@rubytech/create-maxy 1.0.762 → 1.0.764

package/payload/platform/plugins/outlook/mcp/dist/__tests__/pkce-flow.test.js

@@ -0,0 +1,213 @@
+import test from "node:test";
+import assert from "node:assert/strict";
+import { _internals, startPkceFlow } from "../auth/pkce-flow.js";
+const { sameLengthEqual } = _internals;
+// ---------------------------------------------------------------------------
+// sameLengthEqual: timing-safe state comparison
+// ---------------------------------------------------------------------------
+test("sameLengthEqual matches identical strings", () => {
+    assert.equal(sameLengthEqual("abcdef0123456789", "abcdef0123456789"), true);
+});
+test("sameLengthEqual rejects different equal-length strings", () => {
+    assert.equal(sameLengthEqual("abcdef0123456789", "abcdef0123456780"), false);
+});
+test("sameLengthEqual rejects length mismatch without throwing", () => {
+    assert.equal(sameLengthEqual("short", "longerstring"), false);
+});
+function mockFetch(handler) {
+    const calls = [];
+    const original = globalThis.fetch;
+    globalThis.fetch = (async (url, init) => {
+        const urlStr = typeof url === "string" ? url : url instanceof URL ? url.toString() : url.url;
+        // Pass loopback callbacks through to the real fetch — only the upstream
+        // token endpoint is intercepted. Otherwise the test's own callback
+        // request would loop back into the mock and never reach the bound server.
+        if (urlStr.startsWith("http://127.0.0.1:") || urlStr.startsWith("http://localhost:")) {
+            return original(url, init);
+        }
+        calls.push({ url: urlStr, init });
+        return handler(urlStr, init);
+    });
+    return {
+        calls,
+        restore: () => {
+            globalThis.fetch = original;
+        },
+    };
+}
+function tokenSuccess() {
+    return new Response(JSON.stringify({
+        access_token: "test-access",
+        refresh_token: "test-refresh",
+        expires_in: 3600,
+        token_type: "Bearer",
+        scope: "offline_access User.Read Mail.Read Calendars.Read Contacts.Read",
+    }), { status: 200, headers: { "Content-Type": "application/json" } });
+}
+function extractStateFromAuthUrl(authUrl) {
+    const url = new URL(authUrl);
+    const state = url.searchParams.get("state");
+    assert.ok(state, "auth URL must include state param");
+    return state;
+}
+function extractRedirectUriPort(redirectUri) {
+    const url = new URL(redirectUri);
+    return Number(url.port);
+}
+test("PKCE happy path: state matches → tokens exchanged", async () => {
+    const fetchMock = mockFetch(() => tokenSuccess());
+    try {
+        const flow = await startPkceFlow({
+            clientId: "test-client",
+            tenantId: "common",
+            accountId: "acct-pkce-1",
+        });
+        const state = extractStateFromAuthUrl(flow.authUrl);
+        const port = extractRedirectUriPort(flow.redirectUri);
+        // Drive the callback synthetically, as Microsoft would after consent.
+        const callbackResp = await fetch(`http://127.0.0.1:${port}/callback?code=fake-code&state=${state}`);
+        assert.equal(callbackResp.status, 200);
+        const result = await flow.result;
+        assert.equal(result.tokenResponse.access_token, "test-access");
+        assert.equal(result.tokenResponse.refresh_token, "test-refresh");
+        assert.deepEqual(result.scopes.sort(), [
+            "Calendars.Read",
+            "Contacts.Read",
+            "Mail.Read",
+            "User.Read",
+            "offline_access",
+        ].sort());
+        // Token endpoint was called with code + verifier + redirect_uri.
+        assert.equal(fetchMock.calls.length, 1);
+        const body = String(fetchMock.calls[0].init?.body ?? "");
+        assert.match(body, /code=fake-code/);
+        assert.match(body, /code_verifier=/);
+        assert.match(body, /grant_type=authorization_code/);
+    }
+    finally {
+        fetchMock.restore();
+    }
+});
+test("PKCE state mismatch → flow rejects, token endpoint NOT called", async () => {
+    const fetchMock = mockFetch(() => {
+        throw new Error("token endpoint should not be called on state mismatch");
+    });
+    try {
+        const flow = await startPkceFlow({
+            clientId: "test-client",
+            tenantId: "common",
+            accountId: "acct-pkce-2",
+        });
+        // Subscribe BEFORE driving the callback — otherwise the rejection lands
+        // before any handler is attached and Node flags it as unhandled.
