@realtimex/email-automator 2.1.0

package/api/src/middleware/errorHandler.ts

@@ -0,0 +1,97 @@
+import { Request, Response, NextFunction } from 'express';
+import { createLogger } from '../utils/logger.js';
+import { config } from '../config/index.js';
+
+const logger = createLogger('ErrorHandler');
+
+export class AppError extends Error {
+    statusCode: number;
+    isOperational: boolean;
+    code?: string;
+
+    constructor(message: string, statusCode: number = 500, code?: string) {
+        super(message);
+        this.statusCode = statusCode;
+        this.isOperational = true;
+        this.code = code;
+        Error.captureStackTrace(this, this.constructor);
+    }
+}
+
+export class ValidationError extends AppError {
+    constructor(message: string) {
+        super(message, 400, 'VALIDATION_ERROR');
+    }
+}
+
+export class AuthenticationError extends AppError {
+    constructor(message: string = 'Authentication required') {
+        super(message, 401, 'AUTHENTICATION_ERROR');
+    }
+}
+
+export class AuthorizationError extends AppError {
+    constructor(message: string = 'Insufficient permissions') {
+        super(message, 403, 'AUTHORIZATION_ERROR');
+    }
+}
+
+export class NotFoundError extends AppError {
+    constructor(resource: string = 'Resource') {
+        super(`${resource} not found`, 404, 'NOT_FOUND');
+    }
+}
+
+export class RateLimitError extends AppError {
+    constructor() {
+        super('Too many requests, please try again later', 429, 'RATE_LIMIT_EXCEEDED');
+    }
+}
+
+export function errorHandler(
+    err: Error | AppError,
+    req: Request,
+    res: Response,
+    _next: NextFunction
+): void {
+    // Default to 500 if not an AppError
+    const statusCode = err instanceof AppError ? err.statusCode : 500;
+    const isOperational = err instanceof AppError ? err.isOperational : false;
+    const code = err instanceof AppError ? err.code : 'INTERNAL_ERROR';
+
+    // Log error
+    if (statusCode >= 500) {
+        logger.error('Server error', err, {
+            method: req.method,
+            path: req.path,
+            statusCode,
+        });
+    } else {
+        logger.warn('Client error', {
+            method: req.method,
+            path: req.path,
+            statusCode,
+            message: err.message,
+        });
+    }
+
+    // Send response
+    res.status(statusCode).json({
+        success: false,
+        error: {
+            code,
+            message: isOperational || !config.isProduction 
+                ? err.message 
+                : 'An unexpected error occurred',
+            ...(config.isProduction ? {} : { stack: err.stack }),
+        },
+    });
+}
+
+export function asyncHandler(
+    fn: (req: Request, res: Response, next: NextFunction) => Promise<any>
+) {
+    return (req: Request, res: Response, next: NextFunction) => {
+        Promise.resolve(fn(req, res, next)).catch(next);
+    };
+}

package/api/src/middleware/index.ts

@@ -0,0 +1,4 @@
+export { errorHandler, asyncHandler, AppError, ValidationError, AuthenticationError, AuthorizationError, NotFoundError, RateLimitError } from './errorHandler.js';
+export { authMiddleware, optionalAuth, requireRole } from './auth.js';
+export { rateLimit, authRateLimit, apiRateLimit, syncRateLimit } from './rateLimit.js';
+export { validateBody, validateQuery, validateParams, schemas } from './validation.js';

