@softeria/ms-365-mcp-server 0.106.2 → 0.107.1

package/dist/endpoints.json

@@ -106,6 +106,27 @@
     "toolName": "create-shared-mailbox-draft",
     "workScopes": ["Mail.ReadWrite.Shared"]
   },
+  {
+    "pathPattern": "/users/{user-id}/messages/{message-id}/reply",
+    "method": "post",
+    "toolName": "reply-shared-mailbox-mail",
+    "workScopes": ["Mail.Send.Shared"],
+    "llmTip": "Reply to a message from a shared mailbox preserving full HTML formatting and conversation thread. The 'user-id' is the shared mailbox email address (e.g. support@contoso.com). The 'comment' field is your reply text. Do NOT reconstruct the email manually. Requires Send As permission on the shared mailbox in Exchange."
+  },
+  {
+    "pathPattern": "/users/{user-id}/messages/{message-id}/replyAll",
+    "method": "post",
+    "toolName": "reply-all-shared-mailbox-mail",
+    "workScopes": ["Mail.Send.Shared"],
+    "llmTip": "Reply-all to a message from a shared mailbox preserving full HTML formatting and conversation thread. The 'user-id' is the shared mailbox email address. The 'comment' field is your reply text. Requires Send As permission on the shared mailbox in Exchange."
+  },
+  {
+    "pathPattern": "/users/{user-id}/messages/{message-id}/forward",
+    "method": "post",
+    "toolName": "forward-shared-mailbox-mail",
+    "workScopes": ["Mail.Send.Shared"],
+    "llmTip": "Forward a message from a shared mailbox preserving full HTML formatting and attachments. The 'user-id' is the shared mailbox email address. 'toRecipients' is required. The 'comment' field adds text above the forwarded content. Requires Send As permission on the shared mailbox in Exchange."
+  },
   {
     "pathPattern": "/users",
     "method": "get",

package/dist/generated/client.js

@@ -14465,6 +14465,66 @@ To monitor future changes, call the delta API by using the @odata.deltaLink in t
     ],
     response: z.void()
   },
+  {
+    method: "post",
+    path: "/users/:userId/messages/:messageId/forward",
+    alias: "forward-shared-mailbox-mail",
+    description: `Forward a message using either JSON or MIME format. When using JSON format, you can:
+- Specify either a comment or the body property of the message parameter. Specifying both will return an HTTP 400 Bad Request error.
+- Specify either the toRecipients parameter or the toRecipients property of the message parameter. Specifying both or specifying neither will return an HTTP 400 Bad Request error. When using MIME format:
+- Provide the applicable Internet message headers and the MIME content, all encoded in base64 format in the request body.
+- Add any attachments and S/MIME properties to the MIME content. This method saves the message in the Sent Items folder. Alternatively, create a draft to forward a message, and send it later.`,
+    requestFormat: "json",
+    parameters: [
+      {
+        name: "body",
+        description: `Action parameters`,
+        type: "Body",
+        schema: create_forward_draft_Body
+      }
+    ],
+    response: z.void()
+  },
+  {
+    method: "post",
+    path: "/users/:userId/messages/:messageId/reply",
+    alias: "reply-shared-mailbox-mail",
+    description: `Reply to the sender of a message using either JSON or MIME format. When using JSON format:
+* Specify either a comment or the body property of the message parameter. Specifying both will return an HTTP 400 Bad Request error.
+* If the original message specifies a recipient in the replyTo property, per Internet Message Format (RFC 2822), send the reply to the recipients in replyTo and not the recipient in the from property. When using MIME format:
+- Provide the applicable Internet message headers and the MIME content, all encoded in base64 format in the request body.
+- Add any attachments and S/MIME properties to the MIME content. This method saves the message in the Sent Items folder. Alternatively, create a draft to reply to an existing message and send it later.`,
+    requestFormat: "json",
+    parameters: [
+      {
+        name: "body",
+        description: `Action parameters`,
+        type: "Body",
+        schema: create_reply_draft_Body
+      }
+    ],
+    response: z.void()
+  },
+  {
+    method: "post",
+    path: "/users/:userId/messages/:messageId/replyAll",
+    alias: "reply-all-shared-mailbox-mail",
+    description: `Reply to all recipients of a message using either JSON or MIME format. When using JSON format:
+- Specify either a comment or the body property of the message parameter. Specifying both will return an HTTP 400 Bad Request error.
+- If the original message specifies a recipient in the replyTo property, per Internet Message Format (RFC 2822), send the reply to the recipients in replyTo and not the recipient in the from property. When using MIME format:
+- Provide the applicable Internet message headers and the MIME content, all encoded in base64 format in the request body.
+- Add any attachments and S/MIME properties to the MIME content. This method saves the message in the Sent Items folder. Alternatively, create a draft to reply-all to a message and send it later.`,
+    requestFormat: "json",
+    parameters: [
+      {
+        name: "body",
+        description: `Action parameters`,
+        type: "Body",
+        schema: create_reply_draft_Body
+      }
+    ],
+    response: z.void()
+  },
   {
     method: "get",
     path: "/users/:userId/presence",

