@slates/oauth-microsoft 1.0.0-rc.1 → 1.0.0-rc.3

package/README.md

@@ -1,3 +1,3 @@
 # @slates/oauth-microsoft
 
-Shared helpers for Microsoft OAuth flows in Slates.
+Shared helpers for Microsoft OAuth and Graph flows in Slates.

package/dist/index.cjs

@@ -20,12 +20,66 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
+  MICROSOFT_GRAPH_BASE: () => MICROSOFT_GRAPH_BASE,
+  MICROSOFT_LOGIN_BASE: () => MICROSOFT_LOGIN_BASE,
   MICROSOFT_OAUTH_INTEGRATION_KEYS: () => MICROSOFT_OAUTH_INTEGRATION_KEYS,
+  buildMicrosoftGraphUploadBody: () => buildMicrosoftGraphUploadBody,
+  createMicrosoftGraphOauth: () => createMicrosoftGraphOauth,
+  mapAzureDevOpsScopes: () => mapAzureDevOpsScopes,
   normalizeMicrosoftRedirectUri: () => normalizeMicrosoftRedirectUri,
   normalizeMicrosoftRedirectUriForIntegration: () => normalizeMicrosoftRedirectUriForIntegration,
+  resolveMicrosoftTenant: () => resolveMicrosoftTenant,
   usesMicrosoftOAuth: () => usesMicrosoftOAuth
 });
 module.exports = __toCommonJS(index_exports);
+var import_slates = require("slates");
+var MICROSOFT_LOGIN_BASE = "https://login.microsoftonline.com";
+var MICROSOFT_GRAPH_BASE = "https://graph.microsoft.com/v1.0";
+var AZURE_DEVOPS_RESOURCE = "499b84ac-1321-427f-aa17-267ca6975798";
+var SECONDS_TO_MS = 1e3;
+var MICROSOFT_GRAPH_TEXT_LIKE_FILE_EXTENSIONS = /* @__PURE__ */ new Set([
+  ".txt",
+  ".md",
+  ".csv",
+  ".json",
+  ".xml",
+  ".html",
+  ".htm",
+  ".js",
+  ".jsx",
+  ".ts",
+  ".tsx",
+  ".css",
+  ".svg",
+  ".yaml",
+  ".yml"
+]);
+var MICROSOFT_GRAPH_BASE64_PATTERN = /^[A-Za-z0-9+/]+={0,2}$/;
+var getMicrosoftTokenOutput = (data, currentRefreshToken) => ({
+  token: data.access_token,
+  refreshToken: data.refresh_token ?? currentRefreshToken,
+  expiresAt: data.expires_in ? new Date(Date.now() + data.expires_in * SECONDS_TO_MS).toISOString() : void 0
+});
+var hasTextLikeFileExtension = (fileName) => {
+  let dotIndex = fileName.lastIndexOf(".");
+  return dotIndex >= 0 && MICROSOFT_GRAPH_TEXT_LIKE_FILE_EXTENSIONS.has(fileName.slice(dotIndex).toLowerCase());
+};
+var isTextLikeContentType = (contentType) => {
+  if (!contentType) {
+    return false;
+  }
+  let normalized = contentType.toLowerCase();
+  if (normalized.includes("openxmlformats-officedocument")) {
+    return false;
+  }
+  return normalized.startsWith("text/") || ["json", "xml", "javascript", "typescript", "svg", "x-www-form-urlencoded"].some(
+    (fragment) => normalized.includes(fragment)
+  );
+};
+var looksLikeBase64 = (content) => {
+  let normalized = content.replace(/\s+/g, "");
+  return !!normalized && normalized.length % 4 === 0 && MICROSOFT_GRAPH_BASE64_PATTERN.test(normalized);
+};
 var MICROSOFT_OAUTH_INTEGRATION_KEYS = /* @__PURE__ */ new Set([
   "azure-blob-storage",
   "azure-devops",
@@ -52,10 +106,147 @@ var normalizeMicrosoftRedirectUri = (redirectUri) => {
   return url.toString();
 };
 var normalizeMicrosoftRedirectUriForIntegration = (integration, redirectUri) => usesMicrosoftOAuth(integration) ? normalizeMicrosoftRedirectUri(redirectUri) : redirectUri;
+var resolveMicrosoftTenant = (tenantId, defaultTenant) => {
+  if (typeof tenantId !== "string") {
+    return defaultTenant;
+  }
+  let normalizedTenant = tenantId.trim();
+  return normalizedTenant || defaultTenant;
+};
+var mapAzureDevOpsScopes = (scopes) => scopes.map((scope) => `${AZURE_DEVOPS_RESOURCE}/${scope}`);
+var buildMicrosoftGraphUploadBody = (fileName, content, contentType) => {
+  if (isTextLikeContentType(contentType) || hasTextLikeFileExtension(fileName) || !looksLikeBase64(content)) {
+    return content;
+  }
+  return Buffer.from(content.replace(/\s+/g, ""), "base64");
+};
+var defaultGraphProfile = {
+  baseURL: MICROSOFT_GRAPH_BASE,
+  path: "/me",
+  mapProfile: (data) => {
+    let user = data ?? {};
+    return {
+      id: user.id,
+      email: user.mail || user.userPrincipalName,
+      name: user.displayName
+    };
+  }
+};
+var tokenClientCache = /* @__PURE__ */ new Map();
