npm - @rubytech/create-maxy - Versions diffs - 1.0.763 → 1.0.765 - Mend

@rubytech/create-maxy 1.0.763 → 1.0.765

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (88) hide show

package/payload/platform/plugins/outlook/mcp/dist/__tests__/token-store.test.js ADDED Viewed

@@ -0,0 +1,130 @@
+import test from "node:test";
+import assert from "node:assert/strict";
+import { mkdtempSync, rmSync, statSync, writeFileSync, readFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { TokenStore } from "../auth/token-store.js";
+function makeAccountsDir() {
+    const dir = mkdtempSync(join(tmpdir(), "outlook-test-"));
+    return {
+        dir,
+        cleanup: () => rmSync(dir, { recursive: true, force: true }),
+    };
+}
+test("TokenStore round-trip preserves the blob", () => {
+    const { dir, cleanup } = makeAccountsDir();
+    try {
+        const store = new TokenStore("acct-A", dir);
+        store.store("access-1", "refresh-1", 3600, {
+            graphUserId: "user-1",
+            scopes: ["Mail.Read", "Calendars.Read"],
+        });
+        const fresh = new TokenStore("acct-A", dir);
+        const blob = fresh.read();
+        assert.ok(blob, "expected blob to exist after round-trip");
+        assert.equal(blob.accessToken, "access-1");
+        assert.equal(blob.refreshToken, "refresh-1");
+        assert.equal(blob.graphUserId, "user-1");
+        assert.deepEqual(blob.scopes, ["Mail.Read", "Calendars.Read"]);
+    }
+    finally {
+        cleanup();
+    }
+});
+test("TokenStore corrupt cipher fails loud", () => {
+    const { dir, cleanup } = makeAccountsDir();
+    try {
+        const store = new TokenStore("acct-X", dir);
+        store.store("access-X", "refresh-X", 3600);
+        // Tamper with the ciphertext on disk.
+        const tokensPath = join(dir, "acct-X", "secrets", "outlook", "tokens.enc");
+        writeFileSync(tokensPath, "garbage-not-a-cipher");
+        const fresh = new TokenStore("acct-X", dir);
+        assert.throws(() => fresh.read(), /token-decrypt-failed|bad decrypt|wrong final block length|invalid|wrong tag/i);
+    }
+    finally {
+        cleanup();
+    }
+});
+test("TokenStore per-account isolation — two stores never decrypt each other", () => {
+    const { dir, cleanup } = makeAccountsDir();
+    try {
+        const storeA = new TokenStore("acct-A", dir);
+        const storeB = new TokenStore("acct-B", dir);
+        storeA.store("access-A", "refresh-A", 3600, { graphUserId: "user-A", scopes: [] });
+        storeB.store("access-B", "refresh-B", 3600, { graphUserId: "user-B", scopes: [] });
+        // Read each independently.
+        const blobA = new TokenStore("acct-A", dir).read();
+        const blobB = new TokenStore("acct-B", dir).read();
+        assert.equal(blobA?.accessToken, "access-A");
+        assert.equal(blobB?.accessToken, "access-B");
+        assert.notEqual(blobA?.accessToken, blobB?.accessToken);
+        // Sentinel: swap the .key files between accounts. The store should now
+        // fail to decrypt — proves keys are genuinely per-account, not shared.
+        const keyA = readFileSync(join(dir, "acct-A", "secrets", "outlook", ".key"), "utf-8");
+        const keyB = readFileSync(join(dir, "acct-B", "secrets", "outlook", ".key"), "utf-8");
+        assert.notEqual(keyA, keyB, "keys must differ across accounts");
+        writeFileSync(join(dir, "acct-A", "secrets", "outlook", ".key"), keyB);
+        const tampered = new TokenStore("acct-A", dir);
+        assert.throws(() => tampered.read(), /bad decrypt|wrong final|invalid|token-decrypt-failed/i);
+    }
+    finally {
+        cleanup();
+    }
+});
+test("TokenStore directory permissions are 0700, file permissions are 0600", () => {
+    const { dir, cleanup } = makeAccountsDir();
+    try {
+        const store = new TokenStore("acct-mode", dir);
+        store.store("a", "r", 3600);
+        const secretsDir = join(dir, "acct-mode", "secrets", "outlook");
+        const dirMode = statSync(secretsDir).mode & 0o777;
+        assert.equal(dirMode, 0o700, "secrets dir must be 0700");
+        const keyMode = statSync(join(secretsDir, ".key")).mode & 0o777;
+        assert.equal(keyMode, 0o600, "key file must be 0600");
+        const tokensMode = statSync(join(secretsDir, "tokens.enc")).mode & 0o777;
+        assert.equal(tokensMode, 0o600, "tokens file must be 0600");
+    }
+    finally {
+        cleanup();
+    }
+});
+test("TokenStore.needsRefresh returns true within the threshold window", () => {
+    const { dir, cleanup } = makeAccountsDir();
+    try {
+        const store = new TokenStore("acct-r", dir);
+        store.store("a", "r", 60); // 60s expiry — well under the 300s threshold
+        assert.equal(store.needsRefresh(), true);
+    }
+    finally {
+        cleanup();
+    }
+});
+test("TokenStore.needsRefresh returns false outside the threshold window", () => {
+    const { dir, cleanup } = makeAccountsDir();
+    try {
+        const store = new TokenStore("acct-f", dir);
+        store.store("a", "r", 3600); // 1h expiry
+        assert.equal(store.needsRefresh(), false);
+    }
+    finally {
+        cleanup();
+    }
+});
+test("TokenStore.clear removes the token blob but leaves the key", () => {
+    const { dir, cleanup } = makeAccountsDir();
+    try {
+        const store = new TokenStore("acct-c", dir);
+        store.store("a", "r", 3600);
+        store.clear();
+        assert.equal(store.read(), null);
+        // Key file still present — re-register reuses it.
