npm - ms365-mcp-server - Versions diffs - 1.0.0 → 1.0.1 - Mend

ms365-mcp-server 1.0.0 → 1.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md +115 -130
package/dist/index.js +64 -209
package/dist/utils/ms365-auth-enhanced.js +202 -87
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -1,6 +1,6 @@
 # ✉️ Microsoft 365 MCP Server
-A powerful **Model Context Protocol (MCP) server** that enables seamless Microsoft 365 email integration through natural language interactions. Built for **Claude Desktop**, **LLMs**, and any MCP-compatible application.
+A powerful **Model Context Protocol (MCP) server** that enables seamless Microsoft 365 email integration through natural language interactions. Built for **Claude Desktop**, **LLMs**, and any MCP-compatible application with **enhanced security** and **simplified authentication**.
 This project provides an **MCP (Model Context Protocol) server** that enables **Claude Desktop** to access your **Microsoft 365 email** seamlessly. It acts as a bridge between AI models and email services by exposing mailbox capabilities through a **secure, standardized interface**.
@@ -11,9 +11,9 @@ This project provides an **MCP (Model Context Protocol) server** that enables **
 - **Smart email search** with advanced filtering and criteria support
 - **Email organization** with read/unread marking and folder management
 - **File attachment support** - send and receive attachments seamlessly
-- **Multi-user support** for teams and shared environments
+- **Enhanced security** with simplified single-user authentication model
 - **Contact management** - retrieve and search your contact directory
-- **Secure authentication** with local token storage and automatic refresh
+- **Secure authentication** with OS keychain storage and automatic refresh
 - **Cross-platform compatibility** (macOS, Linux, Windows)
 ## 🛠️ Tools & Capabilities
@@ -31,19 +31,16 @@ This project provides an **MCP (Model Context Protocol) server** that enables **
 - **`get_contacts`** - Retrieve contact list from Microsoft 365
 - **`search_contacts`** - Search contacts by name or email address
-### 🔐 Authentication Tools (10 tools)
-- **`quick_authenticate`** - One-time authentication with auto browser launch (single-user mode)
-- **`get_auth_link`** - Get clickable authentication link for manual control (single-user mode)
-- **`device_code_login`** - Device code authentication flow (no browser auto-open)
+### 🔐 Secure Authentication Tools (7 tools)
+- **`authenticate_with_device_code`** - Complete authentication in one step (RECOMMENDED)
+- **`device_code_login`** - Device code authentication flow (manual code entry)
+- **`check_pending_auth`** - Check for pending device code authentication
 - **`get_device_code`** - Get device code info for manual authentication
-- **`verify_authentication`** - Check current authentication status
-- **`list_authenticated_accounts`** - Show all authenticated accounts
-- **`get_storage_info`** - Display credential storage method information
-- **`logout`** - Clear authentication tokens for current user
-- **`authenticate_user`** - Start authentication flow for new users (multi-user mode)
-- **`get_my_session_info`** - View your own session information (multi-user mode)
+- **`get_auth_link`** - Get authentication link without auto browser launch
+- **`verify_authentication`** - Check current authentication status (secure)
+- **`logout`** - Clear authentication tokens and reset session
-**Total: 21 tools** (11 email operations + 10 authentication tools)
+**Total: 18 tools** (11 email operations + 7 secure authentication tools)
 ## 🌟 Key Feature Highlights
@@ -76,6 +73,23 @@ This project provides an **MCP (Model Context Protocol) server** that enables **
   * Perform smart contact searches
   * Integration with Microsoft 365 address book
+### 🛡️ Enhanced Security Features
+* **Simplified Authentication Model**
+  * Single-user authentication for better security
+  * No account enumeration or information disclosure
+  * Secure credential storage with OS keychain integration
+* **Privacy Protection**
+  * No sensitive system information exposed
+  * User can only see their own authentication status
+  * Secure token management with automatic refresh
+* **Device Code Authentication**
+  * No browser auto-open for better security control
+  * Manual code entry prevents unauthorized access
+  * Built-in Microsoft app requires no Azure registration
 ### 🌟 Advanced Features
 * **Advanced Search Filters**
@@ -130,69 +144,69 @@ Add to your `claude_desktop_config.json`:
 ```
 ### First Time Authentication
-**Option 1: Device Code Flow (Recommended)**
+**Device Code Flow (Recommended & Secure)**
 ```bash
 ms365-mcp-server --login
 # Follow the on-screen instructions - no Azure app registration needed!
 ```
-**Option 2: Interactive Setup**
+**Interactive Setup (Advanced)**
 ```bash
 ms365-mcp-server --setup-auth
 # Choose device code flow (recommended) or custom Azure app
 ```
-## 🔐 **Enhanced Authentication System**
+## 🔐 **Enhanced Security & Authentication**
-Our MS365 MCP Server features a **dual-layer authentication system** inspired by [Softeria's implementation](https://github.com/Softeria/ms-365-mcp-server) with significant enhancements:
+Our MS365 MCP Server features a **security-first authentication system** with simplified single-user model:
-### **🎯 Authentication Methods**
+### **🔒 Security Improvements**
+- **🚫 No Account Enumeration**: Removed tools that could expose user lists
+- **🚫 No System Information Disclosure**: Hidden sensitive storage details
+- **🚫 No Multi-User Complexity**: Simplified to single-user for better security
+- **✅ Secure Credential Storage**: OS Keychain with encrypted file fallback
+- **✅ Privacy Protection**: Users can only see their own information
+- **✅ Token Security**: Automatic refresh with secure MSAL library
+### **🎯 Secure Authentication Flow**
 1. **🔥 Device Code Flow (Recommended)**
    - **No Azure app registration required**
    - **Built-in Microsoft app** for instant setup
-   - **Secure device code authentication**
-   - Perfect for personal use and secure environments
+   - **Manual code entry** prevents unauthorized access
+   - **No local server** required (more secure)
 2. **⚙️ Custom Azure App (Advanced)**
    - **Full control** over permissions and settings
    - **Redirect-based OAuth2** authentication
    - **Custom tenant configuration**
-   - Ideal for enterprise environments
-### **🔒 Secure Credential Storage**
+   - Requires Azure app registration
-- **OS Keychain Integration** (macOS Keychain, Windows Credential Manager, Linux Secret Service)
-- **Encrypted File Fallback** for cross-platform compatibility
-- **Automatic token refresh** with MSAL library
-- **Multi-account support** with isolated storage
-### **⚡ New Authentication Commands**
+### **⚡ Secure Authentication Commands**
 ```bash
-# Device code authentication (easiest)
+# Device code authentication (most secure)
 ms365-mcp-server --login
-# Verify authentication status
+# Verify your authentication status
 ms365-mcp-server --verify-login
-# Logout and clear tokens
+# Secure logout and clear tokens
 ms365-mcp-server --logout
 # Interactive credential setup
 ms365-mcp-server --setup-auth
 ```
-### **🔄 Authentication Flow Comparison**
+### **🔄 Authentication Flow**
 | Feature | Device Code Flow *(Recommended)* | Redirect Flow *(Advanced)* |
 |---------|----------------------------------|----------------------------|
 | **Setup Required** | ❌ None (uses built-in app) | ✅ Azure app registration |
-| **Callback Endpoint** | ❌ Not needed | ✅ `http://localhost:44001/oauth2callback` |
