@serve.zone/dcrouter 14.0.0 → 14.1.0

package/ts/email/classes.workapp-mail-manager.ts

@@ -6,6 +6,12 @@ import * as plugins from '../plugins.js';
 import type * as interfaces from '../../ts_interfaces/index.js';
 
 type TSyncRequest = interfaces.requests.IReq_SyncWorkAppMailIdentity['request'];
+type TMailResourceOwner = plugins.servezoneInterfaces.data.IMailResourceOwner;
+type TMailAddressBinding = plugins.servezoneInterfaces.data.IMailAddressBinding;
+type TMailAddressBindingSync = plugins.servezoneInterfaces.requests.mail.TMailAddressBindingSync;
+type TMailAddressBindingSyncResponse = plugins.servezoneInterfaces.requests.mail.IReq_SyncMailAddressBinding['response'];
+type TMailAddressBindingDeleteResponse = plugins.servezoneInterfaces.requests.mail.IReq_DeleteMailAddressBinding['response'];
+type TWorkAppMailBinding = plugins.servezoneInterfaces.data.IWorkAppMailBinding;
 
 interface IStoredWorkAppMailIdentity extends interfaces.data.IWorkAppMailIdentity {
   smtpPassword: string;
@@ -109,6 +115,89 @@ export class WorkAppMailManager {
     return response;
   }
 
+  public async listMailAddressBindings(options: {
+    owner?: Partial<TMailResourceOwner>;
+    domain?: string;
+    address?: string;
+  } = {}): Promise<TMailAddressBinding[]> {
+    const domain = options.domain ? this.normalizeDomain(options.domain) : undefined;
+    const address = options.address ? this.normalizeAddress(options.address) : undefined;
+    const identities = await this.readStoredIdentities();
+
+    return identities
+      .filter((identity) => this.matchesMailOwner(this.toMailOwner(identity.ownership), options.owner))
+      .filter((identity) => domain ? identity.domain === domain : true)
+      .filter((identity) => address ? identity.address === address : true)
+      .map((identity) => this.toMailAddressBinding(identity));
+  }
+
+  public async listWorkAppMailBindings(
+    owner?: Partial<TMailResourceOwner>,
+  ): Promise<TWorkAppMailBinding[]> {
+    const identities = (await this.readStoredIdentities())
+      .filter((identity) => this.matchesMailOwner(this.toMailOwner(identity.ownership), owner));
+    const groups = new Map<string, IStoredWorkAppMailIdentity[]>();
+
+    for (const identity of identities) {
+      const ownerKey = this.buildMailOwnerKey(this.toMailOwner(identity.ownership));
+      const group = groups.get(ownerKey) || [];
+      group.push(identity);
+      groups.set(ownerKey, group);
+    }
+
+    return Array.from(groups.values()).map((group) => this.toWorkAppMailBinding(group));
+  }
+
+  public async syncMailAddressBinding(
+    binding: TMailAddressBindingSync,
+    createdBy: string,
+  ): Promise<TMailAddressBindingSyncResponse> {
+    const ownership = this.normalizeMailResourceOwner(binding.owner);
+    const { localPart, domain } = this.normalizeMailAddressParts(binding);
+    const syncRequest: TSyncRequest = {
+      ownership,
+      localPart,
+      domain,
+      inbound: this.toLegacyInboundRoute(binding.inboundTarget),
+      enabled: binding.enabled,
+    };
+
+    if (binding.outboundIdentityId !== undefined) {
+      syncRequest.smtpEnabled = Boolean(binding.outboundIdentityId);
+    }
+
+    const result = await this.syncMailIdentity(syncRequest, createdBy);
+
+    return {
+      success: result.success,
+      binding: result.identity ? this.toMailAddressBinding(result.identity) : undefined,
+      message: result.message,
+    };
+  }
+
+  public async deleteMailAddressBinding(
+    id: string,
+    createdBy: string,
+  ): Promise<TMailAddressBindingDeleteResponse> {
+    const identities = await this.readStoredIdentities();
+    const identity = identities.find((storedIdentity) => storedIdentity.id === id || storedIdentity.externalKey === id);
+    if (!identity) {
+      return { success: true };
+    }
+
+    const result = await this.syncMailIdentity({
+      ownership: identity.ownership,
+      localPart: identity.localPart,
+      domain: identity.domain,
+      delete: true,
+    }, createdBy);
+
+    return {
+      success: result.success,
+      message: result.message,
+    };
+  }
+
   public async applyStoredIdentitiesToEmailConfig<TConfig extends IUnifiedEmailServerOptions>(
     emailConfig: TConfig,
   ): Promise<TConfig> {
@@ -251,6 +340,63 @@ export class WorkAppMailManager {
     return normalized;
   }
 
