@realtimex/email-automator 2.1.0

package/src/main.tsx

@@ -0,0 +1,10 @@
+import React from 'react';
+import ReactDOM from 'react-dom/client';
+import App from './App';
+import './index.css';
+
+ReactDOM.createRoot(document.getElementById('root')!).render(
+    <React.StrictMode>
+        <App />
+    </React.StrictMode>
+);

package/supabase/.env.example

@@ -0,0 +1,15 @@
+# Edge Functions Environment Variables
+# Copy this to Supabase Dashboard > Project Settings > Edge Functions
+
+# Token Encryption (Required)
+TOKEN_ENCRYPTION_KEY=your-32-character-encryption-key-here
+
+# Gmail OAuth (Required for Gmail integration)
+GMAIL_CLIENT_ID=your-gmail-client-id
+GMAIL_CLIENT_SECRET=your-gmail-client-secret
+GMAIL_REDIRECT_URI=urn:ietf:wg:oauth:2.0:oob
+
+# Microsoft Graph OAuth (Required for Outlook integration)
+MS_GRAPH_CLIENT_ID=your-ms-graph-client-id
+MS_GRAPH_CLIENT_SECRET=your-ms-graph-client-secret
+MS_GRAPH_TENANT_ID=common

package/supabase/.temp/cli-latest

@@ -0,0 +1 @@
+v2.72.7

package/supabase/.temp/gotrue-version

@@ -0,0 +1 @@
+v2.185.0

package/supabase/.temp/pooler-url

@@ -0,0 +1 @@
+postgresql://postgres.dphtysocoxwtohdsdbom@aws-1-us-east-2.pooler.supabase.com:5432/postgres

package/supabase/.temp/postgres-version

@@ -0,0 +1 @@
+17.6.1.063

package/supabase/.temp/project-ref

@@ -0,0 +1 @@
+dphtysocoxwtohdsdbom

package/supabase/.temp/rest-version

@@ -0,0 +1 @@
+v14.1

package/supabase/.temp/storage-migration

@@ -0,0 +1 @@
+buckets-objects-grants-postgres

package/supabase/.temp/storage-version

@@ -0,0 +1 @@
+v1.33.0

package/supabase/config.toml

@@ -0,0 +1,95 @@
+# Supabase Configuration
+
+[api]
+enabled = true
+port = 54321
+schemas = ["public", "storage", "graphql_public"]
+extra_search_path = ["public", "extensions"]
+max_rows = 1000
+
+[db]
+port = 54322
+major_version = 15
+
+[studio]
+enabled = true
+port = 54323
+
+[storage]
+enabled = true
+file_size_limit = "50MiB"
+
+[auth]
+enabled = true
+# The base URL of your website. Used as an allow-list for redirects and for constructing URLs used
+# in emails.
+site_url = "http://localhost:5173"
+# A list of *exact* URLs that auth providers are permitted to redirect to post authentication.
+additional_redirect_urls = ["http://localhost:3000"]
+# How long tokens are valid for, in seconds. Defaults to 3600 (1 hour), maximum 604,800 (1 week).
+jwt_expiry = 3600
+# If disabled, the refresh token will never expire.
+enable_refresh_token_rotation = true
+# Allows refresh tokens to be reused after expiry, up to the specified interval in seconds.
+# Requires enable_refresh_token_rotation = true.
+refresh_token_reuse_interval = 10
+# Allow/disallow new user signups to your project.
+enable_signup = true
+# Allow/disallow anonymous sign-ins to your project.
+enable_anonymous_sign_ins = false
+# Allow/disallow testing manual linking of accounts
+enable_manual_linking = false
+# Passwords shorter than this value will be rejected as weak. Minimum 6, recommended 8 or more.
+minimum_password_length = 6
+# Passwords that do not meet the following requirements will be rejected as weak. Supported values
+# are: `letters_digits`, `lower_upper_letters_digits`, `lower_upper_letters_digits_symbols`
+password_requirements = ""
+
+[auth.email]
+# Allow/disallow new user signups via email to your project.
+enable_signup = true
+# If enabled, a user will be required to confirm any email change on both the old, and new email
+# addresses. If disabled, only the new email is required to confirm.
+double_confirm_changes = true
+# If enabled, users need to confirm their email address before signing in.
+enable_confirmations = false
+# If enabled, users will need to reauthenticate or have logged in recently to change their password.
+secure_password_change = false
+# Controls the minimum amount of time that must pass before sending another signup confirmation or password reset email.
+max_frequency = "1s"
+# Number of characters used in the email OTP.
+otp_length = 6
+# Number of seconds before the email OTP expires (defaults to 1 hour).
+otp_expiry = 3600
+
+[auth.email.template.invite]
+subject = "You have been invited to Email Automator"
+content_path = "supabase/templates/invite.html"
+
+[auth.email.template.confirmation]
+subject = "Confirm your Email Automator account"
+content_path = "supabase/templates/confirmation.html"
+
+[auth.email.template.recovery]
+subject = "Reset your Email Automator password"
+content_path = "supabase/templates/recovery.html"
+
+[auth.email.template.magic_link]
+subject = "Login to Email Automator"
+content_path = "supabase/templates/magic-link.html"
+
+[auth.email.template.email_change]
+subject = "Confirm your new email for Email Automator"
+content_path = "supabase/templates/email-change.html"
+
+[functions]
+# Required environment variables for Edge Functions
+# These should be set in Supabase Dashboard > Project Settings > Edge Functions
+#
+# TOKEN_ENCRYPTION_KEY - 32-character encryption key for OAuth tokens
+# GMAIL_CLIENT_ID - Gmail OAuth Client ID
+# GMAIL_CLIENT_SECRET - Gmail OAuth Client Secret
+# GMAIL_REDIRECT_URI - Gmail OAuth Redirect URI (default: urn:ietf:wg:oauth:2.0:oob)
+# MS_GRAPH_CLIENT_ID - Microsoft Graph Client ID
+# MS_GRAPH_CLIENT_SECRET - Microsoft Graph Client Secret (optional)
+# MS_GRAPH_TENANT_ID - Microsoft Tenant ID (default: common)