-| **Port Requirements** | ❌ No ports needed | ✅ Port 44001 must be free |
-| **Browser Auto-open** | ❌ Manual code entry | ✅ Automatic browser redirect |
 | **Security** | 🔒 High (no local server) | 🔒 High (local callback) |
-| **Enterprise Support** | ✅ Excellent | ✅ Full control |
+| **Privacy** | 🔒 Manual code entry | 🔒 Browser auto-open |
+| **Ease of Use** | ✅ Simple setup | ⚙️ Advanced configuration |
 **Most users should use Device Code Flow** - it's simpler, more secure, and requires no setup!
@@ -222,11 +236,20 @@ node dist/index.js
 ## 🔑 Authentication Setup
-### Step 1: Azure App Registration *(Optional - Only for Advanced Users)*
+### Step 1: Recommended Setup (No Azure Registration)
+**Most users should use this method:**
+```bash
+# One-command authentication
+ms365-mcp-server --login
+```
-> **💡 Note**: Most users can skip this step! The recommended device code flow uses a built-in Microsoft app and doesn't require Azure app registration.
+This uses a built-in Microsoft app with device code flow - **no Azure registration needed!**
-**Only needed if you want a custom Azure app with redirect-based authentication:**
+### Step 2: Advanced Setup (Custom Azure App)
+> **💡 Note**: Only needed for advanced users who want custom Azure app configuration.
 1. Go to [Azure Portal](https://portal.azure.com)
 2. Navigate to **Azure Active Directory** > **App registrations**
@@ -234,7 +257,7 @@ node dist/index.js
 4. Configure your application:
    - **Name**: MS365 MCP Server (or your preferred name)
    - **Supported account types**: Choose appropriate option
-   - **Redirect URI**: `http://localhost:44001/oauth2callback` *(only needed for redirect flow)*
+   - **Redirect URI**: `http://localhost:44001/oauth2callback` *(only for redirect flow)*
 5. **Grant API permissions** for Microsoft Graph:
    - `Mail.ReadWrite` - Read and write access to user mail
    - `Mail.Send` - Send mail as user
@@ -247,9 +270,9 @@ node dist/index.js
    - **Directory (tenant) ID**
    - **Client secret value**
-### Step 2: Configure Credentials
+### Step 3: Configure Credentials (Advanced Only)
-**Method 1: Environment Variables (Recommended)**
+**Method 1: Environment Variables**
 ```bash
 export MS365_CLIENT_ID="your_client_id_here"
 export MS365_CLIENT_SECRET="your_client_secret_here"
@@ -262,31 +285,6 @@ ms365-mcp-server --setup-auth
 # Follow the prompts to enter your credentials
 ```
-**Method 3: Credentials File**
-```bash
-# Save credentials to ~/.ms365-mcp/credentials.json
-{
-  "clientId": "your_client_id",
-  "clientSecret": "your_client_secret",
-  "tenantId": "your_tenant_id",
-  "redirectUri": "http://localhost:44001/oauth2callback"
-}
-```
-### Step 3: Authentication Modes
-**Single-User Mode (Personal Use)**
-```bash
-ms365-mcp-server
-# Use quick_authenticate or get_auth_link tools
-```
-**Multi-User Mode (Teams/Shared)**
-```bash
-ms365-mcp-server --multi-user
-# Use authenticate_user tool for each user
-```
 ## 📖 Usage Examples
 ### Sending Emails
@@ -322,6 +320,14 @@ ms365-mcp-server --multi-user
 }
 ```
+### Secure Authentication Check
+```javascript
+{
+  "tool": "verify_authentication",
+  "arguments": {}
+}
+```
 ### Contact Search
 ```javascript
 {
@@ -340,17 +346,20 @@ ms365-mcp-server --multi-user
 - `--logout` - Logout and clear stored authentication tokens
 - `--verify-login` - Verify current authentication status
 - `--reset-auth` - Clear stored authentication tokens
-- `--multi-user` - Enable multi-user authentication mode
 - `--debug` - Enable detailed debug logging
 - `--help` - Show help information
+🔒 **Security Note**: Removed `--multi-user` mode for enhanced security and simplicity.
