npm - @softeria/ms-365-mcp-server - Versions diffs - 0.118.1 → 0.119.0 - Mend

@softeria/ms-365-mcp-server 0.118.1 → 0.119.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/README.md +1 -1
package/dist/auth.js +20 -4
package/dist/cli.js +6 -0
package/dist/lib/microsoft-auth.js +20 -0
package/dist/server.js +2 -1
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -584,7 +584,7 @@ Environment variables:
 - `SILENT=true|1`: Disable console output
 - `MS365_MCP_REDACT_PII=true|1`: Scrub JWTs, Bearer headers, OAuth token fields, and email addresses from log messages before they are written (default: disabled). Useful when logs are shipped to a central store or shared host.
 - `MS365_MCP_CLIENT_ID`: Custom Azure app client ID (defaults to built-in app)
-- `MS365_MCP_TENANT_ID`: Custom tenant ID (defaults to 'common' for multi-tenant)
+- `MS365_MCP_TENANT_ID`: Custom tenant ID (defaults to 'common' for multi-tenant). **Personal Microsoft accounts should set this to `consumers`** - as of June 2026, refresh tokens issued via the default 'common' authority are rejected at the first refresh, so sessions die roughly an hour after login
 - `MS365_MCP_OAUTH_TOKEN`: Pre-existing OAuth token for Microsoft Graph API (BYOT method)
 - `MS365_MCP_KEYVAULT_URL`: Azure Key Vault URL for secrets management (see Azure Key Vault section)
 - `MS365_MCP_TOKEN_CACHE_PATH`: Custom file path for MSAL token cache (see Token Storage below)

package/dist/auth.js CHANGED Viewed

@@ -243,6 +243,13 @@ function describeAuthError(error) {
   }
   return error.message;
 }
+const MSA_HOME_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad";
+function consumersAuthorityHint(error, account, authority) {
+  if (error instanceof AuthError && error.errorCode === "invalid_grant" && account?.tenantId === MSA_HOME_TENANT_ID && (!authority || /\/common\/?$/i.test(authority))) {
+    return `This looks like a known issue (June 2026) where Microsoft rejects refresh tokens issued to personal accounts via the default 'common' authority. If this server is used only with personal accounts, set MS365_MCP_TENANT_ID=consumers and re-login with: --login`;
+  }
+  return null;
+}
 class AuthManager {
   constructor(config, scopes = [], expectedAccount, storage) {
     logger.info(`And scopes are ${scopes.join(", ")}`, scopes);
@@ -459,8 +466,13 @@ class AuthManager {
         await this.saveTokenCache();
         return this.accessToken;
       } catch (error) {
-        logger.error(`Silent token acquisition failed: ${describeAuthError(error)}`);
-        throw new Error("Silent token acquisition failed");
+        const hint = consumersAuthorityHint(error, currentAccount, this.config.auth.authority);
+        logger.error(
+          `Silent token acquisition failed: ${describeAuthError(error)}${hint ? ` ${hint}` : ""}`
+        );
+        throw new Error(
+          hint ? `Silent token acquisition failed. ${hint}` : "Silent token acquisition failed"
+        );
       }
     }
     throw new Error("No valid token found");
@@ -774,9 +786,12 @@ class AuthManager {
       await this.saveTokenCache();
       return response.accessToken;
     } catch (error) {
-      logger.error(`Silent token acquisition failed: ${describeAuthError(error)}`);
+      const hint = consumersAuthorityHint(error, targetAccount, this.config.auth.authority);
+      logger.error(
+        `Silent token acquisition failed: ${describeAuthError(error)}${hint ? ` ${hint}` : ""}`
+      );
       throw new Error(
-        `Failed to acquire token for account '${targetAccount.username || targetAccount.name || "unknown"}'. The token may have expired. Please re-login with: --login`
+        `Failed to acquire token for account '${targetAccount.username || targetAccount.name || "unknown"}'. ` + (hint ?? "The token may have expired. Please re-login with: --login")
       );
     }
   }
@@ -787,6 +802,7 @@ export {
   buildScopeDiagnostics,
   buildScopesFromEndpoints,
   collapseScopeHierarchy,
+  consumersAuthorityHint,
   auth_default as default,
   describeAuthError,
   getEndpointRequiredScopes,