+        const fresh = new TokenStore("acct-c", dir);
+        fresh.store("a2", "r2", 3600);
+        assert.equal(fresh.read()?.accessToken, "a2");
+    }
+    finally {
+        cleanup();
+    }
+});
+//# sourceMappingURL=token-store.test.js.map

package/payload/platform/plugins/outlook/mcp/dist/__tests__/token-store.test.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"token-store.test.js","sourceRoot":"","sources":["../../src/__tests__/token-store.test.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,MAAM,MAAM,oBAAoB,CAAC;AACxC,OAAO,EAAE,WAAW,EAAE,MAAM,EAAE,QAAQ,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACrF,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACjC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AAEpD,SAAS,eAAe;IACtB,MAAM,GAAG,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,eAAe,CAAC,CAAC,CAAC;IACzD,OAAO;QACL,GAAG;QACH,OAAO,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;KAC7D,CAAC;AACJ,CAAC;AAED,IAAI,CAAC,0CAA0C,EAAE,GAAG,EAAE;IACpD,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,eAAe,EAAE,CAAC;IAC3C,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QAC5C,KAAK,CAAC,KAAK,CAAC,UAAU,EAAE,WAAW,EAAE,IAAI,EAAE;YACzC,WAAW,EAAE,QAAQ;YACrB,MAAM,EAAE,CAAC,WAAW,EAAE,gBAAgB,CAAC;SACxC,CAAC,CAAC;QAEH,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QAC5C,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;QAC1B,MAAM,CAAC,EAAE,CAAC,IAAI,EAAE,yCAAyC,CAAC,CAAC;QAC3D,MAAM,CAAC,KAAK,CAAC,IAAK,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;QAC5C,MAAM,CAAC,KAAK,CAAC,IAAK,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC;QAC9C,MAAM,CAAC,KAAK,CAAC,IAAK,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;QAC1C,MAAM,CAAC,SAAS,CAAC,IAAK,CAAC,MAAM,EAAE,CAAC,WAAW,EAAE,gBAAgB,CAAC,CAAC,CAAC;IAClE,CAAC;YAAS,CAAC;QACT,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,IAAI,CAAC,sCAAsC,EAAE,GAAG,EAAE;IAChD,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,eAAe,EAAE,CAAC;IAC3C,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QAC5C,KAAK,CAAC,KAAK,CAAC,UAAU,EAAE,WAAW,EAAE,IAAI,CAAC,CAAC;QAE3C,sCAAsC;QACtC,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,QAAQ,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,CAAC,CAAC;QAC3E,aAAa,CAAC,UAAU,EAAE,sBAAsB,CAAC,CAAC;QAElD,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QAC5C,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,IAAI,EAAE,EAAE,8EAA8E,CAAC,CAAC;IACpH,CAAC;YAAS,CAAC;QACT,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,IAAI,CAAC,wEAAwE,EAAE,GAAG,EAAE;IAClF,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,eAAe,EAAE,CAAC;IAC3C,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,UAAU,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QAC7C,MAAM,MAAM,GAAG,IAAI,UAAU,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QAC7C,MAAM,CAAC,KAAK,CAAC,UAAU,EAAE,WAAW,EAAE,IAAI,EAAE,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC,CAAC;QACnF,MAAM,CAAC,KAAK,CAAC,UAAU,EAAE,WAAW,EAAE,IAAI,EAAE,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC,CAAC;QAEnF,2BAA2B;QAC3B,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;QACnD,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;QACnD,MAAM,CAAC,KAAK,CAAC,KAAK,EAAE,WAAW,EAAE,UAAU,CAAC,CAAC;QAC7C,MAAM,CAAC,KAAK,CAAC,KAAK,EAAE,WAAW,EAAE,UAAU,CAAC,CAAC;QAC7C,MAAM,CAAC,QAAQ,CAAC,KAAK,EAAE,WAAW,EAAE,KAAK,EAAE,WAAW,CAAC,CAAC;QAExD,uEAAuE;QACvE,uEAAuE;QACvE,MAAM,IAAI,GAAG,YAAY,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,CAAC,EAAE,OAAO,CAAC,CAAC;QACtF,MAAM,IAAI,GAAG,YAAY,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,CAAC,EAAE,OAAO,CAAC,CAAC;QACtF,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,IAAI,EAAE,kCAAkC,CAAC,CAAC;QAChE,aAAa,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,CAAC,EAAE,IAAI,CAAC,CAAC;QAEvE,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QAC/C,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,QAAQ,CAAC,IAAI,EAAE,EAAE,uDAAuD,CAAC,CAAC;IAChG,CAAC;YAAS,CAAC;QACT,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,IAAI,CAAC,sEAAsE,EAAE,GAAG,EAAE;IAChF,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,eAAe,EAAE,CAAC;IAC3C,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC;QAC/C,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;QAE5B,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,WAAW,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;QAChE,MAAM,OAAO,GAAG,QAAQ,CAAC,UAAU,CAAC,CAAC,IAAI,GAAG,KAAK,CAAC;QAClD,MAAM,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,EAAE,0BAA0B,CAAC,CAAC;QAEzD,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,GAAG,KAAK,CAAC;QAChE,MAAM,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,EAAE,uBAAuB,CAAC,CAAC;QAEtD,MAAM,UAAU,GAAG,QAAQ,CAAC,IAAI,CAAC,UAAU,EAAE,YAAY,CAAC,CAAC,CAAC,IAAI,GAAG,KAAK,CAAC;QACzE,MAAM,CAAC,KAAK,CAAC,UAAU,EAAE,KAAK,EAAE,0BAA0B,CAAC,CAAC;IAC9D,CAAC;YAAS,CAAC;QACT,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,IAAI,CAAC,kEAAkE,EAAE,GAAG,EAAE;IAC5E,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,eAAe,EAAE,CAAC;IAC3C,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QAC5C,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC,6CAA6C;QACxE,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,YAAY,EAAE,EAAE,IAAI,CAAC,CAAC;IAC3C,CAAC;YAAS,CAAC;QACT,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,IAAI,CAAC,oEAAoE,EAAE,GAAG,EAAE;IAC9E,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,eAAe,EAAE,CAAC;IAC3C,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QAC5C,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC,CAAC,YAAY;QACzC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,YAAY,EAAE,EAAE,KAAK,CAAC,CAAC;IAC5C,CAAC;YAAS,CAAC;QACT,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,IAAI,CAAC,4DAA4D,EAAE,GAAG,EAAE;IACtE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,eAAe,EAAE,CAAC;IAC3C,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QAC5C,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;QAC5B,KAAK,CAAC,KAAK,EAAE,CAAC;QACd,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,EAAE,IAAI,CAAC,CAAC;QACjC,kDAAkD;QAClD,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QAC5C,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;QAC9B,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,EAAE,WAAW,EAAE,IAAI,CAAC,CAAC;IAChD,CAAC;YAAS,CAAC;QACT,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC,CAAC,CAAC"}

package/payload/platform/plugins/outlook/mcp/dist/auth/pkce-flow.d.ts ADDED Viewed

@@ -0,0 +1,65 @@
+/**
+ * OAuth 2.0 Authorization Code + PKCE flow for Microsoft Identity Platform.
+ *
+ * Adapted from nsakki55/outlook-mcp@e49d8e68ac8d69db653c25803127dc3b98626cda
+ * (MIT). Adaptations:
+ *   - Ephemeral loopback port via `server.listen(0)` (upstream uses fixed
+ *     49152). The Entra app is registered with `http://localhost` (no port);
+ *     Microsoft Identity Platform treats native-app loopback redirects with
+ *     port-flexible matching.
+ *   - No `xdg-open` browser auto-launch; the auth URL is logged to stderr
+ *     and returned to the caller for the operator to open in the VNC browser.
+ *   - Tool handler awaits the full PKCE flow synchronously (5-min timeout)
+ *     instead of upstream's background-promise + immediate-error pattern.
+ */
+export interface PkceFlowConfig {
+    clientId: string;
+    tenantId: string;
+    accountId: string;
+}
+export interface TokenResponse {
+    access_token: string;
+    refresh_token?: string;
+    expires_in: number;
+    token_type: string;
+    scope?: string;
+}
+export interface PkceFlowResult {
+    tokenResponse: TokenResponse;
+    scopes: string[];
+}
+export interface PkceFlowStart {
+    authUrl: string;
+    redirectUri: string;
+    result: Promise<PkceFlowResult>;
+}
+/**
+ * Start the PKCE flow:
+ *   1. Generate code_verifier + code_challenge (S256) + state.
+ *   2. Bind a one-shot HTTP server on an ephemeral loopback port.
+ *   3. Build the authorize URL with the actual port; return it to the caller.
+ *   4. The returned `result` promise resolves when the callback arrives (or
+ *      rejects on state mismatch / OAuth error / timeout) and tokens are
+ *      exchanged.
+ *
+ * The caller (the outlook-account-register tool) prints the auth URL,
+ * returns it in the tool response, and awaits `result`.
+ */
+export declare function startPkceFlow(config: PkceFlowConfig): Promise<PkceFlowStart>;
+export declare function refreshAccessToken(args: {
+    clientId: string;
+    tenantId: string;
+    refreshToken: string;
+}): Promise<TokenResponse>;
+/**
+ * Constant-time equality on equal-length strings. Returns false (not throws)
+ * for length mismatch so the caller can branch without leaking length via
+ * timing. State comparison MUST go through this helper, not `!==`.
