@softeria/ms-365-mcp-server 0.116.0 → 0.117.0

package/README.md

@@ -575,8 +575,10 @@ Environment variables:
 - `MS365_MCP_MAX_TOP=<n>`: Hard cap for Graph `$top` / `top` on list requests (positive integer). When the model passes a larger value, the server clamps it to `n` so responses stay smaller. Example: `MS365_MCP_MAX_TOP=15`
 - `MS365_MCP_MAX_PAGES=<n>`: Maximum number of pages followed when a tool is called with `fetchAllPages: true` (positive integer, default `100`). Bounds memory and latency for large result sets.
 - `MS365_MCP_MAX_ITEMS=<n>`: Maximum number of items accumulated when `fetchAllPages: true` (positive integer, default `10000`). Pagination stops and the response is truncated once this many items are collected.
-- `MS365_MCP_ALLOW_PAGINATION=0|false|no`: Disable multi-page following entirely. When set, `fetchAllPages: true` returns only the first page (default: pagination enabled).
+- `MS365_MCP_ALLOW_PAGINATION=0|false|no`: Disable multi-page following entirely. When set, the `fetchAllPages` parameter is not advertised on tools, and any request that still passes it returns only the first page (default: pagination enabled).
 - `MS365_MCP_BODY_FORMAT=html`: Return email bodies as HTML instead of plain text (default: text)
+- `MS365_MCP_RATE_LIMIT_DISABLED=true|1`: Disable per-IP rate limiting in HTTP mode (default: enabled — 30 req/min on `/authorize`, `/token`, `/register`; 120 req/min on `/mcp`)
+- `MS365_MCP_TRUST_PROXY_HOPS=<n>`: Number of trusted reverse-proxy hops in HTTP mode (default `1`). Accurate per-IP rate limiting depends on this matching your deployment — set to the number of proxies in front of the server, `0` to use the raw socket peer IP, or a comma-separated subnet list
 - `MS365_MCP_CLOUD_TYPE=global|china`: Microsoft cloud environment (alternative to --cloud flag)
 - `LOG_LEVEL`: Set logging level (default: 'info')
 - `SILENT=true|1`: Disable console output

package/dist/__tests__/graph-tools.test.js

@@ -252,6 +252,26 @@ describe("graph-tools", () => {
         registerGraphTools(server, graphClient);
         await server.tools.get("test-tool").handler({ fetchAllPages: true });
         expect(graphClient.graphRequest).toHaveBeenCalledTimes(1);
+        expect(server.tools.get("test-tool").schema.fetchAllPages).toBeUndefined();
+      });
+      it("should advertise fetchAllPages when pagination is enabled", async () => {
+        delete process.env.MS365_MCP_ALLOW_PAGINATION;
+        mockEndpoints.push(makeEndpoint());
+        mockEndpointsJson = [makeConfig()];
+        const server = createMockServer();
+        const { registerGraphTools } = await loadModule();
+        registerGraphTools(server, createMockGraphClient());
+        expect(server.tools.get("test-tool").schema.fetchAllPages).toBeDefined();
+      });
+      it("should reflect MS365_MCP_MAX_PAGES in the fetchAllPages description", async () => {
+        process.env.MS365_MCP_MAX_PAGES = "7";
+        mockEndpoints.push(makeEndpoint());
+        mockEndpointsJson = [makeConfig()];
+        const server = createMockServer();
+        const { registerGraphTools } = await loadModule();
+        registerGraphTools(server, createMockGraphClient());
+        const schema = server.tools.get("test-tool").schema.fetchAllPages;
+        expect(schema.description).toContain("up to 7 pages");
       });
     });
   });

