@softeria/ms-365-mcp-server 0.63.1 → 0.64.0

package/dist/endpoints.json

@@ -133,6 +133,13 @@
     "scopes": ["Mail.ReadWrite"],
     "llmTip": "Max 3MB. Body requires @odata.type: {\"@odata.type\": \"#microsoft.graph.fileAttachment\", \"name\": \"file.pdf\", \"contentBytes\": \"<base64>\"}."
   },
+  {
+    "pathPattern": "/me/messages/{message-id}/attachments/createUploadSession",
+    "method": "post",
+    "toolName": "create-mail-attachment-upload-session",
+    "scopes": ["Mail.ReadWrite"],
+    "llmTip": "For large attachments (3-150MB). Body: { AttachmentItem: { attachmentType: 'file', name: 'report.pdf', size: 5000000 } }. Returns a pre-authenticated uploadUrl for direct PUT of file bytes."
+  },
   {
     "pathPattern": "/me/messages/{message-id}/attachments",
     "method": "get",
@@ -428,6 +435,13 @@
     "scopes": ["Files.ReadWrite"],
     "llmTip": "Max 4MB. For new files use path format: /items/root:/path/to/file.txt:/content. Overwrites existing files without warning."
   },
+  {
+    "pathPattern": "/drives/{drive-id}/items/{driveItem-id}/createUploadSession",
+    "method": "post",
+    "toolName": "create-upload-session",
+    "scopes": ["Files.ReadWrite"],
+    "llmTip": "For large file uploads (no size limit). Returns a pre-authenticated uploadUrl for direct PUT of file bytes. For new files use path: /items/{parentId}:/{fileName}:/createUploadSession. Body (optional): { item: { '@microsoft.graph.conflictBehavior': 'rename' } }."
+  },
   {
     "pathPattern": "/drives/{drive-id}/items/{driveItem-id}",
     "method": "patch",

package/dist/generated/client.js

@@ -748,6 +748,18 @@ const microsoft_graph_driveItemCollectionResponse = z.object({
   "@odata.nextLink": z.string().nullable(),
   value: z.array(microsoft_graph_driveItem)
 }).partial().passthrough();
+const create_upload_session_Body = z.object({ item: z.object({}).partial().passthrough() }).partial().passthrough();
+const microsoft_graph_uploadSession = z.object({
+  expirationDateTime: z.string().regex(
+    /^[0-9]{4,}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])T([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]([.][0-9]{1,12})?(Z|[+-][0-9][0-9]:[0-9][0-9])$/
+  ).datetime({ offset: true }).describe(
+    "The date and time in UTC that the upload session expires. The complete file must be uploaded before this expiration time is reached. Each fragment uploaded during the session extends the expiration time."
+  ).nullish(),
+  nextExpectedRanges: z.array(z.string().nullable()).describe(
+    "A collection of byte ranges that the server is missing for the file. These ranges are zero indexed and of the format 'start-end' (for example '0-26' to indicate the first 27 bytes of the file). When uploading files as Outlook attachments, instead of a collection of ranges, this property always indicates a single value '{start}', the location in the file where the next upload should begin."
+  ).optional(),
+  uploadUrl: z.string().describe("The URL endpoint that accepts PUT requests for byte ranges of the file.").nullish()
+}).passthrough();
 const microsoft_graph_workbookIcon = z.object({
   index: z.number().gte(-2147483648).lte(2147483647).describe("The index of the icon in the given set.").optional(),
   set: z.string().describe(
@@ -3865,6 +3877,8 @@ const schemas = {
   microsoft_graph_pendingOperations,
   microsoft_graph_driveItem,
   microsoft_graph_driveItemCollectionResponse,
+  create_upload_session_Body,
+  microsoft_graph_uploadSession,
   microsoft_graph_workbookIcon,
   microsoft_graph_workbookFilterCriteria,
   microsoft_graph_workbookFilter,
@@ -4604,6 +4618,22 @@ const endpoints = makeApi([
     ],
     response: z.void()
   },
+  {
+    method: "post",
+    path: "/drives/:driveId/items/:driveItemId/createUploadSession",
+    alias: "create-upload-session",
+    description: `Invoke action createUploadSession`,
+    requestFormat: "json",
+    parameters: [
+      {
+        name: "body",
+        description: `Action parameters`,
+        type: "Body",
+        schema: create_upload_session_Body
+      }
+    ],
+    response: z.void()
+  },
   {
     method: "get",
     path: "/drives/:driveId/items/:driveItemId/workbook/tables",
@@ -6927,6 +6957,22 @@ resource.`,
     ],
     response: z.void()
   },
+  {
+    method: "post",
+    path: "/me/messages/:messageId/attachments/createUploadSession",
+    alias: "create-mail-attachment-upload-session",
+    description: `Create an upload session that allows an app to iteratively upload ranges of a file, so as to attach the file to the specified Outlook item. The item can be a message or event. Use this approach to attach a file if the file size is between 3 MB and 150 MB. To attach a file that's smaller than 3 MB, do a POST operation on the attachments navigation property of the Outlook item; see how to do this for a message or for an event. As part of the response, this action returns an upload URL that you can use in subsequent sequential PUT queries. Request headers for each PUT operation let you specify the exact range of bytes to be uploaded. This allows transfer to be resumed, in case the network connection is dropped during upload. The following are the steps to attach a file to an Outlook item using an upload session: See attach large files to Outlook messages or events for an example.`,
+    requestFormat: "json",
+    parameters: [
+      {
+        name: "body",
+        description: `Action parameters`,
+        type: "Body",
+        schema: z.object({ AttachmentItem: z.object({}).partial().passthrough() }).partial().passthrough()
+      }
+    ],
+    response: z.void()
+  },
   {
     method: "post",
     path: "/me/messages/:messageId/createForward",

