npm - @softeria/ms-365-mcp-server - Versions diffs - 0.114.2 → 0.114.4 - Mend

@softeria/ms-365-mcp-server 0.114.2 → 0.114.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/dist/graph-tools.js CHANGED Viewed

@@ -46,6 +46,15 @@ function formatDisabledToolsForLog(disabledTools) {
   const suffix = disabledTools.length > shown.length ? `, ... +${disabledTools.length - shown.length} more` : "";
   return `${shown.join("; ")}${suffix}`;
 }
+async function checkAccountParamInBearerMode(accountParam, authManager) {
+  if (!accountParam || !authManager) return null;
+  const contextToken = getRequestTokens()?.accessToken;
+  if (!contextToken && !authManager.isOAuthModeEnabled()) return null;
+  const bearerToken = contextToken ?? await authManager.getToken().catch(() => null) ?? void 0;
+  const bearerIdentity = getUserIdentityForAudit(bearerToken);
+  if (bearerIdentity && bearerIdentity.toLowerCase() === accountParam.toLowerCase()) return null;
+  return `The 'account' parameter is not supported in HTTP/OAuth mode: every request uses the identity of the connecting client's bearer token` + (bearerIdentity ? ` ('${bearerIdentity}')` : "") + `, so account switching is not possible. To act as '${accountParam}', reconnect the MCP client authenticated as that account, or run the server in stdio mode (or HTTP with --trust-proxy-auth) where cached accounts are available.`;
+}
 const UTILITY_TOOLS = [
   {
     name: "parse-teams-url",
@@ -124,6 +133,13 @@ const UTILITY_TOOLS = [
         };
       }
       try {
+        const accountModeError = await checkAccountParamInBearerMode(accountParam, authManager);
+        if (accountModeError) {
+          return {
+            content: [{ type: "text", text: JSON.stringify({ error: accountModeError }) }],
+            isError: true
+          };
+        }
         let accountAccessToken;
         if (authManager && !authManager.isOAuthModeEnabled() && !getRequestTokens()) {
           accountAccessToken = await authManager.getTokenForAccount(accountParam);
@@ -158,9 +174,16 @@ async function executeGraphTool(tool, config, graphClient, params, authManager)
   const upn = getUserIdentityForAudit(getRequestTokens()?.accessToken);
   const httpMethod = tool.method.toUpperCase();
   try {
+    const accountParam = params.account;
+    const accountModeError = await checkAccountParamInBearerMode(accountParam, authManager);
+    if (accountModeError) {
+      return {
+        content: [{ type: "text", text: JSON.stringify({ error: accountModeError }) }],
+        isError: true
+      };
+    }
     let accountAccessToken;
     if (authManager && !authManager.isOAuthModeEnabled() && !getRequestTokens()) {
-      const accountParam = params.account;
       try {
         accountAccessToken = await authManager.getTokenForAccount(accountParam);
       } catch (err) {

package/dist/server.js CHANGED Viewed

@@ -105,17 +105,24 @@ class MicrosoftGraphServer {
   async initialize(version) {
     this.secrets = await getSecrets();
     this.version = version;
-    try {
-      this.multiAccount = await this.authManager.isMultiAccount();
-      if (this.multiAccount) {
-        const accounts = await this.authManager.listAccounts();
-        this.accountNames = accounts.map((a) => a.username).filter((u) => !!u);
-        logger.info(
-          `Multi-account mode detected (${this.accountNames.length} accounts): "account" parameter will be injected into all tool schemas`
-        );
+    const accountRoutingAvailable = (!this.options.http || this.options.trustProxyAuth) && !this.authManager.isOAuthModeEnabled();
+    if (accountRoutingAvailable) {
+      try {
+        this.multiAccount = await this.authManager.isMultiAccount();
+        if (this.multiAccount) {
+          const accounts = await this.authManager.listAccounts();
+          this.accountNames = accounts.map((a) => a.username).filter((u) => !!u);
+          logger.info(
+            `Multi-account mode detected (${this.accountNames.length} accounts): "account" parameter will be injected into all tool schemas`
+          );
+        }
+      } catch (err) {
+        logger.warn(`Failed to detect multi-account mode: ${err.message}`);
       }
-    } catch (err) {
-      logger.warn(`Failed to detect multi-account mode: ${err.message}`);
+    } else {
+      logger.info(
+        'Account routing disabled: requests use the OAuth bearer identity, so the "account" parameter is not injected into tool schemas'
+      );
     }
     if (this.options.obo) {
       if (!this.options.http) {

