npm - @softeria/ms-365-mcp-server - Versions diffs - 0.118.2 → 0.119.0 - Mend

@softeria/ms-365-mcp-server 0.118.2 → 0.119.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/cli.js +6 -0
package/dist/lib/microsoft-auth.js +20 -0
package/dist/server.js +2 -1
package/package.json +1 -1

package/dist/cli.js CHANGED Viewed

@@ -50,6 +50,9 @@ program.name("ms-365-mcp-server").description("Microsoft 365 MCP Server").versio
 ).option(
   "--trust-proxy-auth",
   "In HTTP mode, skip the built-in Bearer-token check on /mcp and ignore any forwarded Authorization header. All callers share the locally cached MSAL identity (same path stdio mode uses). Use only when an upstream reverse proxy has already authenticated the caller."
+).option(
+  "--allow-unauthenticated-discovery",
+  "In HTTP mode, allow MCP discovery requests (initialize, tools/list, prompts/list, resources/list, ping) without a bearer token, so a gateway can enumerate the tool catalog before any user has authenticated. Non-discovery requests (e.g. tools/call) still require a token. Off by default."
 ).addOption(
   // DEPRECATED: kept only so existing deployments that set --base-url or
   // MS365_MCP_BASE_URL do not crash at startup. Use --public-url /
@@ -155,6 +158,9 @@ function parseArgs() {
   if (process.env.MS365_MCP_TRUST_PROXY_AUTH === "true" || process.env.MS365_MCP_TRUST_PROXY_AUTH === "1") {
     options.trustProxyAuth = true;
   }
+  if (process.env.MS365_MCP_ALLOW_UNAUTHENTICATED_DISCOVERY === "true" || process.env.MS365_MCP_ALLOW_UNAUTHENTICATED_DISCOVERY === "1") {
+    options.allowUnauthenticatedDiscovery = true;
+  }
   if (options.cloud) {
     process.env.MS365_MCP_CLOUD_TYPE = options.cloud;
   }

package/dist/lib/microsoft-auth.js CHANGED Viewed

@@ -17,6 +17,22 @@ function isJwtExpired(token) {
     return false;
   }
 }
+const DISCOVERY_METHODS = /* @__PURE__ */ new Set([
+  "initialize",
+  "notifications/initialized",
+  "tools/list",
+  "prompts/list",
+  "resources/list",
+  "ping"
+]);
+function isDiscoveryRequest(req) {
+  if (req.method !== "POST" || !req.body) return false;
+  const body = req.body;
+  if (Array.isArray(body)) {
+    return body.every((item) => DISCOVERY_METHODS.has(item?.method));
+  }
+  return DISCOVERY_METHODS.has(body?.method);
+}
 const microsoftBearerTokenAuthMiddleware = (opts = {}) => (req, res, next) => {
   if (opts.trustProxyAuth) {
     next();
@@ -24,6 +40,10 @@ const microsoftBearerTokenAuthMiddleware = (opts = {}) => (req, res, next) => {
   }
   const authHeader = req.headers.authorization;
   if (!authHeader || !authHeader.startsWith("Bearer ")) {
+    if (opts.allowUnauthenticatedDiscovery && isDiscoveryRequest(req)) {
+      next();
+      return;
+    }
     res.status(401).set(
       "WWW-Authenticate",
       buildWwwAuthenticate(req, "invalid_token", "Missing or malformed Authorization header")

package/dist/server.js CHANGED Viewed

@@ -469,7 +469,8 @@ class MicrosoftGraphServer {
         })
       );
       const mcpAuth = microsoftBearerTokenAuthMiddleware({
-        trustProxyAuth: this.options.trustProxyAuth
+        trustProxyAuth: this.options.trustProxyAuth,
+        allowUnauthenticatedDiscovery: this.options.allowUnauthenticatedDiscovery
       });
       app.get(
         "/mcp",

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@softeria/ms-365-mcp-server",
-  "version": "0.118.2",
+  "version": "0.119.0",
   "description": " A Model Context Protocol (MCP) server for interacting with Microsoft 365 and Office services through the Graph API",
   "type": "module",
   "main": "dist/index.js",