+var getCachedTokenClient = (resolvedTenant) => {
+  let cached = tokenClientCache.get(resolvedTenant);
+  if (cached) return cached;
+  let client = (0, import_slates.createAxios)({
+    baseURL: `${MICROSOFT_LOGIN_BASE}/${resolvedTenant}/oauth2/v2.0`
+  });
+  tokenClientCache.set(resolvedTenant, client);
+  return client;
+};
+var createMicrosoftGraphOauth = ({
+  name,
+  key,
+  tenant,
+  scopes,
+  allowTenantInput = false,
+  missingRefreshTokenMessage = "No refresh token available. Ensure offline_access scope is requested.",
+  normalizeRedirectUri: shouldNormalizeRedirectUri = false,
+  scopeMapper,
+  extraScopes,
+  onMissingRefreshToken = "throw",
+  profile = defaultGraphProfile
+}) => {
+  let profileAxios = (0, import_slates.createAxios)({ baseURL: profile.baseURL });
+  let getTenant = (ctx) => allowTenantInput ? resolveMicrosoftTenant(ctx.input?.tenantId, tenant) : tenant;
+  let getRedirectUri = (redirectUri) => shouldNormalizeRedirectUri ? normalizeMicrosoftRedirectUri(redirectUri) : redirectUri;
+  let buildScopeParam = (rawScopes) => {
+    let mapped = scopeMapper ? scopeMapper(rawScopes) : rawScopes;
+    return extraScopes ? [...mapped, ...extraScopes].join(" ") : mapped.join(" ");
+  };
+  return {
+    type: "auth.oauth",
+    name,
+    key,
+    scopes,
+    getAuthorizationUrl: async (ctx) => {
+      let resolvedTenant = getTenant(ctx);
+      let params = new URLSearchParams({
+        client_id: ctx.clientId,
+        response_type: "code",
+        redirect_uri: getRedirectUri(ctx.redirectUri),
+        scope: buildScopeParam(ctx.scopes),
+        state: ctx.state,
+        response_mode: "query"
+      });
+      return {
+        url: `${MICROSOFT_LOGIN_BASE}/${resolvedTenant}/oauth2/v2.0/authorize?${params.toString()}`
+      };
+    },
+    handleCallback: async (ctx) => {
+      let tokenClient = getCachedTokenClient(getTenant(ctx));
+      let response = await tokenClient.post(
+        "/token",
+        new URLSearchParams({
+          client_id: ctx.clientId,
+          client_secret: ctx.clientSecret,
+          code: ctx.code,
+          redirect_uri: getRedirectUri(ctx.redirectUri),
+          grant_type: "authorization_code",
+          scope: buildScopeParam(ctx.scopes)
+        }).toString(),
+        {
+          headers: { "Content-Type": "application/x-www-form-urlencoded" }
+        }
+      );
+      return {
+        output: getMicrosoftTokenOutput(response.data)
+      };
+    },
+    handleTokenRefresh: async (ctx) => {
+      if (!ctx.output.refreshToken) {
+        if (onMissingRefreshToken === "preserve") {
+          return { output: ctx.output };
+        }
+        throw new Error(missingRefreshTokenMessage);
+      }
+      let tokenClient = getCachedTokenClient(getTenant(ctx));
+      let response = await tokenClient.post(
+        "/token",
+        new URLSearchParams({
+          client_id: ctx.clientId,
+          client_secret: ctx.clientSecret,
+          refresh_token: ctx.output.refreshToken,
+          grant_type: "refresh_token",
+          scope: buildScopeParam(ctx.scopes)
+        }).toString(),
+        {
+          headers: { "Content-Type": "application/x-www-form-urlencoded" }
+        }
+      );
+      return {
+        output: getMicrosoftTokenOutput(
+          response.data,
+          ctx.output.refreshToken
+        )
+      };
+    },
+    getProfile: async (ctx) => {
+      let response = await profileAxios.get(profile.path, {
+        headers: { Authorization: `Bearer ${ctx.output.token}` }
+      });
+      return { profile: profile.mapProfile(response.data) };
+    }
+  };
+};
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  MICROSOFT_GRAPH_BASE,
+  MICROSOFT_LOGIN_BASE,
   MICROSOFT_OAUTH_INTEGRATION_KEYS,
+  buildMicrosoftGraphUploadBody,
+  createMicrosoftGraphOauth,
+  mapAzureDevOpsScopes,
   normalizeMicrosoftRedirectUri,
   normalizeMicrosoftRedirectUriForIntegration,
+  resolveMicrosoftTenant,
   usesMicrosoftOAuth
 });

