@softeria/ms-365-mcp-server 0.82.0 → 0.83.0

package/dist/graph-client.js

@@ -1,5 +1,4 @@
 import logger from "./logger.js";
-import { refreshAccessToken } from "./lib/microsoft-auth.js";
 import { encode as toonEncode } from "@toon-format/toon";
 import { getCloudEndpoints } from "./cloud-config.js";
 import { getRequestTokens } from "./request-context.js";
@@ -33,18 +32,12 @@ class GraphClient {
   }
   async makeRequest(endpoint, options = {}) {
     const contextTokens = getRequestTokens();
-    let accessToken = options.accessToken ?? contextTokens?.accessToken ?? await this.authManager.getToken();
-    const refreshToken = options.refreshToken ?? contextTokens?.refreshToken;
+    const accessToken = options.accessToken ?? contextTokens?.accessToken ?? await this.authManager.getToken();
     if (!accessToken) {
       throw new Error("No access token available");
     }
     try {
-      let response = await this.performRequest(endpoint, accessToken, options);
-      if (response.status === 401 && refreshToken) {
-        const newTokens = await this.refreshAccessToken(refreshToken);
-        accessToken = newTokens.accessToken;
-        response = await this.performRequest(endpoint, accessToken, options);
-      }
+      const response = await this.performRequest(endpoint, accessToken, options);
       if (response.status === 403) {
         const errorText = await response.text();
         if (errorText.includes("scope") || errorText.includes("permission")) {
@@ -100,27 +93,6 @@ class GraphClient {
       throw error;
     }
   }
-  async refreshAccessToken(refreshToken) {
-    const tenantId = this.secrets.tenantId || "common";
-    const clientId = this.secrets.clientId;
-    const clientSecret = this.secrets.clientSecret;
-    if (clientSecret) {
-      logger.info("GraphClient: Refreshing token with confidential client");
-    } else {
-      logger.info("GraphClient: Refreshing token with public client");
-    }
-    const response = await refreshAccessToken(
-      refreshToken,
-      clientId,
-      clientSecret,
-      tenantId,
-      this.secrets.cloudType
-    );
-    return {
-      accessToken: response.access_token,
-      refreshToken: response.refresh_token
-    };
-  }
   async performRequest(endpoint, accessToken, options) {
     const cloudEndpoints = getCloudEndpoints(this.secrets.cloudType);
     const url = `${cloudEndpoints.graphApi}/v1.0${endpoint}`;

package/dist/lib/microsoft-auth.js

@@ -1,17 +1,43 @@
 import logger from "../logger.js";
 import { getCloudEndpoints } from "../cloud-config.js";
+function buildWwwAuthenticate(req, error, description) {
+  const protocol = req.secure ? "https" : "http";
+  const origin = `${protocol}://${req.get("host")}`;
+  const resourceMetadata = `${origin}/.well-known/oauth-protected-resource`;
+  return `Bearer resource_metadata="${resourceMetadata}", error="${error}", error_description="${description}"`;
+}
+function isJwtExpired(token) {
+  const parts = token.split(".");
+  if (parts.length !== 3) return false;
+  try {
+    const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf-8"));
+    if (typeof payload.exp !== "number") return false;
+    return payload.exp * 1e3 < Date.now();
+  } catch {
+    return false;
+  }
+}
 const microsoftBearerTokenAuthMiddleware = (req, res, next) => {
   const authHeader = req.headers.authorization;
   if (!authHeader || !authHeader.startsWith("Bearer ")) {
-    res.status(401).json({ error: "Missing or invalid access token" });
+    res.status(401).set(
+      "WWW-Authenticate",
+      buildWwwAuthenticate(req, "invalid_token", "Missing or malformed Authorization header")
+    ).json({
+      error: "invalid_token",
+      error_description: "Missing or malformed Authorization header"
+    });
     return;
   }
   const accessToken = authHeader.substring(7);
-  const refreshToken = req.headers["x-microsoft-refresh-token"] || "";
-  req.microsoftAuth = {
-    accessToken,
-    refreshToken
-  };
+  if (isJwtExpired(accessToken)) {
+    res.status(401).set(
+      "WWW-Authenticate",
+      buildWwwAuthenticate(req, "invalid_token", "The access token has expired")
+    ).json({ error: "invalid_token", error_description: "The access token has expired" });
+    return;
+  }
+  req.microsoftAuth = { accessToken };
   next();
 };
 async function exchangeCodeForToken(code, redirectUri, clientId, clientSecret, tenantId = "common", codeVerifier, cloudType = "global") {

package/dist/server.js

@@ -388,13 +388,7 @@ class MicrosoftGraphServer {
           };
           try {
             if (req.microsoftAuth) {
-              await requestContext.run(
-                {
-                  accessToken: req.microsoftAuth.accessToken,
-                  refreshToken: req.microsoftAuth.refreshToken
-                },
-                handler
-              );
+              await requestContext.run({ accessToken: req.microsoftAuth.accessToken }, handler);
             } else {
               await handler();
             }
@@ -432,13 +426,7 @@ class MicrosoftGraphServer {
           };
           try {
             if (req.microsoftAuth) {
-              await requestContext.run(
-                {
-                  accessToken: req.microsoftAuth.accessToken,
-                  refreshToken: req.microsoftAuth.refreshToken
-                },
-                handler
-              );
+              await requestContext.run({ accessToken: req.microsoftAuth.accessToken }, handler);
             } else {
               await handler();
             }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@softeria/ms-365-mcp-server",
-  "version": "0.82.0",
+  "version": "0.83.0",
   "description": " A Model Context Protocol (MCP) server for interacting with Microsoft 365 and Office services through the Graph API",
   "type": "module",
   "main": "dist/index.js",