Add Outlook login with NextAuth

[Francisca105]

This PR introduces Outlook login integration using NextAuth.

Notes:

• This is the first step toward supporting Outlook authentication.
• The implementation follows the initial approach discussed in Outlook #463, introducing Outlook as an auth provider via a dedicated route.

Related Issue:

• Related to Outlook #463
• See also Create email provider adapter layer (for Outlook) #273 and Setup Microsoft OAuth integration with NextAuth (Outlook) #271

Summary by CodeRabbit

• New Features
  • Added Microsoft Entra ID as a new sign-in option alongside Google, allowing users to authenticate with their Microsoft accounts.
  • Expanded authentication and token management to support both Google and Microsoft providers.
• Documentation
  • Updated setup instructions in the documentation to include detailed steps for configuring Microsoft OAuth credentials.
• Chores
  • Added Microsoft authentication environment variables to configuration files.
  • Centralized Microsoft Outlook API scopes for easier management and configuration.
• Bug Fixes
  • Disabled a redirect that was causing repeated redirects when no rule was found for an email account.

[vercel]

@WhiteSoxx is attempting to deploy a commit to the Inbox Zero Team on Vercel.

A member of the Team first needs to authorize it.

[coderabbitai]

Walkthrough

The changes introduce Microsoft Entra ID (Azure) as an additional authentication provider alongside Google. This includes updates to authentication logic, environment configuration, documentation, and login UI. Microsoft OAuth scopes are centralized, and database/account handling is extended to support multiple providers. Redirect logic in one page is temporarily disabled.

Changes

File(s)	Change Summary
README.md	Added detailed Azure OAuth setup instructions and improved formatting for Google OAuth section.
apps/web/.env.example	Added placeholders for Microsoft OAuth environment variables.
apps/web/env.ts	Added Microsoft OAuth variables to environment schema with validation and defaults.
apps/web/utils/auth.ts	Added Microsoft Entra ID as an OAuth provider, provider-aware logic for profile fetching, token refresh, and DB.
apps/web/utils/outlook/scopes.ts	New module exporting Microsoft OAuth scopes array, conditionally including contacts scope.
apps/web/app/(landing)/login/LoginForm.tsx	Added Microsoft sign-in dialog with provider-specific consent and callback logic.
apps/web/app/(app)/[emailAccountId]/assistant/page.tsx	Disabled redirect to onboarding page due to redirect loop issue; original logic commented out.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant LoginForm
    participant AuthProvider (Google/Microsoft)
    participant Backend
    participant Database

    User->>LoginForm: Click "Sign in with Microsoft"
    LoginForm->>AuthProvider: Initiate OAuth flow (Microsoft)
    AuthProvider->>LoginForm: Return OAuth code/token
    LoginForm->>Backend: Send code/token for authentication
    Backend->>AuthProvider: Exchange code for tokens
    AuthProvider->>Backend: Return access/refresh tokens
    Backend->>Database: Save tokens (provider-aware)
    Backend-->>User: Complete login

Loading

Poem

In the warren of code, a new path appears,
Microsoft joins Google—let’s give three cheers!
Tokens and scopes, all tidy and neat,
With Azure credentials, the login’s complete.
A rabbit hops in, with a wink and a grin,
“Now more friends can join—let’s all hop in!”
🐇✨

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d34b915 and 7ec84c5.

📒 Files selected for processing (1)

• apps/web/.env.example (1 hunks)

✅ Files skipped from review due to trivial changes (1)

• apps/web/.env.example

⏰ Context from checks skipped due to timeout of 90000ms (2)

• GitHub Check: Jit Security
• GitHub Check: test

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[jit-ci]

Hi, I’m Jit, a friendly security platform designed to help developers build secure applications from day zero with an MVS (Minimal viable security) mindset.

In case there are security findings, they will be communicated to you as a comment inside the PR.

Hope you’ll enjoy using Jit.

Questions? Comments? Want to learn more? Get in touch with us.

[coderabbitai]

Actionable comments posted: 3

🔭 Outside diff range comments (1)

apps/web/app/(landing)/login/LoginForm.tsx (1)

22-23: ⚠️ Potential issue

Fix shared loading state between Google and Microsoft sign-in dialogs.

Both dialogs share the same loading state, which will cause both buttons to show loading when either is clicked. Each dialog should have its own loading state.