package/dist/lib/redirect-uri-validation.js

@@ -0,0 +1,33 @@
+const LOOPBACK_HOSTS = /* @__PURE__ */ new Set(["localhost", "127.0.0.1", "[::1]", "::1"]);
+function isLoopbackHost(host) {
+  return LOOPBACK_HOSTS.has(host.toLowerCase());
+}
+function parseAllowlist(raw) {
+  if (!raw) return null;
+  const list = raw.split(",").map((s) => s.trim()).filter(Boolean);
+  return list.length > 0 ? list : null;
+}
+function isAllowedRedirectUri(value, allowlist) {
+  if (typeof value !== "string" || value.length === 0) return false;
+  let url;
+  try {
+    url = new URL(value);
+  } catch {
+    return false;
+  }
+  if (url.protocol !== "http:" && url.protocol !== "https:") {
+    return false;
+  }
+  if (allowlist && allowlist.length > 0) {
+    return allowlist.includes(value);
+  }
+  if (url.protocol === "http:") {
+    return isLoopbackHost(url.hostname);
+  }
+  return true;
+}
+export {
+  isAllowedRedirectUri,
+  isLoopbackHost,
+  parseAllowlist
+};

package/dist/server.js

@@ -15,6 +15,7 @@ import {
   microsoftBearerTokenAuthMiddleware,
   refreshAccessToken
 } from "./lib/microsoft-auth.js";
+import { isAllowedRedirectUri, parseAllowlist } from "./lib/redirect-uri-validation.js";
 import { getSecrets } from "./secrets.js";
 import { getCloudEndpoints } from "./cloud-config.js";
 import { requestContext } from "./request-context.js";
@@ -226,6 +227,20 @@ class MicrosoftGraphServer {
         const clientCodeChallenge = url.searchParams.get("code_challenge");
         const clientCodeChallengeMethod = url.searchParams.get("code_challenge_method");
         const state = url.searchParams.get("state");
+        const redirectUriParam = url.searchParams.get("redirect_uri");
+        if (redirectUriParam) {
+          const allowlist = parseAllowlist(process.env.MS365_MCP_ALLOWED_REDIRECT_URIS);
+          if (!isAllowedRedirectUri(redirectUriParam, allowlist)) {
+            logger.warn("Rejected /authorize request with disallowed redirect_uri", {
+              redirect_uri: redirectUriParam
+            });
+            res.status(400).json({
+              error: "invalid_request",
+              error_description: "redirect_uri is not allowed"
+            });
+            return;
+          }
+        }
         const allowedParams = [
           "response_type",
           "redirect_uri",

package/docs/deployment.md

@@ -130,6 +130,28 @@ When deploying for an organization, create a dedicated app registration instead
 