+        const rejection = assert.rejects(flow.result, /State mismatch/i);
+        const port = extractRedirectUriPort(flow.redirectUri);
+        const cbResp = await fetch(`http://127.0.0.1:${port}/callback?code=fake-code&state=wrong-state-value`);
+        assert.equal(cbResp.status, 400);
+        await rejection;
+        assert.equal(fetchMock.calls.length, 0, "token endpoint must not be called");
+    }
+    finally {
+        fetchMock.restore();
+    }
+});
+test("PKCE OAuth error in callback → flow rejects, no token call", async () => {
+    const fetchMock = mockFetch(() => {
+        throw new Error("token endpoint should not be called on OAuth error");
+    });
+    try {
+        const flow = await startPkceFlow({
+            clientId: "test-client",
+            tenantId: "common",
+            accountId: "acct-pkce-3",
+        });
+        const rejection = assert.rejects(flow.result, /OAuth error: access_denied/);
+        const state = extractStateFromAuthUrl(flow.authUrl);
+        const port = extractRedirectUriPort(flow.redirectUri);
+        const cbResp = await fetch(`http://127.0.0.1:${port}/callback?error=access_denied&error_description=user%20cancelled&state=${state}`);
+        assert.equal(cbResp.status, 400);
+        await rejection;
+        assert.equal(fetchMock.calls.length, 0);
+    }
+    finally {
+        fetchMock.restore();
+    }
+});
+test("PKCE callback missing code → flow rejects", async () => {
+    const fetchMock = mockFetch(() => {
+        throw new Error("token endpoint should not be called");
+    });
+    try {
+        const flow = await startPkceFlow({
+            clientId: "test-client",
+            tenantId: "common",
+            accountId: "acct-pkce-4",
+        });
+        const rejection = assert.rejects(flow.result, /No authorization code received/);
+        const state = extractStateFromAuthUrl(flow.authUrl);
+        const port = extractRedirectUriPort(flow.redirectUri);
+        const cbResp = await fetch(`http://127.0.0.1:${port}/callback?state=${state}`);
+        assert.equal(cbResp.status, 400);
+        await rejection;
+        assert.equal(fetchMock.calls.length, 0);
+    }
+    finally {
+        fetchMock.restore();
+    }
+});
+test("PKCE auth URL has S256 challenge + correct scopes + prompt=select_account", async () => {
+    // No mock needed — we assert URL structure and abort the flow without
+    // exchanging tokens. Sending an OAuth error in the callback closes the
+    // server and rejects flow.result loudly; we catch it explicitly.
+    const flow = await startPkceFlow({
+        clientId: "client-X",
+        tenantId: "common",
+        accountId: "acct-pkce-5",
+    });
+    const expectedRejection = assert.rejects(flow.result, /OAuth error/);
+    try {
+        const url = new URL(flow.authUrl);
+        assert.equal(url.searchParams.get("client_id"), "client-X");
+        assert.equal(url.searchParams.get("response_type"), "code");
+        assert.equal(url.searchParams.get("code_challenge_method"), "S256");
+        assert.equal(url.searchParams.get("prompt"), "select_account");
+        const challenge = url.searchParams.get("code_challenge");
+        assert.ok(challenge && challenge.length > 30, "challenge should be base64url-encoded SHA-256");
+        const scope = url.searchParams.get("scope") ?? "";
+        assert.match(scope, /offline_access/);
+        assert.match(scope, /User\.Read/);
+        assert.match(scope, /Mail\.Read/);
+        assert.match(scope, /Calendars\.Read/);
+        assert.match(scope, /Contacts\.Read/);
+        // Abort the flow by sending an OAuth error. Server closes; result rejects.
+        const port = extractRedirectUriPort(flow.redirectUri);
+        const state = url.searchParams.get("state");
+        await fetch(`http://127.0.0.1:${port}/callback?error=access_denied&state=${state}`);
+    }
+    finally {
+        await expectedRejection;
+    }
+});
+test("PKCE redirect URI uses ephemeral loopback port (not fixed 49152)", async () => {
+    // No token-exchange mock — abort each flow with an OAuth error so the
+    // server closes without invoking exchangeCode.
