msteams-mcp 0.2.0

package/dist/auth/session-store.d.ts

@@ -0,0 +1,82 @@
+/**
+ * Secure session state storage.
+ *
+ * Handles reading and writing session state with:
+ * - Encryption at rest
+ * - Restricted file permissions
+ * - Automatic migration from plaintext
+ */
+export declare const PROJECT_ROOT: string;
+export declare const USER_DATA_DIR: string;
+export declare const SESSION_STATE_PATH: string;
+export declare const TOKEN_CACHE_PATH: string;
+/** Session state as stored by Playwright. */
+export interface SessionState {
+    cookies: Array<{
+        name: string;
+        value: string;
+        domain?: string;
+        path?: string;
+        expires?: number;
+        httpOnly?: boolean;
+        secure?: boolean;
+        sameSite?: 'Strict' | 'Lax' | 'None';
+    }>;
+    origins: Array<{
+        origin: string;
+        localStorage: Array<{
+            name: string;
+            value: string;
+        }>;
+    }>;
+}
+/** Token cache structure. */
+export interface TokenCache {
+    substrateToken: string;
+    substrateTokenExpiry: number;
+    extractedAt: number;
+}
+/**
+ * Ensures the user data directory exists.
+ */
+export declare function ensureUserDataDir(): void;
+/**
+ * Checks if session state file exists.
+ */
+export declare function hasSessionState(): boolean;
+/**
+ * Reads the session state.
+ */
+export declare function readSessionState(): SessionState | null;
+/**
+ * Writes the session state securely.
+ */
+export declare function writeSessionState(state: SessionState): void;
+/**
+ * Deletes the session state file.
+ */
+export declare function clearSessionState(): void;
+/**
+ * Gets the age of the session state in hours.
+ */
+export declare function getSessionAge(): number | null;
+/**
+ * Checks if session is likely expired (>12 hours old).
+ */
+export declare function isSessionLikelyExpired(): boolean;
+/**
+ * Reads the token cache.
+ */
+export declare function readTokenCache(): TokenCache | null;
+/**
+ * Writes the token cache securely.
+ */
+export declare function writeTokenCache(cache: TokenCache): void;
+/**
+ * Clears the token cache.
+ */
+export declare function clearTokenCache(): void;
+/**
+ * Gets the Teams origin from session state.
+ */
+export declare function getTeamsOrigin(state: SessionState): SessionState['origins'][number] | null;