package/api/src/middleware/rateLimit.ts

@@ -0,0 +1,87 @@
+import { Request, Response, NextFunction } from 'express';
+import { RateLimitError } from './errorHandler.js';
+import { config } from '../config/index.js';
+
+interface RateLimitEntry {
+    count: number;
+    resetAt: number;
+}
+
+// In-memory store (use Redis in production for multi-instance deployments)
+const rateLimitStore = new Map<string, RateLimitEntry>();
+
+// Cleanup old entries periodically
+setInterval(() => {
+    const now = Date.now();
+    for (const [key, entry] of rateLimitStore.entries()) {
+        if (entry.resetAt < now) {
+            rateLimitStore.delete(key);
+        }
+    }
+}, 60000); // Cleanup every minute
+
+export interface RateLimitOptions {
+    windowMs?: number;
+    max?: number;
+    keyGenerator?: (req: Request) => string;
+    skip?: (req: Request) => boolean;
+}
+
+export function rateLimit(options: RateLimitOptions = {}) {
+    const {
+        windowMs = config.security.rateLimitWindowMs,
+        max = config.security.rateLimitMax,
+        keyGenerator = (req) => req.ip || req.headers['x-forwarded-for']?.toString() || 'unknown',
+        skip = () => false,
+    } = options;
+
+    return (req: Request, res: Response, next: NextFunction): void => {
+        if (skip(req)) {
+            return next();
+        }
+
+        const key = keyGenerator(req);
+        const now = Date.now();
+        
+        let entry = rateLimitStore.get(key);
+        
+        if (!entry || entry.resetAt < now) {
+            entry = {
+                count: 1,
+                resetAt: now + windowMs,
+            };
+            rateLimitStore.set(key, entry);
+        } else {
+            entry.count++;
+        }
+
+        // Set rate limit headers
+        res.setHeader('X-RateLimit-Limit', max);
+        res.setHeader('X-RateLimit-Remaining', Math.max(0, max - entry.count));
+        res.setHeader('X-RateLimit-Reset', Math.ceil(entry.resetAt / 1000));
+
+        if (entry.count > max) {
+            return next(new RateLimitError());
+        }
+
+        next();
+    };
+}
+
+// Stricter rate limit for auth endpoints
+export const authRateLimit = rateLimit({
+    windowMs: 15 * 60 * 1000, // 15 minutes
+    max: 10, // 10 attempts per 15 minutes
+});
+
+// Standard API rate limit
+export const apiRateLimit = rateLimit({
+    windowMs: 60 * 1000, // 1 minute
+    max: 60, // 60 requests per minute
+});
+
+// Sync rate limit (expensive operation)
+export const syncRateLimit = rateLimit({
+    windowMs: 60 * 1000, // 1 minute
+    max: 5, // 5 sync requests per minute
+});

package/api/src/middleware/validation.ts

@@ -0,0 +1,118 @@
+import { Request, Response, NextFunction } from 'express';
+import { z, ZodSchema, ZodError } from 'zod';
+import { ValidationError } from './errorHandler.js';
+
+export function validateBody<T>(schema: ZodSchema<T>) {
+    return (req: Request, _res: Response, next: NextFunction): void => {
+        try {
+            req.body = schema.parse(req.body);
+            next();
+        } catch (error) {
+            if (error instanceof ZodError) {
+                const messages = error.errors.map(e => `${e.path.join('.')}: ${e.message}`).join(', ');
+                next(new ValidationError(messages));
+            } else {
+                next(error);
+            }
+        }
+    };
+}
+
