@masonator/m365-mcp 0.1.0 → 0.2.0

package/README.md

@@ -13,7 +13,7 @@ MCP server for Microsoft 365 via the Microsoft Graph API. Read-only access to yo
 ### Claude Code
 
 ```bash
-claude mcp add m365-mcp -e MS365_MCP_CLIENT_ID=your-client-id -e MS365_MCP_CLIENT_SECRET=your-secret -e MS365_MCP_TENANT_ID=your-tenant-id -- npx -y @masonator/m365-mcp
+claude mcp add m365-mcp -e MS365_MCP_CLIENT_ID=your-client-id -e MS365_MCP_TENANT_ID=your-tenant-id -- npx -y @masonator/m365-mcp
 ```
 
 ### Claude Desktop
@@ -28,7 +28,6 @@ Add to your Claude Desktop config (`claude_desktop_config.json`):
       "args": ["-y", "@masonator/m365-mcp"],
       "env": {
         "MS365_MCP_CLIENT_ID": "your-azure-ad-client-id",
-        "MS365_MCP_CLIENT_SECRET": "your-azure-ad-client-secret",
         "MS365_MCP_TENANT_ID": "your-azure-ad-tenant-id"
       }
     }
@@ -42,19 +41,20 @@ On first use, the server opens your browser to sign in with Microsoft. After gra
 
 ## Environment Variables
 
-| Variable                  | Required | Description                                      |
-| ------------------------- | -------- | ------------------------------------------------ |
-| `MS365_MCP_CLIENT_ID`     | Yes      | Azure AD application (client) ID                 |
-| `MS365_MCP_CLIENT_SECRET` | Yes      | Azure AD client secret                           |
-| `MS365_MCP_TENANT_ID`     | Yes      | Azure AD tenant ID                               |
-| `MS365_MCP_TIMEZONE`      | No       | Timezone for calendar (default: system timezone) |
+| Variable                  | Required | Description                                                                    |
+| ------------------------- | -------- | ------------------------------------------------------------------------------ |
+| `MS365_MCP_CLIENT_ID`     | Yes      | Azure AD application (client) ID                                               |
+| `MS365_MCP_TENANT_ID`     | Yes      | Azure AD tenant ID                                                             |
+| `MS365_MCP_CLIENT_SECRET` | No       | Azure AD client secret (confidential clients only)                             |
+| `MS365_MCP_TIMEZONE`      | No       | Timezone for calendar (default: system timezone)                               |
+| `MS365_MCP_REDIRECT_URL`  | No       | OAuth redirect URI (default: dynamic port, `http://localhost:{port}/callback`) |
 
 ## Azure AD Setup
 
 Register an application in Azure AD with these settings:
 
 1. **App registration** > New registration
-2. **Redirect URI**: `http://localhost` (Web platform) — the server uses a dynamic port
+2. **Redirect URI**: `http://localhost` (Web platform) — or set a fixed URI via `MS365_MCP_REDIRECT_URL`
 3. **Certificates & secrets** > New client secret
 4. **API permissions** > Add the following **delegated** permissions:
    - `User.Read`

package/dist/__tests__/auth.test.js

@@ -188,27 +188,35 @@ describe('loadAuthConfig', () => {
             tenantId: 'test-tenant-id',
         });
     });
-    it('throws when all env vars are missing', () => {
+    it('throws when all required env vars are missing', () => {
         delete process.env['MS365_MCP_CLIENT_ID'];
         delete process.env['MS365_MCP_CLIENT_SECRET'];
         delete process.env['MS365_MCP_TENANT_ID'];
-        expect(() => loadAuthConfig()).toThrow('Missing required environment variables: MS365_MCP_CLIENT_ID, MS365_MCP_CLIENT_SECRET, MS365_MCP_TENANT_ID');
+        expect(() => loadAuthConfig()).toThrow('Missing required environment variables: MS365_MCP_CLIENT_ID, MS365_MCP_TENANT_ID');
     });
     it('throws when only CLIENT_ID is missing', () => {
         delete process.env['MS365_MCP_CLIENT_ID'];
-        process.env['MS365_MCP_CLIENT_SECRET'] = 'secret';
         process.env['MS365_MCP_TENANT_ID'] = 'tenant';
         expect(() => loadAuthConfig()).toThrow('MS365_MCP_CLIENT_ID');
     });
-    it('throws when only CLIENT_SECRET is missing', () => {
+    it('does not require CLIENT_SECRET (public client support)', () => {
         process.env['MS365_MCP_CLIENT_ID'] = 'client';
         delete process.env['MS365_MCP_CLIENT_SECRET'];
         process.env['MS365_MCP_TENANT_ID'] = 'tenant';
-        expect(() => loadAuthConfig()).toThrow('MS365_MCP_CLIENT_SECRET');
+        const config = loadAuthConfig();
+        expect(config.clientId).toBe('client');
+        expect(config.clientSecret).toBeUndefined();
+        expect(config.tenantId).toBe('tenant');
     });
-    it('throws when only TENANT_ID is missing', () => {
+    it('includes CLIENT_SECRET when provided', () => {
         process.env['MS365_MCP_CLIENT_ID'] = 'client';
         process.env['MS365_MCP_CLIENT_SECRET'] = 'secret';
+        process.env['MS365_MCP_TENANT_ID'] = 'tenant';
+        const config = loadAuthConfig();
+        expect(config.clientSecret).toBe('secret');
+    });
+    it('throws when only TENANT_ID is missing', () => {
+        process.env['MS365_MCP_CLIENT_ID'] = 'client';
         delete process.env['MS365_MCP_TENANT_ID'];
         expect(() => loadAuthConfig()).toThrow('MS365_MCP_TENANT_ID');
     });