+  private normalizeAddress(address: string): string {
+    const normalized = address?.trim().toLowerCase();
+    const [localPart, domain, extra] = normalized?.split('@') || [];
+    if (!localPart || !domain || extra) {
+      throw new Error(`Invalid email address: ${address}`);
+    }
+    return `${this.normalizeLocalPart(localPart)}@${this.normalizeDomain(domain)}`;
+  }
+
+  private normalizeMailResourceOwner(owner: TMailResourceOwner): interfaces.data.IWorkAppMailOwnership {
+    const gatewayClientType = owner.gatewayClientType;
+    const gatewayClientId = owner.gatewayClientId?.trim();
+    const appInstanceId = owner.appInstanceId?.trim();
+
+    if (gatewayClientType !== 'onebox' && gatewayClientType !== 'cloudly' && gatewayClientType !== 'custom') {
+      throw new Error(`Invalid gateway client type: ${gatewayClientType}`);
+    }
+    if (!gatewayClientId) throw new Error('gatewayClientId is required');
+    if (!appInstanceId) throw new Error('appInstanceId is required');
+
+    return {
+      workHosterType: gatewayClientType as interfaces.data.TGatewayClientType,
+      workHosterId: gatewayClientId,
+      workAppId: appInstanceId,
+    };
+  }
+
+  private normalizeMailAddressParts(binding: TMailAddressBindingSync): {
+    localPart: string;
+    domain: string;
+  } {
+    const localPart = this.normalizeLocalPart(binding.localPart);
+    const domain = this.normalizeDomain(binding.domain);
+    const address = this.normalizeAddress(binding.address);
+    if (address !== `${localPart}@${domain}`) {
+      throw new Error('mail address, localPart, and domain do not match');
+    }
+    return { localPart, domain };
+  }
+
+  private toLegacyInboundRoute(
+    inboundTarget?: TMailAddressBinding['inboundTarget'],
+  ): interfaces.data.IWorkAppMailInboundRoute | undefined {
+    if (!inboundTarget) return undefined;
+    if (inboundTarget.type !== 'smtpForward' || !inboundTarget.smtpForward) {
+      throw new Error(`Unsupported WorkApp mail inbound target: ${inboundTarget.type}`);
+    }
+
+    return this.normalizeInboundRoute({
+      enabled: true,
+      targetHost: inboundTarget.smtpForward.host,
+      targetPort: inboundTarget.smtpForward.port,
+      preserveHeaders: inboundTarget.smtpForward.preserveHeaders,
+      addHeaders: inboundTarget.smtpForward.addHeaders,
+    });
+  }
+
   private normalizeInboundRoute(
     inbound?: interfaces.data.IWorkAppMailInboundRoute,
   ): interfaces.data.IWorkAppMailInboundRoute | undefined {
@@ -282,6 +428,17 @@ export class WorkAppMailManager {
     return true;
   }
 
+  private matchesMailOwner(
+    owner: TMailResourceOwner,
+    filter?: Partial<TMailResourceOwner>,
+  ): boolean {
+    if (!filter) return true;
+    if (filter.gatewayClientType && filter.gatewayClientType !== owner.gatewayClientType) return false;
+    if (filter.gatewayClientId && filter.gatewayClientId !== owner.gatewayClientId) return false;
+    if (filter.appInstanceId && filter.appInstanceId !== owner.appInstanceId) return false;
+    return true;
+  }
+
   private buildExternalKey(
     ownership: interfaces.data.IWorkAppMailOwnership,
     address: string,
@@ -298,6 +455,14 @@ export class WorkAppMailManager {
     return `workapp-${this.hashExternalKey(externalKey).slice(0, 24)}`;
   }
 
