@stamhoofd/backend 1.0.0

package/src/helpers/Context.ts

@@ -0,0 +1,202 @@
+import { Request } from "@simonbackx/simple-endpoints";
+import { SimpleError } from "@simonbackx/simple-errors";
+import { I18n } from "@stamhoofd/backend-i18n";
+import { Organization, Platform, RateLimiter, Token, User } from "@stamhoofd/models";
+import { AsyncLocalStorage } from "async_hooks";
+
+import { AdminPermissionChecker } from "./AdminPermissionChecker";
+
+export const apiUserRateLimiter = new RateLimiter({
+    limits: [
+        {   
+            // Block heavy bursts (5req/s for 5s)
+            limit: 25,
+            duration: 5 * 1000
+        },
+        {   
+            // max 1req/s during 150s
+            limit: 150,
+            duration: 150 * 1000
+        },
+        {   
+            // 1000 requests per hour
+            limit: 1000,
+            duration: 60 * 1000 * 60
+        },
+        {   
+            // 2000 requests per day
+            limit: 2000,
+            duration: 24 * 60 * 1000 * 60
+        }
+    ]
+});
+
+export class ContextInstance {
+    request: Request
+
+    user?: User
+    organization?: Organization
+
+    #i18n: I18n|null = null
+    #auth: AdminPermissionChecker|null = null
+
+    constructor(request: Request) {
+        this.request = request;
+    }
+
+    static asyncLocalStorage = new AsyncLocalStorage<ContextInstance>();
+
+    static get current(): ContextInstance {
+        const c = this.asyncLocalStorage.getStore();
+
+        if (!c) {
+            throw new SimpleError({
+                code: 'no_context',
+                message: 'No context found',
+                statusCode: 500
+            })
+        }
+
+        return c;
+    }
+
+    static async start<T>(request: Request, handler: () => Promise<T>): Promise<T> {
+        const context = new ContextInstance(request);
+
+        return await this.asyncLocalStorage.run(context, async () => {
+            return await handler()
+        });
+    }
+
+    get version() {
+        return this.request.getVersion()
+    }
+
+    get i18n() {
+        if (!this.#i18n) {
+            this.#i18n = I18n.fromRequest(this.request)
+        }
+        return this.#i18n
+    }
+
+    get auth() {
+        if (!this.#auth) {
+            throw new SimpleError({
+                code: 'internal_error',
+                statusCode: 500,
+                message: 'AdminPermissionChecker not set in RequestContext: make sure the request is authenticated before using the permissionChecker'
+            })
+        }
+        return this.#auth
+    }
+
+    get optionalAuth() {
+        return this.#auth
+    }
+
+    async setOptionalOrganizationScope() {
+        try {
+            return await this.setOrganizationScope()
+        } catch (e) {
+            return null
+        }
+    }
+
+    /**
+     * Require organization scope if userMode is not platform
+     */
+    async setUserOrganizationScope() {
+        if (STAMHOOFD.userMode === 'platform') {
+            return null;
+        }
+        return await this.setOrganizationScope()
+    }
+
+    async setOrganizationScope() {
+        const organization = await Organization.fromApiHost(this.request.host);
+
+        this.organization = organization
+        this.i18n.switchToLocale({ country: organization.address.country })
+
+        return organization
+    }
+
+    async optionalAuthenticate({allowWithoutAccount = false}: {allowWithoutAccount?: boolean} = {}): Promise<{user?: User}> {
+        const header = this.request.headers.authorization
+        if (!header) {
+            return {}
+        }
+        return this.authenticate({allowWithoutAccount})
+    }
+
+    async authenticate({allowWithoutAccount = false}: {allowWithoutAccount?: boolean} = {}): Promise<{user: User, token: Token}> {
+        const header = this.request.headers.authorization
+        if (!header) {
+            throw new SimpleError({
+                code: "not_authenticated",
+                message: "Missing required authorization header",
+                statusCode: 401
+            })
+        }
+
+        if (!header.startsWith("Bearer ")) {
+            throw new SimpleError({
+                code: "not_supported_authentication",
+                message: "Authentication method not supported. Please authenticate with OAuth2",
+                statusCode: 401
+            })
+        }
+
+        const accessToken = header.substring("Bearer ".length);
+
+        const token = await Token.getByAccessToken(accessToken, true)
+        
+        if (!token || (this.organization && token.user.organizationId !== null && token.user.organizationId !== this.organization.id) || (!this.organization && token.user.organizationId)) {