package/dist/graph-tools.js

@@ -542,9 +542,10 @@ function registerGraphTools(server, graphClient, readOnly = false, enabledToolsP
         paramSchema[pathParamName] = z.string().describe(`Path parameter: ${pathParamName}`);
       }
     }
-    if (tool.method.toUpperCase() === "GET" && tool.path.includes("/")) {
+    if (tool.method.toUpperCase() === "GET" && tool.path.includes("/") && paginationAllowed()) {
+      const maxPages = positiveIntFromEnv("MS365_MCP_MAX_PAGES", DEFAULT_MAX_PAGES);
       paramSchema["fetchAllPages"] = z.boolean().describe(
-        "Follow @odata.nextLink and merge up to 100 pages into one response. Can return enormous payloads\u2014only when the user explicitly needs a full export. Prefer a small $top first, then paginate or narrow with $filter/$search."
+        `Follow @odata.nextLink and merge up to ${maxPages} pages into one response. Can return enormous payloads\u2014only when the user explicitly needs a full export. Prefer a small $top first, then paginate or narrow with $filter/$search.`
       ).optional();
     }
     if (paramSchema["filter"] !== void 0 || paramSchema["$filter"] !== void 0) {

package/dist/server.js

@@ -3,6 +3,8 @@ import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js"
 import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
 import { mcpAuthRouter } from "@modelcontextprotocol/sdk/server/auth/router.js";
 import express from "express";
+import helmet from "helmet";
+import rateLimit from "express-rate-limit";
 import logger, { enableConsoleLogging } from "./logger.js";
 import { registerAuthTools } from "./auth-tools.js";
 import { registerGraphTools, registerDiscoveryTools } from "./graph-tools.js";
@@ -167,7 +169,20 @@ class MicrosoftGraphServer {
     if (this.options.http) {
       const { host, port } = parseHttpOption(this.options.http);
       const app = express();
-      app.set("trust proxy", true);
+      const trustProxyEnv = process.env.MS365_MCP_TRUST_PROXY_HOPS;
+      if (trustProxyEnv !== void 0 && trustProxyEnv !== "") {
+        const asNum = Number(trustProxyEnv);
+        app.set("trust proxy", Number.isFinite(asNum) ? asNum : trustProxyEnv);
+      } else {
+        app.set("trust proxy", 1);
+      }
+      app.use(
+        helmet({
+          contentSecurityPolicy: false,
+          crossOriginEmbedderPolicy: false,
+          hsts: { maxAge: 31536e3, includeSubDomains: true, preload: true }
+        })
+      );
       app.use(express.json());
       app.use(express.urlencoded({ extended: true }));
       const corsOrigin = process.env.MS365_MCP_CORS_ORIGIN || "http://localhost:3000";
@@ -184,6 +199,25 @@ class MicrosoftGraphServer {
         }
         next();
       });
+      const rateLimitDisabled = process.env.MS365_MCP_RATE_LIMIT_DISABLED === "true" || process.env.MS365_MCP_RATE_LIMIT_DISABLED === "1";
+      if (!rateLimitDisabled) {
+        const authLimiter = rateLimit({
+          windowMs: 6e4,
+          max: 30,
+          standardHeaders: "draft-7",
+          legacyHeaders: false
+        });
+        const mcpLimiter = rateLimit({
+          windowMs: 6e4,
+          max: 120,
+          standardHeaders: "draft-7",
+          legacyHeaders: false
+        });
+        app.use("/authorize", authLimiter);
+        app.use("/token", authLimiter);
+        app.use("/register", authLimiter);
+        app.use("/mcp", mcpLimiter);
+      }
       const oauthProvider = new MicrosoftOAuthProvider(this.authManager, this.secrets);
       const publicUrlRaw = this.options.publicUrl || process.env.MS365_MCP_PUBLIC_URL || this.options.baseUrl || process.env.MS365_MCP_BASE_URL || null;
       const publicBase = publicUrlRaw ? new URL(publicUrlRaw).href.replace(/\/$/, "") : null;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@softeria/ms-365-mcp-server",
-  "version": "0.116.0",
+  "version": "0.117.0",
   "description": " A Model Context Protocol (MCP) server for interacting with Microsoft 365 and Office services through the Graph API",
   "type": "module",
   "main": "dist/index.js",
@@ -39,6 +39,8 @@
     "commander": "^11.1.0",
     "dotenv": "^17.0.1",
     "express": "^5.2.1",
+    "express-rate-limit": "^7.5.1",
+    "helmet": "^8.1.0",
     "js-yaml": "^4.1.0",
     "open": "^11.0.0",
     "winston": "^3.17.0",