 ## 🔒 Security & Privacy
-- **Local token storage** in `~/.ms365-mcp/token.json`
-- **User isolation** in multi-user mode prevents cross-user data access
+- **Secure token storage** with OS Keychain integration
+- **Encrypted file fallback** for cross-platform compatibility
 - **OAuth2 compliance** with Microsoft MSAL library
 - **No external data transmission** - all data stays local
 - **Automatic token refresh** with secure credential management
+- **Privacy protection** - users can only access their own data
+- **No information disclosure** - system details are protected
 ## 📊 Logging & Debugging
@@ -366,20 +375,20 @@ ms365-mcp-server --debug
 ### Common Issues
 **"MS365 credentials not configured"**
-- Set environment variables or run `--setup-auth`
-- Ensure credentials file exists at correct path
+- Run `ms365-mcp-server --login` for quick setup
+- Use `--setup-auth` for advanced configuration
-**"Access blocked" during OAuth**
-- Verify your app has required Microsoft Graph permissions
-- Ensure redirect URI matches Azure app registration
+**Device code authentication issues**
+- Use `ms365-mcp-server --verify-login` to check status
+- Try `ms365-mcp-server --logout` then `--login` to reset
 **Authentication timeout**
-- Use `--reset-auth` to clear old tokens
-- Check that redirect URI matches Azure app settings
+- Device codes expire in 15 minutes
+- Use `--reset-auth` to clear old tokens and start fresh
 **Permission errors**
-- Verify Microsoft Graph API permissions are granted in Azure Portal
-- Ensure admin consent is provided if required
+- Verify Microsoft Graph API permissions if using custom Azure app
+- Device code flow handles permissions automatically
 ### Reset Authentication
 ```bash
@@ -420,62 +429,38 @@ npm run version-bump major
 - **Research assistance** - Query and analyze email communications
 - **Email productivity** - Automate routine email tasks and responses
-## 🆚 **Enhanced Features vs Softeria's Implementation**
-While inspired by [Softeria's excellent MS365 MCP server](https://github.com/Softeria/ms-365-mcp-server), our implementation focuses on **email specialization** with significant enhancements:
-### **🎯 Our Email-First Advantages**
-| Feature | Our Implementation | Softeria's |
-|---------|-------------------|------------|
-| **Email Tools** | 11 comprehensive email tools | Basic mail operations |
-| **Authentication** | Device code + Redirect flows | Device code only |
-| **Storage Security** | OS Keychain + encrypted file | OS keychain fallback |
-| **Multi-user Support** | ✅ Full user isolation | ❌ Single user only |
-| **Email Search** | Advanced filtering & criteria | Basic search |
-| **Attachment Handling** | Full send/receive support | Basic attachment support |
-| **Documentation** | Comprehensive setup guides | Basic documentation |
-| **CLI Features** | Rich authentication commands | Basic login/logout |
-### **🚀 Unique Email Features**
+## 🆚 **Enhanced Security vs Other Implementations**
-- **Advanced Email Filtering**: Filter by date ranges, attachments, importance, read status
-- **Multi-folder Search**: Search across all mailbox folders simultaneously
-- **Email Organization**: Move emails between folders, mark read/unread status
-- **Contact Integration**: Full contact search and management
-- **Professional Email Composition**: HTML/text emails with attachments and CC/BCC
-- **Seamless Claude Integration**: Purpose-built for AI email assistance
+Our implementation prioritizes **security and simplicity** over feature complexity:
-### **🔄 Migration from Softeria**
+### **🛡️ Our Security-First Advantages**
-If you're currently using Softeria's server and want **enhanced email capabilities**:
+| Feature | Our Implementation | Other Implementations |
+|---------|-------------------|----------------------|
+| **Account Enumeration** | 🚫 Blocked (security risk) | ✅ Often exposed |
+| **System Information** | 🚫 Hidden (privacy protection) | ✅ Often exposed |
+| **Multi-User Complexity** | 🚫 Simplified to single-user | ✅ Complex multi-user |
+| **Authentication Model** | ✅ Secure device code focus | ⚠️ Various approaches |
+| **Information Disclosure** | 🚫 Minimized | ⚠️ Often excessive |
+| **Privacy Protection** | ✅ User sees only own data | ⚠️ Variable |
-```bash
-# Install our server
-npm install -g ms365-mcp-server
+### **🚀 Security Features**
-# Quick authentication (uses built-in app like Softeria)
-ms365-mcp-server --login
+- **Privacy by Design**: Users can only access their own information
+- **Minimal Information Disclosure**: No sensitive system details exposed
+- **Simplified Authentication**: Single-user model reduces attack surface
+- **Secure Token Management**: OS keychain with automatic refresh
+- **Device Code Focus**: More secure than redirect-based flows
-# Update Claude Desktop config
-{
-  "mcpServers": {
-    "ms365": {
-      "command": "ms365-mcp-server",
-      "args": []
-    }
-  }
-}
-```
+### **🔄 Migration Considerations**
-**Why Choose Our Implementation?**
-- **Email-specialized tools** for comprehensive mailbox management
-- **Multi-user support** for teams and shared environments
-- **Enhanced security** with OS keychain + encrypted file fallback
-- **Professional documentation** and troubleshooting guides
-- **Active development** focused on email productivity
+**Enhanced Security Benefits:**
+- **Reduced Attack Surface**: Fewer tools mean less potential vulnerabilities
+- **Privacy Protection**: No account enumeration or system information disclosure
+- **Simplified Model**: Single-user approach is more secure and easier to audit
+- **Security Transparency**: Clear notices about what information is protected
-Both implementations are excellent - choose ours for **deep email functionality** or Softeria's for **broad Microsoft 365 integration**.
+Choose our implementation for **maximum security and privacy protection** in your Microsoft 365 integrations.