-const [loading, setLoading] = useState(false);
+const [googleLoading, setGoogleLoading] = useState(false);
+const [microsoftLoading, setMicrosoftLoading] = useState(false);

Then update the Google dialog:

-loading={loading}
+loading={googleLoading}
onClick={() => {
-  setLoading(true);
+  setGoogleLoading(true);

And the Microsoft dialog:

-loading={loading}
+loading={microsoftLoading}
onClick={() => {
-  setLoading(true);
+  setMicrosoftLoading(true);

Also applies to: 58-60, 111-113

🧹 Nitpick comments (4)

apps/web/app/(app)/[emailAccountId]/assistant/page.tsx (1)

31-34: Good temporary fix for the redirect loop issue.

Commenting out the problematic redirect logic prevents the "redirected too many times" error. Consider investigating the root cause of the infinite redirect to properly resolve this in the future, possibly by adding additional conditions or redirect guards.

README.md (1)

175-175: Remove trailing punctuation from heading.

-### Updating .env file with Azure credentials:
+### Updating .env file with Azure credentials

🧰 Tools

🪛 markdownlint-cli2 (0.17.2)

175-175: Trailing punctuation in heading
Punctuation: ':'

(MD026, no-trailing-punctuation)

apps/web/app/(landing)/login/LoginForm.tsx (1)

78-78: Address or remove the TODO comment.

This TODO suggests incomplete implementation. Please either implement the waitlist filtering or remove the comment if it's no longer needed.

Do you want me to help implement the waitlist user filtering logic or create an issue to track this task?

apps/web/utils/auth.ts (1)

133-133: Simplify template literal to regular string.

-primaryPhotoUrl = profile.photo
-  ? `https://graph.microsoft.com/v1.0/me/photo/$value`
-  : null;
+primaryPhotoUrl = profile.photo
+  ? "https://graph.microsoft.com/v1.0/me/photo/$value"
+  : null;

🧰 Tools

🪛 Biome (1.9.4)

[error] 133-133: Do not use template literals if interpolation and special-character handling are not needed.

Unsafe fix: Replace with string literal

(lint/style/noUnusedTemplateLiteral)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7c17c3b and d34b915.

⛔ Files ignored due to path filters (1)

• apps/web/public/images/microsoft.svg is excluded by !**/*.svg

📒 Files selected for processing (8)

• README.md (2 hunks)
• apps/web/.env.example (1 hunks)
• apps/web/app/(app)/[emailAccountId]/assistant/page.tsx (1 hunks)
• apps/web/app/(landing)/login/LoginForm.tsx (1 hunks)
• apps/web/env.ts (1 hunks)
• apps/web/package.json (1 hunks)
• apps/web/utils/auth.ts (11 hunks)
• apps/web/utils/outlook/scopes.ts (1 hunks)

🧰 Additional context used

🧬 Code Graph Analysis (3)

apps/web/utils/outlook/scopes.ts (1)

apps/web/env.ts (1)

• env (5-206)

apps/web/app/(landing)/login/LoginForm.tsx (1)

apps/web/components/Typography.tsx (1)

• SectionDescription (114-114)

apps/web/utils/auth.ts (1)

apps/web/env.ts (1)

• env (5-206)

🪛 LanguageTool

README.md

[uncategorized] ~134-~134: Possible missing preposition found.
Context: ...4. Enter your contact information 5. Agree to the User Data policy and then click ...

(AI_HYDRA_LEO_MISSING_TO)

---

[duplication] ~140-~140: Possible typo: you repeated a word.
Context: ...Client ID. 2. In Application Type, Choose Web application 3. Choose a name for your web client 4. In Aut...

(ENGLISH_WORD_REPEAT_RULE)

---

[grammar] ~156-~156: Did you mean “Copy and paste”?
Context: ... 2. Click Add or remove scopes 3. Copy paste the below into the `Manually add scopes...

(COPY_PASTE)

---

[duplication] ~166-~166: Possible typo: you repeated a word.
Context: ...gleapis.com/auth/contacts ``` 4. Click Update 5. Click `Save` in the Data Access page. 5. Add...

(ENGLISH_WORD_REPEAT_RULE)

---

[uncategorized] ~167-~167: The preposition “on” seems more likely in this position than the preposition “in”.
Context: ... 4. Click Update 5. Click Save in the Data Access page. 5. Add yourself ...

(AI_EN_LECTOR_REPLACEMENT_PREPOSITION_IN_ON)

---

[style] ~209-~209: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ...f the client secret you just created. - Set MICROSOFT_ISSUER to your **Directory ...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

🪛 markdownlint-cli2 (0.17.2)

README.md

175-175: Trailing punctuation in heading
Punctuation: ':'

(MD026, no-trailing-punctuation)

🪛 Biome (1.9.4)

apps/web/utils/auth.ts

[error] 133-133: Do not use template literals if interpolation and special-character handling are not needed.

