Replace custom MSAL cache plugin with msal-node-extensions #7398
Open
waldekmastykarz wants to merge 7 commits into
Replace the custom ICachePlugin implementation that stored tokens as plain JSON files (~/.cli-m365-msal.json) with @azure/msal-node-extensions PersistenceCachePlugin, which stores tokens in the OS-specific credential store (macOS Keychain, Windows DPAPI, Linux libsecret with plaintext fallback).

Key changes:
- msalCachePlugin.ts: replaced custom beforeCacheAccess/afterCacheAccess with PersistenceCreator.createPersistence() and PersistenceCachePlugin
- Auth.ts: use async getCachePlugin() and clearMsalCache() from the new module
- FileTokenStorage.ts: removed msalCacheFilePath() (no longer needed for MSAL cache; still used for connection info storage)
- Updated all tests to use the new stubbable object pattern

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

On upgrade, the old ~/.cli-m365-msal.json may contain plaintext tokens (especially on macOS where the new persistence uses Keychain). Delete the file during initialization if it contains valid JSON, indicating it's a legacy plaintext cache rather than new persistence-managed content.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Update persisting-connection.mdx to document that the MSAL token cache is now stored in the OS-specific credential store (macOS Keychain, Windows DPAPI, Linux libsecret) instead of a plaintext JSON file. Also fix the connection file names to match current code (.cli-m365-connection and .cli-m365-all-connections).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

On Linux without libsecret installed, PersistenceCreator.createPersistence() fails because the keytar native module cannot load libsecret-1.so.0. The usePlaintextFileOnLinux fallback in PersistenceCreator only handles verification failures, not module load failures. Catch the error in createPersistence() and fall back to FilePersistence directly, ensuring the CLI works on Linux environments without libsecret (CI, containers, headless servers).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Replace createPersistence/createPlugin seams with a single createNativePersistence method that wraps the entire dynamic import of @azure/msal-node-extensions in a try/catch. When the barrel export fails to load (e.g. Linux without libsecret installed), fall back to a built-in FileCachePlugin that reads/writes tokens to a plain JSON file, matching the original custom cache plugin behavior.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Extract importMsalExtensions and createFileFallback as separate stubbable seams so createNativePersistence body can be tested via mocks. Add test that calls real importMsalExtensions (covers line 52 even when the import throws on Linux without libsecret).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
What's in this PR

Replaces the custom ICachePlugin implementation that stored MSAL tokens as plaintext JSON files (~/.cli-m365-msal.json) with @azure/msal-node-extensions PersistenceCachePlugin, which uses the OS-specific credential store:

Changes

- src/auth/msalCachePlugin.ts: Replaced custom beforeCacheAccess/afterCacheAccess with PersistenceCreator.createPersistence() and PersistenceCachePlugin. Exposed stubbable createPersistence/createPlugin seams for testability. Added removeLegacyCache() to clean up old plaintext cache files on upgrade.
- src/Auth.ts: Updated to use async getCachePlugin() and clearMsalCache() from the new module. Removed getMsalCacheStorage() method.
- src/auth/FileTokenStorage.ts: Removed msalCacheFilePath() (no longer needed for MSAL cache; connection storage unchanged).
- package.json: Added @azure/msal-node-extensions dependency.
- docs/docs/concepts/persisting-connection.mdx: Updated to document OS credential store usage and corrected connection file names.
- msalCachePlugin.spec.ts, Auth.spec.ts, FileTokenStorage.spec.ts).

Migration

On first run after upgrade, removeLegacyCache() detects and deletes any old plaintext ~/.cli-m365-msal.json file. Users will need to re-authenticate, as the new credential store starts empty.

Multi-account support

Unchanged — MSAL internally manages multiple accounts within a single cache. Connection metadata (~/.cli-m365-connection.json, ~/.cli-m365-all-connections.json) remains in FileTokenStorage.
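
The legacy-cache cleanup described under Migration, sketched as an added example; this is not the code from this PR. The function body, its return labels and the stricter "must be a JSON object" check are assumptions of this sketch, and the sample files are constructed in a temporary directory.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Hypothetical stand-in for the PR's removeLegacyCache(): delete the cache file
// only when it is readable as plaintext JSON, i.e. a legacy token cache.
function removeLegacyCache(cacheFile) {
  let raw;
  try {
    raw = fs.readFileSync(cacheFile);
  } catch (err) {
    if (err.code === 'ENOENT') return 'absent'; // nothing left from an old version
    throw err; // permission and I/O errors should surface, not be swallowed
  }
  let parsed;
  try {
    parsed = JSON.parse(raw.toString('utf8'));
  } catch {
    return 'kept'; // not JSON: treated as persistence-managed (opaque) content
  }
  // Assumption of this sketch: a legacy cache is a JSON object, so bare scalars
  // and arrays that happen to parse are left alone.
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) return 'kept';
  fs.rmSync(cacheFile);
  return 'removed';
}

// Constructed sample inputs in a throwaway directory; nothing in $HOME is touched.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'legacy-cache-'));
  const legacy = path.join(dir, 'legacy.json');
  const opaque = path.join(dir, 'opaque.bin');
  const missing = path.join(dir, 'missing.json');
  fs.writeFileSync(legacy, JSON.stringify({ AccessToken: {}, RefreshToken: {} }));
  fs.writeFileSync(opaque, Buffer.from([0x01, 0x00, 0xd0, 0x8c, 0x9d, 0xdf]));
  const result = {
    legacy: removeLegacyCache(legacy),
    opaque: removeLegacyCache(opaque),
    missing: removeLegacyCache(missing),
    legacyStillOnDisk: fs.existsSync(legacy),
    opaqueStillOnDisk: fs.existsSync(opaque)
  };
  fs.rmSync(dir, { recursive: true, force: true });
  return result;
}

console.log(demo());
```

Deleting the file removes only the local copy: tokens that were stored in it stay valid until they expire or are revoked.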