+  private buildMailOwnerKey(owner: TMailResourceOwner): string {
+    return [
+      owner.gatewayClientType,
+      owner.gatewayClientId,
+      owner.appInstanceId,
+    ].join(':');
+  }
+
   private buildRouteName(externalKey: string): string {
     return `workapp-mail-${this.hashExternalKey(externalKey).slice(0, 32)}`;
   }
@@ -334,6 +499,75 @@ export class WorkAppMailManager {
     };
   }
 
+  private toMailOwner(ownership: interfaces.data.IWorkAppMailOwnership): TMailResourceOwner & { appInstanceId: string } {
+    return {
+      gatewayClientType: ownership.workHosterType,
+      gatewayClientId: ownership.workHosterId,
+      appInstanceId: ownership.workAppId,
+    };
+  }
+
+  private toMailInboundTarget(
+    inbound?: interfaces.data.IWorkAppMailInboundRoute,
+  ): TMailAddressBinding['inboundTarget'] {
+    if (!inbound?.enabled) return undefined;
+    return {
+      type: 'smtpForward',
+      smtpForward: {
+        host: inbound.targetHost,
+        port: inbound.targetPort,
+        preserveHeaders: inbound.preserveHeaders,
+        addHeaders: inbound.addHeaders,
+      },
+    };
+  }
+
+  private toMailAddressBinding(
+    identity: interfaces.data.IWorkAppMailIdentity,
+  ): TMailAddressBinding {
+    return {
+      id: identity.id,
+      owner: this.toMailOwner(identity.ownership),
+      address: identity.address,
+      localPart: identity.localPart,
+      domain: identity.domain,
+      enabled: identity.enabled,
+      status: identity.enabled ? 'active' : 'disabled',
+      inboundTarget: this.toMailInboundTarget(identity.inbound),
+      outboundIdentityId: identity.smtp.enabled ? identity.smtp.username : undefined,
+      recipientPolicy: {
+        mode: 'staticList',
+        staticRecipients: [identity.address],
+      },
+      createdAt: identity.createdAt,
+      updatedAt: identity.updatedAt,
+      createdBy: identity.createdBy,
+    };
+  }
+
+  private toWorkAppMailBinding(
+    identities: IStoredWorkAppMailIdentity[],
+  ): TWorkAppMailBinding {
+    const [firstIdentity] = identities;
+    const owner = this.toMailOwner(firstIdentity.ownership);
+    const enabledIdentities = identities.filter((identity) => identity.enabled);
+    const smtpIdentities = identities.filter((identity) => identity.smtp.enabled);
+
+    return {
+      id: `workapp-mail-${this.hashExternalKey(this.buildMailOwnerKey(owner)).slice(0, 32)}`,
+      owner,
+      enabled: enabledIdentities.length > 0,
+      status: enabledIdentities.length > 0 ? 'active' : 'disabled',
+      addressBindingIds: identities.map((identity) => identity.id),
+      outboundIdentityIds: smtpIdentities.map((identity) => identity.smtp.username),
+      defaultFrom: enabledIdentities[0]?.address || firstIdentity.address,
+      inboundTarget: identities.length === 1 ? this.toMailInboundTarget(firstIdentity.inbound) : undefined,
+      createdAt: Math.min(...identities.map((identity) => identity.createdAt)),
+      updatedAt: Math.max(...identities.map((identity) => identity.updatedAt)),
+      createdBy: firstIdentity.createdBy,
+    };
+  }
+
   private toPublicIdentity(
     identity: IStoredWorkAppMailIdentity,
   ): interfaces.data.IWorkAppMailIdentity {

package/ts/opsserver/handlers/config.handler.ts

@@ -39,14 +39,7 @@ export class ConfigHandler {
       ? 'custom'
       : 'filesystem';
 
