Add Microsoft 365 community app (plugins/omi-ms365-app)

[snyfer]

Add Microsoft 365 community app (plugins/omi-ms365-app)

This PR adds a self-contained Microsoft 365 integration as a new app under plugins/, following the same convention as sibling apps in this folder (omi-google-calendar-app, omi-notion-app, omi-slack-app, etc.).

Supersedes #6865, which was closed because it used the older community-plugins.json entry format. This new version follows the documented Open Source Your App structure: a fully self-contained, runnable folder under plugins/.

What it does

A FastAPI app that brings the Microsoft 365 surface into Omi:

• Outlook Mail — list, search, read, send
• Outlook Calendar — list upcoming events, create events (optionally as Teams meetings), find free slots
• Microsoft Teams — list chats, send chat messages, list teams, create standalone online meetings
• OneDrive / SharePoint — list recent files, search, upload text, read content
• Profile — Who am I? / /me

OAuth 2.0 with Microsoft Entra ID via MSAL. Token caching in Redis with in-memory fallback. Throttling-aware Graph client with exponential backoff. The omi-tools.json manifest is auto-served at /.well-known/omi-tools.json.

Layout

Mirrors the structure of omi-google-calendar-app:

• main.py — FastAPI + tool dispatcher (16 tools)
• config.py — Settings + Graph scopes
• omi-tools.json — Tool manifest Omi reads
• services/ — auth, storage, graph_client, profile, mail, calendar, teams, sharepoint
• requirements.txt, Procfile, railway.toml, .env.example

Verified

• App is live on Render with a real Azure App Registration and full OAuth flow tested
• All 16 tools dispatched via /tools/{name} return valid responses
• /setup_check and /webhook/memory endpoints align with Omi's setup-completion contract
• No secrets in the diff — .env.example only contains placeholder values; real credentials live in the deploy environment

Local test

cd plugins/omi-ms365-app
cp .env.example .env  # fill MICROSOFT_CLIENT_ID, MICROSOFT_CLIENT_SECRET, SESSION_SECRET
pip install -r requirements.txt
uvicorn main:app --reload --port 8080
# open http://localhost:8080/setup/ms365?uid=test-user

Full setup walkthrough (Azure app registration, Graph permissions, deploy, Omi app config) is in the README.

[greptile-apps]

Greptile Summary

This PR adds a new self-contained Microsoft 365 community plugin under plugins/omi-ms365-app, mirroring the structure of sibling plugins. It integrates Outlook Mail, Calendar, Teams, OneDrive/SharePoint, and user profile via Microsoft Graph API with MSAL OAuth 2.0 and Redis-backed token caching.

Two issues need attention before merge:

• OData injection in search_files: the query argument is interpolated directly into the URL path, bypassing httpx encoding and breaking on any input containing '.
• KeyError masking in tool dispatch: any KeyError thrown inside a tool handler is silently converted to 404 Unknown tool, hiding real internal errors.

Confidence Score: 3/5

Not safe to merge until OData injection in search_files and KeyError masking in tool dispatch are fixed.

Two P1 bugs are present: a path-level OData injection in sharepoint search that breaks on any query containing a single quote and is exploitable for OData operator injection, and incorrect KeyError swallowing in the tool dispatcher that masks all internal errors as 404s. These affect the primary user paths for file search and all tool invocations.

plugins/omi-ms365-app/services/sharepoint.py (OData injection), plugins/omi-ms365-app/main.py (KeyError masking)

Security Review

• OData path injection (services/sharepoint.py line 30): user-controlled query is embedded in the URL path as an OData string literal without escaping; single quotes break the request and can inject OData operators.
• Weak session_secret default (config.py line 41): a placeholder default is used if SESSION_SECRET is not set, allowing forged OAuth state parameters.