package/dist/cli.js CHANGED Viewed

@@ -50,6 +50,9 @@ program.name("ms-365-mcp-server").description("Microsoft 365 MCP Server").versio
 ).option(
   "--trust-proxy-auth",
   "In HTTP mode, skip the built-in Bearer-token check on /mcp and ignore any forwarded Authorization header. All callers share the locally cached MSAL identity (same path stdio mode uses). Use only when an upstream reverse proxy has already authenticated the caller."
+).option(
+  "--allow-unauthenticated-discovery",
+  "In HTTP mode, allow MCP discovery requests (initialize, tools/list, prompts/list, resources/list, ping) without a bearer token, so a gateway can enumerate the tool catalog before any user has authenticated. Non-discovery requests (e.g. tools/call) still require a token. Off by default."
 ).addOption(
   // DEPRECATED: kept only so existing deployments that set --base-url or
   // MS365_MCP_BASE_URL do not crash at startup. Use --public-url /
@@ -155,6 +158,9 @@ function parseArgs() {
   if (process.env.MS365_MCP_TRUST_PROXY_AUTH === "true" || process.env.MS365_MCP_TRUST_PROXY_AUTH === "1") {
     options.trustProxyAuth = true;
   }
+  if (process.env.MS365_MCP_ALLOW_UNAUTHENTICATED_DISCOVERY === "true" || process.env.MS365_MCP_ALLOW_UNAUTHENTICATED_DISCOVERY === "1") {
+    options.allowUnauthenticatedDiscovery = true;
+  }
   if (options.cloud) {
     process.env.MS365_MCP_CLOUD_TYPE = options.cloud;
   }

package/dist/lib/microsoft-auth.js CHANGED Viewed

@@ -17,6 +17,22 @@ function isJwtExpired(token) {
     return false;
   }
 }
+const DISCOVERY_METHODS = /* @__PURE__ */ new Set([
+  "initialize",
+  "notifications/initialized",
+  "tools/list",
+  "prompts/list",
+  "resources/list",
+  "ping"
+]);
+function isDiscoveryRequest(req) {
+  if (req.method !== "POST" || !req.body) return false;
+  const body = req.body;
+  if (Array.isArray(body)) {
+    return body.every((item) => DISCOVERY_METHODS.has(item?.method));
+  }
+  return DISCOVERY_METHODS.has(body?.method);
+}
 const microsoftBearerTokenAuthMiddleware = (opts = {}) => (req, res, next) => {
   if (opts.trustProxyAuth) {
     next();
@@ -24,6 +40,10 @@ const microsoftBearerTokenAuthMiddleware = (opts = {}) => (req, res, next) => {
   }
   const authHeader = req.headers.authorization;
   if (!authHeader || !authHeader.startsWith("Bearer ")) {
+    if (opts.allowUnauthenticatedDiscovery && isDiscoveryRequest(req)) {
+      next();
+      return;
+    }
     res.status(401).set(
       "WWW-Authenticate",
       buildWwwAuthenticate(req, "invalid_token", "Missing or malformed Authorization header")

package/dist/server.js CHANGED Viewed

@@ -469,7 +469,8 @@ class MicrosoftGraphServer {
         })
       );
       const mcpAuth = microsoftBearerTokenAuthMiddleware({
-        trustProxyAuth: this.options.trustProxyAuth
+        trustProxyAuth: this.options.trustProxyAuth,
+        allowUnauthenticatedDiscovery: this.options.allowUnauthenticatedDiscovery
       });
       app.get(
         "/mcp",

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@softeria/ms-365-mcp-server",
-  "version": "0.118.1",
+  "version": "0.119.0",
   "description": " A Model Context Protocol (MCP) server for interacting with Microsoft 365 and Office services through the Graph API",
   "type": "module",
   "main": "dist/index.js",