-    // Resolve proxy IPs: fall back to SmartProxy's runtime proxyIPs if not in opts
-    let proxyIps = opts.proxyIps || [];
-    if (proxyIps.length === 0 && dcRouter.smartProxy) {
-      const spSettings = (dcRouter.smartProxy as any).settings;
-      if (spSettings?.proxyIPs?.length > 0) {
-        proxyIps = spSettings.proxyIPs;
-      }
-    }
+    const proxyIps = opts.proxyIps || [];
 
     const system: interfaces.requests.IConfigData['system'] = {
       baseDir: resolvedPaths.dcrouterHomeDir,

package/ts/opsserver/handlers/workhoster.handler.ts

@@ -257,6 +257,83 @@ export class WorkHosterHandler {
         },
       ),
     );
+
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<plugins.servezoneInterfaces.requests.mail.IReq_ListMailAddressBindings>(
+        'listMailAddressBindings',
+        async (dataArg) => {
+          const auth = await this.requireAuth(dataArg.auth || {}, 'gateway-clients:read');
+          const manager = this.opsServerRef.dcRouterRef.workAppMailManager;
+          if (!manager) return { bindings: [] };
+          return {
+            bindings: await manager.listMailAddressBindings({
+              owner: this.resolveMailOwnerFilter(auth, dataArg.owner),
+              domain: dataArg.domain,
+              address: dataArg.address,
+            }),
+          };
+        },
+      ),
+    );
+
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<plugins.servezoneInterfaces.requests.mail.IReq_SyncMailAddressBinding>(
+        'syncMailAddressBinding',
+        async (dataArg) => {
+          const auth = await this.requireAuth(dataArg.auth || {}, 'gateway-clients:write');
+          this.assertCapability(auth, 'syncRoutes');
+          const manager = this.opsServerRef.dcRouterRef.workAppMailManager;
+          if (!manager) {
+            return { success: false, message: 'WorkApp mail manager not initialized' };
+          }
+          try {
+            const binding = {
+              ...dataArg.binding,
+              owner: this.resolveMailOwner(auth, dataArg.binding.owner),
+            };
+            this.assertMailForwardTargetAllowed(auth, binding.inboundTarget);
+            return await manager.syncMailAddressBinding(binding, auth.userId);
+          } catch (error) {
+            return { success: false, message: (error as Error).message };
+          }
+        },
+      ),
+    );
+
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<plugins.servezoneInterfaces.requests.mail.IReq_DeleteMailAddressBinding>(
+        'deleteMailAddressBinding',
+        async (dataArg) => {
+          const auth = await this.requireAuth(dataArg.auth || {}, 'gateway-clients:write');
+          this.assertCapability(auth, 'syncRoutes');
+          const manager = this.opsServerRef.dcRouterRef.workAppMailManager;
+          if (!manager) {
+            return { success: false, message: 'WorkApp mail manager not initialized' };
+          }
+          if (auth.token?.policy?.role === 'gatewayClient') {
+            const bindings = await manager.listMailAddressBindings({
+              owner: this.resolveMailOwnerFilter(auth),
+            });
+            const binding = bindings.find((candidate) => candidate.id === dataArg.id);
+            if (!binding) return { success: true };
+            return await manager.deleteMailAddressBinding(binding.id, auth.userId);
+          }
+          return await manager.deleteMailAddressBinding(dataArg.id, auth.userId);
+        },
+      ),
+    );
+
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<plugins.servezoneInterfaces.requests.mail.IReq_ListWorkAppMailBindings>(
+        'listWorkAppMailBindings',
+        async (dataArg) => {
+          const auth = await this.requireAuth(dataArg.auth || {}, 'gateway-clients:read');
+          const manager = this.opsServerRef.dcRouterRef.workAppMailManager;
+          if (!manager) return { bindings: [] };
+          return { bindings: await manager.listWorkAppMailBindings(this.resolveMailOwnerFilter(auth, dataArg.owner)) };
+        },
+      ),
+    );
   }
 