+export function validateQuery<T>(schema: ZodSchema<T>) {
+    return (req: Request, _res: Response, next: NextFunction): void => {
+        try {
+            req.query = schema.parse(req.query) as any;
+            next();
+        } catch (error) {
+            if (error instanceof ZodError) {
+                const messages = error.errors.map(e => `${e.path.join('.')}: ${e.message}`).join(', ');
+                next(new ValidationError(messages));
+            } else {
+                next(error);
+            }
+        }
+    };
+}
+
+export function validateParams<T>(schema: ZodSchema<T>) {
+    return (req: Request, _res: Response, next: NextFunction): void => {
+        try {
+            req.params = schema.parse(req.params) as any;
+            next();
+        } catch (error) {
+            if (error instanceof ZodError) {
+                const messages = error.errors.map(e => `${e.path.join('.')}: ${e.message}`).join(', ');
+                next(new ValidationError(messages));
+            } else {
+                next(error);
+            }
+        }
+    };
+}
+
+// Common validation schemas
+export const schemas = {
+    uuid: z.string().uuid(),
+    email: z.string().email(),
+
+    // Auth schemas
+    gmailCallback: z.object({
+        code: z.string().min(1, 'Authorization code is required'),
+    }),
+
+    deviceFlow: z.object({
+        device_code: z.string().min(1, 'Device code is required'),
+    }),
+
+    // Sync schemas
+    syncRequest: z.object({
+        accountId: z.string().uuid('Invalid account ID'),
+    }),
+
+    // Action schemas
+    executeAction: z.object({
+        emailId: z.string().uuid('Invalid email ID'),
+        action: z.enum(['delete', 'archive', 'draft', 'flag', 'none']),
+        draftContent: z.string().optional(),
+    }),
+
+    // Migration schemas
+    migrate: z.object({
+        projectRef: z.string().min(1, 'Project reference is required'),
+        dbPassword: z.string().optional(),
+        accessToken: z.string().optional(),
+    }),
+
+    // Rule schemas
+    createRule: z.object({
+        name: z.string().min(1).max(100),
+        condition: z.record(z.unknown()),
+        action: z.enum(['delete', 'archive', 'draft', 'star', 'read']),
+        instructions: z.string().optional(),
+        is_enabled: z.boolean().default(true),
+    }),
+
+    updateRule: z.object({
+        name: z.string().min(1).max(100).optional(),
+        condition: z.record(z.unknown()).optional(),
+        action: z.enum(['delete', 'archive', 'draft', 'star', 'read']).optional(),
+        instructions: z.string().optional(),
+        is_enabled: z.boolean().optional(),
+    }),
+
+    // Settings schemas
+    updateSettings: z.object({
+        llm_model: z.string().optional(),
+        llm_base_url: z.string().url().optional().or(z.literal('')),
+        llm_api_key: z.string().optional(),
+        auto_trash_spam: z.boolean().optional(),
+        smart_drafts: z.boolean().optional(),
+        sync_interval_minutes: z.number().min(1).max(60).optional(),
+        // BYOK Credentials (transient, moved to integrations)
+        google_client_id: z.string().optional(),
+        google_client_secret: z.string().optional(),
+        microsoft_client_id: z.string().optional(),
+        microsoft_client_secret: z.string().optional(),
+        microsoft_tenant_id: z.string().optional(),
+    }),
+};