+ */
+declare function sameLengthEqual(a: string, b: string): boolean;
+export declare const _internals: {
+    SCOPES: string[];
+    sameLengthEqual: typeof sameLengthEqual;
+};
+export {};
+//# sourceMappingURL=pkce-flow.d.ts.map

package/payload/platform/plugins/outlook/mcp/dist/auth/pkce-flow.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"pkce-flow.d.ts","sourceRoot":"","sources":["../../src/auth/pkce-flow.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AA8BH,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,aAAa;IAC5B,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,cAAc;IAC7B,aAAa,EAAE,aAAa,CAAC;IAC7B,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAED,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,OAAO,CAAC,cAAc,CAAC,CAAC;CACjC;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,aAAa,CAAC,MAAM,EAAE,cAAc,GAAG,OAAO,CAAC,aAAa,CAAC,CAsDlF;AAgJD,wBAAsB,kBAAkB,CAAC,IAAI,EAAE;IAC7C,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;CACtB,GAAG,OAAO,CAAC,aAAa,CAAC,CAmBzB;AAuBD;;;;GAIG;AACH,iBAAS,eAAe,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,OAAO,CAKtD;AAED,eAAO,MAAM,UAAU;;;CAA8B,CAAC"}

package/payload/platform/plugins/outlook/mcp/dist/auth/pkce-flow.js ADDED Viewed

@@ -0,0 +1,261 @@
+/**
+ * OAuth 2.0 Authorization Code + PKCE flow for Microsoft Identity Platform.
+ *
+ * Adapted from nsakki55/outlook-mcp@e49d8e68ac8d69db653c25803127dc3b98626cda
+ * (MIT). Adaptations:
+ *   - Ephemeral loopback port via `server.listen(0)` (upstream uses fixed
+ *     49152). The Entra app is registered with `http://localhost` (no port);
+ *     Microsoft Identity Platform treats native-app loopback redirects with
+ *     port-flexible matching.
+ *   - No `xdg-open` browser auto-launch; the auth URL is logged to stderr
+ *     and returned to the caller for the operator to open in the VNC browser.
+ *   - Tool handler awaits the full PKCE flow synchronously (5-min timeout)
+ *     instead of upstream's background-promise + immediate-error pattern.
+ */
+import { createHash, randomBytes, timingSafeEqual } from "node:crypto";
+import { createServer } from "node:http";
+import { URL } from "node:url";
+import { log, challengePrefix } from "../lib/log.js";
+const FLOW_TIMEOUT_MS = 5 * 60 * 1000; // 5 minutes
+const SCOPES = [
+    "offline_access",
+    "User.Read",
+    "Mail.Read",
+    "Calendars.Read",
+    "Contacts.Read",
+];
+function buildUrls(tenantId) {
+    const tenant = tenantId || "common";
+    return {
+        authorizeUrl: `https://login.microsoftonline.com/${tenant}/oauth2/v2.0/authorize`,
+        tokenUrl: `https://login.microsoftonline.com/${tenant}/oauth2/v2.0/token`,
+    };
+}
+/**
+ * Start the PKCE flow:
+ *   1. Generate code_verifier + code_challenge (S256) + state.
+ *   2. Bind a one-shot HTTP server on an ephemeral loopback port.
+ *   3. Build the authorize URL with the actual port; return it to the caller.
+ *   4. The returned `result` promise resolves when the callback arrives (or
+ *      rejects on state mismatch / OAuth error / timeout) and tokens are
+ *      exchanged.
+ *
+ * The caller (the outlook-account-register tool) prints the auth URL,
+ * returns it in the tool response, and awaits `result`.
+ */
+export async function startPkceFlow(config) {
+    const codeVerifier = randomBytes(32).toString("base64url");
+    const codeChallenge = createHash("sha256").update(codeVerifier).digest("base64url");
+    const state = randomBytes(16).toString("hex");
+    const bound = await bindCallbackServer(state);
+    const redirectUri = `http://localhost:${bound.port}/callback`;
+    const { authorizeUrl, tokenUrl } = buildUrls(config.tenantId);
+    const authUrl = new URL(authorizeUrl);
+    authUrl.searchParams.set("client_id", config.clientId);
+    authUrl.searchParams.set("response_type", "code");
+    authUrl.searchParams.set("redirect_uri", redirectUri);
+    authUrl.searchParams.set("scope", SCOPES.join(" "));
+    authUrl.searchParams.set("state", state);
+    authUrl.searchParams.set("code_challenge", codeChallenge);
+    authUrl.searchParams.set("code_challenge_method", "S256");
+    authUrl.searchParams.set("prompt", "select_account");
+    log({
+        event: "auth-init",
+        account: config.accountId,
+        codeChallenge: challengePrefix(codeChallenge),
+        redirectPath: `/callback (port ${bound.port})`,
+    });
+    const result = (async () => {
+        const startMs = Date.now();
+        try {
+            const code = await bound.codePromise;
+            log({
+                event: "auth-callback",
+                account: config.accountId,
+                elapsedMs: Date.now() - startMs,
+            });
+            const tokenResponse = await exchangeCode({
+                code,
+                codeVerifier,
+                redirectUri,
+                clientId: config.clientId,
+                tokenUrl,
+            });
+            const scopes = (tokenResponse.scope ?? SCOPES.join(" ")).split(/\s+/);
+            return { tokenResponse, scopes };
+        }
+        finally {
+            bound.close();
+        }
+    })();
+    return {
+        authUrl: authUrl.toString(),
+        redirectUri,
+        result,
+    };
+}
+function bindCallbackServer(expectedState) {
+    return new Promise((resolveBind, rejectBind) => {
+        let resolved = false;
+        let codeResolve = null;
+        let codeReject = null;
+        const codePromise = new Promise((resolve, reject) => {
+            codeResolve = resolve;
+            codeReject = reject;
+        });
+        let timer = null;
+        const server = createServer((req, res) => {
+            if (!req.url) {
+                res.writeHead(400);
+                res.end();
+                return;
+            }
+            const parsed = new URL(req.url, "http://localhost");
+            if (parsed.pathname !== "/callback") {
+                res.writeHead(404, { "Content-Type": "text/plain" });
+                res.end("not found");
+                return;
+            }
+            const code = parsed.searchParams.get("code");
+            const returnedState = parsed.searchParams.get("state");
+            const error = parsed.searchParams.get("error");
+            const errorDescription = parsed.searchParams.get("error_description");
+            // Reject Host header rebinding (RFC 6749 native-client guidance).