   private getGatewayCapabilities(): interfaces.data.IGatewayCapabilities {
@@ -335,7 +412,7 @@ export class WorkHosterHandler {
     const policy = auth.token?.policy;
     if (!policy || policy.role !== 'gatewayClient') return;
     if (policy.capabilities?.[capability] === true) return;
-    throw new plugins.typedrequest.TypedResponseError(`token capability missing: ${capability}`);
+    throw new plugins.typedrequest.TypedResponseError(`token capability missing: ${String(capability)}`);
   }
 
   private resolveGatewayClientId(auth: TAuthContext, requestedId?: string): string | undefined {
@@ -376,6 +453,39 @@ export class WorkHosterHandler {
     return ownership as Required<interfaces.data.IGatewayClientOwnership>;
   }
 
+  private resolveMailOwnerFilter(
+    auth: TAuthContext,
+    owner?: Partial<plugins.servezoneInterfaces.data.IMailResourceOwner>,
+  ): Partial<plugins.servezoneInterfaces.data.IMailResourceOwner> | undefined {
+    const policy = auth.token?.policy;
+    if (policy?.role !== 'gatewayClient') return owner;
+    if (!policy.gatewayClient) {
+      throw new plugins.typedrequest.TypedResponseError('gateway client token is missing gatewayClient binding');
+    }
+    if (owner?.gatewayClientType && owner.gatewayClientType !== policy.gatewayClient.type) {
+      throw new plugins.typedrequest.TypedResponseError('gateway client token cannot act for this ownership');
+    }
+    if (owner?.gatewayClientId && owner.gatewayClientId !== policy.gatewayClient.id) {
+      throw new plugins.typedrequest.TypedResponseError('gateway client token cannot act for this ownership');
+    }
+    return {
+      ...owner,
+      gatewayClientType: policy.gatewayClient.type,
+      gatewayClientId: policy.gatewayClient.id,
+    };
+  }
+
+  private resolveMailOwner(
+    auth: TAuthContext,
+    owner: plugins.servezoneInterfaces.data.IMailResourceOwner,
+  ): plugins.servezoneInterfaces.data.IMailResourceOwner {
+    const resolvedOwner = this.resolveMailOwnerFilter(auth, owner);
+    if (!resolvedOwner?.gatewayClientType || !resolvedOwner.gatewayClientId) {
+      throw new plugins.typedrequest.TypedResponseError('mail owner is missing gateway client type or id');
+    }
+    return resolvedOwner as plugins.servezoneInterfaces.data.IMailResourceOwner;
+  }
+
   private assertGatewayClientOwnership(auth: TAuthContext, ownership: Required<interfaces.data.IGatewayClientOwnership>): void {
     const policy = auth.token?.policy;
     if (!policy || policy.role !== 'gatewayClient') return;
@@ -404,6 +514,26 @@ export class WorkHosterHandler {
     }
   }
 
+  private assertMailForwardTargetAllowed(
+    auth: TAuthContext,
+    target?: plugins.servezoneInterfaces.data.IMailInboundTarget,
+  ): void {
+    const policy = auth.token?.policy;
+    if (!policy || policy.role !== 'gatewayClient' || !target?.smtpForward) return;
+    const allowedTargets = policy.allowedRouteTargets || [];
+    if (allowedTargets.length === 0) {
+      throw new plugins.typedrequest.TypedResponseError('gateway client token has no allowed route targets');
+    }
+    const host = target.smtpForward.host.trim().toLowerCase();
+    const port = Number(target.smtpForward.port);
+    const allowed = allowedTargets.some((allowedTarget) => {
+      return allowedTarget.host.trim().toLowerCase() === host && allowedTarget.ports.includes(port);
+    });
+    if (!allowed) {
+      throw new plugins.typedrequest.TypedResponseError(`mail target is outside token policy: ${host}:${port}`);
+    }
+  }
+
   private matchesHostnamePatterns(hostname: string, patterns: string[]): boolean {
     const normalizedHostname = hostname.trim().toLowerCase();
     if (!normalizedHostname) return false;

package/ts_web/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/dcrouter',
-  version: '14.0.0',
+  version: '14.1.0',
   description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }