@softeria/ms-365-mcp-server 0.111.0 → 0.112.2

package/dist/cli.js

@@ -47,6 +47,9 @@ program.name("ms-365-mcp-server").description("Microsoft 365 MCP Server").versio
 ).option(
   "--obo",
   "Enable On-Behalf-Of token exchange in HTTP mode. Exchanges the incoming bearer token for a Graph API token using the OBO flow. Requires MS365_MCP_CLIENT_SECRET."
+).option(
+  "--trust-proxy-auth",
+  "In HTTP mode, skip the built-in Bearer-token check on /mcp and ignore any forwarded Authorization header. All callers share the locally cached MSAL identity (same path stdio mode uses). Use only when an upstream reverse proxy has already authenticated the caller."
 ).addOption(
   // DEPRECATED: kept only so existing deployments that set --base-url or
   // MS365_MCP_BASE_URL do not crash at startup. Use --public-url /
@@ -149,6 +152,9 @@ function parseArgs() {
   if (process.env.MS365_MCP_OBO === "true" || process.env.MS365_MCP_OBO === "1") {
     options.obo = true;
   }
+  if (process.env.MS365_MCP_TRUST_PROXY_AUTH === "true" || process.env.MS365_MCP_TRUST_PROXY_AUTH === "1") {
+    options.trustProxyAuth = true;
+  }
   if (options.cloud) {
     process.env.MS365_MCP_CLOUD_TYPE = options.cloud;
   }

package/dist/crash-logging.js

@@ -0,0 +1,41 @@
+function dumpError(reason, depth = 0) {
+  if (depth > 5) {
+    return { truncated: true };
+  }
+  if (reason instanceof Error) {
+    const dump = {
+      name: reason.name,
+      constructor: reason.constructor?.name,
+      message: reason.message,
+      stack: reason.stack
+    };
+    const properties = {};
+    for (const key of Object.getOwnPropertyNames(reason)) {
+      if (key === "name" || key === "message" || key === "stack" || key === "cause") continue;
+      properties[key] = reason[key];
+    }
+    if (Object.keys(properties).length > 0) {
+      dump.properties = properties;
+    }
+    if ("cause" in reason && reason.cause !== void 0) {
+      dump.cause = dumpError(reason.cause, depth + 1);
+    }
+    return dump;
+  }
+  return { type: typeof reason, value: reason };
+}
+function getActiveResources() {
+  const fn = process.getActiveResourcesInfo;
+  if (typeof fn !== "function") {
+    return "unavailable (node < 17.3)";
+  }
+  try {
+    return fn.call(process);
+  } catch (err) {
+    return `error: ${err.message}`;
+  }
+}
+export {
+  dumpError,
+  getActiveResources
+};