package/dist/index.d.cts

@@ -1,6 +1,100 @@
+declare let MICROSOFT_LOGIN_BASE: string;
+declare let MICROSOFT_GRAPH_BASE: string;
+type MicrosoftOauthScope = {
+    title: string;
+    description: string;
+    scope: string;
+    defaultChecked?: boolean;
+};
+type MicrosoftGraphProfile = {
+    id?: string;
+    email?: string;
+    name?: string;
+    imageUrl?: string;
+};
+type MicrosoftGraphProfileOptions = {
+    baseURL: string;
+    path: string;
+    mapProfile: (data: unknown) => MicrosoftGraphProfile;
+};
+type MicrosoftGraphOauthOptions = {
+    name: string;
+    key: string;
+    tenant: string;
+    scopes: MicrosoftOauthScope[];
+    allowTenantInput?: boolean;
+    missingRefreshTokenMessage?: string;
+    /** Normalize loopback redirect URIs for Microsoft app registration compatibility. */
+    normalizeRedirectUri?: boolean;
+    /** Transforms the raw scope list before it is sent to the token endpoint. */
+    scopeMapper?: (scopes: string[]) => string[];
+    /** Scopes appended after mapping (e.g. `offline_access` for Azure DevOps). */
+    extraScopes?: string[];
+    /** When no refresh token is stored, throw (default) or preserve the existing output. */
+    onMissingRefreshToken?: 'throw' | 'preserve';
+    /** Custom profile endpoint. Defaults to Microsoft Graph `/me`. */
+    profile?: MicrosoftGraphProfileOptions;
+};
+type MicrosoftGraphOauthInput = {
+    tenantId?: unknown;
+};
+type MicrosoftGraphAuthorizationUrlContext = {
+    clientId: string;
+    clientSecret: string;
+    redirectUri: string;
+    scopes: string[];
+    state: string;
+    input?: MicrosoftGraphOauthInput;
+};
+type MicrosoftGraphCallbackContext = {
+    clientId: string;
+    clientSecret: string;
+    redirectUri: string;
+    scopes: string[];
+    code: string;
+    input?: MicrosoftGraphOauthInput;
+};
+type MicrosoftGraphOauthOutput = {
+    token: string;
+    refreshToken?: string;
+    expiresAt?: string;
+};
+type MicrosoftGraphTokenRefreshContext = {
+    clientId: string;
+    clientSecret: string;
+    scopes: string[];
+    input?: MicrosoftGraphOauthInput;
+    output: MicrosoftGraphOauthOutput;
+};
+type MicrosoftGraphProfileContext = {
+    output: {
+        token: string;
+    };
+};
 declare let MICROSOFT_OAUTH_INTEGRATION_KEYS: Set<string>;
 declare let usesMicrosoftOAuth: (integration: string) => boolean;
 declare let normalizeMicrosoftRedirectUri: (redirectUri: string) => string;
 declare let normalizeMicrosoftRedirectUriForIntegration: (integration: string, redirectUri: string) => string;
+declare let resolveMicrosoftTenant: (tenantId: unknown, defaultTenant: string) => string;
+declare let mapAzureDevOpsScopes: (scopes: string[]) => string[];
+declare let buildMicrosoftGraphUploadBody: (fileName: string, content: string, contentType?: string) => string | Buffer<ArrayBuffer>;
+declare let createMicrosoftGraphOauth: ({ name, key, tenant, scopes, allowTenantInput, missingRefreshTokenMessage, normalizeRedirectUri: shouldNormalizeRedirectUri, scopeMapper, extraScopes, onMissingRefreshToken, profile }: MicrosoftGraphOauthOptions) => {
+    type: "auth.oauth";
+    name: string;
+    key: string;
+    scopes: MicrosoftOauthScope[];
+    getAuthorizationUrl: (ctx: MicrosoftGraphAuthorizationUrlContext) => Promise<{
+        url: string;
+    }>;
+    handleCallback: (ctx: MicrosoftGraphCallbackContext) => Promise<{
+        output: MicrosoftGraphOauthOutput;
+    }>;
+    handleTokenRefresh: (ctx: MicrosoftGraphTokenRefreshContext) => Promise<{
+        output: MicrosoftGraphOauthOutput;
+    }>;
+    getProfile: (ctx: MicrosoftGraphProfileContext) => Promise<{
+        profile: MicrosoftGraphProfile;
+    }>;
+};
 
-export { MICROSOFT_OAUTH_INTEGRATION_KEYS, normalizeMicrosoftRedirectUri, normalizeMicrosoftRedirectUriForIntegration, usesMicrosoftOAuth };
+export { MICROSOFT_GRAPH_BASE, MICROSOFT_LOGIN_BASE, MICROSOFT_OAUTH_INTEGRATION_KEYS, type MicrosoftGraphAuthorizationUrlContext, type MicrosoftGraphCallbackContext, type MicrosoftGraphOauthInput, type MicrosoftGraphOauthOptions, type MicrosoftGraphOauthOutput, type MicrosoftGraphProfile, type MicrosoftGraphProfileContext, type MicrosoftGraphProfileOptions, type MicrosoftGraphTokenRefreshContext, type MicrosoftOauthScope, buildMicrosoftGraphUploadBody, createMicrosoftGraphOauth, mapAzureDevOpsScopes, normalizeMicrosoftRedirectUri, normalizeMicrosoftRedirectUriForIntegration, resolveMicrosoftTenant, usesMicrosoftOAuth };