 5. **Store credentials** in Key Vault (see [Azure Key Vault Integration](../README.md#azure-key-vault-integration))
 
+## Redirect URI Validation
+
+The /authorize endpoint defensively validates client-supplied `redirect_uri` values before forwarding them to Microsoft Entra (CWE-601, Open Redirect). Microsoft Entra also validates the URI against your app registration, but this server-side check rejects obviously dangerous schemes (`javascript:`, `data:`, `file:`, …) and arbitrary remote `http://` origins before the request leaves the server.
+
+Default behaviour (no explicit allowlist):
+
+- Only `http:` and `https:` schemes are accepted.
+- `http:` is only allowed for loopback hosts (`localhost`, `127.0.0.1`, `::1`).
+- All other `https://` origins are accepted (Entra still has the final say).
+
+For production deployments, configure an explicit allowlist via the `MS365_MCP_ALLOWED_REDIRECT_URIS` environment variable. It takes a comma-separated list of exact URIs; only exact string matches pass validation:
+
+```bash
+# Single redirect URI
+MS365_MCP_ALLOWED_REDIRECT_URIS=https://mcp.example.com/auth/callback
+
+# Multiple URIs (comma-separated, no spaces required)
+MS365_MCP_ALLOWED_REDIRECT_URIS=https://mcp.example.com/auth/callback,https://staging.example.com/auth/callback
+```
+
+The list should mirror the redirect URIs registered on your Azure AD app registration. Leaving the variable unset falls back to the default behaviour above, which is appropriate for local development but not recommended for shared/production deployments.
+
 ## Reverse Proxy / Custom Domain
 
 When running behind a reverse proxy, set `MS365_MCP_PUBLIC_URL` so that the OAuth authorize URL handed back to the user's browser is resolvable from outside the server's network:

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@softeria/ms-365-mcp-server",
-  "version": "0.106.2",
+  "version": "0.107.1",
   "description": " A Model Context Protocol (MCP) server for interacting with Microsoft 365 and Office services through the Graph API",
   "type": "module",
   "main": "dist/index.js",

package/src/endpoints.json

@@ -106,6 +106,27 @@
     "toolName": "create-shared-mailbox-draft",
     "workScopes": ["Mail.ReadWrite.Shared"]
   },
+  {
+    "pathPattern": "/users/{user-id}/messages/{message-id}/reply",
+    "method": "post",
+    "toolName": "reply-shared-mailbox-mail",
+    "workScopes": ["Mail.Send.Shared"],
+    "llmTip": "Reply to a message from a shared mailbox preserving full HTML formatting and conversation thread. The 'user-id' is the shared mailbox email address (e.g. support@contoso.com). The 'comment' field is your reply text. Do NOT reconstruct the email manually. Requires Send As permission on the shared mailbox in Exchange."
+  },
+  {
+    "pathPattern": "/users/{user-id}/messages/{message-id}/replyAll",
+    "method": "post",
+    "toolName": "reply-all-shared-mailbox-mail",
+    "workScopes": ["Mail.Send.Shared"],
+    "llmTip": "Reply-all to a message from a shared mailbox preserving full HTML formatting and conversation thread. The 'user-id' is the shared mailbox email address. The 'comment' field is your reply text. Requires Send As permission on the shared mailbox in Exchange."
+  },
+  {
+    "pathPattern": "/users/{user-id}/messages/{message-id}/forward",
+    "method": "post",
+    "toolName": "forward-shared-mailbox-mail",
+    "workScopes": ["Mail.Send.Shared"],
+    "llmTip": "Forward a message from a shared mailbox preserving full HTML formatting and attachments. The 'user-id' is the shared mailbox email address. 'toRecipients' is required. The 'comment' field adds text above the forwarded content. Requires Send As permission on the shared mailbox in Exchange."
+  },
   {
     "pathPattern": "/users",
     "method": "get",