+            const host = req.headers.host ?? "";
+            if (!/^(localhost|127\.0\.0\.1)(:\d+)?$/.test(host)) {
+                respondHtml(res, 400, "Invalid host", "Loopback callback rejected non-localhost host header.");
+                finish();
+                codeReject?.(new Error(`Loopback callback received unexpected host header: ${host}`));
+                return;
+            }
+            if (error) {
+                respondHtml(res, 400, "Authentication error", `${error}: ${errorDescription ?? ""}`);
+                finish();
+                codeReject?.(new Error(`OAuth error: ${error} - ${errorDescription ?? ""}`));
+                return;
+            }
+            if (!returnedState || !sameLengthEqual(returnedState, expectedState)) {
+                respondHtml(res, 400, "State mismatch", "Authorization state did not match. Possible CSRF; retry register.");
+                finish();
+                codeReject?.(new Error("State mismatch — possible CSRF"));
+                return;
+            }
+            if (!code) {
+                respondHtml(res, 400, "No authorization code", "The authorization callback did not include a code.");
+                finish();
+                codeReject?.(new Error("No authorization code received"));
+                return;
+            }
+            respondHtml(res, 200, "Outlook authorized", "You may close this window. Return to admin chat to continue.");
+            finish();
+            codeResolve?.(code);
+        });
+        server.on("error", (err) => {
+            finish();
+            // If we never resolved bind, fail bind; otherwise fail the code wait.
+            if (!resolvedBind)
+                rejectBind(err);
+            codeReject?.(err);
+        });
+        let resolvedBind = false;
+        server.listen(0, "127.0.0.1", () => {
+            const address = server.address();
+            if (!address || typeof address !== "object") {
+                rejectBind(new Error("Loopback bind failed: address unavailable"));
+                return;
+            }
+            resolvedBind = true;
+            timer = setTimeout(() => {
+                finish();
+                codeReject?.(new Error("Authentication timeout (5 minutes)"));
+            }, FLOW_TIMEOUT_MS);
+            resolveBind({
+                port: address.port,
+                codePromise,
+                close: finish,
+            });
+        });
+        function finish() {
+            if (resolved)
+                return;
+            resolved = true;
+            if (timer)
+                clearTimeout(timer);
+            timer = null;
+            try {
+                server.close();
+            }
+            catch {
+                // best-effort
+            }
+        }
+    });
+}
+async function exchangeCode(args) {
+    const params = new URLSearchParams({
+        client_id: args.clientId,
+        scope: SCOPES.join(" "),
+        code: args.code,
+        redirect_uri: args.redirectUri,
+        grant_type: "authorization_code",
+        code_verifier: args.codeVerifier,
+    });
+    const response = await fetch(args.tokenUrl, {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: params.toString(),
+    });
+    if (!response.ok) {
+        const text = await response.text();
+        throw new Error(`Token exchange failed (${response.status}): ${text}`);
+    }
+    return (await response.json());
+}
+export async function refreshAccessToken(args) {
+    const { tokenUrl } = buildUrls(args.tenantId);
+    const params = new URLSearchParams({
+        client_id: args.clientId,
+        scope: SCOPES.join(" "),
+        refresh_token: args.refreshToken,
+        grant_type: "refresh_token",
+    });
+    const response = await fetch(tokenUrl, {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: params.toString(),
+    });
+    if (!response.ok) {
+        const text = await response.text();
+        throw new Error(`Token refresh failed (${response.status}): ${text}`);
+    }
+    return (await response.json());
+}
+function respondHtml(res, status, title, message) {
+    const color = status === 200 ? "#107c10" : "#d83b01";
+    const body = `<!DOCTYPE html>
+<html lang="en"><head><meta charset="UTF-8"><title>${title}</title>
+<style>
+body{font-family:'Segoe UI',sans-serif;text-align:center;padding:60px;background:#f3f2f1;}
+.card{background:white;border-radius:8px;padding:40px;max-width:480px;margin:0 auto;
+  box-shadow:0 2px 8px rgba(0,0,0,0.1);}
+h1{color:${color};margin:0 0 16px;}
+p{color:#605e5c;margin:0;line-height:1.5;}
+</style></head>
+<body><div class="card"><h1>${title}</h1><p>${message}</p></div></body></html>`;
+    res.writeHead(status, { "Content-Type": "text/html; charset=utf-8" });
+    res.end(body);
+}
+/**
+ * Constant-time equality on equal-length strings. Returns false (not throws)
+ * for length mismatch so the caller can branch without leaking length via
+ * timing. State comparison MUST go through this helper, not `!==`.