+            throw new SimpleError({
+                code: "invalid_access_token",
+                message: "The access token is invalid",
+                human: "Je bent automatisch uitgelogd, log opnieuw in om verder te gaan",
+                statusCode: 401
+            })
+        }
+        
+        if (token.isAccessTokenExpired()) {
+            throw new SimpleError({
+                code: "expired_access_token",
+                message: "The access token is expired",
+                human: "Je bent automatisch uitgelogd, log opnieuw in om verder te gaan",
+                statusCode: 401
+            })
+        }
+
+        if (!token.user.hasAccount() && !allowWithoutAccount) {
+            throw new SimpleError({
+                code: "not_activated",
+                message: "This user is not yet activated",
+                human: "Maak een account aan op dit e-mailadres om een wachtwoord in te stellen voor je inlogt.",
+                statusCode: 401
+            })
+        }
+
+        // Rate limits for api users
+        if (token.user.isApiUser) {
+            apiUserRateLimiter.track(this.organization?.id ?? token.user.id)
+        }
+
+        const user = token.user
+        this.user = user
+        this.#auth = new AdminPermissionChecker(user, await Platform.getSharedPrivateStruct(), this.organization);
+
+        return {user, token};
+    }
+}
+
+export const Context = new Proxy(ContextInstance, {
+    get(target, prop, receiver) {
+        const c = target.current[prop];
+        if (c && typeof c == 'function') {
+            return c.bind(target.current)
+        }
+        return c;
+    }
+}) as unknown as ContextInstance;

package/src/helpers/CookieHelper.ts

@@ -0,0 +1,45 @@
+import { DecodedRequest, Response } from "@simonbackx/simple-endpoints";
+import cookie from 'cookie';
+
+type DecodedRequestWithCookies = DecodedRequest<any, any, any> & { cookies?: Record<string, string>}
+
+export class CookieHelper {
+    static getCookies(request: DecodedRequest<any, any, any>): Record<string, string> {
+        const r = request as DecodedRequestWithCookies
+        if (r.cookies) {
+            return r.cookies
+        }
+
+        const header = r.headers.cookie
+        if (!header) {
+            r.cookies = {}
+            return r.cookies
+        }
+
+        // Parse
+        r.cookies = cookie.parse(header)
+        return r.cookies
+    }
+
+    static getCookie(request: DecodedRequest<any, any, any>, name: string): string | undefined {
+        const cookies = this.getCookies(request)
+        return cookies[name]
+    }
+
+    static setCookie(response: Response<any>, name: string, value: string, options?: cookie.CookieSerializeOptions | undefined) {
+        const cookies = cookie.serialize(name, value, options)
+        let currentCookies = response.headers['set-cookie']
+        if (!currentCookies) {
+            response.headers['set-cookie'] = [
+                cookies
+            ]
+        } else {
+            if (!Array.isArray(currentCookies)) {
+                currentCookies = [currentCookies.toString()]
+                response.headers['set-cookie'] = currentCookies
+            }
+            // eslint-disable-next-line @typescript-eslint/no-unsafe-argument
+            (currentCookies ).push(cookies)
+        }
+    }
+}

package/src/helpers/ForwardHandler.test.ts

@@ -0,0 +1,216 @@
+/* eslint-disable jest/expect-expect */
+
+import { EmailAddress } from "@stamhoofd/email"
+import { OrganizationFactory, UserFactory } from "@stamhoofd/models"
+import { OrganizationEmail, PermissionLevel, Permissions } from "@stamhoofd/structures"
+
+import { ForwardHandler } from "./ForwardHandler"
+
+describe("ForwardHandler", () => {
+    it("should send to default e-mail", async () => {
+        const organization = await new OrganizationFactory({}).create()
+        organization.privateMeta.emails.push(OrganizationEmail.create({
+            name: "First",
+            email: "first@example.com"
+        }))
+        organization.privateMeta.emails.push(OrganizationEmail.create({
+            name: "default",
+            email: "def@example.com",
+            default: true
+        }))
+        await organization.save()
+
+        const options = await ForwardHandler.handle("From: someone@example.com\nSubject: Hello\nTo: "+organization.uri + "@stamhoofd.email\nContent-Type: text/plain\n\nContent hier", {
+            recipients: [organization.uri + "@stamhoofd.email"],
+            spamVerdict: { status: 'PASS' },
+            virusVerdict: { status: 'PASS' },
+            spfVerdict: { status: 'PASS' },
+            dkimVerdict: { status: 'PASS' },
+            dmarcVerdict: { status: 'PASS' },
+        })
+        expect(options).toMatchObject({
+            to: [
+                {
+                    email: "def@example.com",
+                    name: "default",
+                }
+            ],
+            subject: "Hello",
+            replyTo: "someone@example.com"
+        })
+        expect(options!.text).toContain("Content hier")
+    })
+
+    it("should send to first e-mail", async () => {
+        const organization = await new OrganizationFactory({}).create()
+        organization.privateMeta.emails.push(OrganizationEmail.create({
+            name: "First",
+            email: "first@example.com"
+        }))
+        organization.privateMeta.emails.push(OrganizationEmail.create({
+            name: "second",
+            email: "second@example.com",
+        }))
+        await organization.save()
+
+        const options = await ForwardHandler.handle("From: someone@example.com\nSubject: Hello\nTo: "+organization.uri + "@stamhoofd.email\nContent-Type: text/plain\n\nContent hier", {
+            recipients: [organization.uri + "@stamhoofd.email"],
+            spamVerdict: { status: 'PASS' },
+            virusVerdict: { status: 'PASS' },
+            spfVerdict: { status: 'PASS' },
+            dkimVerdict: { status: 'PASS' },
+            dmarcVerdict: { status: 'PASS' },
+        })
+        expect(options).toMatchObject({
+            to: [
+                {
+                    email: "first@example.com",
+                    name: "First"
+                }
+            ],
+            subject: "Hello",
+            replyTo: "someone@example.com"
+        })
+        expect(options!.text).toContain("Content hier")
+    })
+
+    it("should send to administrators if no emails defined", async () => {
+        const organization = await new OrganizationFactory({}).create()
+        const user = await new UserFactory({ organization, permissions: Permissions.create({ level: PermissionLevel.Full }) }).create()
+
+        const options = await ForwardHandler.handle("From: someone@example.com\nSubject: Hello\nTo: "+organization.uri + "@stamhoofd.email\nContent-Type: text/plain\n\nContent hier", {
+            recipients: [organization.uri + "@stamhoofd.email"],
+            spamVerdict: { status: 'PASS' },
+            virusVerdict: { status: 'PASS' },
+            spfVerdict: { status: 'PASS' },
+            dkimVerdict: { status: 'PASS' },
+            dmarcVerdict: { status: 'PASS' },
+        })
+        expect(options).toMatchObject({
+            to: [
+                {
+                    email: user.email,
+                    name: null
+                }
+            ],
+            subject: "Hello",
+            replyTo: "someone@example.com"
+        })
+        expect(options!.text).toContain("Content hier")
+
+        // Check notice
+        expect(options!.text).toContain("naar alle beheerders")
+    })
+
+    it("should send to all full administrators if no emails defined", async () => {
+        const organization = await new OrganizationFactory({}).create()
+        const user = await new UserFactory({ organization, permissions: Permissions.create({ level: PermissionLevel.Full }) }).create()
+        const user2 = await new UserFactory({ organization, permissions: Permissions.create({ level: PermissionLevel.Full }) }).create()
+        
+        // Admin that should get ignored
+        await new UserFactory({ organization, permissions: Permissions.create({ level: PermissionLevel.Read }) }).create()
+
+        const options = await ForwardHandler.handle("From: someone@example.com\nSubject: Hello\nTo: "+organization.uri + "@stamhoofd.email\nContent-Type: text/plain\n\nContent hier", {
+            recipients: [organization.uri + "@stamhoofd.email"],
+            spamVerdict: { status: 'PASS' },
+            virusVerdict: { status: 'PASS' },
+            spfVerdict: { status: 'PASS' },
+            dkimVerdict: { status: 'PASS' },
+            dmarcVerdict: { status: 'PASS' },
+        })
+
+        expect(options).toMatchObject({
+            subject: "Hello",
+            replyTo: "someone@example.com"
+        })
+        expect(options!.to).toIncludeAllMembers([
+            {
+                email: user.email,
+                name: null
+            },
+            {
+                email: user2.email,
+                name: null
+            }
+        ])
+        expect(options!.text).toContain("Content hier")
+
+        // Check notice
+        expect(options!.text).toContain("naar alle beheerders")
+    })
+
+    it("should ignore aws bounce emails", async () => {