Unsafe fix: Replace with string literal

(lint/style/noUnusedTemplateLiteral)

---

[error] 393-393: This variable implicitly has the any type.

Variable declarations without type annotation and initialization implicitly have the any type. Declare a type or initialize the variable with some value.

(lint/suspicious/noImplicitAnyLet)

⏰ Context from checks skipped due to timeout of 90000ms (2)

• GitHub Check: Static Code Analysis Js
• GitHub Check: Jit Security

🔇 Additional comments (4)

apps/web/package.json (1)

37-37:

Details

✅ Verification successful

Verify the Microsoft Graph client package version.

The dependency addition looks good for Microsoft authentication support. Please ensure you're using the latest stable version of the package for security and feature updates.

---

🌐 Web query:

What is the latest version of @microsoft/microsoft-graph-client package?

💡 Result:

The latest stable version of the @microsoft/microsoft-graph-client package is 3.0.7, released on September 19, 2023. (github.com) This version is available on npm. (npmjs.com)

Additionally, there is a preview version 4.0.0-RestPreview.1 available. (socket.dev)

To install the latest stable version, you can use the following npm command:

npm install @microsoft/microsoft-graph-client@3.0.7

For more details, you can visit the npm package page. (npmjs.com)

Citations:

• 1: https://github.com/microsoftgraph/msgraph-sdk-javascript/releases?utm_source=openai
• 2: https://www.npmjs.com/package/%40microsoft/microsoft-graph-client?utm_source=openai
• 3: https://socket.dev/npm/package/%40microsoft/microsoft-graph-client?utm_source=openai
• 4: https://www.npmjs.com/package/%40microsoft/microsoft-graph-client?utm_source=openai

---

Microsoft Graph Client Version Confirmed

The dependency in apps/web/package.json (line 37) uses “^3.0.7”, which is the latest stable release (3.0.7, Sep 19 2023). No update required.

apps/web/.env.example (1)

13-15: Environment variables look good for Microsoft authentication setup.

The Microsoft authentication environment variables are properly added to the example file. These will help users configure their Azure OAuth credentials correctly.

apps/web/utils/outlook/scopes.ts (1)

1-16: LGTM! Well-structured Microsoft OAuth scopes configuration.

The scopes are appropriately selected for an email client application, and the conditional inclusion of Contacts.ReadWrite based on the environment variable is implemented correctly.

apps/web/utils/auth.ts (1)

484-485: Great implementation of multi-provider support with backward compatibility!

The addition of the provider field with a default of "google" ensures existing data continues to work while supporting the new Microsoft provider.

Also applies to: 511-512, 541-542

[coderabbitai]

💡 Verification agent

🧩 Analysis chain

Address inconsistency between environment variable names.

There's a naming inconsistency: .env.example defines MICROSOFT_TENANT_ID but the validation schema uses MICROSOFT_ISSUER. This could confuse users during setup.

Please clarify:

1. Should both files use the same variable name?
2. Is MICROSOFT_ISSUER with default "common" intended for multi-tenant support?

---

🏁 Script executed:

#!/bin/bash
# Check for Microsoft environment variable usage across the codebase
echo "Searching for Microsoft environment variable usage..."
rg -A 2 -B 2 "MICROSOFT_(CLIENT_ID|CLIENT_SECRET|TENANT_ID|ISSUER)"

Length of output: 2859

---

🏁 Script executed:

#!/bin/bash
# Locate .env.example files and check for MICROSOFT_TENANT_ID usage
echo "Locating .env.example files..."
find . -type f -name ".env.example"
echo

echo "Searching for MICROSOFT_TENANT_ID in .env.example files..."
for file in $(find . -type f -name ".env.example"); do
  echo "File: $file"
  grep -n "MICROSOFT_TENANT_ID" "$file" || echo "  → No occurrences found in $file"
done

Length of output: 1224

---

Standardize Microsoft tenant environment variable naming

There’s an inconsistency between your validation schema and example files:

• apps/web/env.ts expects MICROSOFT_ISSUER (with a default of "common")
• apps/web/.env.example defines MICROSOFT_TENANT_ID

This can confuse users setting up Azure credentials. Please align the names across all references.