Important Files Changed

Filename	Overview
plugins/omi-ms365-app/services/sharepoint.py	OData injection via unescaped query in search_files; in-function imports and second httpx client in read_file_text bypass GraphClient retry logic.
plugins/omi-ms365-app/main.py	FastAPI entrypoint; KeyError from tool internals incorrectly caught as Unknown tool 404; in-function import json.
plugins/omi-ms365-app/config.py	pydantic-settings config; session_secret has weak insecure default that should be required.
plugins/omi-ms365-app/services/auth.py	MSAL OAuth flow with per-user token cache via TokenStore; clean silent refresh and error handling.
plugins/omi-ms365-app/services/graph_client.py	Async Graph API client with 429/5xx retry and exponential backoff; well-structured context manager.
plugins/omi-ms365-app/services/storage.py	Redis-backed token store with in-memory fallback; clean protocol abstraction and 90-day TTL.
plugins/omi-ms365-app/services/calendar.py	Calendar list/create/free-slots; hardcoded Europe/Vienna timezone default will affect non-Austrian users.
plugins/omi-ms365-app/services/mail.py	Outlook mail list/search/read/send via GraphClient; clean implementation.
plugins/omi-ms365-app/services/teams.py	Teams chats, messages, joined teams, online meetings; straightforward Graph API calls.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Omi App] -->|POST tools/tool_name| B[FastAPI Dispatcher]
    B -->|get_access_token uid| C[MSAL Auth]
    C -->|load cache| D[(TokenStore)]
    C -->|silent refresh| E[Microsoft Entra ID]
    E -->|updated cache| D
    C -->|valid header| B
    B -->|Graph API call| F[Microsoft Graph]
    F -->|JSON response| B
    B -->|tool result| A
    G[Browser] -->|OAuth flow| H[setup + auth endpoints]
    H -->|acquire tokens| E
    E -->|cache blob| D

Loading

_{Reviews (1): Last reviewed commit: "Add Microsoft 365 community app (plugins..." | Re-trigger Greptile}

[greptile-apps]

OData path injection via unescaped query string

query is interpolated directly into the URL path segment as f"/me/drive/root/search(q='{query}')". Because this is a path — not a query param — httpx will not percent-encode it. A single ' in the search term terminates the OData string literal (e.g. it's → /me/drive/root/search(q='it's')), producing a malformed request. Malicious input can further inject OData operators.

Move the search term to a $search query parameter instead.

[greptile-apps]

KeyError from tool internals masked as "Unknown tool" 404

The except KeyError block wraps the entire await _TOOLS[tool_name](uid, **args) call. Any KeyError raised inside a tool (e.g. a missing key in a Graph response) is caught here and surfaced as 404 Unknown tool: <name> rather than a 500, permanently hiding real errors. Separate the dict lookup from the invocation so only the lookup can produce the KeyError.

[greptile-apps]

In-function imports should be moved to module level

import httpx and from services.auth import get_access_token are defined inside read_file_text. Move them to the top of the file. Additionally, this function bypasses GraphClient's throttling/retry logic by creating a second bare httpx.AsyncClient.

Context Used: Backend Python import rules - no in-function impor... (source)

[greptile-apps]

import json inside a function

import json is a standard-library import that should live at the top of the module, not inside _load_manifest. The in-function form is inconsistent with the rest of the file and is flagged by linters.

Context Used: Backend Python import rules - no in-function impor... (source)

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

[greptile-apps]

Hardcoded locale-specific timezone default

timezone_str: str = "Europe/Vienna" is the plugin author's local timezone and will silently create events in the wrong timezone for all other users. A neutral default ("UTC") or one derived from the user's mailbox settings (MailboxSettings.Read is already in scope) would be more appropriate.

[greptile-apps]

Insecure default for session_secret

The field has a weak placeholder default. If SESSION_SECRET is not set in the environment it is used silently — an attacker who knows the default can forge signed OAuth states. Making the field required (removing the default) causes the app to fail at startup rather than running insecurely.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5432523d4c

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Default event timezone to user context, not Europe/Vienna

create_event hard-codes timezone_str to Europe/Vienna, so any call that omits the timezone (which is common for tool invocations relying on defaults) will schedule events in CET/CEST rather than the user’s actual locale. This silently creates meetings at the wrong wall-clock time for most users outside that region; the default should come from the mailbox/user profile (or require an explicit timezone) instead of a fixed city.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Respect Retry-After instead of capping below server request

The retry delay uses min(retry_after, 2 ** attempt + 1), which can sleep less than the Retry-After value (for example retrying after 2s when Graph asked for 30s), causing repeated throttling and premature failure under load. Backoff should honor the server minimum (typically max(...) or direct retry_after) so 429 recovery is reliable.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Escape OneDrive search text before embedding in OData path

The search endpoint interpolates raw user text into search(q='...'); queries containing a single quote (for example Bob's notes) produce an invalid OData expression and the request fails with 4xx. User input should be escaped/encoded for OData string literals before constructing the path.

Useful? React with 👍 / 👎.