fix: OAuth scope filtering to respect enabled tools filter (#153)

* fix: only add scopes of enabled tools

* refac: formatting

---------

Co-authored-by: Cagri Canbol <[email protected]>

Author: ctcanbol

src/auth.ts

@@ -50,10 +50,31 @@ const SCOPE_HIERARCHY: ScopeHierarchy = {
   'Contacts.ReadWrite': ['Contacts.Read'],
 };
 
-function buildScopesFromEndpoints(includeWorkAccountScopes: boolean = false): string[] {
+function buildScopesFromEndpoints(
+  includeWorkAccountScopes: boolean = false,
+  enabledToolsPattern?: string
+): string[] {
   const scopesSet = new Set<string>();
 
+  // Create regex for tool filtering if pattern is provided
+  let enabledToolsRegex: RegExp | undefined;
+  if (enabledToolsPattern) {
+    try {
+      enabledToolsRegex = new RegExp(enabledToolsPattern, 'i');
+      logger.info(`Building scopes with tool filter pattern: ${enabledToolsPattern}`);
+    } catch (error) {
+      logger.error(
+        `Invalid tool filter regex pattern: ${enabledToolsPattern}. Building scopes without filter.`
+      );
+    }
+  }
+
   endpoints.default.forEach((endpoint) => {
+    // Skip endpoints that don't match the tool filter
+    if (enabledToolsRegex && !enabledToolsRegex.test(endpoint.toolName)) {
+      return;
+    }
+
     // Skip endpoints that only have workScopes if not in work mode
     if (!includeWorkAccountScopes && !endpoint.scopes && endpoint.workScopes) {
       return;
@@ -77,7 +98,12 @@ function buildScopesFromEndpoints(includeWorkAccountScopes: boolean = false): st
     }
   });
 
-  return Array.from(scopesSet);
+  const scopes = Array.from(scopesSet);
+  if (enabledToolsPattern) {
+    logger.info(`Built ${scopes.length} scopes for filtered tools: ${scopes.join(', ')}`);
+  }
+
+  return scopes;
 }
 
 interface LoginTestResult {

src/index.ts

@@ -16,7 +16,7 @@ async function main(): Promise<void> {
       logger.info('Organization mode enabled - including work account scopes');
     }
 
-    const scopes = buildScopesFromEndpoints(includeWorkScopes);
+    const scopes = buildScopesFromEndpoints(includeWorkScopes, args.enabledTools);
     const authManager = new AuthManager(undefined, scopes);
     await authManager.loadTokenCache();
 

src/server.ts

@@ -120,7 +120,7 @@ class MicrosoftGraphServer {
         const protocol = req.secure ? 'https' : 'http';
         const url = new URL(`${protocol}://${req.get('host')}`);
 
-        const scopes = buildScopesFromEndpoints(this.options.orgMode);
+        const scopes = buildScopesFromEndpoints(this.options.orgMode, this.options.enabledTools);
 
         res.json({
           issuer: url.origin,
@@ -141,7 +141,7 @@ class MicrosoftGraphServer {
         const protocol = req.secure ? 'https' : 'http';
         const url = new URL(`${protocol}://${req.get('host')}`);
 
-        const scopes = buildScopesFromEndpoints(this.options.orgMode);
+        const scopes = buildScopesFromEndpoints(this.options.orgMode, this.options.enabledTools);
 
         res.json({
           resource: `${url.origin}/mcp`,