package/dist/generated/client.js

@@ -381,7 +381,9 @@ const microsoft_graph_chat = z.object({
   onlineMeetingInfo: microsoft_graph_teamworkOnlineMeetingInfo.optional(),
   originalCreatedDateTime: z.string().regex(
     /^[0-9]{4,}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])T([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]([.][0-9]{1,12})?(Z|[+-][0-9][0-9]:[0-9][0-9])$/
-  ).datetime({ offset: true }).nullish(),
+  ).datetime({ offset: true }).describe(
+    "Timestamp of the original creation time for the chat. The value is null if the chat never entered migration mode."
+  ).nullish(),
   tenantId: z.string().describe("The identifier of the tenant in which the chat was created. Read-only.").nullish(),
   topic: z.string().describe("(Optional) Subject or topic for the chat. Only available for group chats.").nullish(),
   viewpoint: microsoft_graph_chatViewpoint.optional(),
@@ -1480,6 +1482,7 @@ const microsoft_graph_group = z.object({
   hideFromOutlookClients: z.boolean().describe(
     "True if the group isn't displayed in Outlook clients, such as Outlook for Windows and Outlook on the web; otherwise, false. The default value is false. Requires $select to retrieve. Supported only on the Get group API (GET /groups/{ID})."
   ).nullish(),
+  infoCatalogs: z.array(z.string()).optional(),
   isArchived: z.boolean().describe(
     "When a group is associated with a team, this property determines whether the team is in read-only mode.To read this property, use the /group/{groupId}/team endpoint or the Get team API. To update this property, use the archiveTeam and unarchiveTeam APIs."
   ).nullish(),
@@ -1504,9 +1507,6 @@ const microsoft_graph_group = z.object({
   ).nullish(),
   membershipRule: z.string().describe(
     "The rule that determines members for this group if the group is a dynamic group (groupTypes contains DynamicMembership). For more information about the syntax of the membership rule, see Membership Rules syntax. Returned by default. Supports $filter (eq, ne, not, ge, le, startsWith)."
-  ).nullish(),
-  membershipRuleProcessingState: z.string().describe(
-    "Indicates whether the dynamic membership processing is on or paused. Possible values are On or Paused. Returned by default. Supports $filter (eq, ne, not, in)."
   ).nullish()
 }).passthrough().passthrough();
 const microsoft_graph_groupCollectionResponse = z.object({
@@ -2759,7 +2759,9 @@ const microsoft_graph_channel = z.lazy(
     migrationMode: microsoft_graph_migrationMode.optional(),
     originalCreatedDateTime: z.string().regex(
       /^[0-9]{4,}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])T([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]([.][0-9]{1,12})?(Z|[+-][0-9][0-9]:[0-9][0-9])$/
-    ).datetime({ offset: true }).nullish(),
+    ).datetime({ offset: true }).describe(
+      "Timestamp of the original creation time for the channel. The value is null if the channel never entered migration mode."
+    ).nullish(),
     summary: microsoft_graph_channelSummary.optional(),
     tenantId: z.string().describe("The ID of the Microsoft Entra tenant.").nullish(),
     webUrl: z.string().describe(
@@ -2854,7 +2856,7 @@ const microsoft_graph_team = z.lazy(
     ).nullish(),
     allChannels: z.array(microsoft_graph_channel).describe("List of channels either hosted in or shared with the team (incoming channels).").optional(),
     channels: z.array(microsoft_graph_channel).describe("The collection of channels and messages associated with the team.").optional(),
-    group: microsoft_graph_group.describe("[Note: Simplified from 74 properties to 25 most common ones]").optional(),
+    group: microsoft_graph_group.describe("[Note: Simplified from 75 properties to 25 most common ones]").optional(),
     incomingChannels: z.array(microsoft_graph_channel).describe("List of channels shared with the team.").optional(),
     installedApps: z.array(microsoft_graph_teamsAppInstallation).describe("The apps installed in this team.").optional(),
     members: z.array(microsoft_graph_conversationMember).describe("Members and owners of the team.").optional(),
@@ -6675,6 +6677,7 @@ You can search within a folder hierarchy, a whole drive, or files shared with th
           hideFromOutlookClients: z.boolean().describe(
             "True if the group isn't displayed in Outlook clients, such as Outlook for Windows and Outlook on the web; otherwise, false. The default value is false. Requires $select to retrieve. Supported only on the Get group API (GET /groups/{ID})."
           ).nullish(),
+          infoCatalogs: z.array(z.string()).optional(),
           isArchived: z.boolean().describe(
             "When a group is associated with a team, this property determines whether the team is in read-only mode.To read this property, use the /group/{groupId}/team endpoint or the Get team API. To update this property, use the archiveTeam and unarchiveTeam APIs."
           ).nullish(),
@@ -6699,9 +6702,6 @@ You can search within a folder hierarchy, a whole drive, or files shared with th
           ).nullish(),
           membershipRule: z.string().describe(
             "The rule that determines members for this group if the group is a dynamic group (groupTypes contains DynamicMembership). For more information about the syntax of the membership rule, see Membership Rules syntax. Returned by default. Supports $filter (eq, ne, not, ge, le, startsWith)."
-          ).nullish(),
-          membershipRuleProcessingState: z.string().describe(
-            "Indicates whether the dynamic membership processing is on or paused. Possible values are On or Paused. Returned by default. Supports $filter (eq, ne, not, in)."
           ).nullish()
         }).passthrough().passthrough()
       }
@@ -6790,6 +6790,7 @@ You can create or update the following types of group: By default, this operatio
           hideFromOutlookClients: z.boolean().describe(
             "True if the group isn't displayed in Outlook clients, such as Outlook for Windows and Outlook on the web; otherwise, false. The default value is false. Requires $select to retrieve. Supported only on the Get group API (GET /groups/{ID})."
           ).nullish(),
+          infoCatalogs: z.array(z.string()).optional(),
           isArchived: z.boolean().describe(
             "When a group is associated with a team, this property determines whether the team is in read-only mode.To read this property, use the /group/{groupId}/team endpoint or the Get team API. To update this property, use the archiveTeam and unarchiveTeam APIs."
           ).nullish(),
@@ -6814,9 +6815,6 @@ You can create or update the following types of group: By default, this operatio
           ).nullish(),
           membershipRule: z.string().describe(
             "The rule that determines members for this group if the group is a dynamic group (groupTypes contains DynamicMembership). For more information about the syntax of the membership rule, see Membership Rules syntax. Returned by default. Supports $filter (eq, ne, not, ge, le, startsWith)."
-          ).nullish(),
-          membershipRuleProcessingState: z.string().describe(
-            "Indicates whether the dynamic membership processing is on or paused. Possible values are On or Paused. Returned by default. Supports $filter (eq, ne, not, in)."
           ).nullish()
         }).passthrough().passthrough()
       }

package/dist/index.js

@@ -10,7 +10,27 @@ import {
   shouldUseLocalAuthStorage
 } from "./startup-pinning.js";
 import { createTokenCacheStorage } from "./token-cache-storage.js";
+import { dumpError, getActiveResources } from "./crash-logging.js";
 import { version } from "./version.js";
+process.on("unhandledRejection", (reason) => {
+  const dump = {
+    kind: "unhandledRejection",
+    reason: dumpError(reason),
+    activeResources: getActiveResources()
+  };
+  console.error("[ms365-mcp] unhandledRejection", JSON.stringify(dump));
+  logger.error("unhandledRejection", dump);
+});
+process.on("uncaughtException", (err, origin) => {
+  const dump = {
+    kind: "uncaughtException",
+    origin,
+    error: dumpError(err),
+    activeResources: getActiveResources()
+  };
+  console.error("[ms365-mcp] uncaughtException", JSON.stringify(dump));
+  logger.error("uncaughtException", dump);
+});
 async function main() {
   try {
     const args = parseArgs();

package/dist/lib/microsoft-auth.js

@@ -17,7 +17,11 @@ function isJwtExpired(token) {
     return false;
   }
 }
-const microsoftBearerTokenAuthMiddleware = (req, res, next) => {
+const microsoftBearerTokenAuthMiddleware = (opts = {}) => (req, res, next) => {
+  if (opts.trustProxyAuth) {
+    next();
+    return;
+  }
   const authHeader = req.headers.authorization;
   if (!authHeader || !authHeader.startsWith("Bearer ")) {
     res.status(401).set(
@@ -40,6 +44,43 @@ const microsoftBearerTokenAuthMiddleware = (req, res, next) => {
   req.microsoftAuth = { accessToken };
   next();
 };
+class OAuthUpstreamError extends Error {
+  constructor(status, raw, body) {
+    const suffix = body.error_description ? ` - ${body.error_description}` : "";
+    super(`OAuth upstream error: ${body.error}${suffix}`);
+    this.name = "OAuthUpstreamError";
+    this.status = status;
+    this.body = body;
+    this.raw = raw;
+  }
+}
+function parseUpstreamOAuthError(raw) {
+  try {
+    const json = JSON.parse(raw);
+    if (json !== null && typeof json === "object" && typeof json.error === "string") {
+      return json;
+    }
+  } catch {
+  }
+  return null;
+}
+function toOAuthErrorResponse(error) {
+  if (error instanceof OAuthUpstreamError) {
+    const body = {
+      error: error.body.error
+    };
+    if (error.body.error_description) body.error_description = error.body.error_description;
+    if (error.body.suberror) body.suberror = error.body.suberror;
+    return { status: 400, body };
+  }
+  return {
+    status: 500,
+    body: {
+      error: "server_error",
+      error_description: "Internal server error during token exchange"
+    }
+  };
+}
 async function exchangeCodeForToken(code, redirectUri, clientId, clientSecret, tenantId = "common", codeVerifier, cloudType = "global") {
   const cloudEndpoints = getCloudEndpoints(cloudType);
   const params = new URLSearchParams({
@@ -62,9 +103,20 @@ async function exchangeCodeForToken(code, redirectUri, clientId, clientSecret, t
     body: params
   });
   if (!response.ok) {
-    const error = await response.text();
-    logger.error(`Failed to exchange code for token: ${error}`);
-    throw new Error(`Failed to exchange code for token: ${error}`);
+    const raw = await response.text();
+    const parsed = parseUpstreamOAuthError(raw);
+    if (parsed) {
+      logger.warn(`Token endpoint upstream OAuth error: ${parsed.error}`, {
+        status: response.status,
+        error: parsed.error,
+        suberror: parsed.suberror,
+        error_codes: parsed.error_codes,
+        correlation_id: parsed.correlation_id
+      });
+      throw new OAuthUpstreamError(response.status, raw, parsed);
+    }
+    logger.error(`Failed to exchange code for token: ${raw}`);
+    throw new Error(`Failed to exchange code for token: ${raw}`);
   }
   return response.json();
 }
@@ -86,14 +138,27 @@ async function refreshAccessToken(refreshToken, clientId, clientSecret, tenantId
     body: params
   });
   if (!response.ok) {
-    const error = await response.text();
-    logger.error(`Failed to refresh token: ${error}`);
-    throw new Error(`Failed to refresh token: ${error}`);
+    const raw = await response.text();
+    const parsed = parseUpstreamOAuthError(raw);
+    if (parsed) {
+      logger.warn(`Token endpoint upstream OAuth error: ${parsed.error}`, {
+        status: response.status,
+        error: parsed.error,
+        suberror: parsed.suberror,
+        error_codes: parsed.error_codes,
+        correlation_id: parsed.correlation_id
+      });
+      throw new OAuthUpstreamError(response.status, raw, parsed);
+    }
+    logger.error(`Failed to refresh token: ${raw}`);
+    throw new Error(`Failed to refresh token: ${raw}`);
   }
   return response.json();
 }
 export {
+  OAuthUpstreamError,
   exchangeCodeForToken,
   microsoftBearerTokenAuthMiddleware,
-  refreshAccessToken
+  refreshAccessToken,
+  toOAuthErrorResponse
 };

package/dist/server.js

@@ -17,12 +17,15 @@ import { MicrosoftOAuthProvider } from "./oauth-provider.js";
 import {
   exchangeCodeForToken,
   microsoftBearerTokenAuthMiddleware,
-  refreshAccessToken
+  OAuthUpstreamError,
+  refreshAccessToken,
+  toOAuthErrorResponse
 } from "./lib/microsoft-auth.js";
 import { isAllowedRedirectUri, parseAllowlist } from "./lib/redirect-uri-validation.js";
 import { getSecrets } from "./secrets.js";
 import { getCloudEndpoints } from "./cloud-config.js";
 import { requestContext } from "./request-context.js";
+import { dumpError } from "./crash-logging.js";
 import crypto from "node:crypto";
 import OboClient from "./obo-client.js";
 function parseHttpOption(httpOption) {
@@ -123,6 +126,11 @@ class MicrosoftGraphServer {
           "--obo requires MS365_MCP_CLIENT_SECRET to be set (confidential client required for On-Behalf-Of flow)."
         );
       }
+      if (this.options.trustProxyAuth) {
+        throw new Error(
+          "--obo cannot be combined with --trust-proxy-auth: the proxy-auth pass-through skips the incoming bearer token that OBO would exchange."
+        );
+      }
       this.oboClient = new OboClient(this.secrets);
       logger.info("On-Behalf-Of (OBO) flow enabled");
     }
@@ -399,11 +407,18 @@ class MicrosoftGraphServer {
             });
           }
         } catch (error) {
-          logger.error("Token endpoint error:", error);
-          res.status(500).json({
-            error: "server_error",
-            error_description: "Internal server error during token exchange"
-          });
+          if (error instanceof OAuthUpstreamError) {
+            logger.warn("Token endpoint: upstream OAuth error surfaced to client", {
+              upstream_status: error.status,
+              error: error.body.error,
+              suberror: error.body.suberror,
+              error_codes: error.body.error_codes
+            });
+          } else {
+            logger.error("Token endpoint error:", error);
+          }
+          const { status, body } = toOAuthErrorResponse(error);
+          res.status(status).json(body);
         }
       });
       app.use(
@@ -412,9 +427,12 @@ class MicrosoftGraphServer {
           issuerUrl: new URL(publicBase ?? `http://localhost:${port}`)
         })
       );
+      const mcpAuth = microsoftBearerTokenAuthMiddleware({
+        trustProxyAuth: this.options.trustProxyAuth
+      });
       app.get(
         "/mcp",
-        microsoftBearerTokenAuthMiddleware,
+        mcpAuth,
         async (req, res) => {
           const handler = async () => {
             const server = this.createMcpServer();
@@ -456,7 +474,7 @@ class MicrosoftGraphServer {
       );
       app.post(
         "/mcp",
-        microsoftBearerTokenAuthMiddleware,
+        mcpAuth,
         async (req, res) => {
           const handler = async () => {
             const server = this.createMcpServer();
@@ -520,6 +538,9 @@ class MicrosoftGraphServer {
       }
     } else {
       const transport = new StdioServerTransport();
+      transport.onerror = (error) => {
+        logger.error("Stdio transport error", { error: dumpError(error) });
+      };
       await this.server.connect(transport);
       logger.info("Server connected to stdio transport");
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@softeria/ms-365-mcp-server",
-  "version": "0.111.0",
+  "version": "0.112.2",
   "description": " A Model Context Protocol (MCP) server for interacting with Microsoft 365 and Office services through the Graph API",
   "type": "module",
   "main": "dist/index.js",
@@ -33,7 +33,7 @@
     "access": "public"
   },
   "dependencies": {
-    "@azure/msal-node": "^3.8.0",
+    "@azure/msal-node": "^5.2.2",
     "@modelcontextprotocol/sdk": "^1.29.0",
     "@toon-format/toon": "^0.8.0",
     "commander": "^11.1.0",
@@ -76,6 +76,6 @@
   },
   "repository": {
     "type": "git",
-    "url": "https://github.com/softeria/ms-365-mcp-server.git"
+    "url": "https://github.com/Softeria/ms-365-mcp-server.git"
   }
 }