package/supabase/functions/_shared/auth-helper.ts

@@ -0,0 +1,76 @@
+import { supabaseAdmin } from './supabaseAdmin.ts';
+
+export interface OAuthCredentials {
+    clientId: string;
+    clientSecret: string;
+    // Optional extras
+    tenantId?: string;
+    redirectUri?: string;
+}
+
+/**
+ * Fetch credentials for a specific provider.
+ * Priority: 
+ * 1. integrations table (for the given user)
+ * 2. Deno.env (server-side secrets)
+ */
+export async function getProviderCredentials(
+    userId: string,
+    provider: 'google' | 'microsoft'
+): Promise<OAuthCredentials> {
+    // 1. Try to fetch from integrations
+    const { data: integration } = await supabaseAdmin
+        .from('integrations')
+        .select('credentials')
+        .eq('user_id', userId)
+        .eq('provider', provider)
+        .maybeSingle();
+
+    if (integration?.credentials) {
+        const creds = integration.credentials as any;
+        
+        if (provider === 'google' && creds.client_id && creds.client_secret) {
+            return {
+                clientId: creds.client_id,
+                clientSecret: creds.client_secret,
+                redirectUri: Deno.env.get('GMAIL_REDIRECT_URI') 
+            };
+        }
+
+        if (provider === 'microsoft' && creds.client_id) {
+            return {
+                clientId: creds.client_id,
+                clientSecret: creds.client_secret || Deno.env.get('MS_GRAPH_CLIENT_SECRET') || '',
+                tenantId: creds.tenant_id || Deno.env.get('MS_GRAPH_TENANT_ID') || 'common'
+            };
+        }
+    }
+
+    // 2. Fallback to Env Vars
+    if (provider === 'google') {
+        const clientId = Deno.env.get('GMAIL_CLIENT_ID');
+        const clientSecret = Deno.env.get('GMAIL_CLIENT_SECRET');
+        if (!clientId || !clientSecret) {
+            throw new Error('Gmail OAuth credentials not configured (Database or Env)');
+        }
+        return {
+            clientId,
+            clientSecret,
+            redirectUri: Deno.env.get('GMAIL_REDIRECT_URI')
+        };
+    }
+
+    if (provider === 'microsoft') {
+        const clientId = Deno.env.get('MS_GRAPH_CLIENT_ID');
+        if (!clientId) {
+            throw new Error('Microsoft OAuth credentials not configured (Database or Env)');
+        }
+        return {
+            clientId,
+            clientSecret: Deno.env.get('MS_GRAPH_CLIENT_SECRET') || '',
+            tenantId: Deno.env.get('MS_GRAPH_TENANT_ID') || 'common'
+        };
+    }
+
+    throw new Error(`Unknown provider: ${provider}`);
+}

package/supabase/functions/_shared/auth.ts

@@ -0,0 +1,33 @@
+import { createClient } from 'jsr:@supabase/supabase-js@2';
+
+// Verify user from authorization header
+export async function verifyUser(req: Request) {
+  const authHeader = req.headers.get('Authorization');
+
+  if (!authHeader?.startsWith('Bearer ')) {
+    return { user: null, error: 'Missing or invalid authorization header' };
+  }
+
+  const token = authHeader.substring(7);
+
+  // Create client to verify token
+  const supabase = createClient(
+    Deno.env.get('SUPABASE_URL') ?? '',
+    Deno.env.get('SUPABASE_ANON_KEY') ?? '',
+    {
+      global: {
+        headers: {
+          Authorization: `Bearer ${token}`,
+        },
+      },
+    }
+  );
+
+  const { data: { user }, error } = await supabase.auth.getUser();
+
+  if (error || !user) {
+    return { user: null, error: 'Invalid or expired token' };
+  }
+
+  return { user, error: null };
+}