package/dist/auth/session-store.js

@@ -0,0 +1,136 @@
+/**
+ * Secure session state storage.
+ *
+ * Handles reading and writing session state with:
+ * - Encryption at rest
+ * - Restricted file permissions
+ * - Automatic migration from plaintext
+ */
+import * as fs from 'fs';
+import * as path from 'path';
+import { fileURLToPath } from 'url';
+import { encrypt, decrypt, isEncrypted } from './crypto.js';
+import { SESSION_EXPIRY_HOURS } from '../constants.js';
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+export const PROJECT_ROOT = path.resolve(__dirname, '../..');
+export const USER_DATA_DIR = path.join(PROJECT_ROOT, '.user-data');
+export const SESSION_STATE_PATH = path.join(PROJECT_ROOT, 'session-state.json');
+export const TOKEN_CACHE_PATH = path.join(PROJECT_ROOT, 'token-cache.json');
+/** File permission mode: owner read/write only. */
+const SECURE_FILE_MODE = 0o600;
+/**
+ * Ensures the user data directory exists.
+ */
+export function ensureUserDataDir() {
+    if (!fs.existsSync(USER_DATA_DIR)) {
+        fs.mkdirSync(USER_DATA_DIR, { recursive: true, mode: 0o700 });
+    }
+}
+/**
+ * Writes data securely with encryption and file permissions.
+ */
+function writeSecure(filePath, data) {
+    const json = JSON.stringify(data, null, 2);
+    const encrypted = encrypt(json);
+    fs.writeFileSync(filePath, JSON.stringify(encrypted, null, 2), {
+        mode: SECURE_FILE_MODE,
+        encoding: 'utf8',
+    });
+}
+/**
+ * Reads data securely, handling both encrypted and legacy plaintext.
+ */
+function readSecure(filePath) {
+    if (!fs.existsSync(filePath)) {
+        return null;
+    }
+    try {
+        const content = fs.readFileSync(filePath, 'utf8');
+        const parsed = JSON.parse(content);
+        // Check if this is encrypted data
+        if (isEncrypted(parsed)) {
+            const decrypted = decrypt(parsed);
+            return JSON.parse(decrypted);
+        }
+        // Legacy plaintext - migrate to encrypted
+        writeSecure(filePath, parsed);
+        return parsed;
+    }
+    catch (error) {
+        // If decryption fails (different machine, corrupted), return null
+        console.error(`Failed to read ${filePath}:`, error instanceof Error ? error.message : error);
+        return null;
+    }
+}
+/**
+ * Checks if session state file exists.
+ */
+export function hasSessionState() {
+    return fs.existsSync(SESSION_STATE_PATH);
+}
+/**
+ * Reads the session state.
+ */
+export function readSessionState() {
+    return readSecure(SESSION_STATE_PATH);
+}
+/**
+ * Writes the session state securely.
+ */
+export function writeSessionState(state) {
+    writeSecure(SESSION_STATE_PATH, state);
+}
+/**
+ * Deletes the session state file.
+ */
+export function clearSessionState() {
+    if (fs.existsSync(SESSION_STATE_PATH)) {
+        fs.unlinkSync(SESSION_STATE_PATH);
+    }
+}
+/**
+ * Gets the age of the session state in hours.
+ */
+export function getSessionAge() {
+    if (!hasSessionState()) {
+        return null;
+    }
+    const stats = fs.statSync(SESSION_STATE_PATH);
+    const ageMs = Date.now() - stats.mtimeMs;
+    return ageMs / (1000 * 60 * 60);
+}
+/**
+ * Checks if session is likely expired (>12 hours old).
+ */
+export function isSessionLikelyExpired() {
+    const age = getSessionAge();
+    if (age === null)
+        return true;
+    return age > SESSION_EXPIRY_HOURS;
+}
+/**
+ * Reads the token cache.
+ */
+export function readTokenCache() {
+    return readSecure(TOKEN_CACHE_PATH);
+}
+/**
+ * Writes the token cache securely.
+ */
+export function writeTokenCache(cache) {
+    writeSecure(TOKEN_CACHE_PATH, cache);
+}
+/**
+ * Clears the token cache.
+ */
+export function clearTokenCache() {
+    if (fs.existsSync(TOKEN_CACHE_PATH)) {
+        fs.unlinkSync(TOKEN_CACHE_PATH);
+    }
+}
+/**
+ * Gets the Teams origin from session state.
+ */
+export function getTeamsOrigin(state) {
+    return state.origins?.find(o => o.origin === 'https://teams.microsoft.com') ?? null;
+}

package/dist/auth/token-extractor.d.ts

@@ -0,0 +1,69 @@
+/**
+ * Token extraction from session state.
+ *
+ * Extracts various authentication tokens from Playwright's saved session state.
+ */
+import { clearTokenCache, type SessionState } from './session-store.js';
+import { type UserProfile } from '../utils/parsers.js';
+/** Substrate search token information. */
+export interface SubstrateTokenInfo {
+    token: string;
+    expiry: Date;
+}
+/** Teams API token information. */
+export interface TeamsTokenInfo {
+    token: string;
+    expiry: Date;
+    userMri: string;
+}
+/** Message authentication information (cookies). */
+export interface MessageAuthInfo {
+    skypeToken: string;
+    authToken: string;
+    userMri: string;
+}
+/**
+ * Extracts the Substrate search token from session state.
+ */
+export declare function extractSubstrateToken(state?: SessionState): SubstrateTokenInfo | null;
+/**
+ * Gets a valid Substrate token, either from cache or by extracting from session.
+ */
+export declare function getValidSubstrateToken(): string | null;
+/**
+ * Checks if we have a valid Substrate token.
+ */
+export declare function hasValidSubstrateToken(): boolean;
+/**
+ * Gets Substrate token status for diagnostics.
+ */
+export declare function getSubstrateTokenStatus(): {
+    hasToken: boolean;
+    expiresAt?: string;
+    minutesRemaining?: number;
+};
+/**
+ * Extracts the Teams chat API token from session state.
+ */
+export declare function extractTeamsToken(state?: SessionState): TeamsTokenInfo | null;
+/**
+ * Extracts authentication info needed for messaging API (uses cookies).
+ */
+export declare function extractMessageAuth(state?: SessionState): MessageAuthInfo | null;
+/**
+ * Extracts the CSA token for the conversationFolders API.
+ */
+export declare function extractCsaToken(state?: SessionState): string | null;
+/**
+ * Gets the current user's profile from cached JWT tokens.
+ */
+export declare function getUserProfile(state?: SessionState): UserProfile | null;
+/**
+ * Gets user's display name from session state.
+ */
+export declare function getUserDisplayName(state?: SessionState): string | null;
+/**
+ * Checks if tokens in session state are expired.
+ */
+export declare function areTokensExpired(state?: SessionState): boolean;
+export { clearTokenCache };

