Implement and update readme for new env var ALLOWED_METHODS

src/mcp/README.md

@@ -207,6 +207,8 @@ The configuration of the server is done using environment variables. The followi
 | `REDIRECT_URI` | Redirect URI for interactive authentication (default: `http://localhost:3200`). | No |
 | `ACCESS_TOKEN` | Initial access token for client-provided token mode. | No |
 | `USE_GRAPH_BETA` | Set to "false" to force all Graph API calls to use v1.0 instead of beta (default: true, allows beta). | No |
+| `ALLOWED_METHODS` | Comma-separated list of HTTP methods allowed for the `Lokka-Microsoft` tool (e.g., `get,post,put,patch,delete`). If not set, defaults to all supported methods. | No |
+
 
 ## Contributors
 

src/mcp/build/main.js

@@ -21,11 +21,21 @@ let graphClient = null;
 // Check USE_GRAPH_BETA environment variable
 const useGraphBeta = process.env.USE_GRAPH_BETA !== 'false'; // Default to true unless explicitly set to 'false'
 const defaultGraphApiVersion = getDefaultGraphApiVersion();
+// Get allowed methods from environment variable or use default
+const defaultAllowedMethods = ["get", "post", "put", "patch", "delete"];
+const allowedMethods = (process.env.ALLOWED_METHODS
+    ? process.env.ALLOWED_METHODS.split(",")
+    : defaultAllowedMethods).map(m => m.trim().toLowerCase());
+// Validate allowedMethods: throw error if any method is not in defaultAllowedMethods
+const invalidMethods = allowedMethods.filter(m => !defaultAllowedMethods.includes(m));
+if (invalidMethods.length > 0) {
+    throw new Error(`Invalid HTTP method(s) in ALLOWED_METHODS: ${invalidMethods.join(", ")}. Allowed methods are: ${defaultAllowedMethods.join(", ")}`);
+}
 logger.info(`Graph API default version: ${defaultGraphApiVersion} (USE_GRAPH_BETA=${process.env.USE_GRAPH_BETA || 'undefined'})`);
 server.tool("Lokka-Microsoft", "A versatile tool to interact with Microsoft APIs including Microsoft Graph (Entra) and Azure Resource Management. IMPORTANT: For Graph API GET requests using advanced query parameters ($filter, $count, $search, $orderby), you are ADVISED to set 'consistencyLevel: \"eventual\"'.", {
     apiType: z.enum(["graph", "azure"]).describe("Type of Microsoft API to query. Options: 'graph' for Microsoft Graph (Entra) or 'azure' for Azure Resource Management."),
     path: z.string().describe("The Azure or Graph API URL path to call (e.g. '/users', '/groups', '/subscriptions')"),
-    method: z.enum(["get", "post", "put", "patch", "delete"]).describe("HTTP method to use"),
+    method: z.enum(allowedMethods).describe(`HTTP method to use (allowed methods: ${allowedMethods.join(", ")})`),
     apiVersion: z.string().optional().describe("Azure Resource Management API version (required for apiType Azure)"),
     subscriptionId: z.string().optional().describe("Azure Subscription ID (for Azure Resource Management)."),
     queryParams: z.record(z.string()).optional().describe("Query parameters for the request"),

src/mcp/src/main.ts

@@ -27,6 +27,23 @@ let graphClient: Client | null = null;
 const useGraphBeta = process.env.USE_GRAPH_BETA !== 'false'; // Default to true unless explicitly set to 'false'
 const defaultGraphApiVersion = getDefaultGraphApiVersion();
 
+// Get allowed methods from environment variable or use default
+const defaultAllowedMethods = ["get", "post", "put", "patch", "delete"];
+const allowedMethods: string[] = (process.env.ALLOWED_METHODS
+  ? process.env.ALLOWED_METHODS.split(",")
+  : defaultAllowedMethods
+).map(m => m.trim().toLowerCase());
+// Validate allowedMethods: throw error if any method is not in defaultAllowedMethods
+const invalidMethods = allowedMethods.filter(
+  m => !defaultAllowedMethods.includes(m)
+);
+if (invalidMethods.length > 0) {
+  throw new Error(
+    `Invalid HTTP method(s) in ALLOWED_METHODS: ${invalidMethods.join(", ")}. Allowed methods are: ${defaultAllowedMethods.join(", ")}`
+  );
+}
+
+
 logger.info(`Graph API default version: ${defaultGraphApiVersion} (USE_GRAPH_BETA=${process.env.USE_GRAPH_BETA || 'undefined'})`);
 
 server.tool(
@@ -35,7 +52,7 @@ server.tool(
   {
     apiType: z.enum(["graph", "azure"]).describe("Type of Microsoft API to query. Options: 'graph' for Microsoft Graph (Entra) or 'azure' for Azure Resource Management."),
     path: z.string().describe("The Azure or Graph API URL path to call (e.g. '/users', '/groups', '/subscriptions')"),
-    method: z.enum(["get", "post", "put", "patch", "delete"]).describe("HTTP method to use"),
+    method: z.enum(allowedMethods as ["get", "post", "put", "patch", "delete"]).describe(`HTTP method to use (allowed methods: ${allowedMethods.join(", ")})`),
     apiVersion: z.string().optional().describe("Azure Resource Management API version (required for apiType Azure)"),
     subscriptionId: z.string().optional().describe("Azure Subscription ID (for Azure Resource Management)."),
     queryParams: z.record(z.string()).optional().describe("Query parameters for the request"),