+    const flow1 = await startPkceFlow({ clientId: "c", tenantId: "common", accountId: "a1" });
+    const flow2 = await startPkceFlow({ clientId: "c", tenantId: "common", accountId: "a2" });
+    const r1 = assert.rejects(flow1.result, /OAuth error/);
+    const r2 = assert.rejects(flow2.result, /OAuth error/);
+    try {
+        const port1 = extractRedirectUriPort(flow1.redirectUri);
+        const port2 = extractRedirectUriPort(flow2.redirectUri);
+        assert.ok(port1 > 0 && port1 < 65536);
+        assert.ok(port2 > 0 && port2 < 65536);
+        assert.notEqual(port1, port2, "two parallel flows must allocate different ephemeral ports");
+        const s1 = extractStateFromAuthUrl(flow1.authUrl);
+        const s2 = extractStateFromAuthUrl(flow2.authUrl);
+        await fetch(`http://127.0.0.1:${port1}/callback?error=access_denied&state=${s1}`);
+        await fetch(`http://127.0.0.1:${port2}/callback?error=access_denied&state=${s2}`);
+    }
+    finally {
+        await Promise.all([r1, r2]);
+    }
+});
+//# sourceMappingURL=pkce-flow.test.js.map

package/payload/platform/plugins/outlook/mcp/dist/__tests__/pkce-flow.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pkce-flow.test.js","sourceRoot":"","sources":["../../src/__tests__/pkce-flow.test.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,MAAM,MAAM,oBAAoB,CAAC;AACxC,OAAO,EAAE,UAAU,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAEjE,MAAM,EAAE,eAAe,EAAE,GAAG,UAAU,CAAC;AAEvC,8EAA8E;AAC9E,gDAAgD;AAChD,8EAA8E;AAE9E,IAAI,CAAC,2CAA2C,EAAE,GAAG,EAAE;IACrD,MAAM,CAAC,KAAK,CAAC,eAAe,CAAC,kBAAkB,EAAE,kBAAkB,CAAC,EAAE,IAAI,CAAC,CAAC;AAC9E,CAAC,CAAC,CAAC;AAEH,IAAI,CAAC,wDAAwD,EAAE,GAAG,EAAE;IAClE,MAAM,CAAC,KAAK,CAAC,eAAe,CAAC,kBAAkB,EAAE,kBAAkB,CAAC,EAAE,KAAK,CAAC,CAAC;AAC/E,CAAC,CAAC,CAAC;AAEH,IAAI,CAAC,0DAA0D,EAAE,GAAG,EAAE;IACpE,MAAM,CAAC,KAAK,CAAC,eAAe,CAAC,OAAO,EAAE,cAAc,CAAC,EAAE,KAAK,CAAC,CAAC;AAChE,CAAC,CAAC,CAAC;AAiBH,SAAS,SAAS,CAAC,OAA0E;IAI3F,MAAM,KAAK,GAAwB,EAAE,CAAC;IACtC,MAAM,QAAQ,GAAG,UAAU,CAAC,KAAK,CAAC;IAClC,UAAU,CAAC,KAAK,GAAG,CAAC,KAAK,EAAE,GAA2B,EAAE,IAAkB,EAAE,EAAE;QAC5E,MAAM,MAAM,GAAG,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,YAAY,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC;QAC7F,wEAAwE;QACxE,mEAAmE;QACnE,0EAA0E;QAC1E,IAAI,MAAM,CAAC,UAAU,CAAC,mBAAmB,CAAC,IAAI,MAAM,CAAC,UAAU,CAAC,mBAAmB,CAAC,EAAE,CAAC;YACrF,OAAO,QAAQ,CAAC,GAAqC,EAAE,IAAI,CAAC,CAAC;QAC/D,CAAC;QACD,KAAK,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;QAClC,OAAO,OAAO,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;IAC/B,CAAC,CAAiB,CAAC;IACnB,OAAO;QACL,KAAK;QACL,OAAO,EAAE,GAAG,EAAE;YACZ,UAAU,CAAC,KAAK,GAAG,QAAQ,CAAC;QAC9B,CAAC;KACF,CAAC;AACJ,CAAC;AAED,SAAS,YAAY;IACnB,OAAO,IAAI,QAAQ,CACjB,IAAI,CAAC,SAAS,CAAC;QACb,YAAY,EAAE,aAAa;QAC3B,aAAa,EAAE,cAAc;QAC7B,UAAU,EAAE,IAAI;QAChB,UAAU,EAAE,QAAQ;QACpB,KAAK,EAAE,iEAAiE;KACzE,CAAC,EACF,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,EAAE,CACjE,CAAC;AACJ,CAAC;AAED,SAAS,uBAAuB,CAAC,OAAe;IAC9C,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC;IAC7B,MAAM,KAAK,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAC5C,MAAM,CAAC,EAAE,CAAC,KAAK,EAAE,mCAAmC,CAAC,CAAC;IACtD,OAAO,KAAM,CAAC;AAChB,CAAC;AAED,SAAS,sBAAsB,CAAC,WAAmB;IACjD,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,CAAC;IACjC,OAAO,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,IAAI,CAAC,mDAAmD,EAAE,KAAK,IAAI,EAAE;IACnE,MAAM,SAAS,GAAG,SAAS,CAAC,GAAG,EAAE,CAAC,YAAY,EAAE,CAAC,CAAC;IAClD,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC;YAC/B,QAAQ,EAAE,aAAa;YACvB,QAAQ,EAAE,QAAQ;YAClB,SAAS,EAAE,aAAa;SACzB,CAAC,CAAC;QACH,MAAM,KAAK,GAAG,uBAAuB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACpD,MAAM,IAAI,GAAG,sBAAsB,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAEtD,sEAAsE;QACtE,MAAM,YAAY,GAAG,MAAM,KAAK,CAC9B,oBAAoB,IAAI,kCAAkC,KAAK,EAAE,CAClE,CAAC;QACF,MAAM,CAAC,KAAK,CAAC,YAAY,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAEvC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC;QACjC,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,aAAa,CAAC,YAAY,EAAE,aAAa,CAAC,CAAC;QAC/D,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,aAAa,CAAC,aAAa,EAAE,cAAc,CAAC,CAAC;QACjE,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE;YACrC,gBAAgB;YAChB,eAAe;YACf,WAAW;YACX,WAAW;YACX,gBAAgB;SACjB,CAAC,IAAI,EAAE,CAAC,CAAC;QAEV,iEAAiE;QACjE,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;QACxC,MAAM,IAAI,GAAG,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,IAAI,IAAI,EAAE,CAAC,CAAC;QACzD,MAAM,CAAC,KAAK,CAAC,IAAI,EAAE,gBAAgB,CAAC,CAAC;QACrC,MAAM,CAAC,KAAK,CAAC,IAAI,EAAE,gBAAgB,CAAC,CAAC;QACrC,MAAM,CAAC,KAAK,CAAC,IAAI,EAAE,+BAA+B,CAAC,CAAC;IACtD,CAAC;YAAS,CAAC;QACT,SAAS,CAAC,OAAO,EAAE,CAAC;IACtB,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,IAAI,CAAC,+DAA+D,EAAE,KAAK,IAAI,EAAE;IAC/E,MAAM,SAAS,GAAG,SAAS,CAAC,GAAG,EAAE;QAC/B,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;IAC3E,CAAC,CAAC,CAAC;IACH,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC;YAC/B,QAAQ,EAAE,aAAa;YACvB,QAAQ,EAAE,QAAQ;YAClB,SAAS,EAAE,aAAa;SACzB,CAAC,CAAC;QACH,wEAAwE;QACxE,iEAAiE;QACjE,MAAM,SAAS,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAC;QACjE,MAAM,IAAI,GAAG,sBAAsB,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACtD,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,oBAAoB,IAAI,kDAAkD,CAAC,CAAC;QACvG,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QACjC,MAAM,SAAS,CAAC;QAChB,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,mCAAmC,CAAC,CAAC;IAC/E,CAAC;YAAS,CAAC;QACT,SAAS,CAAC,OAAO,EAAE,CAAC;IACtB,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,IAAI,CAAC,4DAA4D,EAAE,KAAK,IAAI,EAAE;IAC5E,MAAM,SAAS,GAAG,SAAS,CAAC,GAAG,EAAE;QAC/B,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;IACxE,CAAC,CAAC,CAAC;IACH,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC;YAC/B,QAAQ,EAAE,aAAa;YACvB,QAAQ,EAAE,QAAQ;YAClB,SAAS,EAAE,aAAa;SACzB,CAAC,CAAC;QACH,MAAM,SAAS,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,EAAE,4BAA4B,CAAC,CAAC;QAC5E,MAAM,KAAK,GAAG,uBAAuB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACpD,MAAM,IAAI,GAAG,sBAAsB,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACtD,MAAM,MAAM,GAAG,MAAM,KAAK,CACxB,oBAAoB,IAAI,0EAA0E,KAAK,EAAE,CAC1G,CAAC;QACF,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QACjC,MAAM,SAAS,CAAC;QAChB,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IAC1C,CAAC;YAAS,CAAC;QACT,SAAS,CAAC,OAAO,EAAE,CAAC;IACtB,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,IAAI,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;IAC3D,MAAM,SAAS,GAAG,SAAS,CAAC,GAAG,EAAE;QAC/B,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACzD,CAAC,CAAC,CAAC;IACH,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC;YAC/B,QAAQ,EAAE,aAAa;YACvB,QAAQ,EAAE,QAAQ;YAClB,SAAS,EAAE,aAAa;SACzB,CAAC,CAAC;QACH,MAAM,SAAS,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,EAAE,gCAAgC,CAAC,CAAC;QAChF,MAAM,KAAK,GAAG,uBAAuB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACpD,MAAM,IAAI,GAAG,sBAAsB,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACtD,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,oBAAoB,IAAI,mBAAmB,KAAK,EAAE,CAAC,CAAC;QAC/E,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QACjC,MAAM,SAAS,CAAC;QAChB,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IAC1C,CAAC;YAAS,CAAC;QACT,SAAS,CAAC,OAAO,EAAE,CAAC;IACtB,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,IAAI,CAAC,2EAA2E,EAAE,KAAK,IAAI,EAAE;IAC3F,sEAAsE;IACtE,uEAAuE;IACvE,iEAAiE;IACjE,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC;QAC/B,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;QAClB,SAAS,EAAE,aAAa;KACzB,CAAC,CAAC;IACH,MAAM,iBAAiB,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;IACrE,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAClC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,CAAC,EAAE,UAAU,CAAC,CAAC;QAC5D,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,CAAC,EAAE,MAAM,CAAC,CAAC;QAC5D,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,uBAAuB,CAAC,EAAE,MAAM,CAAC,CAAC;QACpE,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,gBAAgB,CAAC,CAAC;QAC/D,MAAM,SAAS,