Affected locations:

• apps/web/env.ts (lines ~11–13)
• apps/web/.env.example (line 15)
• README.md (all mentions of MICROSOFT_TENANT_ID or MICROSOFT_ISSUER)

Suggested diff for .env.example:

- MICROSOFT_TENANT_ID=
+ MICROSOFT_ISSUER=

And update the README so it consistently describes MICROSOFT_ISSUER (e.g. “Set MICROSOFT_ISSUER to your Directory (tenant) ID or leave as common for multi-tenant”).

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents

In apps/web/env.ts around lines 11 to 13, the environment variable name
MICROSOFT_ISSUER is inconsistent with MICROSOFT_TENANT_ID used in
apps/web/.env.example and README.md. To fix this, rename MICROSOFT_ISSUER to
MICROSOFT_TENANT_ID in env.ts and set its default to "common" if multi-tenant
support is intended. Then, update apps/web/.env.example and README.md to
consistently use MICROSOFT_TENANT_ID, clarifying in the README that it can be
set to the Directory (tenant) ID or left as "common" for multi-tenant scenarios.

[coderabbitai]

⚠️ Potential issue

Fix copy-paste error: These should reference Microsoft/Azure, not Google.

These environment variable descriptions incorrectly reference "Google OAuth" when they should reference "Microsoft" or "Azure".

-- `MICROSOFT_CLIENT_ID` -- Google OAuth client ID. More info [here](https://authjs.dev/getting-started/providers/microsoft-entra-id)
-- `MICROSOFT_CLIENT_SECRET` -- Google OAuth client secret. More info [here](https://authjs.dev/getting-started/providers/microsoft-entra-id)
-- `MICROSOFT_ISSUER` -- Google OAuth client secret. More info [here](https://authjs.dev/getting-started/providers/microsoft-entra-id)
+- `MICROSOFT_CLIENT_ID` -- Microsoft OAuth client ID. More info [here](https://authjs.dev/getting-started/providers/microsoft-entra-id)
+- `MICROSOFT_CLIENT_SECRET` -- Microsoft OAuth client secret. More info [here](https://authjs.dev/getting-started/providers/microsoft-entra-id)
+- `MICROSOFT_ISSUER` -- Microsoft tenant ID or issuer. More info [here](https://authjs.dev/getting-started/providers/microsoft-entra-id)

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- `MICROSOFT_CLIENT_ID` -- Google OAuth client ID. More info [here](https://authjs.dev/getting-started/providers/microsoft-entra-id)
	- `MICROSOFT_CLIENT_SECRET` -- Google OAuth client secret. More info [here](https://authjs.dev/getting-started/providers/microsoft-entra-id)
	- `MICROSOFT_ISSUER` -- Google OAuth client secret. More info [here](https://authjs.dev/getting-started/providers/microsoft-entra-id)
	- `MICROSOFT_CLIENT_ID` -- Microsoft OAuth client ID. More info [here](https://authjs.dev/getting-started/providers/microsoft-entra-id)
	- `MICROSOFT_CLIENT_SECRET` -- Microsoft OAuth client secret. More info [here](https://authjs.dev/getting-started/providers/microsoft-entra-id)
	- `MICROSOFT_ISSUER` -- Microsoft tenant ID or issuer. More info [here](https://authjs.dev/getting-started/providers/microsoft-entra-id)

🤖 Prompt for AI Agents

In README.md around lines 177 to 179, the descriptions for MICROSOFT_CLIENT_ID,
MICROSOFT_CLIENT_SECRET, and MICROSOFT_ISSUER incorrectly mention "Google OAuth"
instead of "Microsoft" or "Azure". Update these descriptions to correctly
reference Microsoft or Azure OAuth to accurately reflect the environment
variables' purpose.

[coderabbitai]

🛠️ Refactor suggestion

Add explicit type annotation for response variable.

-let response;
+let response: Response;

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	let response;
	let response: Response;

🧰 Tools

🪛 Biome (1.9.4)

[error] 393-393: This variable implicitly has the any type.

Variable declarations without type annotation and initialization implicitly have the any type. Declare a type or initialize the variable with some value.

(lint/suspicious/noImplicitAnyLet)

🤖 Prompt for AI Agents

In apps/web/utils/auth.ts at line 393, the variable 'response' is declared
without an explicit type annotation. Add an explicit type annotation to the
'response' variable declaration to clearly specify its expected type, improving
code readability and type safety.

[elie222]

Thanks!
We have 2 PRs being worked on at the same time:
#493

I'll ask the other one to check over this if there's anything worth adding from it.

[elie222]

outlook support will go live soon via the other pr