package/dist/index.d.ts

@@ -1,6 +1,100 @@
+declare let MICROSOFT_LOGIN_BASE: string;
+declare let MICROSOFT_GRAPH_BASE: string;
+type MicrosoftOauthScope = {
+    title: string;
+    description: string;
+    scope: string;
+    defaultChecked?: boolean;
+};
+type MicrosoftGraphProfile = {
+    id?: string;
+    email?: string;
+    name?: string;
+    imageUrl?: string;
+};
+type MicrosoftGraphProfileOptions = {
+    baseURL: string;
+    path: string;
+    mapProfile: (data: unknown) => MicrosoftGraphProfile;
+};
+type MicrosoftGraphOauthOptions = {
+    name: string;
+    key: string;
+    tenant: string;
+    scopes: MicrosoftOauthScope[];
+    allowTenantInput?: boolean;
+    missingRefreshTokenMessage?: string;
+    /** Normalize loopback redirect URIs for Microsoft app registration compatibility. */
+    normalizeRedirectUri?: boolean;
+    /** Transforms the raw scope list before it is sent to the token endpoint. */
+    scopeMapper?: (scopes: string[]) => string[];
+    /** Scopes appended after mapping (e.g. `offline_access` for Azure DevOps). */
+    extraScopes?: string[];
+    /** When no refresh token is stored, throw (default) or preserve the existing output. */
+    onMissingRefreshToken?: 'throw' | 'preserve';
+    /** Custom profile endpoint. Defaults to Microsoft Graph `/me`. */
+    profile?: MicrosoftGraphProfileOptions;
+};
+type MicrosoftGraphOauthInput = {
+    tenantId?: unknown;
+};
+type MicrosoftGraphAuthorizationUrlContext = {
+    clientId: string;
+    clientSecret: string;
+    redirectUri: string;
+    scopes: string[];
+    state: string;
+    input?: MicrosoftGraphOauthInput;
+};
+type MicrosoftGraphCallbackContext = {
+    clientId: string;
+    clientSecret: string;
+    redirectUri: string;
+    scopes: string[];
+    code: string;
+    input?: MicrosoftGraphOauthInput;
+};
+type MicrosoftGraphOauthOutput = {
+    token: string;
+    refreshToken?: string;
+    expiresAt?: string;
+};
+type MicrosoftGraphTokenRefreshContext = {
+    clientId: string;
+    clientSecret: string;
+    scopes: string[];
+    input?: MicrosoftGraphOauthInput;
+    output: MicrosoftGraphOauthOutput;
+};
+type MicrosoftGraphProfileContext = {
+    output: {
+        token: string;
+    };
+};
 declare let MICROSOFT_OAUTH_INTEGRATION_KEYS: Set<string>;
 declare let usesMicrosoftOAuth: (integration: string) => boolean;
 declare let normalizeMicrosoftRedirectUri: (redirectUri: string) => string;
 declare let normalizeMicrosoftRedirectUriForIntegration: (integration: string, redirectUri: string) => string;
+declare let resolveMicrosoftTenant: (tenantId: unknown, defaultTenant: string) => string;
+declare let mapAzureDevOpsScopes: (scopes: string[]) => string[];
+declare let buildMicrosoftGraphUploadBody: (fileName: string, content: string, contentType?: string) => string | Buffer<ArrayBuffer>;
+declare let createMicrosoftGraphOauth: ({ name, key, tenant, scopes, allowTenantInput, missingRefreshTokenMessage, normalizeRedirectUri: shouldNormalizeRedirectUri, scopeMapper, extraScopes, onMissingRefreshToken, profile }: MicrosoftGraphOauthOptions) => {
+    type: "auth.oauth";
+    name: string;
+    key: string;
+    scopes: MicrosoftOauthScope[];
+    getAuthorizationUrl: (ctx: MicrosoftGraphAuthorizationUrlContext) => Promise<{
+        url: string;
+    }>;
+    handleCallback: (ctx: MicrosoftGraphCallbackContext) => Promise<{
+        output: MicrosoftGraphOauthOutput;
+    }>;
+    handleTokenRefresh: (ctx: MicrosoftGraphTokenRefreshContext) => Promise<{
+        output: MicrosoftGraphOauthOutput;
+    }>;
+    getProfile: (ctx: MicrosoftGraphProfileContext) => Promise<{
+        profile: MicrosoftGraphProfile;
+    }>;
+};
 
-export { MICROSOFT_OAUTH_INTEGRATION_KEYS, normalizeMicrosoftRedirectUri, normalizeMicrosoftRedirectUriForIntegration, usesMicrosoftOAuth };
+export { MICROSOFT_GRAPH_BASE, MICROSOFT_LOGIN_BASE, MICROSOFT_OAUTH_INTEGRATION_KEYS, type MicrosoftGraphAuthorizationUrlContext, type MicrosoftGraphCallbackContext, type MicrosoftGraphOauthInput, type MicrosoftGraphOauthOptions, type MicrosoftGraphOauthOutput, type MicrosoftGraphProfile, type MicrosoftGraphProfileContext, type MicrosoftGraphProfileOptions, type MicrosoftGraphTokenRefreshContext, type MicrosoftOauthScope, buildMicrosoftGraphUploadBody, createMicrosoftGraphOauth, mapAzureDevOpsScopes, normalizeMicrosoftRedirectUri, normalizeMicrosoftRedirectUriForIntegration, resolveMicrosoftTenant, usesMicrosoftOAuth };

