chore: release v2.4

- Add theme system (Dark/Light palettes, ModernTheme, ThemeManager) - Add InputDialog, Spinner common view - Add DuplicatesCsvExportService - Refresh views, dialogs, and view models across tabs - Update localization strings (en/fr) - Tweak services (transfer, permissions, search, user access, ownership elevation, bulk operations) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-20 11:23:11 +02:00
parent 8f30a60d2a
commit 12dd1de9f2
93 changed files with 8708 additions and 1159 deletions
@@ -15,17 +15,48 @@ public class GraphClientFactory

    /// <summary>
    /// Creates a GraphServiceClient that acquires tokens via the same MSAL PCA
-    /// used for SharePoint auth, but with Graph scopes.
+    /// used for SharePoint auth, but with Graph scopes. Uses the /common authority
+    /// and the <c>.default</c> scope (whatever the client is pre-consented for).
    /// </summary>
-    public async Task<GraphServiceClient> CreateClientAsync(string clientId, CancellationToken ct)
+    public Task<GraphServiceClient> CreateClientAsync(string clientId, CancellationToken ct)
+        => CreateClientAsync(clientId, tenantId: null, scopes: null, ct);
+
+    /// <summary>
+    /// Creates a GraphServiceClient pinned to a specific tenant authority.
+    /// Pass the tenant domain (e.g. "contoso.onmicrosoft.com") or tenant GUID.
+    /// Null <paramref name="tenantId"/> falls back to /common.
+    /// </summary>
+    public Task<GraphServiceClient> CreateClientAsync(string clientId, string? tenantId, CancellationToken ct)
+        => CreateClientAsync(clientId, tenantId, scopes: null, ct);
+
+    /// <summary>
+    /// Creates a GraphServiceClient with explicit Graph delegated scopes.
+    /// Use when <c>.default</c> is insufficient — typically for admin actions that
+    /// need scopes not pre-consented on the bootstrap client (e.g. app registration
+    /// requires <c>Application.ReadWrite.All</c> and
+    /// <c>DelegatedPermissionGrant.ReadWrite.All</c>). Triggers an admin-consent
+    /// prompt on first use if the tenant has not yet consented.
+    /// </summary>
+    public async Task<GraphServiceClient> CreateClientAsync(
+        string clientId,
+        string? tenantId,
+        string[]? scopes,
+        CancellationToken ct)
    {
        var pca = await _msalFactory.GetOrCreateAsync(clientId);
-        var accounts = await pca.GetAccountsAsync();
-        var account = accounts.FirstOrDefault();

-        var graphScopes = new[] { "https://graph.microsoft.com/.default" };
+        // When a tenant is specified we must NOT reuse cached accounts from /common
+        // (or a different tenant) — they route tokens to the wrong authority.
+        IAccount? account = null;
+        if (tenantId is null)
+        {
+            var accounts = await pca.GetAccountsAsync();
+            account = accounts.FirstOrDefault();
+        }

-        var tokenProvider = new MsalTokenProvider(pca, account, graphScopes);
+        var graphScopes = scopes ?? new[] { "https://graph.microsoft.com/.default" };
+
+        var tokenProvider = new MsalTokenProvider(pca, account, graphScopes, tenantId);
        var authProvider = new BaseBearerTokenAuthenticationProvider(tokenProvider);
        return new GraphServiceClient(authProvider);
    }
@@ -39,12 +70,14 @@ internal class MsalTokenProvider : IAccessTokenProvider
    private readonly IPublicClientApplication _pca;
    private readonly IAccount? _account;
    private readonly string[] _scopes;
+    private readonly string? _tenantId;

-    public MsalTokenProvider(IPublicClientApplication pca, IAccount? account, string[] scopes)
+    public MsalTokenProvider(IPublicClientApplication pca, IAccount? account, string[] scopes, string? tenantId = null)
    {
        _pca = pca;
        _account = account;
        _scopes = scopes;
+        _tenantId = tenantId;
    }

    public AllowedHostsValidator AllowedHostsValidator { get; } = new();
@@ -56,15 +89,16 @@ internal class MsalTokenProvider : IAccessTokenProvider
    {
        try
        {
-            var result = await _pca.AcquireTokenSilent(_scopes, _account)
-                .ExecuteAsync(cancellationToken);
+            var silent = _pca.AcquireTokenSilent(_scopes, _account);
+            if (_tenantId is not null) silent = silent.WithTenantId(_tenantId);
+            var result = await silent.ExecuteAsync(cancellationToken);
            return result.AccessToken;
        }
        catch (MsalUiRequiredException)
        {
-            // If silent fails, try interactive
-            var result = await _pca.AcquireTokenInteractive(_scopes)
-                .ExecuteAsync(cancellationToken);
+            var interactive = _pca.AcquireTokenInteractive(_scopes);
+            if (_tenantId is not null) interactive = interactive.WithTenantId(_tenantId);
+            var result = await interactive.ExecuteAsync(cancellationToken);
            return result.AccessToken;
        }
    }