outlook-mcp

The server correctly uses environment variables (MS_CLIENT_ID, MS_CLIENT_SECRET, OUTLOOK_CLIENT_ID, OUTLOOK_CLIENT_SECRET) for sensitive credentials, avoiding hardcoded secrets in the main application logic. Tokens are stored locally in the user's home directory (`~/.outlook-mcp-tokens.json`), which is a common practice for local applications. The OAuth authentication flow uses a localhost callback, mitigating some network risks. However, utility scripts (`find-folder-ids.js`, `move-github-emails.js`, `create-notifications-rule.js`) contain hardcoded folder IDs, which, while not a direct server vulnerability, is poor practice and could lead to misconfiguration or data targeting issues if those scripts are reused blindly. The `outlook-auth-server.js` uses a simple `Date.now().toString()` for the OAuth `state` parameter, and the `oauth-server.js` includes a mandatory check for the *presence* of the state parameter but explicitly notes that full state *validation* (comparing the received state value to a stored one for CSRF protection) is the responsibility of the integrating application, as this module does not manage sessions. This means the integrating application needs to correctly implement CSRF protection. Debug logs using `console.error` in `auth/token-manager.js` may expose token details if not handled carefully in production.