package/supabase/functions/_shared/cors.ts

@@ -0,0 +1,45 @@
+// CORS headers for Edge Functions
+export const corsHeaders = {
+  'Access-Control-Allow-Origin': '*',
+  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
+  'Access-Control-Allow-Methods': 'GET, POST, PUT, PATCH, DELETE, OPTIONS',
+};
+
+// Handle CORS preflight
+export function handleCors(req: Request): Response | null {
+  if (req.method === 'OPTIONS') {
+    return new Response(null, {
+      status: 204,
+      headers: corsHeaders,
+    });
+  }
+  return null;
+}
+
+// Create error response with CORS
+export function createErrorResponse(status: number, message: string): Response {
+  return new Response(
+    JSON.stringify({ error: message }),
+    {
+      status,
+      headers: {
+        ...corsHeaders,
+        'Content-Type': 'application/json',
+      },
+    }
+  );
+}
+
+// Create success response with CORS
+export function createSuccessResponse(data: any, status = 200): Response {
+  return new Response(
+    JSON.stringify(data),
+    {
+      status,
+      headers: {
+        ...corsHeaders,
+        'Content-Type': 'application/json',
+      },
+    }
+  );
+}

package/supabase/functions/_shared/encryption.ts

@@ -0,0 +1,70 @@
+// Token encryption utilities for securing OAuth credentials
+// Uses Web Crypto API available in Deno
+
+const ALGORITHM = 'AES-GCM';
+const KEY_LENGTH = 256;
+const IV_LENGTH = 12;
+
+// Get encryption key from environment
+function getEncryptionKey(): string {
+  const key = Deno.env.get('TOKEN_ENCRYPTION_KEY');
+  if (!key) {
+    throw new Error('TOKEN_ENCRYPTION_KEY environment variable not set');
+  }
+  return key;
+}
+
+// Convert string key to CryptoKey
+async function getKey(): Promise<CryptoKey> {
+  const keyString = getEncryptionKey();
+  const keyData = new TextEncoder().encode(keyString.padEnd(32, '0').slice(0, 32));
+
+  return await crypto.subtle.importKey(
+    'raw',
+    keyData,
+    { name: ALGORITHM },
+    false,
+    ['encrypt', 'decrypt']
+  );
+}
+
+// Encrypt data
+export async function encrypt(plaintext: string): Promise<string> {
+  const key = await getKey();
+  const iv = crypto.getRandomValues(new Uint8Array(IV_LENGTH));
+  const encoded = new TextEncoder().encode(plaintext);
+
+  const ciphertext = await crypto.subtle.encrypt(
+    { name: ALGORITHM, iv },
+    key,
+    encoded
+  );
+
+  // Combine IV and ciphertext
+  const combined = new Uint8Array(iv.length + ciphertext.byteLength);
+  combined.set(iv);
+  combined.set(new Uint8Array(ciphertext), iv.length);
+
+  // Convert to base64
+  return btoa(String.fromCharCode(...combined));
+}
+
+// Decrypt data
+export async function decrypt(ciphertext: string): Promise<string> {
+  const key = await getKey();
+
+  // Convert from base64
+  const combined = Uint8Array.from(atob(ciphertext), c => c.charCodeAt(0));
+
+  // Extract IV and ciphertext
+  const iv = combined.slice(0, IV_LENGTH);
+  const encrypted = combined.slice(IV_LENGTH);
+
+  const decrypted = await crypto.subtle.decrypt(
+    { name: ALGORITHM, iv },
+    key,
+    encrypted
+  );
+
+  return new TextDecoder().decode(decrypted);
+}

package/supabase/functions/_shared/supabaseAdmin.ts

@@ -0,0 +1,14 @@
+import { createClient } from 'jsr:@supabase/supabase-js@2';
+
+// Create a Supabase client with the service role key
+// This client bypasses Row Level Security (RLS)
+export const supabaseAdmin = createClient(
+  Deno.env.get('SUPABASE_URL') ?? '',
+  Deno.env.get('SUPABASE_SERVICE_ROLE_KEY') ?? '',
+  {
+    auth: {
+      autoRefreshToken: false,
+      persistSession: false,
+    },
+  }
+);