package/dist/index.module.js

@@ -1,4 +1,52 @@
 // src/index.ts
+import { createAxios } from "slates";
+var MICROSOFT_LOGIN_BASE = "https://login.microsoftonline.com";
+var MICROSOFT_GRAPH_BASE = "https://graph.microsoft.com/v1.0";
+var AZURE_DEVOPS_RESOURCE = "499b84ac-1321-427f-aa17-267ca6975798";
+var SECONDS_TO_MS = 1e3;
+var MICROSOFT_GRAPH_TEXT_LIKE_FILE_EXTENSIONS = /* @__PURE__ */ new Set([
+  ".txt",
+  ".md",
+  ".csv",
+  ".json",
+  ".xml",
+  ".html",
+  ".htm",
+  ".js",
+  ".jsx",
+  ".ts",
+  ".tsx",
+  ".css",
+  ".svg",
+  ".yaml",
+  ".yml"
+]);
+var MICROSOFT_GRAPH_BASE64_PATTERN = /^[A-Za-z0-9+/]+={0,2}$/;
+var getMicrosoftTokenOutput = (data, currentRefreshToken) => ({
+  token: data.access_token,
+  refreshToken: data.refresh_token ?? currentRefreshToken,
+  expiresAt: data.expires_in ? new Date(Date.now() + data.expires_in * SECONDS_TO_MS).toISOString() : void 0
+});
+var hasTextLikeFileExtension = (fileName) => {
+  let dotIndex = fileName.lastIndexOf(".");
+  return dotIndex >= 0 && MICROSOFT_GRAPH_TEXT_LIKE_FILE_EXTENSIONS.has(fileName.slice(dotIndex).toLowerCase());
+};
+var isTextLikeContentType = (contentType) => {
+  if (!contentType) {
+    return false;
+  }
+  let normalized = contentType.toLowerCase();
+  if (normalized.includes("openxmlformats-officedocument")) {
+    return false;
+  }
+  return normalized.startsWith("text/") || ["json", "xml", "javascript", "typescript", "svg", "x-www-form-urlencoded"].some(
+    (fragment) => normalized.includes(fragment)
+  );
+};
+var looksLikeBase64 = (content) => {
+  let normalized = content.replace(/\s+/g, "");
+  return !!normalized && normalized.length % 4 === 0 && MICROSOFT_GRAPH_BASE64_PATTERN.test(normalized);
+};
 var MICROSOFT_OAUTH_INTEGRATION_KEYS = /* @__PURE__ */ new Set([
   "azure-blob-storage",
   "azure-devops",
@@ -25,9 +73,146 @@ var normalizeMicrosoftRedirectUri = (redirectUri) => {
   return url.toString();
 };
 var normalizeMicrosoftRedirectUriForIntegration = (integration, redirectUri) => usesMicrosoftOAuth(integration) ? normalizeMicrosoftRedirectUri(redirectUri) : redirectUri;
+var resolveMicrosoftTenant = (tenantId, defaultTenant) => {
+  if (typeof tenantId !== "string") {
+    return defaultTenant;
+  }
+  let normalizedTenant = tenantId.trim();
+  return normalizedTenant || defaultTenant;
+};
+var mapAzureDevOpsScopes = (scopes) => scopes.map((scope) => `${AZURE_DEVOPS_RESOURCE}/${scope}`);
+var buildMicrosoftGraphUploadBody = (fileName, content, contentType) => {
+  if (isTextLikeContentType(contentType) || hasTextLikeFileExtension(fileName) || !looksLikeBase64(content)) {
+    return content;
+  }
+  return Buffer.from(content.replace(/\s+/g, ""), "base64");
+};
+var defaultGraphProfile = {
+  baseURL: MICROSOFT_GRAPH_BASE,
+  path: "/me",
+  mapProfile: (data) => {
+    let user = data ?? {};
+    return {
+      id: user.id,
+      email: user.mail || user.userPrincipalName,
+      name: user.displayName
+    };
+  }
+};
+var tokenClientCache = /* @__PURE__ */ new Map();
+var getCachedTokenClient = (resolvedTenant) => {
+  let cached = tokenClientCache.get(resolvedTenant);
+  if (cached) return cached;
+  let client = createAxios({
+    baseURL: `${MICROSOFT_LOGIN_BASE}/${resolvedTenant}/oauth2/v2.0`
+  });
+  tokenClientCache.set(resolvedTenant, client);
+  return client;
+};
+var createMicrosoftGraphOauth = ({
+  name,
+  key,
+  tenant,
+  scopes,
+  allowTenantInput = false,
+  missingRefreshTokenMessage = "No refresh token available. Ensure offline_access scope is requested.",
+  normalizeRedirectUri: shouldNormalizeRedirectUri = false,
+  scopeMapper,
+  extraScopes,
+  onMissingRefreshToken = "throw",
+  profile = defaultGraphProfile
+}) => {
+  let profileAxios = createAxios({ baseURL: profile.baseURL });
+  let getTenant = (ctx) => allowTenantInput ? resolveMicrosoftTenant(ctx.input?.tenantId, tenant) : tenant;
+  let getRedirectUri = (redirectUri) => shouldNormalizeRedirectUri ? normalizeMicrosoftRedirectUri(redirectUri) : redirectUri;
+  let buildScopeParam = (rawScopes) => {
+    let mapped = scopeMapper ? scopeMapper(rawScopes) : rawScopes;
+    return extraScopes ? [...mapped, ...extraScopes].join(" ") : mapped.join(" ");
+  };
+  return {
+    type: "auth.oauth",
+    name,
+    key,
+    scopes,
+    getAuthorizationUrl: async (ctx) => {
+      let resolvedTenant = getTenant(ctx);
+      let params = new URLSearchParams({
+        client_id: ctx.clientId,
+        response_type: "code",
+        redirect_uri: getRedirectUri(ctx.redirectUri),
+        scope: buildScopeParam(ctx.scopes),
+        state: ctx.state,
+        response_mode: "query"
+      });
+      return {
+        url: `${MICROSOFT_LOGIN_BASE}/${resolvedTenant}/oauth2/v2.0/authorize?${params.toString()}`
+      };
+    },
+    handleCallback: async (ctx) => {
+      let tokenClient = getCachedTokenClient(getTenant(ctx));
+      let response = await tokenClient.post(
+        "/token",
+        new URLSearchParams({
+          client_id: ctx.clientId,
+          client_secret: ctx.clientSecret,
+          code: ctx.code,
+          redirect_uri: getRedirectUri(ctx.redirectUri),
+          grant_type: "authorization_code",
+          scope: buildScopeParam(ctx.scopes)
+        }).toString(),
+        {
+          headers: { "Content-Type": "application/x-www-form-urlencoded" }
+        }
+      );
+      return {
+        output: getMicrosoftTokenOutput(response.data)
+      };
+    },
+    handleTokenRefresh: async (ctx) => {
+      if (!ctx.output.refreshToken) {
+        if (onMissingRefreshToken === "preserve") {
+          return { output: ctx.output };
+        }
+        throw new Error(missingRefreshTokenMessage);
+      }
+      let tokenClient = getCachedTokenClient(getTenant(ctx));
+      let response = await tokenClient.post(
+        "/token",
+        new URLSearchParams({
+          client_id: ctx.clientId,
+          client_secret: ctx.clientSecret,
+          refresh_token: ctx.output.refreshToken,
+          grant_type: "refresh_token",
+          scope: buildScopeParam(ctx.scopes)
+        }).toString(),
+        {
+          headers: { "Content-Type": "application/x-www-form-urlencoded" }
+        }
+      );
+      return {
+        output: getMicrosoftTokenOutput(
+          response.data,
+          ctx.output.refreshToken
+        )
+      };
+    },
+    getProfile: async (ctx) => {
+      let response = await profileAxios.get(profile.path, {
+        headers: { Authorization: `Bearer ${ctx.output.token}` }
+      });
+      return { profile: profile.mapProfile(response.data) };
+    }
+  };
+};
 export {
+  MICROSOFT_GRAPH_BASE,
+  MICROSOFT_LOGIN_BASE,
   MICROSOFT_OAUTH_INTEGRATION_KEYS,
+  buildMicrosoftGraphUploadBody,
+  createMicrosoftGraphOauth,
+  mapAzureDevOpsScopes,
   normalizeMicrosoftRedirectUri,
   normalizeMicrosoftRedirectUriForIntegration,
+  resolveMicrosoftTenant,
   usesMicrosoftOAuth
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@slates/oauth-microsoft",
-  "version": "1.0.0-rc.1",
+  "version": "1.0.0-rc.3",
   "publishConfig": {
     "access": "public"
   },
@@ -30,7 +30,11 @@
     "build": "tsup --config ../../tsup.packages.config.ts --external async_hooks",
     "typecheck": "tsc --noEmit"
   },
+  "dependencies": {
+    "slates": "1.0.0-rc.11"
+  },
   "devDependencies": {
+    "@types/node": "^20",
     "@slates/tsconfig": "1.0.0-rc.1",
     "typescript": "5.8.2",
     "vitest": "^3.1.2"