package/api/src/routes/actions.ts

@@ -0,0 +1,214 @@
+import { Router } from 'express';
+import { asyncHandler, NotFoundError } from '../middleware/errorHandler.js';
+import { authMiddleware } from '../middleware/auth.js';
+import { apiRateLimit } from '../middleware/rateLimit.js';
+import { validateBody, schemas } from '../middleware/validation.js';
+import { getGmailService } from '../services/gmail.js';
+import { getMicrosoftService } from '../services/microsoft.js';
+import { getIntelligenceService } from '../services/intelligence.js';
+import { createLogger } from '../utils/logger.js';
+
+const router = Router();
+const logger = createLogger('ActionRoutes');
+
+// Execute action on email
+router.post('/execute',
+    apiRateLimit,
+    authMiddleware,
+    validateBody(schemas.executeAction),
+    asyncHandler(async (req, res) => {
+        const { emailId, action, draftContent } = req.body;
+        const userId = req.user!.id;
+
+        // Fetch email with account info
+        const { data: email, error } = await req.supabase!
+            .from('emails')
+            .select('*, email_accounts(*)')
+            .eq('id', emailId)
+            .single();
+
+        if (error || !email) {
+            throw new NotFoundError('Email');
+        }
+
+        // Verify ownership
+        if (email.email_accounts.user_id !== userId) {
+            throw new NotFoundError('Email');
+        }
+
+        const account = email.email_accounts;
+        let actionResult = { success: true, details: '' };
+
+        if (action === 'none') {
+            // Just mark as reviewed
+            await req.supabase!
+                .from('emails')
+                .update({ action_taken: 'none' })
+                .eq('id', emailId);
+        } else if (account.provider === 'gmail') {
+            const gmailService = getGmailService();
+            
+            if (action === 'delete') {
+                await gmailService.trashMessage(account, email.external_id);
+            } else if (action === 'archive') {
+                await gmailService.archiveMessage(account, email.external_id);
+            } else if (action === 'draft') {
+                const content = draftContent || email.ai_analysis?.draft_response || '';
+                if (content) {
+                    const draftId = await gmailService.createDraft(account, email.external_id, content);
+                    actionResult.details = `Draft created: ${draftId}`;
+                }
+            } else if (action === 'flag') {
+                await gmailService.addLabel(account, email.external_id, ['STARRED']);
+            }
+
+            await req.supabase!
+                .from('emails')
+                .update({ action_taken: action })
+                .eq('id', emailId);
+        } else if (account.provider === 'outlook') {
+            const microsoftService = getMicrosoftService();
+            
+            if (action === 'delete') {
+                await microsoftService.trashMessage(account, email.external_id);
+            } else if (action === 'archive') {
+                await microsoftService.archiveMessage(account, email.external_id);
+            } else if (action === 'draft') {
+                const content = draftContent || email.ai_analysis?.draft_response || '';
+                if (content) {
+                    const draftId = await microsoftService.createDraft(account, email.external_id, content);
+                    actionResult.details = `Draft created: ${draftId}`;
+                }
+            }
+
+            await req.supabase!
+                .from('emails')
+                .update({ action_taken: action })
+                .eq('id', emailId);
+        }
+
+        logger.info('Action executed', { emailId, action, userId });
+
+        res.json(actionResult);
+    })
+);
+
+// Generate AI draft for an email
+router.post('/draft/:emailId',
+    apiRateLimit,
+    authMiddleware,
+    asyncHandler(async (req, res) => {
+        const { emailId } = req.params;
+        const { instructions } = req.body;
+        const userId = req.user!.id;
+
+        // Fetch email
+        const { data: email, error } = await req.supabase!
+            .from('emails')
+            .select('*, email_accounts(user_id)')
+            .eq('id', emailId)
+            .single();
+
+        if (error || !email) {
+            throw new NotFoundError('Email');
+        }
+
+        if (email.email_accounts.user_id !== userId) {
+            throw new NotFoundError('Email');
+        }
+
+        // Get user settings for LLM config
+        const { data: settings } = await req.supabase!
+            .from('user_settings')
+            .select('llm_model, llm_base_url')
+            .eq('user_id', userId)
+            .single();
+
+        const intelligenceService = getIntelligenceService(
+            settings ? { model: settings.llm_model, baseUrl: settings.llm_base_url } : undefined
+        );
+
+        const draft = await intelligenceService.generateDraftReply(
+            {
+                subject: email.subject,
+                sender: email.sender,
+                body: email.body_snippet,
+            },
+            instructions
+        );
+
+        if (!draft) {
+            return res.status(500).json({ error: 'Failed to generate draft' });
+        }
+
+        res.json({ draft });
+    })
+);
+
+// Bulk actions
+router.post('/bulk',
+    apiRateLimit,
+    authMiddleware,
+    asyncHandler(async (req, res) => {
+        const { emailIds, action } = req.body;
+        const userId = req.user!.id;
+
+        if (!Array.isArray(emailIds) || emailIds.length === 0) {
+            return res.status(400).json({ error: 'emailIds must be a non-empty array' });
+        }
+
+        if (!['delete', 'archive', 'none'].includes(action)) {
+            return res.status(400).json({ error: 'Invalid action for bulk operation' });
+        }
+
+        const results = { success: 0, failed: 0 };
+
+        for (const emailId of emailIds) {
+            try {
+                // Fetch email
+                const { data: email } = await req.supabase!
+                    .from('emails')
+                    .select('*, email_accounts(*)')
+                    .eq('id', emailId)
+                    .single();
+
+                if (!email || email.email_accounts.user_id !== userId) {
+                    results.failed++;
+                    continue;
+                }
+
+                const account = email.email_accounts;
+
+                if (account.provider === 'gmail') {
+                    const gmailService = getGmailService();
+                    if (action === 'delete') {
+                        await gmailService.trashMessage(account, email.external_id);
+                    } else if (action === 'archive') {
+                        await gmailService.archiveMessage(account, email.external_id);
+                    }
+                } else if (account.provider === 'outlook') {
+                    const microsoftService = getMicrosoftService();
+                    if (action === 'delete') {
+                        await microsoftService.trashMessage(account, email.external_id);
+                    } else if (action === 'archive') {
+                        await microsoftService.archiveMessage(account, email.external_id);
+                    }
+                }
+
+                await req.supabase!
+                    .from('emails')
+                    .update({ action_taken: action })
+                    .eq('id', emailId);
+
+                results.success++;
+            } catch (err) {
+                logger.error('Bulk action failed for email', err, { emailId });
+                results.failed++;
+            }
+        }
+
+        res.json(results);
+    })
+);
+
+export default router;