package/supabase/functions/api-v1-accounts/index.ts

@@ -0,0 +1,133 @@
+import 'jsr:@supabase/functions-js/edge-runtime.d.ts';
+import { supabaseAdmin } from '../_shared/supabaseAdmin.ts';
+import { handleCors, createErrorResponse, createSuccessResponse } from '../_shared/cors.ts';
+import { verifyUser } from '../_shared/auth.ts';
+
+/**
+ * Email Accounts API
+ *
+ * GET /api-v1-accounts - List all accounts for the authenticated user
+ * DELETE /api-v1-accounts/:id - Disconnect an account
+ */
+
+Deno.serve(async (req) => {
+  // Handle CORS preflight
+  const corsResponse = handleCors(req);
+  if (corsResponse) return corsResponse;
+
+  // Verify user authentication
+  const { user, error: authError } = await verifyUser(req);
+  if (authError || !user) {
+    return createErrorResponse(401, authError || 'Unauthorized');
+  }
+
+  try {
+    const url = new URL(req.url);
+    const pathParts = url.pathname.split('/').filter(Boolean);
+
+    // GET /api-v1-accounts - List accounts
+    if (req.method === 'GET' && pathParts.length === 1) {
+      const { data, error } = await supabaseAdmin
+        .from('email_accounts')
+        .select('id, provider, email_address, is_active, last_sync_checkpoint, sync_start_date, sync_max_emails_per_run, last_sync_at, last_sync_status, last_sync_error, created_at, updated_at')
+        .eq('user_id', user.id)
+        .order('created_at', { ascending: false });
+
+      if (error) {
+        console.error('Database error:', error);
+        return createErrorResponse(500, 'Failed to fetch accounts');
+      }
+
+      return createSuccessResponse({ accounts: data || [] });
+    }
+
+    // PATCH /api-v1-accounts/:id - Update account settings
+    if (req.method === 'PATCH' && pathParts.length === 2) {
+      const accountId = pathParts[1];
+      const updates = await req.json();
+
+      // Fetch current state to check if we are moving the start date backwards
+      const { data: currentAccount } = await supabaseAdmin
+        .from('email_accounts')
+        .select('sync_start_date, last_sync_checkpoint')
+        .eq('id', accountId)
+        .eq('user_id', user.id)
+        .single();
+
+      // Only allow updating specific fields
+      const allowedUpdates: Record<string, any> = {};
+      if (updates.sync_start_date !== undefined) {
+        allowedUpdates.sync_start_date = updates.sync_start_date;
+        
+        // If moving start date backwards, reset checkpoint to force backfill
+        if (currentAccount && updates.sync_start_date) {
+          const newDate = new Date(updates.sync_start_date).getTime();
+          const oldDate = currentAccount.sync_start_date ? new Date(currentAccount.sync_start_date).getTime() : Infinity;
+          
+          if (newDate < oldDate) {
+            console.log('Sync start date moved backwards, resetting checkpoint for account:', accountId);
+            allowedUpdates.last_sync_checkpoint = null;
+          }
+        }
+      }
+      if (updates.sync_max_emails_per_run !== undefined) allowedUpdates.sync_max_emails_per_run = updates.sync_max_emails_per_run;
+      if (updates.is_active !== undefined) allowedUpdates.is_active = updates.is_active;
+      if (updates.last_sync_checkpoint !== undefined) allowedUpdates.last_sync_checkpoint = updates.last_sync_checkpoint;
+
+      const { data, error } = await supabaseAdmin
+        .from('email_accounts')
+        .update(allowedUpdates)
+        .eq('id', accountId)
+        .eq('user_id', user.id)
+        .select()
+        .single();
+
+      if (error) {
+        console.error('Database error:', error);
+        return createErrorResponse(500, 'Failed to update account');
+      }
+
+      if (!data) {
+        return createErrorResponse(404, 'Account not found');
+      }
+
+      return createSuccessResponse({ account: data });
+    }
+
+    // DELETE /api-v1-accounts/:id - Disconnect account
+    if (req.method === 'DELETE' && pathParts.length === 2) {
+      const accountId = pathParts[1];
+
+      // Verify account ownership
+      const { data: account } = await supabaseAdmin
+        .from('email_accounts')
+        .select('id')
+        .eq('id', accountId)
+        .eq('user_id', user.id)
+        .single();
+
+      if (!account) {
+        return createErrorResponse(404, 'Account not found');
+      }
+
+      // Delete account
+      const { error } = await supabaseAdmin
+        .from('email_accounts')
+        .delete()
+        .eq('id', accountId)
+        .eq('user_id', user.id);
+
+      if (error) {
+        console.error('Database error:', error);
+        return createErrorResponse(500, 'Failed to delete account');
+      }
+
+      return createSuccessResponse({ success: true });
+    }
+
+    return createErrorResponse(405, 'Method not allowed');
+  } catch (error) {
+    console.error('Request error:', error);
+    return createErrorResponse(500, 'Internal server error');
+  }
+});