@stamhoofd/backend 2.92.0 → 2.93.0

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@stamhoofd/backend",
-    "version": "2.92.0",
+    "version": "2.93.0",
     "main": "./dist/index.js",
     "exports": {
         ".": {
@@ -45,14 +45,14 @@
         "@simonbackx/simple-encoding": "2.22.0",
         "@simonbackx/simple-endpoints": "1.20.1",
         "@simonbackx/simple-logging": "^1.0.1",
-        "@stamhoofd/backend-i18n": "2.92.0",
-        "@stamhoofd/backend-middleware": "2.92.0",
-        "@stamhoofd/email": "2.92.0",
-        "@stamhoofd/models": "2.92.0",
-        "@stamhoofd/queues": "2.92.0",
-        "@stamhoofd/sql": "2.92.0",
-        "@stamhoofd/structures": "2.92.0",
-        "@stamhoofd/utility": "2.92.0",
+        "@stamhoofd/backend-i18n": "2.93.0",
+        "@stamhoofd/backend-middleware": "2.93.0",
+        "@stamhoofd/email": "2.93.0",
+        "@stamhoofd/models": "2.93.0",
+        "@stamhoofd/queues": "2.93.0",
+        "@stamhoofd/sql": "2.93.0",
+        "@stamhoofd/structures": "2.93.0",
+        "@stamhoofd/utility": "2.93.0",
         "archiver": "^7.0.1",
         "axios": "^1.8.2",
         "cookie": "^0.7.0",
@@ -70,5 +70,5 @@
     "publishConfig": {
         "access": "public"
     },
-    "gitHead": "43d1edfd8061dada1d418a02691fe5fb158aca6a"
+    "gitHead": "05b8228a7fc3871aa767609a95a2c1511132e548"
 }

package/src/audit-logs/EmailLogger.ts

@@ -58,8 +58,8 @@ export const EmailLogger = new ModelLogger(Email, {
                 type: AuditLogReplacementType.Email,
             })],
             ['c', AuditLogReplacement.create({
-                value: Formatter.integer(model.recipientCount ?? 0),
-                count: model.recipientCount ?? 0,
+                value: Formatter.integer(model.emailRecipientsCount ?? 0),
+                count: model.emailRecipientsCount ?? 0,
             })],
         ]);
         if (options.data.recipient) {

package/src/crons/amazon-ses.ts

@@ -6,9 +6,10 @@ import {
 } from '@aws-sdk/client-sqs';
 import { registerCron } from '@stamhoofd/crons';
 import { Email, EmailAddress } from '@stamhoofd/email';
-import { AuditLog, Organization } from '@stamhoofd/models';
+import { AuditLog, EmailRecipient, Organization } from '@stamhoofd/models';
 import { AuditLogReplacement, AuditLogReplacementType, AuditLogSource, AuditLogType } from '@stamhoofd/structures';
 import { ForwardHandler } from '../helpers/ForwardHandler';
+import { Email as EmailModel } from '@stamhoofd/models';
 
 registerCron('checkComplaints', checkComplaints);
 registerCron('checkReplies', checkReplies);
@@ -52,13 +53,88 @@ async function saveLog({ email, organization, type, subType, subject, response,
     await log.save();
 }
 
+async function storeEmailStatus({ headers, type, message }: { headers: Record<string, string>; type: 'hard-bounce' | 'soft-bounce' | 'complaint'; message: string }) {
+    const emailId = headers['x-email-id'];
+    const recipientId = headers['x-email-recipient-id'];
+
+    if (emailId && recipientId) {
+        // check
+        const emailRecipient = await EmailRecipient.select()
+            .where('id', recipientId)
+            .where('emailId', emailId)
+            .first(false);
+
+        if (!emailRecipient) {
+            console.log('[AWS FORWARDING] Invalid email or recipient id in headers', headers);
+            return;
+        }
+
+        let isNew = true;
+
+        switch (type) {
+            case 'hard-bounce': {
+                if (emailRecipient.hardBounceError) {
+                    isNew = false;
+                }
+                emailRecipient.hardBounceError = message;
+                break;
+            }
+            case 'soft-bounce': {
+                if (emailRecipient.softBounceError) {
+                    isNew = false;
+                }
+                emailRecipient.softBounceError = message;
+                break;
+            }
+            case 'complaint': {
+                if (emailRecipient.spamComplaintError) {
+                    isNew = false;
+                }
+                emailRecipient.spamComplaintError = message;
+                break;
+            }
+        }
+
+        console.log('[AWS FORWARDING] Marking email recipient ' + recipientId + ' for email ' + emailId + ' as ' + type);
+        if (await emailRecipient.save()) {
+            if (isNew) {
+                await EmailModel.bumpNotificationCount(emailId, type);
+            }
+        }
+    }
+}
+
+function readHeaders(message: any) {
+    try {
+        const mail = message.mail;
+        const headers: Record<string, string> = {};
+        if (mail && typeof mail === 'object' && mail !== null && Array.isArray(mail.headers)) {
+            for (const header of mail.headers) {
+                if (header.name && header.value) {
+                    headers[(header.name as string).toLowerCase()] = header.value;
+                }
+            }
+        }
+        else {
+            console.log('[AWS] Missing mail headers', message);
+        }
+        return headers;
+    }
+    catch (e) {
+        console.log('[AWS] Failed to read headers', e, message);
+        return {};
+    }
+}
+
 async function handleBounce(message: any) {
     if (message.bounce) {
+        console.log('[AWS BOUNCES] Handling bounce message', message);
+        const headers = readHeaders(message);
+
         const b = message.bounce;
         // Block all receivers that generate a permanent bounce
         const type = b.bounceType;
         const subtype = b.bounceSubType;
-
         const source = message.mail.source;
 
         // try to find organization that is responsible for this e-mail address
@@ -80,6 +156,12 @@ async function handleBounce(message: any) {
                 emailAddress.hardBounce = true;
                 await emailAddress.save();
 