package/src/index.test.ts

@@ -1,7 +1,11 @@
 import { describe, expect, it } from 'vitest';
 import {
+  buildMicrosoftGraphUploadBody,
+  createMicrosoftGraphOauth,
+  mapAzureDevOpsScopes,
   normalizeMicrosoftRedirectUri,
   normalizeMicrosoftRedirectUriForIntegration,
+  resolveMicrosoftTenant,
   usesMicrosoftOAuth
 } from './index';
 
@@ -25,16 +29,111 @@ describe('@slates/oauth-microsoft', () => {
 
   it('only normalizes redirect URIs for Microsoft OAuth integrations', () => {
     expect(
-      normalizeMicrosoftRedirectUriForIntegration(
-        'outlook',
-        'http://127.0.0.1:45873/callback'
-      )
+      normalizeMicrosoftRedirectUriForIntegration('outlook', 'http://127.0.0.1:45873/callback')
     ).toBe('http://localhost:45873/callback');
     expect(
-      normalizeMicrosoftRedirectUriForIntegration(
-        'github',
-        'http://127.0.0.1:45873/callback'
-      )
+      normalizeMicrosoftRedirectUriForIntegration('github', 'http://127.0.0.1:45873/callback')
     ).toBe('http://127.0.0.1:45873/callback');
   });
+
+  it('can normalize redirect URIs in the OAuth factory', async () => {
+    let oauth = createMicrosoftGraphOauth({
+      name: 'SharePoint',
+      key: 'oauth',
+      tenant: 'common',
+      scopes: [],
+      normalizeRedirectUri: true
+    });
+
+    let { url } = await oauth.getAuthorizationUrl({
+      clientId: 'client-id',
+      clientSecret: 'client-secret',
+      redirectUri: 'http://127.0.0.1:45873/callback',
+      scopes: [],
+      state: 'state'
+    });
+
+    expect(new URL(url).searchParams.get('redirect_uri')).toBe(
+      'http://localhost:45873/callback'
+    );
+  });
+
+  it('uses the default tenant when the input tenant is missing or blank', () => {
+    expect(resolveMicrosoftTenant(undefined, 'common')).toBe('common');
+    expect(resolveMicrosoftTenant('   ', 'organizations')).toBe('organizations');
+  });
+
+  it('uses a trimmed tenant override when provided', () => {
+    expect(resolveMicrosoftTenant(' tenants/foo ', 'common')).toBe('tenants/foo');
+  });
+
+  it('builds Azure DevOps resource-qualified scopes with offline access', async () => {
+    let oauth = createMicrosoftGraphOauth({
+      name: 'Azure DevOps',
+      key: 'oauth',
+      tenant: 'organizations',
+      scopes: [
+        {
+          title: 'Profile',
+          description: 'Read Azure DevOps profile information',
+          scope: 'vso.profile'
+        }
+      ],
+      scopeMapper: mapAzureDevOpsScopes,
+      extraScopes: ['offline_access']
+    });
+
+    let { url } = await oauth.getAuthorizationUrl({
+      clientId: 'client-id',
+      clientSecret: 'client-secret',
+      redirectUri: 'http://localhost/callback',
+      scopes: ['vso.profile'],
+      state: 'state'
+    });
+
+    let parsed = new URL(url);
+    expect(`${parsed.origin}${parsed.pathname}`).toBe(
+      'https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize'
+    );
+    expect(parsed.searchParams.get('scope')).toBe(
+      '499b84ac-1321-427f-aa17-267ca6975798/vso.profile offline_access'
+    );
+  });
+
+  it('can preserve OAuth output when a refresh token is missing', async () => {
+    let oauth = createMicrosoftGraphOauth({
+      name: 'Azure DevOps',
+      key: 'oauth',
+      tenant: 'organizations',
+      scopes: [],
+      onMissingRefreshToken: 'preserve'
+    });
+    let output = { token: 'existing-token' };
+
+    await expect(
+      oauth.handleTokenRefresh({
+        clientId: 'client-id',
+        clientSecret: 'client-secret',
+        scopes: [],
+        output
+      })
+    ).resolves.toEqual({ output });
+  });
+
+  it('decodes binary-looking base64 uploads for non-text files', () => {
+    let body = buildMicrosoftGraphUploadBody(
+      'report.docx',
+      'SGVsbG8=',
+      'application/vnd.openxmlformats-officedocument.wordprocessingml.document'
+    );
+
+    expect(Buffer.isBuffer(body)).toBe(true);
+    expect(body.toString('utf8')).toBe('Hello');
+  });
+
+  it('preserves text uploads even when the content looks like base64', () => {
+    let body = buildMicrosoftGraphUploadBody('notes.txt', 'SGVsbG8=', 'text/plain');
+
+    expect(body).toBe('SGVsbG8=');
+  });
 });