 ## 📝 License
@@ -494,4 +479,4 @@ For issues and questions:
 ---
-**Built with ❤️ for the AI and productivity community**
+**Built with 🔒 Security and ❤️ for the AI and productivity community**

package/dist/index.js CHANGED Viewed

@@ -55,7 +55,7 @@ function parseArgs() {
 }
 const server = new Server({
     name: "ms365-mcp-server",
-    version: "1.0.0"
+    version: "1.0.1"
 }, {
     capabilities: {
         resources: {
@@ -453,21 +453,6 @@ server.setRequestHandler(ListToolsRequestSchema, async () => {
                 additionalProperties: false
             }
         },
-        {
-            name: "get_my_session_info",
-            description: "Get information about your own authentication session (user-specific, secure).",
-            inputSchema: {
-                type: "object",
-                properties: {
-                    userId: {
-                        type: "string",
-                        description: "Your User ID to get information for"
-                    }
-                },
-                required: ["userId"],
-                additionalProperties: false
-            }
-        },
         {
             name: "remove_my_session",
             description: "Remove your own authentication session (user-specific, secure).",
@@ -487,47 +472,38 @@ server.setRequestHandler(ListToolsRequestSchema, async () => {
     // Add one-time authentication tool for single-user mode
     const oneTimeAuthTools = [
         {
-            name: "quick_authenticate",
-            description: "One-time Microsoft 365 authentication for immediate access. Opens browser automatically and completes authentication flow.",
+            name: "get_auth_link",
+            description: "Get a clickable Microsoft 365 authentication link without auto-opening browser. Perfect for manual authentication control.",
             inputSchema: {
                 type: "object",
                 properties: {
                     force: {
                         type: "boolean",
-                        description: "Force re-authentication even if already authenticated (default: false)",
+                        description: "Force new authentication link even if already authenticated (default: false)",
                         default: false
                     }
                 },
                 additionalProperties: false
             }
-        },
+        }
+    ];
+    // Enhanced authentication tools with device code flow
+    const enhancedAuthTools = [
         {
-            name: "get_auth_link",
-            description: "Get a clickable Microsoft 365 authentication link without auto-opening browser. Perfect for manual authentication control.",
+            name: "authenticate_with_device_code",
+            description: "Complete device code authentication in MCP. First call shows device code, second call (after browser auth) completes the process. RECOMMENDED method.",
             inputSchema: {
                 type: "object",
                 properties: {
                     force: {
                         type: "boolean",
-                        description: "Force new authentication link even if already authenticated (default: false)",
+                        description: "Force new authentication even if already authenticated (default: false)",
                         default: false
                     }
                 },
                 additionalProperties: false
             }
         },
-        {
-            name: "check_quick_auth_status",
-            description: "Check if quick authentication has completed successfully. Use this after using quick_authenticate to see if you're now authenticated.",
-            inputSchema: {
-                type: "object",
-                properties: {},
-                additionalProperties: false
-            }
-        }
-    ];
-    // Enhanced authentication tools with device code flow
-    const enhancedAuthTools = [
         {
             name: "device_code_login",
             description: "Start device code authentication flow and get the URL/code to enter. Shows authentication details immediately in the UI.",
@@ -543,15 +519,6 @@ server.setRequestHandler(ListToolsRequestSchema, async () => {
                 additionalProperties: false
             }
         },
-        {
-            name: "complete_device_code_auth",
-            description: "Check if device code authentication has completed after visiting the URL and entering the code. This is a quick status check - authentication happens automatically in the background.",
-            inputSchema: {
-                type: "object",
-                properties: {},
-                additionalProperties: false
-            }
-        },
         {
             name: "check_pending_auth",
             description: "Check if there's a pending device code authentication and get the URL/code again if needed.",
@@ -579,24 +546,6 @@ server.setRequestHandler(ListToolsRequestSchema, async () => {
                 additionalProperties: false
             }
         },
-        {
-            name: "list_authenticated_accounts",
-            description: "List all authenticated Microsoft 365 accounts stored securely. Shows which accounts are available for use.",
-            inputSchema: {
-                type: "object",
-                properties: {},
-                additionalProperties: false
-            }
-        },
-        {
-            name: "get_storage_info",
-            description: "Get information about how credentials are stored (OS Keychain vs encrypted file). Useful for security auditing.",
-            inputSchema: {
-                type: "object",
-                properties: {},
-                additionalProperties: false
-            }
-        },
         {
             name: "logout",
             description: "Log out and clear stored authentication tokens for the current user. This will require re-authentication.",
@@ -633,26 +582,54 @@ server.setRequestHandler(CallToolRequestSchema, async (request) => {
     try {
         switch (name) {
             // ============ ENHANCED AUTHENTICATION TOOLS ============
-            case "quick_authenticate":
-                if (!await enhancedMS365Auth.isAuthenticated() || args?.force) {
-                    // Use the enhanced device code flow for better UI experience
-                    const deviceCodeInfo = await enhancedMS365Auth.startDeviceCodeAuth();
-                    // Return device code info immediately, user will need to complete manually
+            case "authenticate_with_device_code":
+                try {
+                    // Check if already authenticated
+                    if (await enhancedMS365Auth.isAuthenticated() && !args?.force) {
+                        return {
+                            content: [
+                                {
+                                    type: "text",
+                                    text: `✅ Already authenticated with Microsoft 365! Use force: true to re-authenticate.`
+                                }
+                            ]
+                        };
+                    }
+                    // First, try to complete any existing pending authentication
+                    const existingResult = await enhancedMS365Auth.completeDeviceCodeAuth();
+                    if (existingResult) {
+                        const currentUser = await enhancedMS365Auth.getCurrentUser();
+                        return {
+                            content: [
+                                {
+                                    type: "text",
+                                    text: `✅ Device code authentication completed successfully!\n\n👤 User: ${currentUser || 'authenticated-user'}\n🔐 Status: Valid\n\n🚀 You can now use all Microsoft 365 email features!`
+                                }
+                            ]
+                        };
+                    }
+                    // Check if there's already a pending device code
+                    let deviceCodeInfo = await enhancedMS365Auth.getPendingDeviceCodeInfo();
+                    if (!deviceCodeInfo || args?.force) {
+                        // No pending code or force new one, start fresh
+                        deviceCodeInfo = await enhancedMS365Auth.startDeviceCodeAuth();
+                    }
+                    // Return device code information immediately (MCP pattern)
                     return {
                         content: [
                             {
                                 type: "text",
-                                text: `🔐 Microsoft 365 Authentication Required!\n\n📱 Please visit: ${deviceCodeInfo.verificationUri}\n🔑 Enter this code: ${deviceCodeInfo.userCode}\n\n⏳ Authentication is in progress. The system will automatically complete once you enter the code.\n\n💡 This code expires in 15 minutes.`
+                                text: `🔐 Microsoft 365 Device Code Authentication\n\n📱 Visit: ${deviceCodeInfo.verificationUri}\n🔑 Enter this code: ${deviceCodeInfo.userCode}\n\n⏳ After completing authentication in your browser, call this tool again to finish the process.\n\n💡 This code will expire in 15 minutes.`
                             }
                         ]
                     };
                 }
-                else {
+                catch (error) {
                     return {
                         content: [
                             {
                                 type: "text",
-                                text: "✅ Already authenticated with Microsoft 365. Use force: true to re-authenticate."
+                                text: `❌ Authentication failed: ${error.message}\n\n💡 Try again or use CLI: node dist/index.js --login`
                             }
                         ]
                     };
@@ -679,40 +656,6 @@ server.setRequestHandler(CallToolRequestSchema, async (request) => {
                         ]
                     };
                 }
-            case "check_quick_auth_status":
-                const isCurrentlyAuthenticated = await enhancedMS365Auth.isAuthenticated();
-                const hasPending = enhancedMS365Auth.hasPendingAuth();
-                if (isCurrentlyAuthenticated) {
-                    return {
-                        content: [
-                            {
-                                type: "text",
-                                text: "✅ Quick authentication completed successfully! You can now use all Microsoft 365 email features."
-                            }
-                        ]
-                    };
-                }
-                else if (hasPending) {
-                    const pendingInfo = enhancedMS365Auth.getPendingDeviceCodeInfo();
-                    return {
-                        content: [
-                            {
-                                type: "text",
-                                text: `⏳ Authentication still pending.\n\n📱 Please visit: ${pendingInfo?.verificationUri}\n🔑 Enter code: ${pendingInfo?.userCode}\n\n💡 Check again after entering the code in your browser. Authentication completes automatically - no need to wait or use additional tools.`
-                            }
-                        ]
-                    };
-                }
-                else {
-                    return {
-                        content: [
-                            {
-                                type: "text",
-                                text: "❌ No authentication found. Please use quick_authenticate to start the authentication process."
-                            }
-                        ]
-                    };
-                }
             case "device_code_login":
                 if (!await enhancedMS365Auth.isAuthenticated() || args?.force) {
                     const deviceCodeInfo = await enhancedMS365Auth.startDeviceCodeAuth();
@@ -720,7 +663,7 @@ server.setRequestHandler(CallToolRequestSchema, async (request) => {
                         content: [
                             {
                                 type: "text",
-                                text: `🔐 Microsoft 365 Device Code Authentication Started!\n\n📱 Visit: ${deviceCodeInfo.verificationUri}\n🔑 Enter this code: ${deviceCodeInfo.userCode}\n\n⏳ After entering the code, use the "complete_device_code_auth" tool to finish authentication.\n\n💡 This code will expire in 15 minutes.`
+                                text: `🔐 Microsoft 365 Device Code Authentication Started!\n\n📱 Visit: ${deviceCodeInfo.verificationUri}\n🔑 Enter this code: ${deviceCodeInfo.userCode}\n\n⏳ After entering the code, use the "authenticate_with_device_code" tool to complete authentication.\n\n💡 This code will expire in 15 minutes.`
                             }
                         ]
                     };
@@ -735,53 +678,18 @@ server.setRequestHandler(CallToolRequestSchema, async (request) => {
                         ]
                     };
                 }
-            case "complete_device_code_auth":
-                if (!enhancedMS365Auth.hasPendingAuth()) {
-                    return {
-                        content: [
-                            {
-                                type: "text",
-                                text: "❌ No pending device code authentication found. Use 'device_code_login' first to start the authentication process."
-                            }
-                        ]
-                    };
-                }
-                // Check if authentication has already completed (non-blocking)
-                const isNowAuthenticated = await enhancedMS365Auth.isAuthenticated();
-                if (isNowAuthenticated) {
+            case "check_pending_auth":
+                const pendingDeviceCodeState = await enhancedMS365Auth.getPendingDeviceCodeInfo();
+                if (pendingDeviceCodeState) {
                     return {
                         content: [
                             {
                                 type: "text",
-                                text: "✅ Device code authentication completed successfully! You can now use all Microsoft 365 email features."
+                                text: `⏳ Pending Device Code Authentication\n\n📱 Visit: ${pendingDeviceCodeState.verificationUri}\n🔑 Enter this code: ${pendingDeviceCodeState.userCode}\n\n💡 Use 'authenticate_with_device_code' to finish authentication after entering the code.`
                             }
                         ]
                     };
                 }
-                // If still pending, return status with instructions
-                const pendingInfo = enhancedMS365Auth.getPendingDeviceCodeInfo();
-                return {
-                    content: [
-                        {
-                            type: "text",
-                            text: `⏳ Device code authentication still in progress.\n\n📱 Please visit: ${pendingInfo?.verificationUri}\n🔑 Enter code: ${pendingInfo?.userCode}\n\n💡 Try this tool again after completing the authentication in your browser.\n\nNote: Authentication completes automatically once you enter the code - no need to wait.`
-                        }
-                    ]
-                };
-            case "check_pending_auth":
-                if (enhancedMS365Auth.hasPendingAuth()) {
-                    const pendingInfo = enhancedMS365Auth.getPendingDeviceCodeInfo();
-                    if (pendingInfo) {
-                        return {
-                            content: [
-                                {
-                                    type: "text",
-                                    text: `⏳ Pending Device Code Authentication\n\n📱 Visit: ${pendingInfo.verificationUri}\n🔑 Enter this code: ${pendingInfo.userCode}\n\n💡 Use 'complete_device_code_auth' to finish authentication after entering the code.`
-                                }
-                            ]
-                        };
-                    }
-                }
                 return {
                     content: [
                         {
@@ -802,64 +710,30 @@ server.setRequestHandler(CallToolRequestSchema, async (request) => {
                 };
             case "verify_authentication":
                 const isAuthenticated = await enhancedMS365Auth.isAuthenticated();
-                const accounts = await enhancedMS365Auth.listAuthenticatedAccounts();
+                const currentUser = await enhancedMS365Auth.getCurrentUser();
                 const storageInfo = enhancedMS365Auth.getStorageInfo();
                 return {
                     content: [
                         {
                             type: "text",
-                            text: `📊 Microsoft 365 Authentication Status\n\n🔐 Authentication: ${isAuthenticated ? '✅ Valid' : '❌ Not authenticated'}\n💾 Storage method: ${storageInfo.method}\n📁 Storage location: ${storageInfo.location}\n👥 Authenticated accounts: ${accounts.length > 0 ? accounts.join(', ') : 'None'}`
+                            text: `📊 Microsoft 365 Authentication Status\n\n🔐 Authentication: ${isAuthenticated ? '✅ Valid' : '❌ Not authenticated'}\n👤 Current User: ${currentUser || 'None'}\n💾 Storage method: ${storageInfo.method}\n📁 Storage location: ${storageInfo.location}`
                         }
                     ]
                 };
-            case "list_authenticated_accounts":
-                const authenticatedAccounts = await enhancedMS365Auth.listAuthenticatedAccounts();
-                return {
-                    content: [
-                        {
-                            type: "text",
-                            text: `👥 Authenticated Microsoft 365 Accounts:\n\n${authenticatedAccounts.length > 0 ? authenticatedAccounts.map(account => `• ${account}`).join('\n') : 'No authenticated accounts found'}`
-                        }
-                    ]
-                };
-            case "get_storage_info":
-                const storage = enhancedMS365Auth.getStorageInfo();
+            case "logout":
+                const accountKey = args?.accountKey;
+                const wasAuthenticated = await enhancedMS365Auth.isAuthenticated();
+                await enhancedMS365Auth.resetAuth();
                 return {
                     content: [
                         {
                             type: "text",
-                            text: `🔒 Credential Storage Information\n\n💾 Method: ${storage.method}\n📁 Location: ${storage.location}\n🔐 Keychain Available: ${storage.method === 'OS Keychain' ? 'Yes' : 'No'}`
+                            text: wasAuthenticated ?
+                                `✅ Successfully logged out from Microsoft 365.` :
+                                `ℹ️ No active authentication found.`
                         }
                     ]
                 };
-            case "logout":
-                const accountKey = args?.accountKey;
-                // Get list of authenticated accounts before logout for better feedback
-                const authenticatedAccountsBefore = await enhancedMS365Auth.listAuthenticatedAccounts();
-                await enhancedMS365Auth.resetAuth(accountKey);
-                // Check what was actually logged out
-                const authenticatedAccountsAfter = await enhancedMS365Auth.listAuthenticatedAccounts();
-                const loggedOutAccounts = authenticatedAccountsBefore.filter(account => !authenticatedAccountsAfter.includes(account));
-                if (accountKey) {
-                    return {
-                        content: [
-                            {
-                                type: "text",
-                                text: `✅ Successfully logged out from Microsoft 365. Account: ${accountKey}`
-                            }
-                        ]
-                    };
-                }
-                else {
-                    return {
-                        content: [
-                            {
-                                type: "text",
-                                text: `✅ Successfully logged out from Microsoft 365.\n${loggedOutAccounts.length > 0 ? `Logged out accounts: ${loggedOutAccounts.join(', ')}` : 'No accounts found to logout'}`
-                            }
-                        ]
-                    };
-                }
             // ============ MULTI-USER AUTHENTICATION TOOLS ============
             case "authenticate_user":
                 if (!ms365Config.multiUser) {
@@ -874,25 +748,6 @@ server.setRequestHandler(CallToolRequestSchema, async (request) => {
                         }
                     ]
                 };
-            case "get_my_session_info":
-                if (!ms365Config.multiUser) {
-                    throw new Error("Multi-user mode not enabled. Start server with --multi-user flag.");
-                }
-                if (!args?.userId) {
-                    throw new Error("User ID is required");
-                }
-                const session = multiUserMS365Auth.getUserSession(args.userId);
-                if (!session) {
-                    throw new Error(`User session not found: ${args.userId}`);
-                }
-                return {
-                    content: [
-                        {
-                            type: "text",
-                            text: `👤 Session Information\n\n🆔 User ID: ${session.userId}\n📧 Email: ${session.userEmail || 'Unknown'}\n🔐 Authenticated: ${session.authenticated ? 'Yes' : 'No'}\n⏰ Expires: ${new Date(session.expiresOn).toLocaleString()}`
-                        }
-                    ]
-                };
             case "remove_my_session":
                 if (!ms365Config.multiUser) {
                     throw new Error("Multi-user mode not enabled. Start server with --multi-user flag.");
@@ -1218,13 +1073,13 @@ async function main() {
     if (ms365Config.verifyLogin) {
         try {
             const isAuthenticated = await enhancedMS365Auth.isAuthenticated();
-            const accounts = await enhancedMS365Auth.listAuthenticatedAccounts();
+            const currentUser = await enhancedMS365Auth.getCurrentUser();
             const storageInfo = enhancedMS365Auth.getStorageInfo();
             console.log('\n📊 MS365 Authentication Status\n');
             console.log(`Authentication: ${isAuthenticated ? '✅ Valid' : '❌ Not authenticated'}`);
+            console.log(`Current User: ${currentUser || 'None'}`);
             console.log(`Storage method: ${storageInfo.method}`);
-            console.log(`Storage location: ${storageInfo.location}`);
-            console.log(`Authenticated accounts: ${accounts.length > 0 ? accounts.join(', ') : 'None'}\n`);
+            console.log(`Storage location: ${storageInfo.location}\n`);
             process.exit(isAuthenticated ? 0 : 1);
         }
         catch (error) {

package/dist/utils/ms365-auth-enhanced.js CHANGED Viewed

@@ -23,6 +23,7 @@ const DEFAULT_TENANT_ID = "common";
 // Configuration directory and file paths
 const CONFIG_DIR = path.join(os.homedir(), '.ms365-mcp');
 const CREDENTIALS_FILE = path.join(CONFIG_DIR, 'credentials.json');
+const DEVICE_CODE_FILE = path.join(CONFIG_DIR, 'device-code.json');
 /**
  * Enhanced Microsoft 365 authentication manager with device code flow support
  */
@@ -259,7 +260,7 @@ export class EnhancedMS365Auth {
         return 'device';
     }
     /**
-     * Save token using secure credential store
+     * Save token using secure credential store (simplified single account)
      */
     async saveToken(token, authType) {
         try {
@@ -270,8 +271,8 @@ export class EnhancedMS365Auth {
                 account: token.account,
                 authType: authType
             };
-            const accountKey = token.account?.username || 'default-user';
-            await credentialStore.setCredentials(accountKey, tokenData);
+            // Always use a single account key for simplicity
+            await credentialStore.setCredentials('ms365-user', tokenData);
             logger.log('Saved MS365 access token securely');
         }
         catch (error) {
@@ -279,11 +280,11 @@ export class EnhancedMS365Auth {
         }
     }
     /**
-     * Load stored token using secure credential store
+     * Load stored token using secure credential store (simplified single account)
      */
-    async loadStoredToken(accountKey = 'default-user') {
+    async loadStoredToken() {
         try {
-            return await credentialStore.getCredentials(accountKey);
+            return await credentialStore.getCredentials('ms365-user');
         }
         catch (error) {
             logger.error('Error loading stored token:', error);
@@ -329,22 +330,14 @@ export class EnhancedMS365Auth {
     /**
      * Get authenticated Microsoft Graph client
      */
-    async getGraphClient(accountKey) {
-        // If no specific account key provided, use the first available account
-        if (!accountKey) {
-            const accounts = await this.listAuthenticatedAccounts();
-            if (accounts.length === 0) {
-                throw new Error('No authenticated accounts found. Please authenticate first.');
-            }
-            accountKey = accounts[0];
-        }
-        const storedToken = await this.loadStoredToken(accountKey);
+    async getGraphClient() {
+        const storedToken = await this.loadStoredToken();
         if (!storedToken) {
             throw new Error('No stored token found. Please authenticate first.');
         }
         // Check if token is expired
         if (storedToken.expiresOn < Date.now()) {
-            await this.refreshToken(accountKey);
+            await this.refreshToken();
         }
         const client = Client.init({
             authProvider: (done) => {
@@ -356,8 +349,8 @@ export class EnhancedMS365Auth {
     /**
      * Refresh access token
      */
-    async refreshToken(accountKey = 'default-user') {
-        const storedToken = await this.loadStoredToken(accountKey);
+    async refreshToken() {
+        const storedToken = await this.loadStoredToken();
         if (!storedToken?.account) {
             throw new Error('No account information available. Please re-authenticate.');
         }
@@ -384,29 +377,15 @@ export class EnhancedMS365Auth {
     /**
      * Check if user is authenticated
      */
-    async isAuthenticated(accountKey) {
-        // If no specific account key provided, check all available accounts
-        if (!accountKey) {
-            const accounts = await this.listAuthenticatedAccounts();
-            if (accounts.length === 0) {
-                return false;
-            }
-            // Check if any account has valid authentication
-            for (const account of accounts) {
-                if (await this.isAuthenticated(account)) {
-                    return true;
-                }
-            }
-            return false;
-        }
-        const storedToken = await this.loadStoredToken(accountKey);
+    async isAuthenticated() {
+        const storedToken = await this.loadStoredToken();
         if (!storedToken) {
             return false;
         }
         // If token is expired, try to refresh
         if (storedToken.expiresOn < Date.now()) {
             try {
-                await this.refreshToken(accountKey);
+                await this.refreshToken();
                 return true;
             }
             catch (error) {
@@ -425,33 +404,160 @@ export class EnhancedMS365Auth {
     /**
      * Clear stored authentication data
      */
-    async resetAuth(accountKey) {
+    async resetAuth() {
+        try {
+            await credentialStore.deleteCredentials('ms365-user');
+            await this.clearDeviceCodeState();
+            logger.log('Cleared stored authentication tokens');
+        }
+        catch (error) {
+            logger.error('Error clearing authentication data:', error);
+        }
+    }
+    /**
+     * Save device code state to file
+     */
+    async saveDeviceCodeState(state) {
+        try {
+            fs.writeFileSync(DEVICE_CODE_FILE, JSON.stringify(state, null, 2));
+            logger.log('Saved device code state to file');
+        }
+        catch (error) {
+            logger.error('Error saving device code state:', error);
+            throw new Error('Failed to save device code state');
+        }
+    }
+    /**
+     * Load device code state from file
+     */
+    async loadDeviceCodeState() {
         try {
-            if (accountKey) {
-                // Delete specific account
-                await credentialStore.deleteCredentials(accountKey);
-                logger.log(`Cleared stored authentication tokens for account: ${accountKey}`);
+            if (!fs.existsSync(DEVICE_CODE_FILE)) {
+                return null;
             }
-            else {
-                // Delete all authenticated accounts
-                const authenticatedAccounts = await this.listAuthenticatedAccounts();
-                if (authenticatedAccounts.length === 0) {
-                    // If no accounts found by listing, try deleting the default-user key as fallback
-                    await credentialStore.deleteCredentials('default-user');
-                    logger.log('Cleared stored authentication tokens (fallback to default-user)');
-                }
-                else {
-                    // Delete all found accounts
-                    for (const account of authenticatedAccounts) {
-                        await credentialStore.deleteCredentials(account);
-                        logger.log(`Cleared stored authentication tokens for account: ${account}`);
+            const stateData = fs.readFileSync(DEVICE_CODE_FILE, 'utf8');
+            const state = JSON.parse(stateData);
+            // Check if device code has expired
+            const now = Date.now();
+            const elapsed = (now - state.startTime) / 1000;
+            if (elapsed > state.expiresIn) {
+                // Device code has expired, clean up
+                await this.clearDeviceCodeState();
+                return null;
+            }
+            return state;
+        }
+        catch (error) {
+            logger.error('Error loading device code state:', error);
+            return null;
+        }
+    }
+    /**
+     * Clear device code state file
+     */
+    async clearDeviceCodeState() {
+        try {
+            if (fs.existsSync(DEVICE_CODE_FILE)) {
+                fs.unlinkSync(DEVICE_CODE_FILE);
+                logger.log('Cleared device code state file');
+            }
+        }
+        catch (error) {
+            logger.error('Error clearing device code state:', error);
+        }
+    }
+    /**
+     * Complete device code authentication using saved state
+     */
+    async completeDeviceCodeAuth() {
+        const deviceCodeState = await this.loadDeviceCodeState();
+        if (!deviceCodeState) {
+            return false; // No pending device code authentication
+        }
+        if (!await this.loadCredentials()) {
+            throw new Error('MS365 credentials not configured');
+        }
+        try {
+            // Use the raw MSAL token endpoint to check if authentication completed
+            const tokenUrl = `https://login.microsoftonline.com/${this.credentials.tenantId}/oauth2/v2.0/token`;
+            const response = await fetch(tokenUrl, {
+                method: 'POST',
+                headers: {
+                    'Content-Type': 'application/x-www-form-urlencoded',
+                },
+                body: new URLSearchParams({
+                    grant_type: 'urn:ietf:params:oauth:grant-type:device_code',
+                    device_code: deviceCodeState.deviceCode,
+                    client_id: this.credentials.clientId,
+                }),
+            });
+            const result = await response.json();
+            if (response.ok && result.access_token) {
+                // Authentication completed successfully
+                // Microsoft's token response doesn't include account info, so we need to get it from the token
+                let username = 'authenticated-user';
+                try {
+                    // Try to decode the access token to get user info
+                    const tokenParts = result.access_token.split('.');
+                    if (tokenParts.length >= 2) {
+                        const payload = JSON.parse(Buffer.from(tokenParts[1], 'base64').toString());
+                        username = payload.upn || payload.unique_name || payload.preferred_username || 'authenticated-user';
                     }
                 }
+                catch (decodeError) {
+                    logger.log('Could not decode token for username, using default');
+                }
+                const tokenResponse = {
+                    accessToken: result.access_token,
+                    refreshToken: result.refresh_token || '',
+                    expiresOn: new Date(Date.now() + (result.expires_in * 1000)),
+                    account: {