+                await storeEmailStatus({
+                    headers,
+                    type: 'hard-bounce',
+                    message: recipient.diagnosticCode || 'Permanent bounce',
+                });
+
                 await saveLog({
                     id: b.feedbackId,
                     email,
@@ -95,6 +177,13 @@ async function handleBounce(message: any) {
                 type === 'Transient'
             ) {
                 const organization: Organization | undefined = source ? await Organization.getByEmail(source) : undefined;
+
+                await storeEmailStatus({
+                    headers,
+                    type: 'soft-bounce',
+                    message: recipient.diagnosticCode || 'Soft bounce',
+                });
+
                 await saveLog({
                     id: b.feedbackId,
                     email,
@@ -116,6 +205,7 @@ async function handleBounce(message: any) {
 
 async function handleComplaint(message: any) {
     if (message.complaint) {
+        const headers = readHeaders(message);
         const b = message.complaint;
         const source = message.mail.source;
         const organization: Organization | undefined = source ? await Organization.getByEmail(source) : undefined;
@@ -129,10 +219,16 @@ async function handleComplaint(message: any) {
             await emailAddress.save();
 
             if (type !== 'not-spam') {
+                await storeEmailStatus({
+                    headers,
+                    type: 'complaint',
+                    message: recipient.diagnosticCode || type || 'Complaint',
+                });
+
                 if (type === 'virus' || type === 'fraud') {
                     await saveLog({
                         id: b.feedbackId,
-                        email: source,
+                        email,
                         organization,
                         type: AuditLogType.EmailAddressFraudComplaint,
                         subType: type || 'unknown',
@@ -144,7 +240,7 @@ async function handleComplaint(message: any) {
                 else {
                     await saveLog({
                         id: b.feedbackId,
-                        email: source,
+                        email,
                         organization,
                         type: AuditLogType.EmailAddressMarkedAsSpam,
                         subType: type || 'unknown',

package/src/crons/balance-emails.ts

@@ -198,7 +198,7 @@ async function sendTemplate({
 
     try {
         const upToDate = await ContextInstance.startForUser(systemUser, organization, async () => {
-            return await model.send();
+            return await model.queueForSending(true);
         });
 
         if (!upToDate) {

package/src/email-recipient-loaders/receivable-balances.ts

@@ -1,5 +1,5 @@
 import { CachedBalance, Email } from '@stamhoofd/models';
-import { BalanceItem as BalanceItemStruct, compileToInMemoryFilter, EmailRecipient, EmailRecipientFilterType, LimitedFilteredRequest, PaginatedResponse, receivableBalanceObjectContactInMemoryFilterCompilers, Replacement, StamhoofdFilter } from '@stamhoofd/structures';
+import { BalanceItem as BalanceItemStruct, compileToInMemoryFilter, EmailRecipient, EmailRecipientFilterType, LimitedFilteredRequest, PaginatedResponse, receivableBalanceObjectContactInMemoryFilterCompilers, ReceivableBalanceType, Replacement, StamhoofdFilter } from '@stamhoofd/structures';
 import { Formatter } from '@stamhoofd/utility';
 import { GetReceivableBalancesEndpoint } from '../endpoints/organization/dashboard/receivable-balances/GetReceivableBalancesEndpoint';
 
@@ -22,6 +22,8 @@ async function fetch(query: LimitedFilteredRequest, subfilter: StamhoofdFilter |
             for (const email of contact.emails) {
                 const recipient = EmailRecipient.create({
                     objectId: balance.id, // Note: not set member, user or organization id here - should be the queryable balance id
+                    userId: balance.objectType === ReceivableBalanceType.user ? balance.object.id : null,
+                    memberId: balance.objectType === ReceivableBalanceType.member ? balance.object.id : null,
                     firstName: contact.firstName,
                     lastName: contact.lastName,
                     email,

package/src/endpoints/global/email/CreateEmailEndpoint.ts

@@ -120,8 +120,14 @@ export class CreateEmailEndpoint extends Endpoint<Params, Query, Body, ResponseB
         await model.buildExampleRecipient();
         model.updateCount();
 
-        if (request.body.status === EmailStatus.Sending || request.body.status === EmailStatus.Sent) {
-            model.send().catch(console.error);
+        if (request.body.status === EmailStatus.Sending || request.body.status === EmailStatus.Sent || request.body.status === EmailStatus.Queued) {
+            if (!await Context.auth.canSendEmail(model)) {
+                throw Context.auth.error({
+                    message: 'Cannot send emails from this sender',
+                    human: $t('1b509614-30b0-484c-af72-57d4bc9ea788'),
+                });
+            }
+            await model.queueForSending();
         }
 
         return new Response(await model.getPreviewStructure());

package/src/endpoints/global/email/GetAdminEmailsEndpoint.ts

@@ -138,8 +138,6 @@ export class GetAdminEmailsEndpoint extends Endpoint<Params, Query, Body, Respon
             query.limit(q.limit);
         }
 
-        console.log('Building query for GetAdminEmailsEndpoint', query.getSQL());
-
         return query;
     }
 

package/src/endpoints/global/email/PatchEmailEndpoint.ts

@@ -1,6 +1,6 @@
 import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
 import { Email, Platform } from '@stamhoofd/models';
-import { EmailPreview, EmailStatus, Email as EmailStruct, PermissionLevel } from '@stamhoofd/structures';
+import { EmailPreview, EmailRecipientsStatus, EmailStatus, Email as EmailStruct, PermissionLevel } from '@stamhoofd/structures';
 
 import { AutoEncoderPatchType, Decoder, patchObject } from '@simonbackx/simple-encoding';
 import { SimpleError } from '@simonbackx/simple-errors';
@@ -119,6 +119,15 @@ export class PatchEmailEndpoint extends Endpoint<Params, Query, Body, ResponseBo
         }
 
         if (request.body.recipientFilter) {
+            if (model.status !== EmailStatus.Draft) {
+                throw new SimpleError({
+                    code: 'not_draft',
+                    human: 'Email is not a draft',
+                    message: $t(`Je kan de ontvangerslijst alleen aanpassen als de e-mail nog een concept is`),
+                    statusCode: 400,
+                });
+            }
+
             model.recipientFilter = patchObject(model.recipientFilter, request.body.recipientFilter);
             rebuild = true;
         }
@@ -133,13 +142,13 @@ export class PatchEmailEndpoint extends Endpoint<Params, Query, Body, ResponseBo
 
         if (rebuild) {
             await model.buildExampleRecipient();
-            model.updateCount();
 