package/src/index.ts

@@ -1,3 +1,167 @@
+import { createAxios } from 'slates';
+
+export let MICROSOFT_LOGIN_BASE = 'https://login.microsoftonline.com';
+export let MICROSOFT_GRAPH_BASE = 'https://graph.microsoft.com/v1.0';
+
+// Microsoft documents this as the Azure DevOps resource ID used when issuing
+// Entra access tokens.
+// https://learn.microsoft.com/en-us/azure/devops/cli/entra-tokens?view=azure-devops
+let AZURE_DEVOPS_RESOURCE = '499b84ac-1321-427f-aa17-267ca6975798';
+let SECONDS_TO_MS = 1000;
+
+export type MicrosoftOauthScope = {
+  title: string;
+  description: string;
+  scope: string;
+  defaultChecked?: boolean;
+};
+
+export type MicrosoftGraphProfile = {
+  id?: string;
+  email?: string;
+  name?: string;
+  imageUrl?: string;
+};
+
+export type MicrosoftGraphProfileOptions = {
+  baseURL: string;
+  path: string;
+  mapProfile: (data: unknown) => MicrosoftGraphProfile;
+};
+
+export type MicrosoftGraphOauthOptions = {
+  name: string;
+  key: string;
+  tenant: string;
+  scopes: MicrosoftOauthScope[];
+  allowTenantInput?: boolean;
+  missingRefreshTokenMessage?: string;
+  /** Normalize loopback redirect URIs for Microsoft app registration compatibility. */
+  normalizeRedirectUri?: boolean;
+  /** Transforms the raw scope list before it is sent to the token endpoint. */
+  scopeMapper?: (scopes: string[]) => string[];
+  /** Scopes appended after mapping (e.g. `offline_access` for Azure DevOps). */
+  extraScopes?: string[];
+  /** When no refresh token is stored, throw (default) or preserve the existing output. */
+  onMissingRefreshToken?: 'throw' | 'preserve';
+  /** Custom profile endpoint. Defaults to Microsoft Graph `/me`. */
+  profile?: MicrosoftGraphProfileOptions;
+};
+
+export type MicrosoftGraphOauthInput = {
+  tenantId?: unknown;
+};
+
+export type MicrosoftGraphAuthorizationUrlContext = {
+  clientId: string;
+  clientSecret: string;
+  redirectUri: string;
+  scopes: string[];
+  state: string;
+  input?: MicrosoftGraphOauthInput;
+};
+
+export type MicrosoftGraphCallbackContext = {
+  clientId: string;
+  clientSecret: string;
+  redirectUri: string;
+  scopes: string[];
+  code: string;
+  input?: MicrosoftGraphOauthInput;
+};
+
+export type MicrosoftGraphOauthOutput = {
+  token: string;
+  refreshToken?: string;
+  expiresAt?: string;
+};
+
+export type MicrosoftGraphTokenRefreshContext = {
+  clientId: string;
+  clientSecret: string;
+  scopes: string[];
+  input?: MicrosoftGraphOauthInput;
+  output: MicrosoftGraphOauthOutput;
+};
+
+export type MicrosoftGraphProfileContext = {
+  output: {
+    token: string;
+  };
+};
+
+type MicrosoftTokenResponse = {
+  access_token: string;
+  refresh_token?: string;
+  expires_in?: number;
+};
+
+let MICROSOFT_GRAPH_TEXT_LIKE_FILE_EXTENSIONS = new Set([
+  '.txt',
+  '.md',
+  '.csv',
+  '.json',
+  '.xml',
+  '.html',
+  '.htm',
+  '.js',
+  '.jsx',
+  '.ts',
+  '.tsx',
+  '.css',
+  '.svg',
+  '.yaml',
+  '.yml'
+]);
+
+let MICROSOFT_GRAPH_BASE64_PATTERN = /^[A-Za-z0-9+/]+={0,2}$/;
+
+let getMicrosoftTokenOutput = (
+  data: MicrosoftTokenResponse,
+  currentRefreshToken?: string
+): MicrosoftGraphOauthOutput => ({
+  token: data.access_token,
+  refreshToken: data.refresh_token ?? currentRefreshToken,
+  expiresAt: data.expires_in
+    ? new Date(Date.now() + data.expires_in * SECONDS_TO_MS).toISOString()
+    : undefined
+});
+
+let hasTextLikeFileExtension = (fileName: string) => {
+  let dotIndex = fileName.lastIndexOf('.');
+  return (
+    dotIndex >= 0 &&
+    MICROSOFT_GRAPH_TEXT_LIKE_FILE_EXTENSIONS.has(fileName.slice(dotIndex).toLowerCase())
+  );
+};
+
+let isTextLikeContentType = (contentType?: string) => {
+  if (!contentType) {
+    return false;
+  }
+
+  let normalized = contentType.toLowerCase();
+  if (normalized.includes('openxmlformats-officedocument')) {
+    return false;
+  }
+
+  return (
+    normalized.startsWith('text/') ||
+    ['json', 'xml', 'javascript', 'typescript', 'svg', 'x-www-form-urlencoded'].some(
+      fragment => normalized.includes(fragment)
+    )
+  );
+};
+
+let looksLikeBase64 = (content: string) => {
+  let normalized = content.replace(/\s+/g, '');
+  return (
+    !!normalized &&
+    normalized.length % 4 === 0 &&
+    MICROSOFT_GRAPH_BASE64_PATTERN.test(normalized)
+  );
+};
+
 export let MICROSOFT_OAUTH_INTEGRATION_KEYS = new Set([
   'azure-blob-storage',
   'azure-devops',
@@ -31,4 +195,175 @@ export let normalizeMicrosoftRedirectUri = (redirectUri: string) => {
 export let normalizeMicrosoftRedirectUriForIntegration = (
   integration: string,
   redirectUri: string
-) => (usesMicrosoftOAuth(integration) ? normalizeMicrosoftRedirectUri(redirectUri) : redirectUri);
+) =>
+  usesMicrosoftOAuth(integration) ? normalizeMicrosoftRedirectUri(redirectUri) : redirectUri;
+
+export let resolveMicrosoftTenant = (tenantId: unknown, defaultTenant: string) => {
+  if (typeof tenantId !== 'string') {
+    return defaultTenant;
+  }
+