+ */
+function sameLengthEqual(a, b) {
+    if (a.length !== b.length)
+        return false;
+    const aBuf = Buffer.from(a, "utf8");
+    const bBuf = Buffer.from(b, "utf8");
+    return timingSafeEqual(aBuf, bBuf);
+}
+export const _internals = { SCOPES, sameLengthEqual };
+//# sourceMappingURL=pkce-flow.js.map

package/payload/platform/plugins/outlook/mcp/dist/auth/pkce-flow.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"pkce-flow.js","sourceRoot":"","sources":["../../src/auth/pkce-flow.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AACvE,OAAO,EAAE,YAAY,EAAe,MAAM,WAAW,CAAC;AAEtD,OAAO,EAAE,GAAG,EAAE,MAAM,UAAU,CAAC;AAC/B,OAAO,EAAE,GAAG,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAErD,MAAM,eAAe,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,YAAY;AACnD,MAAM,MAAM,GAAG;IACb,gBAAgB;IAChB,WAAW;IACX,WAAW;IACX,gBAAgB;IAChB,eAAe;CAChB,CAAC;AAOF,SAAS,SAAS,CAAC,QAAgB;IACjC,MAAM,MAAM,GAAG,QAAQ,IAAI,QAAQ,CAAC;IACpC,OAAO;QACL,YAAY,EAAE,qCAAqC,MAAM,wBAAwB;QACjF,QAAQ,EAAE,qCAAqC,MAAM,oBAAoB;KAC1E,CAAC;AACJ,CAAC;AA2BD;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,MAAsB;IACxD,MAAM,YAAY,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAC3D,MAAM,aAAa,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IACpF,MAAM,KAAK,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAE9C,MAAM,KAAK,GAAG,MAAM,kBAAkB,CAAC,KAAK,CAAC,CAAC;IAC9C,MAAM,WAAW,GAAG,oBAAoB,KAAK,CAAC,IAAI,WAAW,CAAC;IAC9D,MAAM,EAAE,YAAY,EAAE,QAAQ,EAAE,GAAG,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAE9D,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,CAAC;IACtC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IACvD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;IAClD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;IACtD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IACpD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IACzC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,gBAAgB,EAAE,aAAa,CAAC,CAAC;IAC1D,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC;IAC1D,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,EAAE,gBAAgB,CAAC,CAAC;IAErD,GAAG,CAAC;QACF,KAAK,EAAE,WAAW;QAClB,OAAO,EAAE,MAAM,CAAC,SAAS;QACzB,aAAa,EAAE,eAAe,CAAC,aAAa,CAAC;QAC7C,YAAY,EAAE,mBAAmB,KAAK,CAAC,IAAI,GAAG;KAC/C,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG,CAAC,KAAK,IAAI,EAAE;QACzB,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC3B,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,WAAW,CAAC;YACrC,GAAG,CAAC;gBACF,KAAK,EAAE,eAAe;gBACtB,OAAO,EAAE,MAAM,CAAC,SAAS;gBACzB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO;aAChC,CAAC,CAAC;YACH,MAAM,aAAa,GAAG,MAAM,YAAY,CAAC;gBACvC,IAAI;gBACJ,YAAY;gBACZ,WAAW;gBACX,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,QAAQ;aACT,CAAC,CAAC;YACH,MAAM,MAAM,GAAG,CAAC,aAAa,CAAC,KAAK,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;YACtE,OAAO,EAAE,aAAa,EAAE,MAAM,EAAE,CAAC;QACnC,CAAC;gBAAS,CAAC;YACT,KAAK,CAAC,KAAK,EAAE,CAAC;QAChB,CAAC;IACH,CAAC,CAAC,EAAE,CAAC;IAEL,OAAO;QACL,OAAO,EAAE,OAAO,CAAC,QAAQ,EAAE;QAC3B,WAAW;QACX,MAAM;KACP,CAAC;AACJ,CAAC;AAQD,SAAS,kBAAkB,CAAC,aAAqB;IAC/C,OAAO,IAAI,OAAO,CAAC,CAAC,WAAW,EAAE,UAAU,EAAE,EAAE;QAC7C,IAAI,QAAQ,GAAG,KAAK,CAAC;QACrB,IAAI,WAAW,GAAqC,IAAI,CAAC;QACzD,IAAI,UAAU,GAAqC,IAAI,CAAC;QACxD,MAAM,WAAW,GAAG,IAAI,OAAO,CAAS,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YAC1D,WAAW,GAAG,OAAO,CAAC;YACtB,UAAU,GAAG,MAAM,CAAC;QACtB,CAAC,CAAC,CAAC;QAEH,IAAI,KAAK,GAA0B,IAAI,CAAC;QAExC,MAAM,MAAM,GAAW,YAAY,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;YAC/C,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC;gBACb,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;gBACnB,GAAG,CAAC,GAAG,EAAE,CAAC;gBACV,OAAO;YACT,CAAC;YACD,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,kBAAkB,CAAC,CAAC;YACpD,IAAI,MAAM,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;gBACpC,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,YAAY,EAAE,CAAC,CAAC;gBACrD,GAAG,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;gBACrB,OAAO;YACT,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YAC7C,MAAM,aAAa,GAAG,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YACvD,MAAM,KAAK,GAAG,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YAC/C,MAAM,gBAAgB,GAAG,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;YAEtE,kEAAkE;YAClE,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI,EAAE,CAAC;YACpC,IAAI,CAAC,mCAAmC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACpD,WAAW,CAAC,GAAG,EAAE,GAAG,EAAE,cAAc,EAAE,uDAAuD,CAAC,CAAC;gBAC/