package/api/src/routes/auth.ts

@@ -0,0 +1,157 @@
+import { Router } from 'express';
+import { asyncHandler, ValidationError } from '../middleware/errorHandler.js';
+import { authMiddleware } from '../middleware/auth.js';
+import { authRateLimit } from '../middleware/rateLimit.js';
+import { validateBody, schemas } from '../middleware/validation.js';
+import { getGmailService } from '../services/gmail.js';
+import { getMicrosoftService } from '../services/microsoft.js';
+import { createLogger } from '../utils/logger.js';
+
+const router = Router();
+const logger = createLogger('AuthRoutes');
+
+// Gmail OAuth
+router.get('/gmail/url', authRateLimit, asyncHandler(async (req, res) => {
+    const gmailService = getGmailService();
+    const url = gmailService.getAuthUrl();
+    logger.info('Gmail auth URL generated');
+    res.json({ url });
+}));
+
+router.post('/gmail/callback', 
+    authRateLimit,
+    authMiddleware,
+    validateBody(schemas.gmailCallback),
+    asyncHandler(async (req, res) => {
+        const { code } = req.body;
+        const gmailService = getGmailService();
+        
+        // Exchange code for tokens
+        const tokens = await gmailService.exchangeCode(code);
+        
+        if (!tokens.access_token) {
+            throw new ValidationError('Failed to obtain access token');
+        }
+
+        // Get email address from Gmail profile
+        const tempAccount = {
+            id: '',
+            user_id: req.user!.id,
+            provider: 'gmail' as const,
+            email_address: '',
+            access_token: tokens.access_token,
+            refresh_token: tokens.refresh_token || null,
+            token_expires_at: tokens.expiry_date ? new Date(tokens.expiry_date).toISOString() : null,
+            scopes: tokens.scope?.split(' ') || [],
+            is_active: true,
+            created_at: '',
+            updated_at: '',
+        };
+        
+        const profile = await gmailService.getProfile(tempAccount);
+        
+        // Save account
+        const account = await gmailService.saveAccount(
+            req.supabase!,
+            req.user!.id,
+            profile.emailAddress,
+            tokens
+        );
+
+        logger.info('Gmail account connected', { 
+            userId: req.user!.id, 
+            email: profile.emailAddress 
+        });
+
+        res.json({ 
+            success: true, 
+            account: {
+                id: account.id,
+                email_address: account.email_address,
+                provider: account.provider,
+            }
+        });
+    })
+);
+
+// Microsoft OAuth (Device Code Flow)
+router.post('/microsoft/device-flow',
+    authRateLimit,
+    authMiddleware,
+    asyncHandler(async (req, res) => {
+        const microsoftService = getMicrosoftService();
+        
+        // Start device code flow
+        const result = await microsoftService.acquireTokenByDeviceCode((response) => {
+            // This callback is called when the device code is ready
+            res.json({
+                userCode: response.userCode,
+                verificationUri: response.verificationUri,
+                message: response.message,
+            });
+        });
+
+        // If we get here, the user completed the flow
+        if (result) {
+            const account = await microsoftService.saveAccount(
+                req.supabase!,
+                req.user!.id,
+                result.account?.username || '',
+                result
+            );
+
+            logger.info('Microsoft account connected', {
+                userId: req.user!.id,
+                email: account.email_address,
+            });
+        }
+    })
+);
+
+router.post('/microsoft/complete',
+    authRateLimit,
+    authMiddleware,
+    validateBody(schemas.deviceFlow),
+    asyncHandler(async (_req, res) => {
+        // Device flow completion is handled in the device-flow endpoint
+        // This is kept for backwards compatibility
+        res.json({ success: true });
+    })
+);
+
+// Disconnect account
+router.delete('/accounts/:accountId',
+    authMiddleware,
+    asyncHandler(async (req, res) => {
+        const { accountId } = req.params;
+        
+        const { error } = await req.supabase!
+            .from('email_accounts')
+            .delete()
+            .eq('id', accountId)
+            .eq('user_id', req.user!.id);
+
+        if (error) throw error;
+
+        logger.info('Account disconnected', { accountId, userId: req.user!.id });
+        res.json({ success: true });
+    })
+);
+
+// List connected accounts
+router.get('/accounts',
+    authMiddleware,
+    asyncHandler(async (req, res) => {
+        const { data, error } = await req.supabase!
+            .from('email_accounts')
+            .select('id, provider, email_address, is_active, created_at, updated_at')
+            .eq('user_id', req.user!.id)
+            .order('created_at', { ascending: false });
+
+        if (error) throw error;
+
+        res.json({ accounts: data || [] });
+    })
+);
+
+export default router;