             // Force null - because we have stale data
-            model.recipientCount = null;
+            model.emailRecipientsCount = null;
+            model.updateCount();
         }
 
-        if (request.body.status === EmailStatus.Sending || request.body.status === EmailStatus.Sent) {
+        if (request.body.status === EmailStatus.Sending || request.body.status === EmailStatus.Sent || request.body.status === EmailStatus.Queued) {
             if (!await Context.auth.canSendEmail(model)) {
                 throw Context.auth.error({
                     message: 'Cannot send emails from this sender',
@@ -175,7 +184,8 @@ export class PatchEmailEndpoint extends Endpoint<Params, Query, Body, ResponseBo
                 }
             }
 
-            model.send().catch(console.error);
+            // Preview the sending status
+            await model.queueForSending();
         }
 
         return new Response(await model.getPreviewStructure());

package/src/endpoints/global/email-recipients/GetEmailRecipientsCountEndpoint.ts

@@ -0,0 +1,47 @@
+import { Decoder } from '@simonbackx/simple-encoding';
+import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
+import { CountFilteredRequest, CountResponse } from '@stamhoofd/structures';
+
+import { Context } from '../../../helpers/Context';
+import { GetEmailRecipientsEndpoint } from './GetEmailRecipientsEndpoint';
+
+type Params = Record<string, never>;
+type Query = CountFilteredRequest;
+type Body = undefined;
+type ResponseBody = CountResponse;
+
+export class GetEmailRecipientsCountEndpoint extends Endpoint<Params, Query, Body, ResponseBody> {
+    queryDecoder = CountFilteredRequest as Decoder<CountFilteredRequest>;
+
+    protected doesMatch(request: Request): [true, Params] | [false] {
+        if (request.method !== 'GET') {
+            return [false];
+        }
+
+        const params = Endpoint.parseParameters(request.url, '/email-recipients/count', {});
+
+        if (params) {
+            return [true, params as Params];
+        }
+        return [false];
+    }
+
+    async handle(request: DecodedRequest<Params, Query, Body>) {
+        const organization = await Context.setOptionalOrganizationScope();
+        await Context.authenticate();
+
+        if (!await Context.auth.canReadEmails(organization)) {
+            throw Context.auth.error();
+        }
+        const query = await GetEmailRecipientsEndpoint.buildQuery(request.query);
+
+        const count = await query
+            .count();
+
+        return new Response(
+            CountResponse.create({
+                count,
+            }),
+        );
+    }
+}

package/src/endpoints/global/email-recipients/GetEmailRecipientsEndpoint.test.ts

@@ -0,0 +1,225 @@
+import { STExpect, TestUtils } from '@stamhoofd/test-utils';
+import { GetEmailRecipientsEndpoint } from './GetEmailRecipientsEndpoint';
+import { AccessRight, EmailStatus, LimitedFilteredRequest, OrganizationEmail, PermissionLevel, Permissions, PermissionsResourceType, ResourcePermissions } from '@stamhoofd/structures';
+import { Email, EmailRecipient, Organization, OrganizationFactory, RegistrationPeriod, RegistrationPeriodFactory, Token, User, UserFactory } from '@stamhoofd/models';
+import { Request } from '@simonbackx/simple-endpoints';
+import { testServer } from '../../../../tests/helpers/TestServer';
+
+const baseUrl = `/email-recipients`;
+
+describe('Endpoint.GetEmailRecipients', () => {
+    const endpoint = new GetEmailRecipientsEndpoint();
+    let period: RegistrationPeriod;
+    let organization: Organization;
+    let token: Token;
+    let user: User;
+    let sender: OrganizationEmail;
+    let sender2: OrganizationEmail;
+
+    let token2: Token;
+    let user2: User;
+
+    beforeAll(async () => {
+        TestUtils.setPermanentEnvironment('userMode', 'platform');
+        period = await new RegistrationPeriodFactory({
+            startDate: new Date(2023, 0, 1),
+            endDate: new Date(2023, 11, 31),
+        }).create();
+
+        organization = await new OrganizationFactory({ period })
+            .create();
+
+        sender = OrganizationEmail.create({
+            email: 'groepsleiding@voorbeeld.com',
+            name: 'Groepsleiding',
+        });
+        sender2 = OrganizationEmail.create({
+            email: 'kapoenen@voorbeeld.com',
+            name: 'Kapoenen',
+        });
+
+        organization.privateMeta.emails.push(sender);
+        organization.privateMeta.emails.push(sender2);
+        await organization.save();
+
+        user = await new UserFactory({
+            organization,
+            permissions: Permissions.create({
+                level: PermissionLevel.None,
+                resources: new Map([
+                    [PermissionsResourceType.Senders, new Map([['', ResourcePermissions.create({
+                        resourceName: sender.name!,
+                        level: PermissionLevel.Read,
+                    })]])],
+                ]),
+            }),
+        })
+            .create();
+
+        token = await Token.createToken(user);
+
+        user2 = await new UserFactory({
+            organization,
+            permissions: Permissions.create({
+                level: PermissionLevel.None,
+                resources: new Map([
+                    [PermissionsResourceType.Senders, new Map([[sender2.id, ResourcePermissions.create({
+                        resourceName: sender.name!,
+                        level: PermissionLevel.Read,
+                    })]])],
+                ]),
+            }),
+        })
+            .create();
+
+        token2 = await Token.createToken(user2);
+    });
+
+    test('It can request all email recipients if read permission for all senders', async () => {
+        const email = new Email();
+        email.subject = 'test subject';
+        email.status = EmailStatus.Draft;
+        email.text = 'test email';
+        email.html = `<p style="margin: 0; padding: 0; line-height: 1.4;">test email</p>`;
+        email.json = {};
+        email.organizationId = organization.id;
+        email.senderId = sender.id;
+        await email.save();
+
+        const emailRecipient = new EmailRecipient();
+        emailRecipient.email = 'jan.janssens@geenemail.com';
+        emailRecipient.firstName = 'Jan';
+        emailRecipient.lastName = 'Janssens';
+        emailRecipient.emailId = email.id;
+        emailRecipient.organizationId = organization.id;
+        await emailRecipient.save();
+
+        const request = Request.get({
+            path: baseUrl,
+            host: organization.getApiHost(),
+            query: new LimitedFilteredRequest({
+                filter: {},
+                limit: 10,
+            }),
+            headers: {
+                authorization: 'Bearer ' + token.accessToken,
+            },
+        });
+        const result = await testServer.test(endpoint, request);
+        expect(result.body.results).toHaveLength(1);
+        expect(result.body.results[0]).toMatchObject({
+            id: emailRecipient.id,
+        });
+    });
+
+    test('It can not request all email recipients if not read permission for all senders', async () => {
+        const email = new Email();
+        email.subject = 'test subject';
+        email.status = EmailStatus.Draft;
+        email.text = 'test email';
+        email.html = `<p style="margin: 0; padding: 0; line-height: 1.4;">test email</p>`;
+        email.json = {};
+        email.organizationId = organization.id;
+        email.senderId = sender2.id;
+        await email.save();
+
+        const emailRecipient = new EmailRecipient();
+        emailRecipient.email = 'jan.janssens@geenemail.com';
+        emailRecipient.firstName = 'Jan';
+        emailRecipient.lastName = 'Janssens';
+        emailRecipient.emailId = email.id;
+        emailRecipient.organizationId = organization.id;
+        await emailRecipient.save();
+
+        const request = Request.get({
+            path: baseUrl,
+            host: organization.getApiHost(),
+            query: new LimitedFilteredRequest({
+                filter: {},
+                limit: 10,
+            }),
+            headers: {
+                authorization: 'Bearer ' + token2.accessToken,
+            },
+        });
+        await expect(testServer.test(endpoint, request))
+            .rejects
+            .toThrow(STExpect.errorWithCode('permission_denied'));
+    });
+
+    test('It request all email recipients of a single email if read permission for that sender', async () => {
+        const email = new Email();
+        email.subject = 'test subject';
+        email.status = EmailStatus.Draft;
+        email.text = 'test email';
+        email.html = `<p style="margin: 0; padding: 0; line-height: 1.4;">test email</p>`;
+        email.json = {};
+        email.organizationId = organization.id;
+        email.senderId = sender2.id;
+        await email.save();
+
+        const emailRecipient = new EmailRecipient();
+        emailRecipient.email = 'jan.janssens@geenemail.com';
+        emailRecipient.firstName = 'Jan';
+        emailRecipient.lastName = 'Janssens';
+        emailRecipient.emailId = email.id;
+        emailRecipient.organizationId = organization.id;
+        await emailRecipient.save();
+
+        const request = Request.get({
+            path: baseUrl,
+            host: organization.getApiHost(),
+            query: new LimitedFilteredRequest({
+                filter: {
+                    emailId: email.id,
+                },
+                limit: 10,
+            }),
+            headers: {
+                authorization: 'Bearer ' + token2.accessToken,
+            },
+        });
+        const result = await testServer.test(endpoint, request);
+        expect(result.body.results).toHaveLength(1);
+        expect(result.body.results[0]).toMatchObject({
+            id: emailRecipient.id,
+        });
+    });
+
+    test('It cannot request all email recipients of a single email if read permission for another sender', async () => {
+        const email = new Email();
+        email.subject = 'test subject';
+        email.status = EmailStatus.Draft;
+        email.text = 'test email';
+        email.html = `<p style="margin: 0; padding: 0; line-height: 1.4;">test email</p>`;
+        email.json = {};
+        email.organizationId = organization.id;
+        email.senderId = sender.id;
+        await email.save();
+
+        const emailRecipient = new EmailRecipient();
+        emailRecipient.email = 'jan.janssens@geenemail.com';
+        emailRecipient.firstName = 'Jan';
+        emailRecipient.lastName = 'Janssens';
+        emailRecipient.emailId = email.id;
+        emailRecipient.organizationId = organization.id;
+        await emailRecipient.save();
+
+        const request = Request.get({
+            path: baseUrl,
+            host: organization.getApiHost(),
+            query: new LimitedFilteredRequest({
+                filter: {
+                    emailId: email.id,
+                },
+                limit: 10,
+            }),
+            headers: {
+                authorization: 'Bearer ' + token2.accessToken,
+            },
+        });
+        await expect(testServer.test(endpoint, request))
+            .rejects
+            .toThrow(STExpect.errorWithCode('permission_denied'));
+    });
+});

package/src/endpoints/global/email-recipients/GetEmailRecipientsEndpoint.ts

@@ -0,0 +1,164 @@
+import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
+import { assertSort, CountFilteredRequest, EmailRecipient as EmailRecipientStruct, getSortFilter, LimitedFilteredRequest, PaginatedResponse, PermissionLevel, StamhoofdFilter } from '@stamhoofd/structures';
+
+import { Decoder } from '@simonbackx/simple-encoding';
+import { SimpleError } from '@simonbackx/simple-errors';
+import { EmailRecipient } from '@stamhoofd/models';
+import { applySQLSorter, compileToSQLFilter, SQLFilterDefinitions, SQLSortDefinitions } from '@stamhoofd/sql';
+import { Context } from '../../../helpers/Context';
+import { emailRecipientsFilterCompilers } from '../../../sql-filters/email-recipients';
+import { emailRecipientSorters } from '../../../sql-sorters/email-recipients';
+import { validateEmailRecipientFilter } from './helpers/validateEmailRecipientFilter';
+
+type Params = Record<string, never>;
+type Query = LimitedFilteredRequest;
+type Body = undefined;
+type ResponseBody = PaginatedResponse<EmailRecipientStruct[], LimitedFilteredRequest>;
+
+const filterCompilers: SQLFilterDefinitions = emailRecipientsFilterCompilers;
+const sorters: SQLSortDefinitions<EmailRecipient> = emailRecipientSorters;
+
+export class GetEmailRecipientsEndpoint extends Endpoint<Params, Query, Body, ResponseBody> {
+    queryDecoder = LimitedFilteredRequest as Decoder<LimitedFilteredRequest>;
+
+    protected doesMatch(request: Request): [true, Params] | [false] {
+        if (request.method !== 'GET') {
+            return [false];
+        }
+
+        const params = Endpoint.parseParameters(request.url, '/email-recipients', {});
+
+        if (params) {
+            return [true, params as Params];
+        }
+        return [false];
+    }
+
+    static async buildQuery(q: CountFilteredRequest | LimitedFilteredRequest) {
+        const organization = Context.organization;
+        let scopeFilter: StamhoofdFilter | undefined = undefined;
+
+        if (organization) {
+            scopeFilter = {
+                organizationId: organization.id,
+            };
+        }
+        const canReadAllEmails = await Context.auth.canReadAllEmails(organization ?? null);
+
+        if (!canReadAllEmails) {
+            // Check if scope is correctly limited to a single email, otherwise throw an error.
+            if (!await validateEmailRecipientFilter({ filter: q.filter, permissionLevel: PermissionLevel.Read })) {
+                throw Context.auth.error({
+                    message: 'You do not have sufficient permissions to view all email recipients',
+                    human: $t(`Je hebt niet voldoende toegangsrechten om alle email ontvangers te bekijken. Filter op één specifieke e-mail.`),
+                });
+            }
+        }
+
+        const query = EmailRecipient.select();
+
+        if (scopeFilter) {
+            query.where(await compileToSQLFilter(scopeFilter, filterCompilers));
+        }
+
+        if (q.filter) {
+            query.where(await compileToSQLFilter(q.filter, filterCompilers));
+        }
+
+        if (q.search) {
+            let searchFilter: StamhoofdFilter | null = null;
+
+            searchFilter = {
+                $or: [
+                    {
+                        email: {
+                            $contains: q.search,
+                        },
+                    },
+                    {
+                        name: {
+                            $contains: q.search,
+                        },
+                    },
+                ],
+            };
+
+            if (searchFilter) {
+                query.where(await compileToSQLFilter(searchFilter, filterCompilers));
+            }
+        }
+
+        if (q instanceof LimitedFilteredRequest) {
+            if (q.pageFilter) {
+                query.where(await compileToSQLFilter(q.pageFilter, filterCompilers));
+            }
+
+            q.sort = assertSort(q.sort, [{ key: 'id' }]);
+            applySQLSorter(query, q.sort, sorters);
+            query.limit(q.limit);
+        }
+
+        return query;
+    }
+
+    static async buildData(requestQuery: LimitedFilteredRequest) {
+        const query = await GetEmailRecipientsEndpoint.buildQuery(requestQuery);
+        const recipients = await query.fetch();
+
+        let next: LimitedFilteredRequest | undefined;
+
+        if (recipients.length >= requestQuery.limit) {
+            const lastObject = recipients[recipients.length - 1];
+            const nextFilter = getSortFilter(lastObject, sorters, requestQuery.sort);
+
+            next = new LimitedFilteredRequest({
+                filter: requestQuery.filter,
+                pageFilter: nextFilter,
+                sort: requestQuery.sort,
+                limit: requestQuery.limit,
+                search: requestQuery.search,
+            });
+
+            if (JSON.stringify(nextFilter) === JSON.stringify(requestQuery.pageFilter)) {
+                console.error('Found infinite loading loop for', requestQuery);
+                next = undefined;
+            }
+        }
+
+        return new PaginatedResponse<EmailRecipientStruct[], LimitedFilteredRequest>({
+            results: recipients.map(r => r.getStructure()),
+            next,
+        });
+    }
+
+    async handle(request: DecodedRequest<Params, Query, Body>) {
+        const organization = await Context.setOptionalOrganizationScope();
+        await Context.authenticate();
+
+        if (!await Context.auth.canReadEmails(organization)) {
+            throw Context.auth.error();
+        }
+
+        const maxLimit = Context.auth.hasSomePlatformAccess() ? 1000 : 100;
+
+        if (request.query.limit > maxLimit) {
+            throw new SimpleError({
+                code: 'invalid_field',
+                field: 'limit',
+                message: 'Limit can not be more than ' + maxLimit,
+            });
+        }
+
+        if (request.query.limit < 1) {
+            throw new SimpleError({
+                code: 'invalid_field',
+                field: 'limit',
+                message: 'Limit can not be less than 1',
+            });
+        }
+
+        return new Response(
+            await GetEmailRecipientsEndpoint.buildData(request.query),
+        );
+    }
+}

package/src/endpoints/global/email-recipients/helpers/validateEmailRecipientFilter.ts

@@ -0,0 +1,64 @@
+import { SimpleError } from '@simonbackx/simple-errors';
+import { Email } from '@stamhoofd/models';
+import { FilterWrapperMarker, PermissionLevel, StamhoofdFilter, unwrapFilter, WrapperFilter } from '@stamhoofd/structures';
+import { Context } from '../../../../helpers/Context';
+
+export async function validateEmailRecipientFilter({ filter, permissionLevel }: { filter: StamhoofdFilter; permissionLevel: PermissionLevel }) {
+    // Require presence of a filter
+    const requiredFilter: WrapperFilter = {
+        emailId: FilterWrapperMarker,
+    };
+
+    const unwrapped = unwrapFilter(filter, requiredFilter);
+    if (!unwrapped.match) {
+        return false;
+    }
+
+    const emailIds = typeof unwrapped.markerValue === 'string'
+        ? [unwrapped.markerValue]
+        : unwrapFilter(unwrapped.markerValue as StamhoofdFilter, {
+            $in: FilterWrapperMarker,
+        })?.markerValue;
+
+    if (!Array.isArray(emailIds)) {
+        throw new SimpleError({
+            code: 'invalid_field',
+            field: 'filter',
+            message: 'You must filter on an email id of the email recipients you are trying to access',
+            human: $t(`Je hebt niet voldoende toegangsrechten om alle email ontvangers te bekijken.`),
+        });
+    }
+
+    if (emailIds.length === 0) {
+        throw new SimpleError({
+            code: 'invalid_field',
+            field: 'filter',
+            message: 'Filtering on an empty list of email ids is not supported',
+        });
+    }
+
+    for (const emailId of emailIds) {
+        if (typeof emailId !== 'string') {
+            throw new SimpleError({
+                code: 'invalid_field',
+                field: 'filter',
+                message: 'Invalid email ID in filter',
+            });
+        }
+    }
+
+    const emails = await Email.getByIDs(...emailIds as string[]);
+
+    console.log('Fetching recipients for emails', emails.map(g => g.subject));
+
+    for (const email of emails) {
+        if (!await Context.auth.canAccessEmail(email, permissionLevel)) {
+            throw Context.auth.error({
+                message: 'You do not have access to this email',
+                human: $t(`Je hebt geen toegangsrechten tot de ontvangers van deze email`),
+            });
+        }
+    }
+
+    return true;
+}

package/src/endpoints/global/members/PatchOrganizationMembersEndpoint.ts

@@ -966,7 +966,11 @@ export class PatchOrganizationMembersEndpoint extends Endpoint<Params, Query, Bo
     }
 
     static shouldCheckIfMemberIsDuplicate(put: Member): boolean {
-        if (put.details.firstName.length <= 3 && put.details.lastName.length <= 3) {
+        if (put.details.firstName === '???') {
+            return false;
+        }
+
+        if (put.details.name.length <= 3) {
             return false;
         }
 

package/src/endpoints/global/registration-periods/GetRegistrationPeriodsEndpoint.ts

@@ -5,6 +5,7 @@ import { Decoder } from '@simonbackx/simple-encoding';
 import { SimpleError } from '@simonbackx/simple-errors';
 import { RegistrationPeriod } from '@stamhoofd/models';
 import { applySQLSorter, compileToSQLFilter, SQLFilterDefinitions, SQLSortDefinitions } from '@stamhoofd/sql';
+import { Context } from '../../../helpers/Context';
 import { registrationPeriodFilterCompilers } from '../../../sql-filters/registration-periods';
 import { registrationPeriodSorters } from '../../../sql-sorters/registration-periods';
 
@@ -33,9 +34,24 @@ export class GetRegistrationPeriodsEndpoint extends Endpoint<Params, Query, Body
     }
 
     static async buildQuery(q: CountFilteredRequest | LimitedFilteredRequest) {
-        const scopeFilter: StamhoofdFilter | undefined = undefined;
+        let scopeFilter: StamhoofdFilter | undefined = undefined;
         const query = RegistrationPeriod.select();
 
+        if (STAMHOOFD.userMode === 'organization') {
+            const organization = Context.organization;
+
+            if (!organization) {
+                throw new SimpleError({
+                    code: 'no_organization',
+                    message: 'Organization is undefined on Context',
+                });
+            }
+
+            scopeFilter = {
+                organizationId: organization.id,
+            };
+        }
+
         if (scopeFilter) {
             query.where(await compileToSQLFilter(scopeFilter, filterCompilers));
         }
@@ -127,6 +143,8 @@ export class GetRegistrationPeriodsEndpoint extends Endpoint<Params, Query, Body
             });
         }
 
+        await Context.setUserOrganizationScope();
+
         return new Response(
             await GetRegistrationPeriodsEndpoint.buildData(request.query),
         );

package/src/helpers/EmailResumer.ts

@@ -6,7 +6,7 @@ import { ContextInstance } from './Context';
 export async function resumeEmails() {
     const query = SQL.select()
         .from(SQL.table(Email.table))
-        .where(SQL.column('status'), EmailStatus.Sending);
+        .where(SQL.column('status'), [EmailStatus.Sending, EmailStatus.Queued]);
 
     const result = await query.fetch();
     const emails = Email.fromRows(result, Email.table);
@@ -28,7 +28,7 @@ export async function resumeEmails() {
 
         try {
             await ContextInstance.startForUser(user, organization, async () => {
-                await email.send();
+                await email.resumeSending();
             });
         }
         catch (e) {

package/src/seeds/1755790070-fill-email-recipient-errors.ts

@@ -0,0 +1,96 @@
+import { Migration } from '@simonbackx/simple-database';
+import { SimpleError, SimpleErrors } from '@simonbackx/simple-errors';
+import { EmailRecipient } from '@stamhoofd/models';
+
+function stringToError(message: string) {
+    if (message === 'Recipient has hard bounced') {
+        return new SimpleErrors(
+            new SimpleError({
+                code: 'email_skipped_hard_bounce',
+                message: 'The recipient has hard bounced. This means that the email address is invalid or no longer exists.',
+                human: $t(`af49a569-ce88-48d9-ac37-81e594e16c03`),
+            }),
+        );
+    }
+
+    if (message === 'Recipient has marked as spam') {
+        return new SimpleErrors(
+            new SimpleError({
+                code: 'email_skipped_spam',
+                message: 'Recipient has marked as spam',
+                human: $t(`e6523f56-397e-4127-8bf7-8396f6f25a62`),
+            }),
+        );
+    }
+
+    if (message === 'Recipient has unsubscribed') {
+        return new SimpleErrors(
+            new SimpleError({
+                code: 'email_skipped_unsubscribed',
+                message: 'Recipient has unsubscribed',
+                human: $t('De ontvanger heeft zich afgemeld voor e-mails'),
+            }),
+        );
+    }
+
+    if (message === 'Recipient has unsubscribed from marketing') {
+        return new SimpleErrors(
+            new SimpleError({
+                code: 'email_skipped_unsubscribed',
+                message: 'Recipient has unsubscribed from marketing',
+                human: $t('De ontvanger heeft zich afgemeld voor e-mails'),
+            }),
+        );
+    }
+
+    if (message === 'All recipients are filtered due to hard bounce or spam') {
+        return new SimpleErrors(
+            new SimpleError({
+                code: 'all_filtered',
+                message: 'All recipients are filtered due to hard bounce or spam',
+                human: $t('Deze ontvanger komt voor op de gedeelde bounce of spamlijst. De ontvanger was eerder permanent onbereikbaar of heeft eerder een e-mail als spam gemarkeerd.'),
+            }),
+        );
+    }
+
+    if (message === 'Invalid email address') {
+        return new SimpleErrors(
+            new SimpleError({
+                code: 'invalid_email_address',
+                message: 'Invalid email address',
+                human: $t(`cbbff442-758c-4f76-b8c2-26bb176fefcc`),
+            }),
+        );
+    }
+
+    return new SimpleErrors(
+        new SimpleError({
+            code: 'unknown_error',
+            message: message,
+        }),
+    );
+}
+
+export default new Migration(async () => {
+    if (STAMHOOFD.environment === 'test') {
+        console.log('skipped in tests');
+        return;
+    }
+
+    console.log('Start setting failError object on email recipients.');
+
+    const batchSize = 100;
+    let count = 0;
+
+    for await (const r of EmailRecipient.select()
+        .whereNot('failErrorMessage', null).limit(batchSize).all()) {
+        if (!r.failErrorMessage) {
+            continue;
+        }
+        r.failError = stringToError(r.failErrorMessage);
+        await r.save();
+        count++;
+    }
+
+    console.log('Finished saving ' + count + ' recipients with error object.');
+});

package/src/seeds/1756115432-remove-old-drafts.ts

@@ -0,0 +1,16 @@
+import { Migration } from '@simonbackx/simple-database';
+import { Email } from '@stamhoofd/models';
+import { EmailStatus } from '@stamhoofd/structures';
+
+export default new Migration(async () => {
+    if (STAMHOOFD.environment === 'test') {
+        console.log('skipped in tests');
+        return;
+    }
+
+    const { affectedRows } = await Email.delete()
+        .where('status', EmailStatus.Draft)
+        .where('createdAt', '<', new Date(Date.now() - 1000 * 60 * 60 * 24 * 30)) // older than 30 days
+        .delete();
+    console.log('Deleted ' + affectedRows + ' old draft emails.');
+});

package/src/seeds/1756115433-fill-email-recipient-organization-id.ts

@@ -0,0 +1,30 @@
+import { Migration } from '@simonbackx/simple-database';
+import { Email, EmailRecipient } from '@stamhoofd/models';
+import { SQL } from '@stamhoofd/sql';
+
+export default new Migration(async () => {
+    if (STAMHOOFD.environment === 'test') {
+        console.log('skipped in tests');
+        return;
+    }
+
+    console.log('Start setting organizationId object on email recipients.');
+
+    const batchSize = 100;
+    let count = 0;
+
+    for await (const email of Email.select().where('organizationId', '!=', null).limit(batchSize).all()) {
+        if (!email.organizationId) {
+            continue;
+        }
+
+        await SQL.update(EmailRecipient.table)
+            .set('organizationId', email.organizationId)
+            .where('emailId', email.id)
+            .update();
+
+        count++;
+    }
+
+    console.log('Finished saving email recipients of ' + count + ' emails with organization id.');
+});

package/src/sql-filters/email-recipients.ts

@@ -0,0 +1,59 @@
+import { baseSQLFilterCompilers, createColumnFilter, SQL, SQLConcat, SQLFilterDefinitions, SQLScalar, SQLValueType } from '@stamhoofd/sql';
+
+export const emailRecipientsFilterCompilers: SQLFilterDefinitions = {
+    ...baseSQLFilterCompilers,
+    id: createColumnFilter({
+        expression: SQL.column('id'),
+        type: SQLValueType.String,
+        nullable: false,
+    }),
+    email: createColumnFilter({
+        expression: SQL.column('email'),
+        type: SQLValueType.String,
+        nullable: true,
+    }),
+    name: createColumnFilter({
+        expression: new SQLConcat(
+            SQL.column('firstName'),
+            new SQLScalar(' '),
+            SQL.column('lastName'),
+        ),
+        type: SQLValueType.String,
+        nullable: true,
+    }),
+    organizationId: createColumnFilter({
+        expression: SQL.column('organizationId'),
+        type: SQLValueType.String,
+        nullable: true,
+    }),
+    emailId: createColumnFilter({
+        expression: SQL.column('emailId'),
+        type: SQLValueType.String,
+        nullable: false,
+    }),
+    sentAt: createColumnFilter({
+        expression: SQL.column('sentAt'),
+        type: SQLValueType.Datetime,
+        nullable: true,
+    }),
+    failError: createColumnFilter({
+        expression: SQL.column('failError'),
+        type: SQLValueType.JSONObject,
+        nullable: true,
+    }),
+    spamComplaintError: createColumnFilter({
+        expression: SQL.column('spamComplaintError'),
+        type: SQLValueType.String,
+        nullable: true,
+    }),
+    softBounceError: createColumnFilter({
+        expression: SQL.column('softBounceError'),
+        type: SQLValueType.String,
+        nullable: true,
+    }),
+    hardBounceError: createColumnFilter({
+        expression: SQL.column('hardBounceError'),
+        type: SQLValueType.String,
+        nullable: true,
+    }),
+};

package/src/sql-filters/emails.ts

@@ -47,11 +47,36 @@ export const emailFilterCompilers: SQLFilterDefinitions = {
         type: SQLValueType.String,
         nullable: false,
     }),
-    recipientCount: createColumnFilter({
-        expression: SQL.column('recipientCount'),
+    emailRecipientsCount: createColumnFilter({
+        expression: SQL.column('emailRecipientsCount'),
         type: SQLValueType.Number,
         nullable: true,
     }),
+    failedCount: createColumnFilter({
+        expression: SQL.column('failedCount'),
+        type: SQLValueType.Number,
+        nullable: false,
+    }),
+    softFailedCount: createColumnFilter({
+        expression: SQL.column('softFailedCount'),
+        type: SQLValueType.Number,
+        nullable: false,
+    }),
+    hardBouncesCount: createColumnFilter({
+        expression: SQL.column('hardBouncesCount'),
+        type: SQLValueType.Number,
+        nullable: false,
+    }),
+    softBouncesCount: createColumnFilter({
+        expression: SQL.column('softBouncesCount'),
+        type: SQLValueType.Number,
+        nullable: false,
+    }),
+    spamComplaintsCount: createColumnFilter({
+        expression: SQL.column('spamComplaintsCount'),
+        type: SQLValueType.Number,
+        nullable: false,
+    }),
     createdAt: createColumnFilter({
         expression: SQL.column('createdAt'),
         type: SQLValueType.Datetime,
@@ -62,4 +87,9 @@ export const emailFilterCompilers: SQLFilterDefinitions = {
         type: SQLValueType.Datetime,
         nullable: true,
     }),
+    senderId: createColumnFilter({
+        expression: SQL.column('senderId'),
+        type: SQLValueType.String,
+        nullable: true,
+    }),
 };

package/src/sql-filters/members.ts

@@ -1,5 +1,5 @@
 import { SimpleError } from '@simonbackx/simple-errors';
-import { Member } from '@stamhoofd/models';
+import { Email, Member } from '@stamhoofd/models';
 import { baseSQLFilterCompilers, createColumnFilter, createExistsFilter, SQL, SQLAge, SQLCast, SQLConcat, SQLFilterDefinitions, SQLValueType, SQLScalar, createWildcardColumnFilter, SQLJsonExtract } from '@stamhoofd/sql';
 import { AccessRight } from '@stamhoofd/structures';
 import { Context } from '../helpers/Context';
@@ -413,6 +413,47 @@ export const memberFilterCompilers: SQLFilterDefinitions = {
             ),
         organizationFilterCompilers,
     ),
+    'emails': createExistsFilter(
+        SQL.select()
+            .from(
+                SQL.table('email_recipients'),
+            ).where(
+                SQL.column('memberId'),
+                SQL.column('members', 'id'),
+            ),
+        {
+            ...baseSQLFilterCompilers,
+            id: createColumnFilter({
+                expression: SQL.column('emailId'),
+                type: SQLValueType.String,
+                nullable: false,
+                checkPermission: async (filter) => {
+                    if (typeof filter !== 'string') {
+                        throw new SimpleError({
+                            code: 'invalid_filter',
+                            message: 'This filter structure is not supported here.',
+                        });
+                    }
+                    const id = filter;
+                    const email = await Email.getByID(id);
+                    if (!email) {
+                        throw new SimpleError({
+                            code: 'not_found',
+                            message: 'This email does not exist.',
+                            human: $t('Deze e-mail bestaat niet (meer)'),
+                            statusCode: 404,
+                        });
+                    }
+                    if (!await Context.auth.canAccessEmail(email)) {
+                        throw Context.auth.error({
+                            message: 'No permissions to access this email.',
+                            human: $t('Je hebt niet voldoende toegangsrechten om te filteren op deze e-mail'),
+                        });
+                    }
+                },
+            }),
+        },
+    ),
     'details': {
         ...baseSQLFilterCompilers,
         recordAnswers: createWildcardColumnFilter(

package/src/sql-filters/registration-periods.ts

@@ -7,6 +7,11 @@ export const registrationPeriodFilterCompilers: SQLFilterDefinitions = {
         type: SQLValueType.String,
         nullable: false,
     }),
+    organizationId: createColumnFilter({
+        expression: SQL.column('organizationId'),
+        type: SQLValueType.String,
+        nullable: false,
+    }),
     startDate: createColumnFilter({
         expression: SQL.column('startDate'),
         type: SQLValueType.Datetime,

package/src/sql-sorters/email-recipients.ts

@@ -0,0 +1,69 @@
+import { EmailRecipient } from '@stamhoofd/models';
+import { SQL, SQLOrderBy, SQLOrderByDirection, SQLSortDefinitions } from '@stamhoofd/sql';
+import { Formatter } from '@stamhoofd/utility';
+
+export const emailRecipientSorters: SQLSortDefinitions<EmailRecipient> = {
+    // WARNING! TEST NEW SORTERS THOROUGHLY!
+    // Try to avoid creating sorters on fields that er not 1:1 with the database, that often causes pagination issues if not thought through
+    // An example: sorting on 'name' is not a good idea, because it is a concatenation of two fields.
+    // You might be tempted to use ORDER BY firstName, lastName, but that will not work as expected and it needs to be ORDER BY CONCAT(firstName, ' ', lastName)
+    // Why? Because ORDER BY firstName, lastName produces a different order dan ORDER BY CONCAT(firstName, ' ', lastName) if there are multiple people with spaces in the first name
+    // And that again causes issues with pagination because the next query will append a filter of name > 'John Doe' - causing duplicate and/or skipped results
+    // What if you need mapping? simply map the sorters in the frontend: name -> firstname, lastname, age -> birthDay, etc.
+
+    id: {
+        getValue(a) {
+            return a.id;
+        },
+        toSQL: (direction: SQLOrderByDirection): SQLOrderBy => {
+            return new SQLOrderBy({
+                column: SQL.column('id'),
+                direction,
+            });
+        },
+    },
+    sentAt: {
+        getValue(a) {
+            return a.sentAt ? Formatter.dateTimeIso(a.sentAt, 'UTC') : null;
+        },
+        toSQL: (direction: SQLOrderByDirection): SQLOrderBy => {
+            return new SQLOrderBy({
+                column: SQL.column('sentAt'),
+                direction,
+            });
+        },
+    },
+    email: {
+        getValue(a) {
+            return a.email;
+        },
+        toSQL: (direction: SQLOrderByDirection): SQLOrderBy => {
+            return new SQLOrderBy({
+                column: SQL.column('email'),
+                direction,
+            });
+        },
+    },
+    firstName: {
+        getValue(a) {
+            return a.firstName;
+        },
+        toSQL: (direction: SQLOrderByDirection): SQLOrderBy => {
+            return new SQLOrderBy({
+                column: SQL.column('firstName'),
+                direction,
+            });
+        },
+    },
+    lastName: {
+        getValue(a) {
+            return a.lastName;
+        },
+        toSQL: (direction: SQLOrderByDirection): SQLOrderBy => {
+            return new SQLOrderBy({
+                column: SQL.column('lastName'),
+                direction,
+            });
+        },
+    },
+};