F,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC,IAAI,KAAK,CAAC,sDAAsD,IAAI,EAAE,CAAC,CAAC,CAAC;gBACtF,OAAO;YACT,CAAC;YAED,IAAI,KAAK,EAAE,CAAC;gBACV,WAAW,CAAC,GAAG,EAAE,GAAG,EAAE,sBAAsB,EAAE,GAAG,KAAK,KAAK,gBAAgB,IAAI,EAAE,EAAE,CAAC,CAAC;gBACrF,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC,IAAI,KAAK,CAAC,gBAAgB,KAAK,MAAM,gBAAgB,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC;gBAC7E,OAAO;YACT,CAAC;YAED,IAAI,CAAC,aAAa,IAAI,CAAC,eAAe,CAAC,aAAa,EAAE,aAAa,CAAC,EAAE,CAAC;gBACrE,WAAW,CAAC,GAAG,EAAE,GAAG,EAAE,gBAAgB,EAAE,mEAAmE,CAAC,CAAC;gBAC7G,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC,CAAC;gBAC1D,OAAO;YACT,CAAC;YAED,IAAI,CAAC,IAAI,EAAE,CAAC;gBACV,WAAW,CAAC,GAAG,EAAE,GAAG,EAAE,uBAAuB,EAAE,oDAAoD,CAAC,CAAC;gBACrG,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC,CAAC;gBAC1D,OAAO;YACT,CAAC;YAED,WAAW,CAAC,GAAG,EAAE,GAAG,EAAE,oBAAoB,EAAE,8DAA8D,CAAC,CAAC;YAC5G,MAAM,EAAE,CAAC;YACT,WAAW,EAAE,CAAC,IAAI,CAAC,CAAC;QACtB,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACzB,MAAM,EAAE,CAAC;YACT,sEAAsE;YACtE,IAAI,CAAC,YAAY;gBAAE,UAAU,CAAC,GAAG,CAAC,CAAC;YACnC,UAAU,EAAE,CAAC,GAAG,CAAC,CAAC;QACpB,CAAC,CAAC,CAAC;QAEH,IAAI,YAAY,GAAG,KAAK,CAAC;QACzB,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE;YACjC,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,EAAwB,CAAC;YACvD,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;gBAC5C,UAAU,CAAC,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC,CAAC;gBACnE,OAAO;YACT,CAAC;YACD,YAAY,GAAG,IAAI,CAAC;YACpB,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;gBACtB,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC,CAAC;YAChE,CAAC,EAAE,eAAe,CAAC,CAAC;YACpB,WAAW,CAAC;gBACV,IAAI,EAAE,OAAO,CAAC,IAAI;gBAClB,WAAW;gBACX,KAAK,EAAE,MAAM;aACd,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,SAAS,MAAM;YACb,IAAI,QAAQ;gBAAE,OAAO;YACrB,QAAQ,GAAG,IAAI,CAAC;YAChB,IAAI,KAAK;gBAAE,YAAY,CAAC,KAAK,CAAC,CAAC;YAC/B,KAAK,GAAG,IAAI,CAAC;YACb,IAAI,CAAC;gBACH,MAAM,CAAC,KAAK,EAAE,CAAC;YACjB,CAAC;YAAC,MAAM,CAAC;gBACP,cAAc;YAChB,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAUD,KAAK,UAAU,YAAY,CAAC,IAAkB;IAC5C,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;QACjC,SAAS,EAAE,IAAI,CAAC,QAAQ;QACxB,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;QACvB,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,YAAY,EAAE,IAAI,CAAC,WAAW;QAC9B,UAAU,EAAE,oBAAoB;QAChC,aAAa,EAAE,IAAI,CAAC,YAAY;KACjC,CAAC,CAAC;IAEH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,QAAQ,EAAE;QAC1C,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;QAChE,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE;KACxB,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,0BAA0B,QAAQ,CAAC,MAAM,MAAM,IAAI,EAAE,CAAC,CAAC;IACzE,CAAC;IACD,OAAO,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAkB,CAAC;AAClD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,IAIxC;IACC,MAAM,EAAE,QAAQ,EAAE,GAAG,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC9C,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;QACjC,SAAS,EAAE,IAAI,CAAC,QAAQ;QACxB,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;QACvB,aAAa,EAAE,IAAI,CAAC,YAAY;QAChC,UAAU,EAAE,eAAe;KAC5B,CAAC,CAAC;IAEH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,QAAQ,EAAE;QACrC,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;QAChE,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE;KACxB,CAAC,CAAC;IACH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,yBAAyB,QAAQ,CAAC,MAAM,MAAM,IAAI,EAAE,CAAC,CAAC;IACxE,CAAC;IACD,OAAO,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAkB,CAAC;AAClD,CAAC;AAED,SAAS,WAAW,CAClB,GAAuC,EACvC,MAAc,EACd,KAAa,EACb,OAAe;IAEf,MAAM,KAAK,GAAG,MAAM,KAAK,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;IACrD,MAAM,IAAI,GAAG;qDACsC,KAAK;;;;;WAK/C,KAAK;;;8BAGc,KAAK,WAAW,OAAO,0BAA0B,CAAC;IAC9E,GAAG,CAAC,SAAS,CAAC,MAAM,EAAE,EAAE,cAAc,EAAE,0BAA0B,EAAE,CAAC,CAAC;IACtE,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;AAChB,CAAC;AAED;;;;GAIG;AACH,SAAS,eAAe,CAAC,CAAS,EAAE,CAAS;IAC3C,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IACxC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;IACpC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;IACpC,OAAO,eAAe,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;AACrC,CAAC;AAED,MAAM,CAAC,MAAM,UAAU,GAAG,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC"}

package/payload/platform/plugins/outlook/mcp/dist/auth/token-store.d.ts ADDED Viewed

@@ -0,0 +1,61 @@
+/**
+ * Per-account encrypted token store for Outlook OAuth credentials.