+  let normalizedTenant = tenantId.trim();
+  return normalizedTenant || defaultTenant;
+};
+
+export let mapAzureDevOpsScopes = (scopes: string[]) =>
+  scopes.map(scope => `${AZURE_DEVOPS_RESOURCE}/${scope}`);
+
+export let buildMicrosoftGraphUploadBody = (
+  fileName: string,
+  content: string,
+  contentType?: string
+) => {
+  if (
+    isTextLikeContentType(contentType) ||
+    hasTextLikeFileExtension(fileName) ||
+    !looksLikeBase64(content)
+  ) {
+    return content;
+  }
+
+  return Buffer.from(content.replace(/\s+/g, ''), 'base64');
+};
+
+let defaultGraphProfile: MicrosoftGraphProfileOptions = {
+  baseURL: MICROSOFT_GRAPH_BASE,
+  path: '/me',
+  mapProfile: data => {
+    let user = (data ?? {}) as {
+      id?: string;
+      mail?: string;
+      userPrincipalName?: string;
+      displayName?: string;
+    };
+
+    return {
+      id: user.id,
+      email: user.mail || user.userPrincipalName,
+      name: user.displayName
+    };
+  }
+};
+
+let tokenClientCache = new Map<string, ReturnType<typeof createAxios>>();
+let getCachedTokenClient = (resolvedTenant: string) => {
+  let cached = tokenClientCache.get(resolvedTenant);
+  if (cached) return cached;
+
+  let client = createAxios({
+    baseURL: `${MICROSOFT_LOGIN_BASE}/${resolvedTenant}/oauth2/v2.0`
+  });
+  tokenClientCache.set(resolvedTenant, client);
+  return client;
+};
+
+export let createMicrosoftGraphOauth = ({
+  name,
+  key,
+  tenant,
+  scopes,
+  allowTenantInput = false,
+  missingRefreshTokenMessage = 'No refresh token available. Ensure offline_access scope is requested.',
+  normalizeRedirectUri: shouldNormalizeRedirectUri = false,
+  scopeMapper,
+  extraScopes,
+  onMissingRefreshToken = 'throw',
+  profile = defaultGraphProfile
+}: MicrosoftGraphOauthOptions) => {
+  let profileAxios = createAxios({ baseURL: profile.baseURL });
+
+  let getTenant = (ctx: { input?: MicrosoftGraphOauthInput }) =>
+    allowTenantInput ? resolveMicrosoftTenant(ctx.input?.tenantId, tenant) : tenant;
+
+  let getRedirectUri = (redirectUri: string) =>
+    shouldNormalizeRedirectUri ? normalizeMicrosoftRedirectUri(redirectUri) : redirectUri;
+
+  let buildScopeParam = (rawScopes: string[]) => {
+    let mapped = scopeMapper ? scopeMapper(rawScopes) : rawScopes;
+    return extraScopes ? [...mapped, ...extraScopes].join(' ') : mapped.join(' ');
+  };
+
+  return {
+    type: 'auth.oauth' as const,
+    name,
+    key,
+    scopes,
+
+    getAuthorizationUrl: async (ctx: MicrosoftGraphAuthorizationUrlContext) => {
+      let resolvedTenant = getTenant(ctx);
+      let params = new URLSearchParams({
+        client_id: ctx.clientId,
+        response_type: 'code',
+        redirect_uri: getRedirectUri(ctx.redirectUri),
+        scope: buildScopeParam(ctx.scopes),
+        state: ctx.state,
+        response_mode: 'query'
+      });
+
+      return {
+        url: `${MICROSOFT_LOGIN_BASE}/${resolvedTenant}/oauth2/v2.0/authorize?${params.toString()}`
+      };
+    },
+
+    handleCallback: async (ctx: MicrosoftGraphCallbackContext) => {
+      let tokenClient = getCachedTokenClient(getTenant(ctx));
+      let response = await tokenClient.post(
+        '/token',
+        new URLSearchParams({
+          client_id: ctx.clientId,
+          client_secret: ctx.clientSecret,
+          code: ctx.code,
+          redirect_uri: getRedirectUri(ctx.redirectUri),
+          grant_type: 'authorization_code',
+          scope: buildScopeParam(ctx.scopes)
+        }).toString(),
+        {
+          headers: { 'Content-Type': 'application/x-www-form-urlencoded' }
+        }
+      );
+
+      return {
+        output: getMicrosoftTokenOutput(response.data as MicrosoftTokenResponse)
+      };
+    },
+
+    handleTokenRefresh: async (ctx: MicrosoftGraphTokenRefreshContext) => {
+      if (!ctx.output.refreshToken) {
+        if (onMissingRefreshToken === 'preserve') {
+          return { output: ctx.output };
+        }
+        throw new Error(missingRefreshTokenMessage);
+      }
+
+      let tokenClient = getCachedTokenClient(getTenant(ctx));
+      let response = await tokenClient.post(
+        '/token',
+        new URLSearchParams({
+          client_id: ctx.clientId,
+          client_secret: ctx.clientSecret,
+          refresh_token: ctx.output.refreshToken,
+          grant_type: 'refresh_token',
+          scope: buildScopeParam(ctx.scopes)
+        }).toString(),
+        {
+          headers: { 'Content-Type': 'application/x-www-form-urlencoded' }
+        }
+      );
+
+      return {
+        output: getMicrosoftTokenOutput(
+          response.data as MicrosoftTokenResponse,
+          ctx.output.refreshToken
+        )
+      };
+    },
+
+    getProfile: async (ctx: MicrosoftGraphProfileContext) => {
+      let response = await profileAxios.get(profile.path, {
+        headers: { Authorization: `Bearer ${ctx.output.token}` }
+      });
+
+      return { profile: profile.mapProfile(response.data) };
+    }
+  };
+};