {
+          const handler = async () => {
+            const transport = new StreamableHTTPServerTransport({
+              sessionIdGenerator: void 0
+              // Stateless mode
+            });
+            res.on("close", () => {
+              transport.close();
+            });
+            await this.server.connect(transport);
+            await transport.handleRequest(req, res, req.body);
+          };
+          try {
+            if (req.microsoftAuth) {
+              await requestContext.run(
+                {
+                  accessToken: req.microsoftAuth.accessToken,
+                  refreshToken: req.microsoftAuth.refreshToken
+                },
+                handler
+              );
+            } else {
+              await handler();
+            }
+          } catch (error) {
+            logger.error("Error handling MCP POST request:", error);
+            if (!res.headersSent) {
+              res.status(500).json({
+                jsonrpc: "2.0",
+                error: {
+                  code: -32603,
+                  message: "Internal server error"
+                },
+                id: null
+              });
+            }
+          }
+        }
+      );
+      app.get("/", (req, res) => {
+        res.send("Microsoft 365 MCP Server is running");
+      });
+      if (host) {
+        app.listen(port, host, () => {
+          logger.info(`Server listening on ${host}:${port}`);
+          logger.info(`  - MCP endpoint: http://${host}:${port}/mcp`);
+          logger.info(`  - OAuth endpoints: http://${host}:${port}/auth/*`);
+          logger.info(
+            `  - OAuth discovery: http://${host}:${port}/.well-known/oauth-authorization-server`
+          );
+        });
+      } else {
+        app.listen(port, () => {
+          logger.info(`Server listening on all interfaces (0.0.0.0:${port})`);
+          logger.info(`  - MCP endpoint: http://localhost:${port}/mcp`);
+          logger.info(`  - OAuth endpoints: http://localhost:${port}/auth/*`);
+          logger.info(
+            `  - OAuth discovery: http://localhost:${port}/.well-known/oauth-authorization-server`
+          );
+        });
+      }
+    } else {
+      const transport = new StdioServerTransport();
+      await this.server.connect(transport);
+      logger.info("Server connected to stdio transport");
+    }
+  }
+}
+var server_default = MicrosoftGraphServer;
+export {
+  server_default as default
+};

package/dist/tool-categories.js

@@ -0,0 +1,93 @@
+const TOOL_CATEGORIES = {
+  mail: {
+    name: "mail",
+    pattern: /mail|attachment|draft/i,
+    description: "Email operations (read, send, manage folders, attachments)"
+  },
+  calendar: {
+    name: "calendar",
+    pattern: /calendar|event/i,
+    description: "Calendar and event management"
+  },
+  files: {
+    name: "files",
+    pattern: /drive|file|upload|download|folder|item/i,
+    description: "OneDrive file and folder operations"
+  },
+  personal: {
+    name: "personal",
+    pattern: /mail|calendar|drive|contact|todo|onenote|attachment|draft|event|file|folder/i,
+    description: "Personal productivity tools (mail, calendar, files, contacts, tasks, notes)"
+  },
+  work: {
+    name: "work",
+    pattern: /team|channel|chat|sharepoint|planner|site|list|shared/i,
+    description: "Organization/work tools (Teams, SharePoint, shared mailboxes)",
+    requiresOrgMode: true
+  },
+  excel: {
+    name: "excel",
+    pattern: /excel|worksheet|workbook|range|chart/i,
+    description: "Excel spreadsheet operations"
+  },
+  contacts: {
+    name: "contacts",
+    pattern: /contact/i,
+    description: "Outlook contacts management"
+  },
+  tasks: {
+    name: "tasks",
+    pattern: /todo|planner|task/i,
+    description: "Task and planning tools (To Do, Planner)"
+  },
+  onenote: {
+    name: "onenote",
+    pattern: /onenote|notebook|section|page/i,
+    description: "OneNote notebook operations"
+  },
+  search: {
+    name: "search",
+    pattern: /search|query/i,
+    description: "Microsoft Search capabilities"
+  },
+  users: {
+    name: "users",
+    pattern: /user|list-users/i,
+    description: "User directory access",
+    requiresOrgMode: true
+  },
+  all: {
+    name: "all",
+    pattern: /.*/,
+    description: "All available tools"
+  }
+};
+function getCombinedPresetPattern(presets) {
+  const patterns = presets.map((preset) => {
+    const category = TOOL_CATEGORIES[preset];
+    if (!category) {
+      throw new Error(
+        `Unknown preset: ${preset}. Available presets: ${Object.keys(TOOL_CATEGORIES).join(", ")}`
+      );
+    }
+    return category.pattern.source;
+  });
+  return patterns.join("|");
+}
+function listPresets() {
+  return Object.values(TOOL_CATEGORIES).map((category) => ({
+    name: category.name,
+    description: category.description,
+    requiresOrgMode: category.requiresOrgMode
+  }));
+}
+function presetRequiresOrgMode(preset) {
+  const category = TOOL_CATEGORIES[preset];
+  return category?.requiresOrgMode || false;
+}
+export {
+  TOOL_CATEGORIES,
+  getCombinedPresetPattern,
+  listPresets,
+  presetRequiresOrgMode
+};