+ *
+ * Adapted from nsakki55/outlook-mcp@e49d8e68ac8d69db653c25803127dc3b98626cda
+ * (MIT). Adaptations:
+ *   - Per-account paths under {ACCOUNTS_DIR}/{accountId}/secrets/outlook/
+ *   - keytar fallback removed (Pi runs headless, no Secret Service)
+ *   - node-persist removed; single JSON blob written atomically (temp + rename)
+ *
+ *   tokens.enc      AES-256-CBC ciphertext "<iv-hex>:<cipher-hex>" of the JSON blob
+ *   .key            32 random bytes, base64, mode 0600 (the AES key)
+ *
+ * The JSON blob shape is {accessToken, refreshToken, accessTokenExpiry,
+ * refreshTokenExpiry, lastRefresh, graphUserId, scopes}.
+ *
+ * Rationale: per CLAUDE.md doctrine, account scope is absolute. Each account
+ * holds its own AES key — compromising account A's keyfile cannot decrypt
+ * account B's tokens.
+ */
+export interface TokenBlob {
+    accessToken: string;
+    refreshToken: string | null;
+    accessTokenExpiry: number;
+    refreshTokenExpiry: number;
+    lastRefresh: number;
+    graphUserId: string | null;
+    scopes: string[];
+}
+export declare class TokenStore {
+    readonly accountId: string;
+    private cachedBlob;
+    private encryptionKey;
+    private readonly secretsDir;
+    private readonly tokensPath;
+    private readonly keyPath;
+    constructor(accountId: string, accountsDir: string);
+    /** Load (or create) the AES key. Idempotent and TOCTOU-safe via wx flag. */
+    private loadKey;
+    private encrypt;
+    private decrypt;
+    /** Atomic write — temp + rename. Either old or new tokens, never partial. */
+    private writeBlob;
+    /** Read and decrypt the blob from disk; cached after first read. */
+    read(): TokenBlob | null;
+    store(accessToken: string, refreshToken: string | null, expiresInSeconds: number, extras?: {
+        graphUserId?: string | null;
+        scopes?: string[];
+    }): TokenBlob;
+    private tryReadSilent;
+    /**
+     * Whether the access token is within the refresh threshold of expiry. Caller
+     * should refresh before next Graph call when this is true.
+     */
+    needsRefresh(): boolean;
+    hasTokens(): boolean;
+    refreshTokenExpired(): boolean;
+    clear(): void;
+}
+/** Exported for tests + the mailbox-info tool. */
+export declare const refreshThresholdMs: number;
+//# sourceMappingURL=token-store.d.ts.map

package/payload/platform/plugins/outlook/mcp/dist/auth/token-store.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"token-store.d.ts","sourceRoot":"","sources":["../../src/auth/token-store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAkBH,MAAM,WAAW,SAAS;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,kBAAkB,EAAE,MAAM,CAAC;IAC3B,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAED,qBAAa,UAAU;aAQH,SAAS,EAAE,MAAM;IAPnC,OAAO,CAAC,UAAU,CAA0B;IAC5C,OAAO,CAAC,aAAa,CAAuB;IAC5C,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;gBAGf,SAAS,EAAE,MAAM,EACjC,WAAW,EAAE,MAAM;IAOrB,4EAA4E;IAC5E,OAAO,CAAC,OAAO;IAuCf,OAAO,CAAC,OAAO;IASf,OAAO,CAAC,OAAO;IAaf,6EAA6E;IAC7E,OAAO,CAAC,SAAS;IASjB,oEAAoE;IACpE,IAAI,IAAI,SAAS,GAAG,IAAI;IAWxB,KAAK,CACH,WAAW,EAAE,MAAM,EACnB,YAAY,EAAE,MAAM,GAAG,IAAI,EAC3B,gBAAgB,EAAE,MAAM,EACxB,MAAM,GAAE;QAAE,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;KAAO,GAC9D,SAAS;IAkBZ,OAAO,CAAC,aAAa;IAQrB;;;OAGG;IACH,YAAY,IAAI,OAAO;IAMvB,SAAS,IAAI,OAAO;IAIpB,mBAAmB,IAAI,OAAO;IAM9B,KAAK,IAAI,IAAI;CAId;AAED,kDAAkD;AAClD,eAAO,MAAM,kBAAkB,QAAuB,CAAC"}