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;QACzD,MAAM,CAAC,EAAE,CAAC,SAAS,IAAI,SAAS,CAAC,MAAM,GAAG,EAAE,EAAE,+CAA+C,CAAC,CAAC;QAC/F,MAAM,KAAK,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QAClD,MAAM,CAAC,KAAK,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;QACtC,MAAM,CAAC,KAAK,CAAC,KAAK,EAAE,YAAY,CAAC,CAAC;QAClC,MAAM,CAAC,KAAK,CAAC,KAAK,EAAE,YAAY,CAAC,CAAC;QAClC,MAAM,CAAC,KAAK,CAAC,KAAK,EAAE,iBAAiB,CAAC,CAAC;QACvC,MAAM,CAAC,KAAK,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;QAEtC,2EAA2E;QAC3E,MAAM,IAAI,GAAG,sBAAsB,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACtD,MAAM,KAAK,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAE,CAAC;QAC7C,MAAM,KAAK,CAAC,oBAAoB,IAAI,uCAAuC,KAAK,EAAE,CAAC,CAAC;IACtF,CAAC;YAAS,CAAC;QACT,MAAM,iBAAiB,CAAC;IAC1B,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,IAAI,CAAC,kEAAkE,EAAE,KAAK,IAAI,EAAE;IAClF,sEAAsE;IACtE,+CAA+C;IAC/C,MAAM,KAAK,GAAG,MAAM,aAAa,CAAC,EAAE,QAAQ,EAAE,GAAG,EAAE,QAAQ,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC1F,MAAM,KAAK,GAAG,MAAM,aAAa,CAAC,EAAE,QAAQ,EAAE,GAAG,EAAE,QAAQ,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC1F,MAAM,EAAE,GAAG,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;IACvD,MAAM,EAAE,GAAG,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;IACvD,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,sBAAsB,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;QACxD,MAAM,KAAK,GAAG,sBAAsB,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;QACxD,MAAM,CAAC,EAAE,CAAC,KAAK,GAAG,CAAC,IAAI,KAAK,GAAG,KAAK,CAAC,CAAC;QACtC,MAAM,CAAC,EAAE,CAAC,KAAK,GAAG,CAAC,IAAI,KAAK,GAAG,KAAK,CAAC,CAAC;QACtC,MAAM,CAAC,QAAQ,CAAC,KAAK,EAAE,KAAK,EAAE,4DAA4D,CAAC,CAAC;QAE5F,MAAM,EAAE,GAAG,uBAAuB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAClD,MAAM,EAAE,GAAG,uBAAuB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAClD,MAAM,KAAK,CAAC,oBAAoB,KAAK,uCAAuC,EAAE,EAAE,CAAC,CAAC;QAClF,MAAM,KAAK,CAAC,oBAAoB,KAAK,uCAAuC,EAAE,EAAE,CAAC,CAAC;IACpF,CAAC;YAAS,CAAC;QACT,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC;IAC9B,CAAC;AACH,CAAC,CAAC,CAAC"}

package/payload/platform/plugins/outlook/mcp/dist/__tests__/token-store.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=token-store.test.d.ts.map

package/payload/platform/plugins/outlook/mcp/dist/__tests__/token-store.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-store.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/token-store.test.ts"],"names":[],"mappings":""}

package/payload/platform/plugins/outlook/mcp/dist/__tests__/token-store.test.js

@@ -0,0 +1,130 @@
+import test from "node:test";
+import assert from "node:assert/strict";
+import { mkdtempSync, rmSync, statSync, writeFileSync, readFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { TokenStore } from "../auth/token-store.js";
+function makeAccountsDir() {
+    const dir = mkdtempSync(join(tmpdir(), "outlook-test-"));
+    return {
+        dir,
+        cleanup: () => rmSync(dir, { recursive: true, force: true }),
+    };
+}
+test("TokenStore round-trip preserves the blob", () => {
+    const { dir, cleanup } = makeAccountsDir();
+    try {
+        const store = new TokenStore("acct-A", dir);
+        store.store("access-1", "refresh-1", 3600, {
+            graphUserId: "user-1",
+            scopes: ["Mail.Read", "Calendars.Read"],
+        });
+        const fresh = new TokenStore("acct-A", dir);
+        const blob = fresh.read();
+        assert.ok(blob, "expected blob to exist after round-trip");
+        assert.equal(blob.accessToken, "access-1");
+        assert.equal(blob.refreshToken, "refresh-1");
+        assert.equal(blob.graphUserId, "user-1");
+        assert.deepEqual(blob.scopes, ["Mail.Read", "Calendars.Read"]);
+    }
+    finally {
+        cleanup();
+    }
+});
+test("TokenStore corrupt cipher fails loud", () => {
+    const { dir, cleanup } = makeAccountsDir();
+    try {
+        const store = new TokenStore("acct-X", dir);
+        store.store("access-X", "refresh-X", 3600);
+        // Tamper with the ciphertext on disk.