+        const organization = await new OrganizationFactory({}).create()
+        organization.privateMeta.emails.push(OrganizationEmail.create({
+            name: "First",
+            email: "first@example.com"
+        }))
+        organization.privateMeta.emails.push(OrganizationEmail.create({
+            name: "second",
+            email: "second@example.com",
+        }))
+        await organization.save()
+
+        const options = await ForwardHandler.handle("From: bounces@amazonses.com\nSubject: Hello\nTo: "+organization.uri + "@stamhoofd.email\nContent-Type: text/plain\n\nContent hier", {
+            recipients: [organization.uri + "@stamhoofd.email"],
+            spamVerdict: { status: 'PASS' },
+            virusVerdict: { status: 'PASS' },
+            spfVerdict: { status: 'PASS' },
+            dkimVerdict: { status: 'PASS' },
+            dmarcVerdict: { status: 'PASS' },
+        })
+        expect(options).toBeUndefined()
+    })
+
+    it("should ignore aws bounce emails for unknown organizations", async () => {
+        const options = await ForwardHandler.handle("From: bounces@amazonses.com\nSubject: Hello\nTo: ksjdgsdgkjlsdg@stamhoofd.email\nContent-Type: text/plain\n\nContent hier", {
+            recipients: ["ksjdgsdgkjlsdg@stamhoofd.email"],
+            spamVerdict: { status: 'PASS' },
+            virusVerdict: { status: 'PASS' },
+            spfVerdict: { status: 'PASS' },
+            dkimVerdict: { status: 'PASS' },
+            dmarcVerdict: { status: 'PASS' },
+        })
+        expect(options).toBeUndefined()
+    })
+
+    it("should unsubscribe email addresses that send to unsubscribe", async () => {
+        const address = new EmailAddress()
+        address.email = "exampleaddress-unsusbcribe-test@example.com";
+        address.organizationId = null
+        address.token = null;
+        await address.save()
+
+        const id = address.id
+
+        const options = await ForwardHandler.handle(`From: bounces@amazonses.com\nSubject: Hello\nTo: unsubscribe+${id}@stamhoofd.email\nContent-Type: text/plain\n\nContent hier`, {
+            recipients: [`unsubscribe+${id}@stamhoofd.email`],
+            spamVerdict: { status: 'PASS' },
+            virusVerdict: { status: 'PASS' },
+            spfVerdict: { status: 'PASS' },
+            dkimVerdict: { status: 'PASS' },
+            dmarcVerdict: { status: 'PASS' },
+        })
+        expect(options).toBeUndefined()
+
+        // Refresh adress and check unsubscribed for all
+        const updatedAddress = await EmailAddress.getByID(id)
+        expect(updatedAddress).toBeDefined()
+        expect(updatedAddress!.unsubscribedAll).toEqual(true);
+    })
+
+    it("should forward unsubscribe emails to unrecognized id", async () => {
+        const options = await ForwardHandler.handle(`From: bounces@amazonses.com\nSubject: Hello\nTo: unsubscribe+testid@stamhoofd.email\nContent-Type: text/plain\n\nContent hier`, {
+            recipients: [`unsubscribe+testid@stamhoofd.email`],
+            spamVerdict: { status: 'PASS' },
+            virusVerdict: { status: 'PASS' },
+            spfVerdict: { status: 'PASS' },
+            dkimVerdict: { status: 'PASS' },
+            dmarcVerdict: { status: 'PASS' },
+        })
+        expect(options).toMatchObject({
+             to: "hallo@stamhoofd.be",
+            subject: "E-mail unsubscribe mislukt",
+        });
+    })
+})

package/src/helpers/ForwardHandler.ts

@@ -0,0 +1,140 @@
+import { EmailAddress, EmailInterfaceRecipient } from "@stamhoofd/email";
+import { Organization } from "@stamhoofd/models";
+import { Formatter } from "@stamhoofd/utility";
+import { simpleParser } from "mailparser";
+
+export class ForwardHandler {
+    static async handle(content: any, receipt: {
+            recipients: string[];
+            spamVerdict: { status: 'PASS' | string };
+            virusVerdict: { status: 'PASS' | string };
+            spfVerdict: { status: 'PASS' | string };
+            dkimVerdict: { status: 'PASS' | string };
+            dmarcVerdict: { status: 'PASS' | string };
+        }
+    ) {
+        const recipients = receipt.recipients
+        const email: string | undefined = recipients[0]
+        const organization: Organization | undefined = email ? await Organization.getByEmail(email) : undefined
+
+        const parsed = await simpleParser(content);
+        const from = parsed.from?.value[0]?.address
+
+        if (from && from.endsWith("amazonses.com") && organization) {
+            console.log("Bounce e-mails from AWS SES for organizations are not forwarded. Received from "+from+", to "+email)
+            return;
+        }
+
+        // Unsubscribe email?