package/dist/server.js

@@ -17,6 +17,7 @@ import {
 import { getSecrets } from "./secrets.js";
 import { getCloudEndpoints } from "./cloud-config.js";
 import { requestContext } from "./request-context.js";
+import crypto from "node:crypto";
 function parseHttpOption(httpOption) {
   if (typeof httpOption === "boolean") {
     return { host: void 0, port: 3e3 };
@@ -36,6 +37,8 @@ class MicrosoftGraphServer {
     this.version = "0.0.0";
     this.multiAccount = false;
     this.accountNames = [];
+    // Two-leg PKCE: stores client's code_challenge and server's code_verifier, keyed by OAuth state
+    this.pkceStore = /* @__PURE__ */ new Map();
     this.authManager = authManager;
     this.options = options;
     this.graphClient = null;
@@ -189,14 +192,15 @@ class MicrosoftGraphServer {
         const microsoftAuthUrl = new URL(
           `${cloudEndpoints.authority}/${tenantId}/oauth2/v2.0/authorize`
         );
+        const clientCodeChallenge = url.searchParams.get("code_challenge");
+        const clientCodeChallengeMethod = url.searchParams.get("code_challenge_method");
+        const state = url.searchParams.get("state");
         const allowedParams = [
           "response_type",
           "redirect_uri",
           "scope",
           "state",
           "response_mode",
-          "code_challenge",
-          "code_challenge_method",
           "prompt",
           "login_hint",
           "domain_hint"
@@ -207,6 +211,32 @@ class MicrosoftGraphServer {
             microsoftAuthUrl.searchParams.set(param, value);
           }
         });
+        if (clientCodeChallenge && state) {
+          const serverCodeVerifier = crypto.randomBytes(32).toString("base64url");
+          const serverCodeChallenge = crypto.createHash("sha256").update(serverCodeVerifier).digest("base64url");
+          this.pkceStore.set(state, {
+            clientCodeChallenge,
+            clientCodeChallengeMethod: clientCodeChallengeMethod || "S256",
+            serverCodeVerifier,
+            createdAt: Date.now()
+          });
+          const now = Date.now();
+          for (const [key, value] of this.pkceStore) {
+            if (now - value.createdAt > 10 * 60 * 1e3) {
+              this.pkceStore.delete(key);
+            }
+          }
+          microsoftAuthUrl.searchParams.set("code_challenge", serverCodeChallenge);
+          microsoftAuthUrl.searchParams.set("code_challenge_method", "S256");
+          logger.info("Two-leg PKCE: stored client challenge, generated server challenge", {
+            state: state.substring(0, 8) + "..."
+          });
+        } else if (clientCodeChallenge) {
+          microsoftAuthUrl.searchParams.set("code_challenge", clientCodeChallenge);
+          if (clientCodeChallengeMethod) {
+            microsoftAuthUrl.searchParams.set("code_challenge_method", clientCodeChallengeMethod);
+          }
+        }
         microsoftAuthUrl.searchParams.set("client_id", clientId);
         if (!microsoftAuthUrl.searchParams.get("scope")) {
           microsoftAuthUrl.searchParams.set("scope", "User.Read Files.Read Mail.Read");
@@ -250,13 +280,28 @@ class MicrosoftGraphServer {
               tenantId,
               hasClientSecret: !!clientSecret
             });
+            let serverCodeVerifier;
+            if (body.code_verifier) {
+              const clientVerifier = body.code_verifier;
+              const clientChallengeComputed = crypto.createHash("sha256").update(clientVerifier).digest("base64url");
+              for (const [state, pkceData] of this.pkceStore) {
+                if (pkceData.clientCodeChallenge === clientChallengeComputed) {
+                  serverCodeVerifier = pkceData.serverCodeVerifier;
+                  this.pkceStore.delete(state);
+                  logger.info("Two-leg PKCE: matched client verifier, using server verifier", {
+                    state: state.substring(0, 8) + "..."
+                  });
+                  break;
+                }
+              }
+            }
             const result = await exchangeCodeForToken(
               body.code,
               body.redirect_uri,
               clientId,
               clientSecret,
               tenantId,
-              body.code_verifier,
+              serverCodeVerifier || body.code_verifier,
               this.secrets.cloudType
             );
             res.json(result);

