166 lines
5.5 KiB
TypeScript
166 lines
5.5 KiB
TypeScript
import axios from 'axios';
|
|
import { logger } from '@/lib/logger';
|
|
|
|
// Get tenant ID from env var or use a default
|
|
const tenantId = process.env.MICROSOFT_TENANT_ID || 'common'; // Use 'organizations' or actual tenant ID
|
|
|
|
// Microsoft OAuth URLs with configurable tenant
|
|
const MICROSOFT_AUTHORIZE_URL = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/authorize`;
|
|
const MICROSOFT_TOKEN_URL = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`;
|
|
|
|
// Client configuration from environment variables
|
|
const clientId = process.env.MICROSOFT_CLIENT_ID;
|
|
const clientSecret = process.env.MICROSOFT_CLIENT_SECRET;
|
|
const redirectUri = process.env.MICROSOFT_REDIRECT_URI;
|
|
|
|
// NOTE: In production we do not log Microsoft OAuth configuration to avoid noise and potential leakage.
|
|
|
|
// Required scopes for Microsoft Graph API (Mail and Calendar)
|
|
// All scopes use the same resource (graph.microsoft.com) to avoid multi-resource errors
|
|
const REQUIRED_SCOPES = [
|
|
'offline_access',
|
|
'https://graph.microsoft.com/Mail.Read', // Read mail via Graph API
|
|
'https://graph.microsoft.com/Mail.Send', // Send mail via Graph API
|
|
'https://graph.microsoft.com/Calendars.Read', // Read calendars via Graph API
|
|
'https://graph.microsoft.com/Calendars.ReadWrite', // Read and write calendars via Graph API (for updates/deletes)
|
|
].join(' ');
|
|
|
|
/**
|
|
* Generates the authorization URL for Microsoft OAuth
|
|
*/
|
|
export function getMicrosoftAuthUrl(state: string): string {
|
|
const params = new URLSearchParams({
|
|
client_id: clientId!,
|
|
response_type: 'code',
|
|
redirect_uri: redirectUri!,
|
|
scope: REQUIRED_SCOPES,
|
|
state,
|
|
response_mode: 'query'
|
|
});
|
|
|
|
return `${MICROSOFT_AUTHORIZE_URL}?${params.toString()}`;
|
|
}
|
|
|
|
/**
|
|
* Exchange authorization code for tokens
|
|
*/
|
|
export async function exchangeCodeForTokens(code: string): Promise<{
|
|
access_token: string;
|
|
refresh_token: string;
|
|
expires_in: number;
|
|
}> {
|
|
const params = new URLSearchParams({
|
|
client_id: clientId!,
|
|
client_secret: clientSecret!,
|
|
code,
|
|
redirect_uri: redirectUri!,
|
|
grant_type: 'authorization_code',
|
|
scope: REQUIRED_SCOPES // Include scopes in token exchange
|
|
});
|
|
|
|
try {
|
|
logger.debug('[MICROSOFT_OAUTH] Exchanging code for tokens', { url: MICROSOFT_TOKEN_URL });
|
|
|
|
const response = await axios.post(MICROSOFT_TOKEN_URL, params.toString(), {
|
|
headers: {
|
|
'Content-Type': 'application/x-www-form-urlencoded'
|
|
}
|
|
});
|
|
|
|
logger.debug('[MICROSOFT_OAUTH] Token exchange successful');
|
|
return {
|
|
access_token: response.data.access_token,
|
|
refresh_token: response.data.refresh_token,
|
|
expires_in: response.data.expires_in
|
|
};
|
|
} catch (error: any) {
|
|
logger.error('[MICROSOFT_OAUTH] Error exchanging code for tokens', {
|
|
error: error instanceof Error ? error.message : String(error)
|
|
});
|
|
|
|
// Enhanced error logging
|
|
if (error.response) {
|
|
logger.error('[MICROSOFT_OAUTH] Response details', {
|
|
data: error.response.data,
|
|
status: error.response.status,
|
|
headers: error.response.headers
|
|
});
|
|
|
|
// Extract the error message from Microsoft's response format
|
|
const errorData = error.response.data;
|
|
if (errorData && errorData.error_description) {
|
|
throw new Error(`Token exchange failed: ${errorData.error_description}`);
|
|
}
|
|
}
|
|
|
|
throw new Error('Failed to exchange authorization code for tokens');
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Refresh an access token using a refresh token
|
|
*/
|
|
export async function refreshAccessToken(refreshToken: string): Promise<{
|
|
access_token: string;
|
|
refresh_token?: string;
|
|
expires_in: number;
|
|
}> {
|
|
const params = new URLSearchParams({
|
|
client_id: clientId!,
|
|
client_secret: clientSecret!,
|
|
refresh_token: refreshToken,
|
|
grant_type: 'refresh_token',
|
|
scope: REQUIRED_SCOPES
|
|
});
|
|
|
|
try {
|
|
logger.debug('[MICROSOFT_OAUTH] Refreshing access token', { url: MICROSOFT_TOKEN_URL });
|
|
|
|
const response = await axios.post(MICROSOFT_TOKEN_URL, params.toString(), {
|
|
headers: {
|
|
'Content-Type': 'application/x-www-form-urlencoded'
|
|
}
|
|
});
|
|
|
|
logger.debug('[MICROSOFT_OAUTH] Token refresh successful');
|
|
return {
|
|
access_token: response.data.access_token,
|
|
refresh_token: response.data.refresh_token,
|
|
expires_in: response.data.expires_in
|
|
};
|
|
} catch (error: any) {
|
|
logger.error('[MICROSOFT_OAUTH] Error refreshing token', {
|
|
error: error instanceof Error ? error.message : String(error)
|
|
});
|
|
|
|
// Enhanced error logging
|
|
if (error.response) {
|
|
logger.error('[MICROSOFT_OAUTH] Response details', {
|
|
data: error.response.data,
|
|
status: error.response.status,
|
|
headers: error.response.headers
|
|
});
|
|
|
|
// Extract the error message from Microsoft's response format
|
|
const errorData = error.response.data;
|
|
if (errorData && errorData.error_description) {
|
|
throw new Error(`Token refresh failed: ${errorData.error_description}`);
|
|
}
|
|
}
|
|
|
|
throw new Error('Failed to refresh access token');
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Create special XOAUTH2 string for IMAP authentication
|
|
*/
|
|
export function createXOAuth2Token(email: string, accessToken: string): string {
|
|
// This creates the XOAUTH2 token in the required format for ImapFlow
|
|
// Format: user=<email>\x01auth=Bearer <token>\x01\x01
|
|
const auth = `user=${email}\x01auth=Bearer ${accessToken}\x01\x01`;
|
|
const base64Auth = Buffer.from(auth).toString('base64');
|
|
|
|
logger.debug('[MICROSOFT_OAUTH] Generated XOAUTH2 token', { length: base64Auth.length });
|
|
return base64Auth;
|
|
}
|