+                        username: username,
+                        homeAccountId: `${username}.${this.credentials.tenantId}`,
+                        environment: 'login.microsoftonline.com',
+                        tenantId: this.credentials.tenantId,
+                        localAccountId: username
+                    }
+                };
+                await this.saveToken(tokenResponse, 'device');
+                await this.clearDeviceCodeState();
+                logger.log('MS365 device code authentication completed successfully');
+                return true;
+            }
+            else if (result.error === 'authorization_pending') {
+                // Still waiting for user to complete authentication
+                return false;
+            }
+            else if (result.error === 'expired_token') {
+                // Device code has expired
+                await this.clearDeviceCodeState();
+                return false;
+            }
+            else {
+                // Other error - don't clear device code state, just return false
+                logger.error('Device code authentication error:', result);
+                return false;
             }
         }
         catch (error) {
-            logger.error('Error clearing authentication data:', error);
+            logger.error('Error completing device code authentication:', error);
+            // Don't clear device code state on network/other errors
+            return false;
+        }
+    }
+    /**
+     * Get pending device code info from saved state
+     */
+    async getPendingDeviceCodeInfo() {
+        const deviceCodeState = await this.loadDeviceCodeState();
+        if (!deviceCodeState) {
+            return null;
         }
+        return {
+            verificationUri: deviceCodeState.verificationUri,
+            userCode: deviceCodeState.userCode,
+            message: deviceCodeState.message
+        };
     }
     /**
      * Get authentication URL for device code flow
@@ -487,36 +593,47 @@ export class EnhancedMS365Auth {
         return new Promise((resolve, reject) => {
             const deviceCodeRequest = {
                 scopes: SCOPES,
-                deviceCodeCallback: (response) => {
+                deviceCodeCallback: async (response) => {
                     const deviceCodeInfo = {
                         verificationUri: response.verificationUri,
                         userCode: response.userCode,
                         message: response.message
                     };
-                    // Store the pending auth promise
-                    const authPromise = msalClient.acquireTokenByDeviceCode(deviceCodeRequest)
-                        .then(async (tokenResponse) => {
-                        if (!tokenResponse) {
-                            throw new Error('Failed to acquire token via device code');
-                        }
-                        await this.saveToken(tokenResponse, 'device');
-                        logger.log('MS365 device code authentication successful');
-                        this.pendingAuth = null; // Clear pending auth
-                        return tokenResponse;
-                    })
-                        .catch((error) => {
-                        this.pendingAuth = null; // Clear pending auth on error
-                        throw error;
-                    });
-                    this.pendingAuth = { authPromise, deviceCodeInfo };
-                    logger.log(`Device code authentication: ${response.verificationUri} - ${response.userCode}`);
-                    // Return device code info immediately
-                    resolve(deviceCodeInfo);
+                    // Save device code state for later completion
+                    const deviceCodeState = {
+                        deviceCode: response.deviceCode,
+                        userCode: response.userCode,
+                        verificationUri: response.verificationUri,
+                        expiresIn: response.expiresIn,
+                        startTime: Date.now(),
+                        message: response.message
+                    };
+                    try {
+                        await this.saveDeviceCodeState(deviceCodeState);
+                        logger.log(`Device code authentication started: ${response.verificationUri} - ${response.userCode}`);
+                        // Return device code info immediately
+                        resolve(deviceCodeInfo);
+                    }
+                    catch (error) {
+                        reject(error);
+                    }
                 }
             };
-            // This will never complete, but will call the callback immediately
-            msalClient.acquireTokenByDeviceCode(deviceCodeRequest).catch(() => {
-                // Ignore the error from this call since we're handling it in the stored promise
+            // Start the device code flow - we need this to run to get the device code
+            // The callback will resolve our promise, and we'll handle the auth later
+            msalClient.acquireTokenByDeviceCode(deviceCodeRequest).then((result) => {
+                // If this completes immediately (unlikely but possible), save the token
+                if (result) {
+                    this.saveToken(result, 'device').catch(() => {
+                        // Ignore save errors here since we primarily care about getting the device code
+                    });
+                }
+            }).catch((error) => {
+                // Only reject if we haven't already resolved with device code info
+                // The most common case is that the user hasn't completed auth yet
+                if (error.errorCode !== 'user_cancelled' && error.errorCode !== 'authorization_pending') {
+                    logger.error('Device code flow error:', error);
+                }
             });
         });
     }
@@ -535,12 +652,6 @@ export class EnhancedMS365Auth {
     hasPendingAuth() {
         return this.pendingAuth !== null;
     }
-    /**
-     * Get pending device code info
-     */
-    getPendingDeviceCodeInfo() {
-        return this.pendingAuth?.deviceCodeInfo || null;
-    }
     /**
      * Setup credentials interactively
      */
@@ -612,10 +723,14 @@ export class EnhancedMS365Auth {
         };
     }
     /**
-     * List all authenticated accounts
+     * Get current authenticated user (secure - only your own info)
      */
-    async listAuthenticatedAccounts() {
-        return await credentialStore.listAccounts();
+    async getCurrentUser() {
+        const storedToken = await this.loadStoredToken();
+        if (storedToken && storedToken.expiresOn > Date.now()) {
+            return storedToken.account?.username || 'authenticated-user';
+        }
+        return null;
     }
     /**
      * Get authentication URL without opening browser (redirect flow)

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "ms365-mcp-server",
-  "version": "1.0.0",
+  "version": "1.0.1",
   "description": "Microsoft 365 MCP Server for managing Microsoft 365 email through natural language interactions with full OAuth2 authentication support",
   "main": "dist/index.js",
   "type": "module",