package/logs/mcp-server.log

@@ -1,10 +1,10 @@
-2026-04-05 08:41:23 INFO: [GRAPH CLIENT] Final URL being sent to Microsoft: https://graph.microsoft.com/v1.0/me
-2026-04-05 08:41:23 INFO: [GRAPH CLIENT] Final URL being sent to Microsoft: https://graph.microsoft.com/v1.0/me
-2026-04-05 08:41:23 INFO: [GRAPH CLIENT] Final URL being sent to Microsoft: https://graph.microsoft.com/v1.0/me
-2026-04-05 08:41:23 INFO: [GRAPH CLIENT] Final URL being sent to Microsoft: https://graph.microsoft.com/v1.0/me/messages
-2026-04-05 08:41:23 INFO: [GRAPH CLIENT] Final URL being sent to Microsoft: https://graph.microsoft.com/v1.0/me/calendar
-2026-04-05 08:41:25 INFO: Using environment variables for secrets
-2026-04-05 08:41:25 INFO: Using environment variables for secrets
-2026-04-05 08:41:25 INFO: Using environment variables for secrets
-2026-04-05 08:41:25 INFO: Using environment variables for secrets
-2026-04-05 08:41:25 INFO: Using environment variables for secrets
+2026-04-05 09:28:30 INFO: [GRAPH CLIENT] Final URL being sent to Microsoft: https://graph.microsoft.com/v1.0/me
+2026-04-05 09:28:30 INFO: [GRAPH CLIENT] Final URL being sent to Microsoft: https://graph.microsoft.com/v1.0/me
+2026-04-05 09:28:30 INFO: [GRAPH CLIENT] Final URL being sent to Microsoft: https://graph.microsoft.com/v1.0/me
+2026-04-05 09:28:30 INFO: [GRAPH CLIENT] Final URL being sent to Microsoft: https://graph.microsoft.com/v1.0/me/messages
+2026-04-05 09:28:30 INFO: [GRAPH CLIENT] Final URL being sent to Microsoft: https://graph.microsoft.com/v1.0/me/calendar
+2026-04-05 09:28:32 INFO: Using environment variables for secrets
+2026-04-05 09:28:32 INFO: Using environment variables for secrets
+2026-04-05 09:28:32 INFO: Using environment variables for secrets
+2026-04-05 09:28:32 INFO: Using environment variables for secrets
+2026-04-05 09:28:32 INFO: Using environment variables for secrets

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@softeria/ms-365-mcp-server",
-  "version": "0.63.1",
+  "version": "0.64.0",
   "description": " A Model Context Protocol (MCP) server for interacting with Microsoft 365 and Office services through the Graph API",
   "type": "module",
   "main": "dist/index.js",

package/src/endpoints.json

@@ -133,6 +133,13 @@
     "scopes": ["Mail.ReadWrite"],
     "llmTip": "Max 3MB. Body requires @odata.type: {\"@odata.type\": \"#microsoft.graph.fileAttachment\", \"name\": \"file.pdf\", \"contentBytes\": \"<base64>\"}."
   },
+  {
+    "pathPattern": "/me/messages/{message-id}/attachments/createUploadSession",
+    "method": "post",
+    "toolName": "create-mail-attachment-upload-session",
+    "scopes": ["Mail.ReadWrite"],
+    "llmTip": "For large attachments (3-150MB). Body: { AttachmentItem: { attachmentType: 'file', name: 'report.pdf', size: 5000000 } }. Returns a pre-authenticated uploadUrl for direct PUT of file bytes."
+  },
   {
     "pathPattern": "/me/messages/{message-id}/attachments",
     "method": "get",
@@ -428,6 +435,13 @@
     "scopes": ["Files.ReadWrite"],
     "llmTip": "Max 4MB. For new files use path format: /items/root:/path/to/file.txt:/content. Overwrites existing files without warning."
   },
+  {
+    "pathPattern": "/drives/{drive-id}/items/{driveItem-id}/createUploadSession",
+    "method": "post",
+    "toolName": "create-upload-session",
+    "scopes": ["Files.ReadWrite"],
+    "llmTip": "For large file uploads (no size limit). Returns a pre-authenticated uploadUrl for direct PUT of file bytes. For new files use path: /items/{parentId}:/{fileName}:/createUploadSession. Body (optional): { item: { '@microsoft.graph.conflictBehavior': 'rename' } }."
+  },
   {
     "pathPattern": "/drives/{drive-id}/items/{driveItem-id}",
     "method": "patch",