msteams-mcp 0.2.1

package/dist/auth/token-refresh.js

@@ -0,0 +1,85 @@
+/**
+ * Token refresh via headless browser.
+ *
+ * Teams uses SPA OAuth2 which restricts refresh tokens to browser-based CORS
+ * requests. We open a headless browser with saved session state, let MSAL
+ * silently refresh tokens, then save the updated state. Seamless to the user.
+ */
+import { TOKEN_REFRESH_THRESHOLD_MS } from '../constants.js';
+import { ErrorCode, createError } from '../types/errors.js';
+import { ok, err } from '../types/result.js';
+import { extractSubstrateToken, clearTokenCache, } from './token-extractor.js';
+import { hasSessionState, isSessionLikelyExpired, } from './session-store.js';
+/**
+ * Refreshes tokens by opening a headless browser with saved session state.
+ * MSAL only refreshes tokens when an API call requires them, so we trigger
+ * a search via ensureAuthenticated to force token acquisition.
+ */
+export async function refreshTokensViaBrowser() {
+    // Check we have a session to work with
+    if (!hasSessionState()) {
+        return err(createError(ErrorCode.AUTH_REQUIRED, 'No session state available. Please run teams_login to authenticate.', { suggestions: ['Call teams_login to authenticate'] }));
+    }
+    if (isSessionLikelyExpired()) {
+        return err(createError(ErrorCode.AUTH_EXPIRED, 'Session is too old and likely expired. Please re-authenticate.', { suggestions: ['Call teams_login to re-authenticate'] }));
+    }
+    // Get current token expiry for comparison
+    const beforeToken = extractSubstrateToken();
+    if (!beforeToken) {
+        return err(createError(ErrorCode.AUTH_REQUIRED, 'No token found in session. Please run teams_login to authenticate.', { suggestions: ['Call teams_login to authenticate'] }));
+    }
+    const previousExpiry = beforeToken.expiry;
+    // Import browser functions dynamically to avoid circular dependencies
+    const { createBrowserContext, closeBrowser } = await import('../browser/context.js');
+    let manager = null;
+    try {
+        // Open headless browser with saved session
+        manager = await createBrowserContext({ headless: true });
+        // Import auth functions
+        const { ensureAuthenticated } = await import('../browser/auth.js');
+        // Use the same auth flow that works for login - this triggers token acquisition
+        // showOverlay: false since headless browser has no visible window
+        // headless: true to fail fast if user interaction is required
+        await ensureAuthenticated(manager.page, manager.context, (msg) => {
+            // Silent logging for headless refresh
+            console.log(`[token-refresh] ${msg}`);
+        }, false, true);
+        // Close browser (ensureAuthenticated already saved the session)
+        await closeBrowser(manager, false);
+        manager = null;
+        // Clear our token cache to force re-extraction from the new session
+        clearTokenCache();
+        // Extract the new token to verify we still have valid tokens
+        const afterToken = extractSubstrateToken();
+        if (!afterToken) {
+            return err(createError(ErrorCode.AUTH_EXPIRED, 'Token refresh failed - no token found after refresh attempt.', { suggestions: ['Call teams_login to re-authenticate'] }));
+        }
+        const newExpiry = afterToken.expiry;
+        const minutesGained = Math.round((newExpiry.getTime() - previousExpiry.getTime()) / 1000 / 60);
+        // Check if the token was close to expiry and needed refresh
+        const wasCloseToExpiry = previousExpiry.getTime() - Date.now() < TOKEN_REFRESH_THRESHOLD_MS;
+        // If we needed a refresh but didn't get one, that's an error
+        if (wasCloseToExpiry && newExpiry.getTime() <= previousExpiry.getTime()) {
+            return err(createError(ErrorCode.AUTH_EXPIRED, 'Token was not refreshed despite being close to expiry. Session may need re-authentication.', { suggestions: ['Call teams_login to re-authenticate'] }));
+        }
+        return ok({
+            newExpiry,
+            previousExpiry,
+            minutesGained,
+            refreshNeeded: wasCloseToExpiry,
+        });
+    }
+    catch (error) {
+        // Clean up browser if still open
+        if (manager) {
+            try {
+                await closeBrowser(manager, false);
+            }
+            catch {
+                // Ignore cleanup errors
+            }
+        }
+        const message = error instanceof Error ? error.message : 'Unknown error';
+        return err(createError(ErrorCode.UNKNOWN, `Token refresh via browser failed: ${message}`, { suggestions: ['Call teams_login to re-authenticate'] }));
+    }
+}

package/dist/browser/auth.d.ts

@@ -0,0 +1,53 @@
+/**
+ * Authentication handling for Microsoft Teams.
+ * Manages login detection and manual authentication flows.
+ */
+import type { Page, BrowserContext } from 'playwright';
+export interface AuthStatus {
+    isAuthenticated: boolean;
+    isOnLoginPage: boolean;
+    currentUrl: string;
+}
+/**
+ * Gets the current authentication status.
+ */
+export declare function getAuthStatus(page: Page): Promise<AuthStatus>;
+/**
+ * Navigates to Teams and checks authentication status.
+ *
+ * Uses a fast redirect-based detection: if we're not redirected to a login
+ * page within a few seconds, the session is valid. This is much faster than
+ * waiting for the full Teams SPA to render (which can take 30+ seconds).
+ *
+ * Returns isAuthenticated: false if we can't confirm we're on Teams, to avoid
+ * silently failing with an invisible browser stuck on an unexpected page.
+ */
+export declare function navigateToTeams(page: Page): Promise<AuthStatus>;
+/**
+ * Waits for the user to complete manual authentication.
+ * Returns when authenticated or throws after timeout.
+ *
+ * @param page - The page to monitor
+ * @param context - Browser context for saving session
+ * @param timeoutMs - Maximum time to wait (default: 5 minutes)
+ * @param onProgress - Callback for progress updates
+ * @param showOverlay - Whether to show progress overlay (default: true for visible browsers)
+ */
+export declare function waitForManualLogin(page: Page, context: BrowserContext, timeoutMs?: number, onProgress?: (message: string) => void, showOverlay?: boolean): Promise<void>;
+/**
+ * Performs a full authentication flow:
+ * 1. Navigate to Teams
+ * 2. Check if already authenticated
+ * 3. If not, wait for manual login (or throw if headless)
+ *
+ * @param page - The page to use
+ * @param context - Browser context for session management
+ * @param onProgress - Callback for progress updates
+ * @param showOverlay - Whether to show progress overlay (default: true for visible browsers)
+ * @param headless - If true, throw immediately if user interaction is required (default: false)
+ */
+export declare function ensureAuthenticated(page: Page, context: BrowserContext, onProgress?: (message: string) => void, showOverlay?: boolean, headless?: boolean): Promise<void>;
+/**
+ * Forces a new login by clearing session and navigating to Teams.
+ */
+export declare function forceNewLogin(page: Page, context: BrowserContext, onProgress?: (message: string) => void): Promise<void>;