package/dist/__tests__/graph.test.js

@@ -10,6 +10,7 @@ function mockFetch(response) {
     globalThis.fetch = mock;
     return mock;
 }
+const systemTimezone = Intl.DateTimeFormat().resolvedOptions().timeZone || 'UTC';
 describe('graphFetch', () => {
     it('returns ok with data on successful response', async () => {
         const mock = mockFetch({
@@ -22,7 +23,7 @@ describe('graphFetch', () => {
             headers: expect.objectContaining({
                 Authorization: 'Bearer test-token',
                 'Content-Type': 'application/json',
-                Prefer: 'outlook.timezone="Europe/London"',
+                Prefer: `outlook.timezone="${systemTimezone}"`,
             }),
         }));
     });
@@ -99,7 +100,7 @@ describe('graphFetch', () => {
         await graphFetch('/me', 'test-token');
         expect(mock).toHaveBeenCalledWith(expect.any(String), expect.objectContaining({
             headers: expect.objectContaining({
-                Prefer: 'outlook.timezone="Europe/London"',
+                Prefer: `outlook.timezone="${systemTimezone}"`,
             }),
         }));
     });

package/dist/index.js

@@ -18,11 +18,12 @@ catch (error) {
     process.stderr.write(`Configuration error: ${error instanceof Error ? error.message : String(error)}\n`);
     process.stderr.write('\nRequired environment variables:\n');
     process.stderr.write('  MS365_MCP_CLIENT_ID      - Azure AD application (client) ID\n');
-    process.stderr.write('  MS365_MCP_CLIENT_SECRET   - Azure AD client secret\n');
     process.stderr.write('  MS365_MCP_TENANT_ID       - Azure AD tenant ID\n');
+    process.stderr.write('\nOptional:\n');
+    process.stderr.write('  MS365_MCP_CLIENT_SECRET   - Azure AD client secret (confidential clients only)\n');
     process.exit(1);
 }
-const server = new Server({ name: 'm365-mcp', version: '0.1.0' }, { capabilities: { tools: {} } });
+const server = new Server({ name: 'm365-mcp', version: '0.2.0' }, { capabilities: { tools: {} } });
 server.setRequestHandler(ListToolsRequestSchema, async () => ({
     tools: [
         authStatusToolDefinition,

package/dist/lib/auth.d.ts

@@ -1,5 +1,13 @@
 import { type Server } from 'node:http';
 import type { TokenData, AuthConfig } from '../types/tokens.js';
+/**
+ * Generates a PKCE code verifier (43-128 char base64url random string).
+ */
+export declare function generateCodeVerifier(): string;
+/**
+ * Derives a PKCE code challenge from a verifier using SHA-256.
+ */
+export declare function generateCodeChallenge(verifier: string): string;
 export declare const SCOPES: string[];
 /**
  * Returns the config directory for m365-mcp.
@@ -46,13 +54,13 @@ export declare function openBrowser(url: string): void;
  * Exchanges an authorization code for tokens via Azure AD token endpoint.
  * @internal Exported for testing only.
  */
-export declare function exchangeCodeForTokens(config: AuthConfig, code: string, redirectUri: string): Promise<TokenData>;
+export declare function exchangeCodeForTokens(config: AuthConfig, code: string, redirectUri: string, codeVerifier?: string): Promise<TokenData>;
 /**
  * Starts an HTTP server on the given port and waits for the OAuth callback.
  * Returns the authorization code from the callback query string.
  * @internal Exported for testing only.
  */
-export declare function waitForAuthCallback(port: number, expectedState: string, timeoutMs?: number): {
+export declare function waitForAuthCallback(port: number, expectedState: string, timeoutMs?: number, callbackPath?: string): {
     promise: Promise<string>;
     server: Server;
 };

package/dist/lib/auth.js

@@ -4,11 +4,24 @@ import { homedir } from 'node:os';
 import { createServer } from 'node:net';
 import { createServer as createHttpServer } from 'node:http';
 import { URL } from 'node:url';
-import { randomBytes } from 'node:crypto';
+import { randomBytes, createHash } from 'node:crypto';
 import { execFile } from 'node:child_process';
 const TOKEN_FILENAME = 'tokens.json';
 const EXPIRY_BUFFER_MS = 120000; // 2 minutes
 const AUTH_TIMEOUT_MS = 300000; // 5 minutes
+const DEFAULT_CALLBACK_PATH = '/callback';
+/**
+ * Generates a PKCE code verifier (43-128 char base64url random string).
+ */
+export function generateCodeVerifier() {
+    return randomBytes(32).toString('base64url');
+}
+/**
+ * Derives a PKCE code challenge from a verifier using SHA-256.
+ */
+export function generateCodeChallenge(verifier) {
+    return createHash('sha256').update(verifier).digest('base64url');
+}
 function escapeHtml(text) {
     return text
         .replace(/&/g, '&')
@@ -92,13 +105,11 @@ export function isTokenExpired(tokens) {
  */
 export function loadAuthConfig() {
     const clientId = process.env['MS365_MCP_CLIENT_ID'];
-    const clientSecret = process.env['MS365_MCP_CLIENT_SECRET'];
+    const clientSecret = process.env['MS365_MCP_CLIENT_SECRET'] || undefined;
     const tenantId = process.env['MS365_MCP_TENANT_ID'];
     const missing = [];
     if (!clientId)
         missing.push('MS365_MCP_CLIENT_ID');
-    if (!clientSecret)
-        missing.push('MS365_MCP_CLIENT_SECRET');
     if (!tenantId)
         missing.push('MS365_MCP_TENANT_ID');
     if (missing.length > 0) {
@@ -106,7 +117,7 @@ export function loadAuthConfig() {
     }
     return {
         clientId: clientId,
-        clientSecret: clientSecret,
+        clientSecret,
         tenantId: tenantId,
     };
 }
@@ -159,18 +170,31 @@ export function openBrowser(url) {
  * Exchanges an authorization code for tokens via Azure AD token endpoint.
  * @internal Exported for testing only.
  */
-export async function exchangeCodeForTokens(config, code, redirectUri) {
+export async function exchangeCodeForTokens(config, code, redirectUri, codeVerifier) {
     const tokenUrl = `https://login.microsoftonline.com/${config.tenantId}/oauth2/v2.0/token`;
-    const body = new URLSearchParams({
+    const params = {
         grant_type: 'authorization_code',
         client_id: config.clientId,
-        client_secret: config.clientSecret,
         code,
         redirect_uri: redirectUri,
-    });
+    };
+    if (config.clientSecret) {
+        params['client_secret'] = config.clientSecret;
+    }
+    if (codeVerifier) {
+        params['code_verifier'] = codeVerifier;
+    }
+    const body = new URLSearchParams(params);
+    const headers = {
+        'Content-Type': 'application/x-www-form-urlencoded',
+    };
+    if (redirectUri) {
+        const origin = new URL(redirectUri).origin;
+        headers['Origin'] = origin;
+    }
     const response = await fetch(tokenUrl, {
         method: 'POST',
-        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+        headers,
         body: body.toString(),
     });
     if (!response.ok) {
@@ -190,7 +214,7 @@ export async function exchangeCodeForTokens(config, code, redirectUri) {
  * Returns the authorization code from the callback query string.
  * @internal Exported for testing only.
  */
-export function waitForAuthCallback(port, expectedState, timeoutMs = AUTH_TIMEOUT_MS) {
+export function waitForAuthCallback(port, expectedState, timeoutMs = AUTH_TIMEOUT_MS, callbackPath = DEFAULT_CALLBACK_PATH) {
     let httpServer;
     const promise = new Promise((resolve, reject) => {
         const closeServer = () => {
@@ -202,7 +226,7 @@ export function waitForAuthCallback(port, expectedState, timeoutMs = AUTH_TIMEOU
             reject(new Error('Authentication timed out after 5 minutes. Please try again.'));
         }, timeoutMs);
         httpServer = createHttpServer((req, res) => {