package/dist/auth/token-extractor.js

@@ -0,0 +1,330 @@
+/**
+ * Token extraction from session state.
+ *
+ * Extracts various authentication tokens from Playwright's saved session state.
+ */
+import { readSessionState, readTokenCache, writeTokenCache, clearTokenCache, getTeamsOrigin, } from './session-store.js';
+import { parseJwtProfile } from '../utils/parsers.js';
+/**
+ * Extracts the Substrate search token from session state.
+ */
+export function extractSubstrateToken(state) {
+    const sessionState = state ?? readSessionState();
+    if (!sessionState)
+        return null;
+    const teamsOrigin = getTeamsOrigin(sessionState);
+    if (!teamsOrigin)
+        return null;
+    for (const item of teamsOrigin.localStorage) {
+        try {
+            const val = JSON.parse(item.value);
+            if (val.target?.includes('substrate.office.com/search/SubstrateSearch')) {
+                const token = val.secret;
+                if (!token || typeof token !== 'string')
+                    continue;
+                const parts = token.split('.');
+                if (parts.length === 3) {
+                    const payload = JSON.parse(Buffer.from(parts[1], 'base64').toString());
+                    const expiry = new Date(payload.exp * 1000);
+                    return { token, expiry };
+                }
+            }
+        }
+        catch {
+            continue;
+        }
+    }
+    return null;
+}
+/**
+ * Gets a valid Substrate token, either from cache or by extracting from session.
+ */
+export function getValidSubstrateToken() {
+    // Try cache first
+    const cache = readTokenCache();
+    if (cache && cache.substrateTokenExpiry > Date.now()) {
+        return cache.substrateToken;
+    }
+    // Extract from session
+    const extracted = extractSubstrateToken();
+    if (!extracted)
+        return null;
+    // Check if not expired
+    if (extracted.expiry.getTime() <= Date.now()) {
+        return null;
+    }
+    // Cache the token
+    const newCache = {
+        substrateToken: extracted.token,
+        substrateTokenExpiry: extracted.expiry.getTime(),
+        extractedAt: Date.now(),
+    };
+    writeTokenCache(newCache);
+    return extracted.token;
+}
+/**
+ * Checks if we have a valid Substrate token.
+ */
+export function hasValidSubstrateToken() {
+    return getValidSubstrateToken() !== null;
+}
+/**
+ * Gets Substrate token status for diagnostics.
+ */
+export function getSubstrateTokenStatus() {
+    const extracted = extractSubstrateToken();
+    if (!extracted) {
+        return { hasToken: false };
+    }
+    const now = Date.now();
+    const expiryMs = extracted.expiry.getTime();
+    return {
+        hasToken: expiryMs > now,
+        expiresAt: extracted.expiry.toISOString(),
+        minutesRemaining: Math.max(0, Math.round((expiryMs - now) / 1000 / 60)),
+    };
+}
+/**
+ * Extracts the Teams chat API token from session state.
+ */
+export function extractTeamsToken(state) {
+    const sessionState = state ?? readSessionState();
+    if (!sessionState)
+        return null;
+    const teamsOrigin = getTeamsOrigin(sessionState);
+    if (!teamsOrigin)
+        return null;
+    let chatToken = null;
+    let chatTokenExpiry = null;
+    let skypeToken = null;
+    let skypeTokenExpiry = null;
+    let userMri = null;
+    for (const item of teamsOrigin.localStorage) {
+        try {
+            const val = JSON.parse(item.value);
+            if (!val.target || !val.secret)
+                continue;
+            const secret = val.secret;
+            if (typeof secret !== 'string' || !secret.startsWith('ey'))
+                continue;
+            const parts = secret.split('.');
+            if (parts.length !== 3)
+                continue;
+            const payload = JSON.parse(Buffer.from(parts[1], 'base64').toString());
+            const tokenExpiry = new Date(payload.exp * 1000);
+            // Extract user MRI from any token
+            if (payload.oid && !userMri) {
+                userMri = `8:orgid:${payload.oid}`;
+            }
+            // Prefer chatsvcagg.teams.microsoft.com token
+            if (val.target.includes('chatsvcagg.teams.microsoft.com')) {
+                if (!chatTokenExpiry || tokenExpiry > chatTokenExpiry) {
+                    chatToken = secret;
+                    chatTokenExpiry = tokenExpiry;
+                }
+            }
+            // Fallback to api.spaces.skype.com token
+            if (val.target.includes('api.spaces.skype.com')) {
+                if (!skypeTokenExpiry || tokenExpiry > skypeTokenExpiry) {
+                    skypeToken = secret;
+                    skypeTokenExpiry = tokenExpiry;
+                }
+            }
+        }
+        catch {
+            continue;
+        }
+    }
+    // If we still don't have userMri, try to get it from the Substrate token
+    if (!userMri) {
+        const substrateInfo = extractSubstrateToken(sessionState);
+        if (substrateInfo) {
+            try {
+                const parts = substrateInfo.token.split('.');
+                if (parts.length === 3) {
+                    const payload = JSON.parse(Buffer.from(parts[1], 'base64').toString());
+                    if (payload.oid) {
+                        userMri = `8:orgid:${payload.oid}`;
+                    }
+                }
+            }
+            catch {
+                // Ignore
+            }
+        }
+    }
+    // Prefer chatsvc token, fallback to skype token
+    const token = chatToken || skypeToken;
+    const expiry = chatToken ? chatTokenExpiry : skypeTokenExpiry;
+    if (token && expiry && userMri && expiry.getTime() > Date.now()) {
+        return { token, expiry, userMri };
+    }
+    return null;
+}
+/**
+ * Extracts authentication info needed for messaging API (uses cookies).
+ */
+export function extractMessageAuth(state) {
+    const sessionState = state ?? readSessionState();
+    if (!sessionState)
+        return null;
+    let skypeToken = null;
+    let authToken = null;
+    let userMri = null;
+    // Extract tokens from cookies
+    for (const cookie of sessionState.cookies || []) {
+        if (cookie.name === 'skypetoken_asm' && cookie.domain?.includes('teams.microsoft.com')) {
+            skypeToken = cookie.value;
+        }
+        if (cookie.name === 'authtoken' && cookie.domain?.includes('teams.microsoft.com')) {
+            authToken = decodeURIComponent(cookie.value);
+            if (authToken.startsWith('Bearer=')) {
+                authToken = authToken.substring(7);
+            }
+        }
+    }
+    // Get userMri from skypeToken payload
+    if (skypeToken) {
+        try {
+            const parts = skypeToken.split('.');
+            if (parts.length >= 2) {
+                const payload = JSON.parse(Buffer.from(parts[1], 'base64').toString());
+                if (payload.skypeid) {
+                    userMri = payload.skypeid;
+                }
+            }
+        }
+        catch {
+            // Not a JWT format, that's fine
+        }
+    }
+    // Fallback to extracting userMri from authToken
+    if (!userMri && authToken) {
+        try {
+            const parts = authToken.split('.');
+            if (parts.length === 3) {
+                const payload = JSON.parse(Buffer.from(parts[1], 'base64').toString());
+                if (payload.oid) {
+                    userMri = `8:orgid:${payload.oid}`;
+                }
+            }
+        }
+        catch {
+            // Ignore
+        }
+    }
+    if (skypeToken && authToken && userMri) {
+        return { skypeToken, authToken, userMri };
+    }
+    return null;
+}
+/**
+ * Extracts the CSA token for the conversationFolders API.
+ */
+export function extractCsaToken(state) {
+    const sessionState = state ?? readSessionState();
+    if (!sessionState)
+        return null;
+    for (const origin of sessionState.origins || []) {
+        for (const item of origin.localStorage || []) {
+            if (item.name.includes('chatsvcagg.teams.microsoft.com') && !item.name.startsWith('tmp.')) {
+                try {
+                    const data = JSON.parse(item.value);
+                    if (data.secret) {
+                        return data.secret;
+                    }
+                }
+                catch {
+                    // Ignore parse errors
+                }
+            }
+        }
+    }
+    return null;
+}
+/**
+ * Gets the current user's profile from cached JWT tokens.
+ */
+export function getUserProfile(state) {
+    const sessionState = state ?? readSessionState();
+    if (!sessionState)
+        return null;
+    const teamsOrigin = getTeamsOrigin(sessionState);
+    if (!teamsOrigin)
+        return null;
+    // Look through localStorage for any JWT with user info
+    for (const item of teamsOrigin.localStorage) {
+        try {
+            const val = JSON.parse(item.value);
+            if (!val.secret || typeof val.secret !== 'string')
+                continue;
+            if (!val.secret.startsWith('ey'))
+                continue;
+            const parts = val.secret.split('.');
+            if (parts.length !== 3)
+                continue;
+            const payload = JSON.parse(Buffer.from(parts[1], 'base64').toString());
+            const profile = parseJwtProfile(payload);
+            if (profile) {
+                return profile;
+            }
+        }
+        catch {
+            continue;
+        }
+    }
+    return null;
+}
+/**
+ * Gets user's display name from session state.
+ */
+export function getUserDisplayName(state) {
+    const sessionState = state ?? readSessionState();
+    if (!sessionState)
+        return null;
+    const teamsOrigin = getTeamsOrigin(sessionState);
+    if (!teamsOrigin)
+        return null;
+    for (const item of teamsOrigin.localStorage) {
+        try {
+            if (item.value?.includes('displayName') || item.value?.includes('givenName')) {
+                const val = JSON.parse(item.value);
+                if (val.displayName)
+                    return val.displayName;
+                if (val.name?.displayName)
+                    return val.name.displayName;
+            }
+        }
+        catch {
+            continue;
+        }
+    }
+    // Try to get from token
+    const teamsToken = extractTeamsToken(sessionState);
+    if (teamsToken) {
+        try {
+            const parts = teamsToken.token.split('.');
+            if (parts.length === 3) {
+                const payload = JSON.parse(Buffer.from(parts[1], 'base64').toString());
+                if (payload.name)
+                    return payload.name;
+            }
+        }
+        catch {
+            // Ignore
+        }
+    }
+    return null;
+}
+/**
+ * Checks if tokens in session state are expired.
+ */
+export function areTokensExpired(state) {
+    const sessionState = state ?? readSessionState();
+    if (!sessionState)
+        return true;
+    const substrate = extractSubstrateToken(sessionState);
+    return !substrate || substrate.expiry.getTime() <= Date.now();
+}
+// Re-export clearTokenCache for convenience
+export { clearTokenCache };

package/dist/browser/auth.d.ts

@@ -0,0 +1,43 @@
+/**
+ * Authentication handling for Microsoft Teams.
+ * Manages login detection and manual authentication flows.
+ */
+import type { Page, BrowserContext } from 'playwright';
+export interface AuthStatus {
+    isAuthenticated: boolean;
+    isOnLoginPage: boolean;
+    currentUrl: string;
+}
+/**
+ * Gets the current authentication status.
+ */
+export declare function getAuthStatus(page: Page): Promise<AuthStatus>;
+/**
+ * Navigates to Teams and checks authentication status.
+ */
+export declare function navigateToTeams(page: Page): Promise<AuthStatus>;
+/**
+ * Waits for the user to complete manual authentication.
+ * Returns when authenticated or throws after timeout.
+ *
+ * @param page - The page to monitor
+ * @param context - Browser context for saving session
+ * @param timeoutMs - Maximum time to wait (default: 5 minutes)
+ * @param onProgress - Callback for progress updates
+ */
+export declare function waitForManualLogin(page: Page, context: BrowserContext, timeoutMs?: number, onProgress?: (message: string) => void): Promise<void>;
+/**
+ * Performs a full authentication flow:
+ * 1. Navigate to Teams
+ * 2. Check if already authenticated
+ * 3. If not, wait for manual login
+ *
+ * @param page - The page to use
+ * @param context - Browser context for session management
+ * @param onProgress - Callback for progress updates
+ */
+export declare function ensureAuthenticated(page: Page, context: BrowserContext, onProgress?: (message: string) => void): Promise<void>;
+/**
+ * Forces a new login by clearing session and navigating to Teams.
+ */
+export declare function forceNewLogin(page: Page, context: BrowserContext, onProgress?: (message: string) => void): Promise<void>;