+        const tokensPath = join(dir, "acct-X", "secrets", "outlook", "tokens.enc");
+        writeFileSync(tokensPath, "garbage-not-a-cipher");
+        const fresh = new TokenStore("acct-X", dir);
+        assert.throws(() => fresh.read(), /token-decrypt-failed|bad decrypt|wrong final block length|invalid|wrong tag/i);
+    }
+    finally {
+        cleanup();
+    }
+});
+test("TokenStore per-account isolation — two stores never decrypt each other", () => {
+    const { dir, cleanup } = makeAccountsDir();
+    try {
+        const storeA = new TokenStore("acct-A", dir);
+        const storeB = new TokenStore("acct-B", dir);
+        storeA.store("access-A", "refresh-A", 3600, { graphUserId: "user-A", scopes: [] });
+        storeB.store("access-B", "refresh-B", 3600, { graphUserId: "user-B", scopes: [] });
+        // Read each independently.
+        const blobA = new TokenStore("acct-A", dir).read();
+        const blobB = new TokenStore("acct-B", dir).read();
+        assert.equal(blobA?.accessToken, "access-A");
+        assert.equal(blobB?.accessToken, "access-B");
+        assert.notEqual(blobA?.accessToken, blobB?.accessToken);
+        // Sentinel: swap the .key files between accounts. The store should now
+        // fail to decrypt — proves keys are genuinely per-account, not shared.
+        const keyA = readFileSync(join(dir, "acct-A", "secrets", "outlook", ".key"), "utf-8");
+        const keyB = readFileSync(join(dir, "acct-B", "secrets", "outlook", ".key"), "utf-8");
+        assert.notEqual(keyA, keyB, "keys must differ across accounts");
+        writeFileSync(join(dir, "acct-A", "secrets", "outlook", ".key"), keyB);
+        const tampered = new TokenStore("acct-A", dir);
+        assert.throws(() => tampered.read(), /bad decrypt|wrong final|invalid|token-decrypt-failed/i);
+    }
+    finally {
+        cleanup();
+    }
+});
+test("TokenStore directory permissions are 0700, file permissions are 0600", () => {
+    const { dir, cleanup } = makeAccountsDir();
+    try {
+        const store = new TokenStore("acct-mode", dir);
+        store.store("a", "r", 3600);
+        const secretsDir = join(dir, "acct-mode", "secrets", "outlook");
+        const dirMode = statSync(secretsDir).mode & 0o777;
+        assert.equal(dirMode, 0o700, "secrets dir must be 0700");
+        const keyMode = statSync(join(secretsDir, ".key")).mode & 0o777;
+        assert.equal(keyMode, 0o600, "key file must be 0600");
+        const tokensMode = statSync(join(secretsDir, "tokens.enc")).mode & 0o777;
+        assert.equal(tokensMode, 0o600, "tokens file must be 0600");
+    }
+    finally {
+        cleanup();
+    }
+});
+test("TokenStore.needsRefresh returns true within the threshold window", () => {
+    const { dir, cleanup } = makeAccountsDir();
+    try {
+        const store = new TokenStore("acct-r", dir);
+        store.store("a", "r", 60); // 60s expiry — well under the 300s threshold
+        assert.equal(store.needsRefresh(), true);
+    }
+    finally {
+        cleanup();
+    }
+});
+test("TokenStore.needsRefresh returns false outside the threshold window", () => {
+    const { dir, cleanup } = makeAccountsDir();
+    try {
+        const store = new TokenStore("acct-f", dir);
+        store.store("a", "r", 3600); // 1h expiry
+        assert.equal(store.needsRefresh(), false);
+    }
+    finally {
+        cleanup();
+    }
+});
+test("TokenStore.clear removes the token blob but leaves the key", () => {
+    const { dir, cleanup } = makeAccountsDir();
+    try {
+        const store = new TokenStore("acct-c", dir);
+        store.store("a", "r", 3600);
+        store.clear();
+        assert.equal(store.read(), null);
+        // Key file still present — re-register reuses it.