+        if (email && email?.startsWith("unsubscribe+") && email.endsWith('@stamhoofd.email')) {
+            // Get id
+            const id = email.substring("unsubscribe+".length, email.indexOf('@stamhoofd.email'))
+            const model = await EmailAddress.getByID(id)
+            
+            if (model) {
+                console.log('[Unsubscribe] Received an unsubscribe request for ' + model.email + ' from ' + from)
+                if (model.unsubscribedAll) {
+                    // Ignore
+                    return;
+                }
+                model.unsubscribedAll = true
+                await model.save()
+            } else {
+                console.error('[Unsubscribe] Received an unsubscribe request for unknown ID ' + id + ' from ' + from)
+
+                // Forward
+                return {
+                    from: "unsubscribe@stamhoofd.be",
+                    to: "hallo@stamhoofd.be",
+                    subject: "E-mail unsubscribe mislukt",
+                    text: "Beste,\n\nEr werd een unsubscribe gemeld op "+email+" die niet kon worden verwerkt. Gelieve dit na te kijken.\n\nStamhoofd"
+                }
+
+            }
+            return;
+        }
+
+        if (receipt.spamVerdict.status != "PASS" || receipt.virusVerdict.status != "PASS" || !(receipt.spfVerdict.status == "PASS" || receipt.dkimVerdict.status == "PASS")) {
+            console.error("Received spam or virus e-mail. Ignoring", 'to', recipients, 'from', email, 'subject', parsed.subject)
+            return;
+        }
+
+        // Send a new e-mail
+        let defaultEmail: EmailInterfaceRecipient[]|string = "hallo@stamhoofd.be"
+        let organizationEmails: EmailInterfaceRecipient[] = []
+        const extraDescription = "Dit bericht werd verstuurd naar "+email+", en werd automatisch doorgestuurd naar alle beheerders. Stel in Stamhoofd de e-mailadressen in om ervoor te zorgen dat antwoorden naar een specifiek e-mailadres worden verstuurd."
+        
+        function doBounce() {
+            if (!from) {
+                return
+            }
+
+            if (from.endsWith("@amazonses.com")) {
+                // Ignore
+                return
+            }
+
+            // Send back to receiver without including the original message to avoid spam
+            return {
+                from: email ?? "unknown@stamhoofd.be",
+                to: from,
+                subject: "Ongeldig e-mailadres",
+                text: "Beste,\n\nDe vereniging die je probeert te bereiken via "+email+" is helaas niet bereikbaar via dit e-mailadres. Dit e-mailadres wordt enkel gebruikt voor het versturen van automatische e-mails in naam van een vereniging. Probeer de vereniging te contacteren via een ander e-mailadres.\n\nBedankt."
+            }
+        }
+        
+        if (organization) {
+            organizationEmails = await organization.getReplyEmails()
+            if (!organizationEmails) {
+                if (STAMHOOFD.environment === "test") {
+                    // ignore
+                } else {
+                    console.error("Missing reply emails for organization "+organization.id)
+                }
+                return doBounce();
+            } else {
+                defaultEmail = organizationEmails
+            }
+        } else {
+            return doBounce();
+        }
+
+        console.log("Forward to "+defaultEmail)       
+        
+        let html: string | undefined = undefined
+
+        if (parsed.html !== false) {
+            // Search for body
+            const body = parsed.html.toLowerCase().indexOf("<body")
+
+            if (body != -1) {
+                const endTag = parsed.html.indexOf(">", body)
+                html = parsed.html.substring(0, endTag + 1) + "<p><i>"+Formatter.escapeHtml(extraDescription)+"<br><br></i></p>"+parsed.html.substring(endTag + 1)
+            } else {
+                html = "<p><i>"+Formatter.escapeHtml(extraDescription)+"<br><br></i></p>"+parsed.html
+            }
+        }
+
+        const options = {
+            from: email ?? "unknown@stamhoofd.be",
+            to: defaultEmail,
+            replyTo: parsed.from?.text,
+            subject: parsed.subject ?? "Doorgestuurd bericht",
+            text: parsed.text ? extraDescription + "\n\n" + parsed.text : undefined,
+            html: html,
+            attachments: parsed.attachments.flatMap(a => {
+                if (a.cid) {
+                    // Already done inline in html
+                    return []
+                }
+                return [{
+                    filename: a.filename ?? "",
+                    content: a.content.toString("utf-8"),
+                    contentType: a.contentType
+                }]
+            })
+        }
+
+        return options
+    }
+}