package/dist/tool-categories.js CHANGED Viewed

@@ -1,61 +1,74 @@
-const TOOL_CATEGORIES = {
+import { readFileSync } from "fs";
+import { fileURLToPath } from "url";
+import path from "path";
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+const endpointEntries = JSON.parse(
+  readFileSync(path.join(__dirname, "endpoints.json"), "utf8")
+);
+const PRESET_META = {
   mail: {
-    name: "mail",
-    pattern: /mail|attachment|draft|download-bytes/i,
     description: "Email operations (read, send, manage folders, attachments)"
   },
   calendar: {
-    name: "calendar",
-    pattern: /calendar|event|schedule|meeting/i,
     description: "Calendar and event management"
   },
   files: {
-    name: "files",
-    pattern: /drive|file|upload|download|folder|item/i,
     description: "OneDrive file and folder operations"
   },
   personal: {
-    name: "personal",
-    pattern: /mail|calendar|drive|contact|todo|onenote|attachment|draft|event|file|folder|search|query|download-bytes|parse-teams-url/i,
     description: "Personal productivity tools (mail, calendar, files, contacts, tasks, notes, search)"
   },
   work: {
-    name: "work",
-    pattern: /team|channel|chat|sharepoint|planner|site|list|shared|search|query|download-bytes|schedule|meeting/i,
     description: "Organization/work tools (Teams, SharePoint, shared mailboxes, search)",
     requiresOrgMode: true
   },
   excel: {
-    name: "excel",
-    pattern: /excel|worksheet|workbook|range|chart/i,
     description: "Excel spreadsheet operations"
   },
   contacts: {
-    name: "contacts",
-    pattern: /contact/i,
     description: "Outlook contacts management"
   },
   tasks: {
-    name: "tasks",
-    pattern: /todo|planner|task/i,
     description: "Task and planning tools (To Do, Planner)"
   },
   onenote: {
-    name: "onenote",
-    pattern: /onenote|notebook|section|page/i,
     description: "OneNote notebook operations"
   },
   search: {
-    name: "search",
-    pattern: /search|query/i,
     description: "Microsoft Search capabilities"
   },
   users: {
-    name: "users",
-    pattern: /user|list-users|download-bytes/i,
     description: "User directory access",
     requiresOrgMode: true
   },
+  outlook: {
+    description: "Outlook app only: mail, calendar and contacts"
+  },
+  onedrive: {
+    description: "OneDrive app only: drive and file operations, excluding Excel"
+  },
+  teams: {
+    description: "Teams app only: chats, channels, meetings and presence",
+    requiresOrgMode: true
+  }
+};
+function presetPattern(preset) {
+  const names = [
+    ...new Set(endpointEntries.filter((e) => e.presets?.includes(preset)).map((e) => e.toolName))
+  ];
+  if (names.length === 0) {
+    throw new Error(`Preset "${preset}" matches no endpoints in endpoints.json`);
+  }
+  return new RegExp(`^(?:${names.join("|")})$`);
+}
+const TOOL_CATEGORIES = {
+  ...Object.fromEntries(
+    Object.entries(PRESET_META).map(([name, meta]) => [
+      name,
+      { name, pattern: presetPattern(name), ...meta }
+    ])
+  ),
   all: {
     name: "all",
     pattern: /.*/,

package/docs/deployment.md CHANGED Viewed

@@ -123,7 +123,11 @@ When deploying for an organization, create a dedicated app registration instead
 1. **Create the app** in [Azure Portal](https://portal.azure.com) > App registrations > New registration
    - Name: `MS365 MCP Server`
    - Supported account types: **Accounts in this organizational directory only** (single tenant)
-   - Redirect URI: your server's callback URL
+   - Redirect URI (platform type **Web**): the **MCP client's** OAuth callback URL, not the server's own domain. The server proxies the OAuth flow and forwards the client's `redirect_uri` to Microsoft Entra, so Entra delivers the authorization code directly to the client. Register one redirect URI per MCP client you want to support, for example:
+     - Claude (claude.ai, Desktop, Cowork): `https://claude.ai/api/mcp/auth_callback`
+     - Other clients: check the `redirect_uri` query parameter your client sends to the server's `/authorize` endpoint (visible in the server logs)
+   > **Common pitfall**: registering `https://your-server-domain/callback` here breaks sign-in with `AADSTS50011` (redirect URI mismatch) after the user authenticates. The server has no callback endpoint of its own; the authorization code always goes to the MCP client.
 2. **Add API permissions** > Microsoft Graph > Delegated permissions
    Run `npx @softeria/ms-365-mcp-server --org-mode --list-permissions` to print the exact list of permissions required for your enabled tools.

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@softeria/ms-365-mcp-server",
-  "version": "0.114.2",
+  "version": "0.114.4",
   "description": " A Model Context Protocol (MCP) server for interacting with Microsoft 365 and Office services through the Graph API",
   "type": "module",
   "main": "dist/index.js",