+        const fresh = new TokenStore("acct-c", dir);
+        fresh.store("a2", "r2", 3600);
+        assert.equal(fresh.read()?.accessToken, "a2");
+    }
+    finally {
+        cleanup();
+    }
+});
+//# sourceMappingURL=token-store.test.js.map

package/payload/platform/plugins/outlook/mcp/dist/__tests__/token-store.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-store.test.js","sourceRoot":"","sources":["../../src/__tests__/token-store.test.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,MAAM,MAAM,oBAAoB,CAAC;AACxC,OAAO,EAAE,WAAW,EAAE,MAAM,EAAE,QAAQ,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACrF,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACjC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AAEpD,SAAS,eAAe;IACtB,MAAM,GAAG,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,eAAe,CAAC,CAAC,CAAC;IACzD,OAAO;QACL,GAAG;QACH,OAAO,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;KAC7D,CAAC;AACJ,CAAC;AAED,IAAI,CAAC,0CAA0C,EAAE,GAAG,EAAE;IACpD,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,eAAe,EAAE,CAAC;IAC3C,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QAC5C,KAAK,CAAC,KAAK,CAAC,UAAU,EAAE,WAAW,EAAE,IAAI,EAAE;YACzC,WAAW,EAAE,QAAQ;YACrB,MAAM,EAAE,CAAC,WAAW,EAAE,gBAAgB,CAAC;SACxC,CAAC,CAAC;QAEH,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QAC5C,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;QAC1B,MAAM,CAAC,EAAE,CAAC,IAAI,EAAE,yCAAyC,CAAC,CAAC;QAC3D,MAAM,CAAC,KAAK,CAAC,IAAK,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;QAC5C,MAAM,CAAC,KAAK,CAAC,IAAK,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC;QAC9C,MAAM,CAAC,KAAK,CAAC,IAAK,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;QAC1C,MAAM,CAAC,SAAS,CAAC,IAAK,CAAC,MAAM,EAAE,CAAC,WAAW,EAAE,gBAAgB,CAAC,CAAC,CAAC;IAClE,CAAC;YAAS,CAAC;QACT,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,IAAI,CAAC,sCAAsC,EAAE,GAAG,EAAE;IAChD,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,eAAe,EAAE,CAAC;IAC3C,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QAC5C,KAAK,CAAC,KAAK,CAAC,UAAU,EAAE,WAAW,EAAE,IAAI,CAAC,CAAC;QAE3C,sCAAsC;QACtC,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,QAAQ,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,CAAC,CAAC;QAC3E,aAAa,CAAC,UAAU,EAAE,sBAAsB,CAAC,CAAC;QAElD,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QAC5C,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,IAAI,EAAE,EAAE,8EAA8E,CAAC,CAAC;IACpH,CAAC;YAAS,CAAC;QACT,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,IAAI,CAAC,wEAAwE,EAAE,GAAG,EAAE;IAClF,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,eAAe,EAAE,CAAC;IAC3C,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,UAAU,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QAC7C,MAAM,MAAM,GAAG,IAAI,UAAU,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QAC7C,MAAM,CAAC,KAAK,CAAC,UAAU,EAAE,WAAW,EAAE,IAAI,EAAE,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC,CAAC;QACnF,MAAM,CAAC,KAAK,CAAC,UAAU,EAAE,WAAW,EAAE,IAAI,EAAE,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC,CAAC;QAEnF,2BAA2B;QAC3B,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;QACnD,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;QACnD,MAAM,CAAC,KAAK,CAAC,KAAK,EAAE,WAAW,EAAE,UAAU,CAAC,CAAC;QAC7C,MAAM,CAAC,KAAK,CAAC,KAAK,EAAE,WAAW,EAAE,UAAU,CAAC,CAAC;QAC7C,MAAM,CAAC,QAAQ,CAAC,KAAK,EAAE,WAAW,EAAE,KAAK,EAAE,WAAW,CAAC,CAAC;QAExD,uEAAuE;QACvE,uEAAuE;QACvE,MAAM,IAAI,GAAG,YAAY,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,CAAC,EAAE,OAAO,CAAC,CAAC;QACtF,MAAM,IAAI,GAAG,YAAY,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,CAAC,EAAE,OAAO,CAAC,CAAC;QACtF,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,IAAI,EAAE,kCAAkC,CAAC,CAAC;QAChE,aAAa,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,CAAC,EAAE,IAAI,CAAC,CAAC;QAEvE,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QAC/C,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,QAAQ,CAAC,IAAI,EAAE,EAAE,uDAAuD,CAAC,CAAC;IAChG,CAAC;YAAS,CAAC;QACT,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,IAAI,CAAC,sEAAsE,EAAE,GAAG,EAAE;IAChF,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,eAAe,EAAE,CAAC;IAC3C,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC;QAC/C,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;QAE5B,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,WAAW,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;QAChE,MAAM,OAAO,GAAG,QAAQ,CAAC,UAAU,CAAC,CAAC,IAAI,GAAG,KAAK,CAAC;QAClD,MAAM,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,EAAE,0BAA0B,CAAC,CAAC;QAEzD,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,GAAG,KAAK,CAAC;QAChE,MAAM,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,EAAE,uBAAuB,CAAC,CAAC;QAEtD,MAAM,UAAU,GAAG,QAAQ,CAAC,IAAI,CAAC,UAAU,EAAE,YAAY,CAAC,CAAC,CAAC,IAAI,GAAG,KAAK,CAAC;QACzE,MAAM,CAAC,KAAK,CAAC,UAAU,EAAE,KAAK,EAAE,0BAA0B,CAAC,CAAC;IAC9D,CAAC;YAAS,CAAC;QACT,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,IAAI,CAAC,kEAAkE,EAAE,GAAG,EAAE;IAC5E,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,eAAe,EAAE,CAAC;IAC3C,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QAC5C,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC,6CAA6C;QACxE,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,YAAY,EAAE,EAAE,IAAI,CAAC,CAAC;IAC3C,CAAC;YAAS,CAAC;QACT,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,IAAI,CAAC,oEAAoE,EAAE,GAAG,EAAE;IAC9E,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,eAAe,EAAE,CAAC;IAC3C,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QAC5C,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC,CAAC,YAAY;QACzC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,YAAY,EAAE,EAAE,KAAK,CAAC,CAAC;IAC5C,CAAC;YAAS,CAAC;QACT,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,IAAI,CAAC,4DAA4D,EAAE,GAAG,EAAE;IACtE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,eAAe,EAAE,CAAC;IAC3C,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QAC5C,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;QAC5B,KAAK,CAAC,KAAK,EAAE,CAAC;QACd,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,EAAE,IAAI,CAAC,CAAC;QACjC,kDAAkD;QAClD,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QAC5C,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;QAC9B,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,EAAE,WAAW,EAAE,IAAI,CAAC,CAAC;IAChD,CAAC;YAAS,CAAC;QACT,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC,CAAC,CAAC"}

package/payload/platform/plugins/outlook/mcp/dist/auth/pkce-flow.d.ts

@@ -0,0 +1,65 @@
+/**
+ * OAuth 2.0 Authorization Code + PKCE flow for Microsoft Identity Platform.
+ *
+ * Adapted from nsakki55/outlook-mcp@e49d8e68ac8d69db653c25803127dc3b98626cda
+ * (MIT). Adaptations:
+ *   - Ephemeral loopback port via `server.listen(0)` (upstream uses fixed
+ *     49152). The Entra app is registered with `http://localhost` (no port);
+ *     Microsoft Identity Platform treats native-app loopback redirects with
+ *     port-flexible matching.
+ *   - No `xdg-open` browser auto-launch; the auth URL is logged to stderr
+ *     and returned to the caller for the operator to open in the VNC browser.
+ *   - Tool handler awaits the full PKCE flow synchronously (5-min timeout)
+ *     instead of upstream's background-promise + immediate-error pattern.
+ */
+export interface PkceFlowConfig {
+    clientId: string;
+    tenantId: string;
+    accountId: string;
+}
+export interface TokenResponse {
+    access_token: string;
+    refresh_token?: string;
+    expires_in: number;
+    token_type: string;
+    scope?: string;
+}
+export interface PkceFlowResult {
+    tokenResponse: TokenResponse;
+    scopes: string[];
+}
+export interface PkceFlowStart {
+    authUrl: string;
+    redirectUri: string;
+    result: Promise<PkceFlowResult>;
+}
+/**
+ * Start the PKCE flow:
+ *   1. Generate code_verifier + code_challenge (S256) + state.
+ *   2. Bind a one-shot HTTP server on an ephemeral loopback port.
+ *   3. Build the authorize URL with the actual port; return it to the caller.
+ *   4. The returned `result` promise resolves when the callback arrives (or
+ *      rejects on state mismatch / OAuth error / timeout) and tokens are
+ *      exchanged.
+ *
+ * The caller (the outlook-account-register tool) prints the auth URL,
+ * returns it in the tool response, and awaits `result`.
+ */
+export declare function startPkceFlow(config: PkceFlowConfig): Promise<PkceFlowStart>;
+export declare function refreshAccessToken(args: {
+    clientId: string;
+    tenantId: string;
+    refreshToken: string;
+}): Promise<TokenResponse>;
+/**
+ * Constant-time equality on equal-length strings. Returns false (not throws)
+ * for length mismatch so the caller can branch without leaking length via
+ * timing. State comparison MUST go through this helper, not `!==`.
+ */
+declare function sameLengthEqual(a: string, b: string): boolean;
+export declare const _internals: {
+    SCOPES: string[];
+    sameLengthEqual: typeof sameLengthEqual;
+};
+export {};
+//# sourceMappingURL=pkce-flow.d.ts.map

package/payload/platform/plugins/outlook/mcp/dist/auth/pkce-flow.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pkce-flow.d.ts","sourceRoot":"","sources":["../../src/auth/pkce-flow.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AA8BH,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,aAAa;IAC5B,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,cAAc;IAC7B,aAAa,EAAE,aAAa,CAAC;IAC7B,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAED,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,OAAO,CAAC,cAAc,CAAC,CAAC;CACjC;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,aAAa,CAAC,MAAM,EAAE,cAAc,GAAG,OAAO,CAAC,aAAa,CAAC,CAsDlF;AAgJD,wBAAsB,kBAAkB,CAAC,IAAI,EAAE;IAC7C,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;CACtB,GAAG,OAAO,CAAC,aAAa,CAAC,CAmBzB;AAuBD;;;;GAIG;AACH,iBAAS,eAAe,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,OAAO,CAKtD;AAED,eAAO,MAAM,UAAU;;;CAA8B,CAAC"}