package/dist/version.js

@@ -0,0 +1,10 @@
+import { readFileSync } from "fs";
+import path from "path";
+import { fileURLToPath } from "url";
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const packageJsonPath = path.join(__dirname, "..", "package.json");
+const packageJson = JSON.parse(readFileSync(packageJsonPath, "utf8"));
+const version = packageJson.version;
+export {
+  version
+};

package/eslint.config.js

@@ -0,0 +1,43 @@
+import js from '@eslint/js';
+import globals from 'globals';
+import tseslint from '@typescript-eslint/eslint-plugin';
+import tsparser from '@typescript-eslint/parser';
+
+export default [
+  js.configs.recommended,
+  {
+    files: ['**/*.{ts,tsx,js,mjs}'],
+    languageOptions: {
+      parser: tsparser,
+      parserOptions: {
+        ecmaVersion: 2022,
+        sourceType: 'module',
+      },
+      globals: {
+        ...globals.node,
+        ...globals.vitest,
+        ...globals.jest,
+        fs: 'readonly',
+      },
+    },
+    plugins: {
+      '@typescript-eslint': tseslint,
+    },
+    rules: {
+      ...tseslint.configs.recommended.rules,
+      '@typescript-eslint/no-unused-vars': ['warn', { argsIgnorePattern: '^_' }],
+      '@typescript-eslint/no-explicit-any': 'warn',
+      'no-console': 'off',
+    },
+  },
+  {
+    ignores: [
+      'node_modules/**',
+      'dist/**',
+      'coverage/**',
+      'bin/**',
+      'src/generated/**',
+      '.venv/**',
+    ],
+  },
+];

package/glama.json

@@ -0,0 +1,4 @@
+{
+  "$schema": "https://glama.ai/mcp/schemas/server.json",
+  "maintainers": ["eirikb"]
+}

package/package.json

@@ -0,0 +1,79 @@
+{
+  "name": "@dashflow/ms365-mcp-server",
+  "version": "1.0.0",
+  "description": "A Model Context Protocol (MCP) server for interacting with Microsoft 365 and Office services through the Graph API",
+  "type": "module",
+  "main": "dist/index.js",
+  "bin": {
+    "ms365-mcp-server": "dist/index.js"
+  },
+  "scripts": {
+    "generate": "node bin/generate-graph-client.mjs",
+    "build": "tsup",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "dev": "tsx src/index.ts",
+    "dev:http": "tsx --watch src/index.ts --http 127.0.0.1:3000 -v",
+    "format": "prettier --write \"**/*.{ts,mts,js,mjs,json,md}\"",
+    "format:check": "prettier --check \"**/*.{ts,mts,js,mjs,json,md}\"",
+    "lint": "eslint .",
+    "lint:fix": "eslint . --fix",
+    "verify": "npm run generate && npm run lint && npm run format:check && npm run build && npm run test",
+    "inspector": "npx @modelcontextprotocol/inspector tsx src/index.ts"
+  },
+  "keywords": [
+    "microsoft",
+    "365",
+    "mcp",
+    "server",
+    "dashflow"
+  ],
+  "author": "Dashflow",
+  "license": "MIT",
+  "publishConfig": {
+    "access": "public"
+  },
+  "dependencies": {
+    "@azure/msal-node": "^3.8.0",
+    "@modelcontextprotocol/sdk": "^1.25.0",
+    "@toon-format/toon": "^0.8.0",
+    "commander": "^11.1.0",
+    "dotenv": "^17.0.1",
+    "express": "^5.2.1",
+    "js-yaml": "^4.1.1",
+    "winston": "^3.17.0",
+    "zod": "^3.24.2"
+  },
+  "optionalDependencies": {
+    "@azure/identity": "^4.5.0",
+    "@azure/keyvault-secrets": "^4.9.0",
+    "keytar": "^7.9.0"
+  },
+  "devDependencies": {
+    "@redocly/cli": "^2.11.1",
+    "@semantic-release/exec": "^7.1.0",
+    "@semantic-release/git": "^10.0.1",
+    "@semantic-release/github": "^11.0.3",
+    "@semantic-release/npm": "^13.1.3",
+    "@types/express": "^5.0.3",
+    "@types/node": "^22.15.15",
+    "@typescript-eslint/eslint-plugin": "^8.38.0",
+    "@typescript-eslint/parser": "^8.38.0",
+    "@vitest/coverage-v8": "^3.2.4",
+    "eslint": "^9.31.0",
+    "globals": "^16.3.0",
+    "prettier": "^3.5.3",
+    "semantic-release": "^25.0.2",
+    "tsup": "^8.5.1",
+    "tsx": "^4.19.4",
+    "typescript": "^5.8.3",
+    "vitest": "^3.1.1"
+  },
+  "engines": {
+    "node": ">=18"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/dashflow/ms365-mcp-server.git"
+  }
+}