-            if (!req.url?.startsWith('/callback')) {
+            if (!req.url?.startsWith(callbackPath)) {
                 res.writeHead(404);
                 res.end('Not found');
                 return;
@@ -253,20 +277,37 @@ export function waitForAuthCallback(port, expectedState, timeoutMs = AUTH_TIMEOU
  * exchanges the authorization code for tokens, saves them, and returns the TokenData.
  */
 export async function startAuthFlow(config) {
-    const port = await findAvailablePort();
-    const redirectUri = `http://localhost:${port}/callback`;
+    const redirectUrl = process.env['MS365_MCP_REDIRECT_URL'];
+    let port;
+    let callbackPath;
+    let redirectUri;
+    if (redirectUrl) {
+        const parsed = new URL(redirectUrl);
+        port = parseInt(parsed.port, 10) || 80;
+        callbackPath = parsed.pathname;
+        redirectUri = redirectUrl;
+    }
+    else {
+        port = await findAvailablePort();
+        callbackPath = DEFAULT_CALLBACK_PATH;
+        redirectUri = `http://localhost:${port}${callbackPath}`;
+    }
     const state = randomBytes(16).toString('hex');
+    const codeVerifier = generateCodeVerifier();
+    const codeChallenge = generateCodeChallenge(codeVerifier);
     const authUrl = new URL(`https://login.microsoftonline.com/${config.tenantId}/oauth2/v2.0/authorize`);
     authUrl.searchParams.set('client_id', config.clientId);
     authUrl.searchParams.set('response_type', 'code');
     authUrl.searchParams.set('redirect_uri', redirectUri);
     authUrl.searchParams.set('scope', SCOPES.join(' '));
     authUrl.searchParams.set('state', state);
+    authUrl.searchParams.set('code_challenge', codeChallenge);
+    authUrl.searchParams.set('code_challenge_method', 'S256');
     process.stderr.write('Opening browser for Microsoft 365 sign-in...\n');
     openBrowser(authUrl.toString());
-    const { promise } = waitForAuthCallback(port, state);
+    const { promise } = waitForAuthCallback(port, state, AUTH_TIMEOUT_MS, callbackPath);
     const code = await promise;
-    const tokenData = await exchangeCodeForTokens(config, code, redirectUri);
+    const tokenData = await exchangeCodeForTokens(config, code, redirectUri, codeVerifier);
     saveTokens(tokenData);
     return tokenData;
 }
@@ -277,16 +318,26 @@ export async function startAuthFlow(config) {
  */
 export async function refreshAccessToken(config, refreshToken) {
     const tokenUrl = `https://login.microsoftonline.com/${config.tenantId}/oauth2/v2.0/token`;
-    const body = new URLSearchParams({
+    const params = {
         grant_type: 'refresh_token',
         client_id: config.clientId,
-        client_secret: config.clientSecret,
         refresh_token: refreshToken,
-    });
+    };
+    if (config.clientSecret) {
+        params['client_secret'] = config.clientSecret;
+    }
+    const body = new URLSearchParams(params);
     try {
+        const refreshHeaders = {
+            'Content-Type': 'application/x-www-form-urlencoded',
+        };
+        const redirectUrl = process.env['MS365_MCP_REDIRECT_URL'];
+        if (redirectUrl) {
+            refreshHeaders['Origin'] = new URL(redirectUrl).origin;
+        }
         const response = await fetch(tokenUrl, {
             method: 'POST',
-            headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+            headers: refreshHeaders,
             body: body.toString(),
         });
         if (!response.ok) {

package/dist/types/tokens.d.ts

@@ -6,6 +6,6 @@ export interface TokenData {
 }
 export interface AuthConfig {
     clientId: string;
-    clientSecret: string;
+    clientSecret?: string;
     tenantId: string;
 }

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@masonator/m365-mcp",
   "scope": "@masonator",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "description": "MCP server implementation for Microsoft 365 via Microsoft Graph API",
   "type": "module",
   "main": "./dist/index.js",