npm - @technomoron/mail-magic - Versions diffs - 1.0.16 → 1.0.23 - Mend

@technomoron/mail-magic 1.0.16 → 1.0.23

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/CHANGES CHANGED Viewed

@@ -1,3 +1,51 @@
+Version 1.0.23 (2026-02-07)
+- Added a form recipient allowlist table plus `POST /api/v1/form/recipient` to map a
+  public recipient `idname` to an email address (with optional display name),
+  scoped per domain and optionally per `form_key`.
+- `POST /api/v1/form/message` now supports `recipient_idname` so public forms can
+  select a configured recipient without exposing email addresses client-side.
+- Added integration tests covering recipient allowlist fallbacks, overrides, locale scoping,
+  validation, and ownership checks.
+Version 1.0.22 (2026-02-07)
+- Added opt-in anti-abuse controls for public form submissions, including:
+  `UPLOAD_MAX`, in-memory IP rate limiting, optional CAPTCHA verification
+  (Turnstile/hCaptcha/reCAPTCHA) with per-form `captcha_required`, optional
+  attachment count limits, and optional upload cleanup.
+Version 1.0.21 (2026-02-07)
+- Added `AUTOESCAPE_HTML` (default: true) to control Nunjucks HTML autoescaping
+  when rendering transactional and form templates.
+Version 1.0.20 (2026-02-07)
+- Centralized env parsing in `mailStore` (no direct `process.env` reads in core
+  server code).
+Version 1.0.19 (2026-02-07)
+- Store API tokens as HMAC-SHA256 (with required `API_TOKEN_PEPPER`) instead of
+  plaintext, and migrate legacy plaintext tokens on startup.
+Version 1.0.18 (2026-02-07)
+- Added a stable `form_key` (generated via nanoid) to uniquely identify forms and
+  return it from `POST /api/v1/form/template`.
+- Updated `POST /api/v1/form/message` form lookup to use `form_key` (preferred),
+  otherwise require `domain` + `formid` (+ optional `locale`) to avoid ambiguous
+  cross-domain/locale matches.
+Version 1.0.17 (2026-02-07)
+- Reduced sensitive logging by disabling env dumps unless `DEBUG` is enabled,
+  removing API tokens from debug output and API errors, and redacting DB
+  credentials in debug logs.
+- Fixed TypeScript build issues by aligning Express typings and updating
+  Express-related utility types.
 Version 1.0.15 (2026-02-01)
 - Made the optional admin UI/API opt-in via `ADMIN_ENABLED`, delegating admin

package/dist/api/assets.js CHANGED Viewed

@@ -144,17 +144,27 @@ export class AssetAPI extends ApiModule {
     }
 }
 export function createAssetHandler(server) {
-    return async (req, res) => {
+    return async (req, res, next) => {
+        if (req.method && req.method !== 'GET' && req.method !== 'HEAD') {
+            if (next) {
+                next();
+                return;
+            }
+            res.status(405).end();
+            return;
+        }
         const domain = decodeComponent(req?.params?.domain);
         if (!domain || !DOMAIN_PATTERN.test(domain)) {
             res.status(404).end();
             return;
         }
-        const rawPath = typeof req?.params?.[0] === 'string' ? req.params[0] : '';
-        const segments = rawPath
-            .split('/')
-            .filter(Boolean)
-            .map((segment) => decodeComponent(segment));
+        const rawPathParam = req?.params?.path ?? req?.params?.[0];
+        const rawSegments = Array.isArray(rawPathParam)
+            ? rawPathParam
+            : typeof rawPathParam === 'string'
+                ? rawPathParam.split('/').filter(Boolean)
+                : [];
+        const segments = rawSegments.map((segment) => decodeComponent(typeof segment === 'string' ? segment : ''));
         if (!segments.length || segments.some((segment) => !SEGMENT_PATTERN.test(segment))) {
             res.status(404).end();
             return;
@@ -191,9 +201,10 @@ export function createAssetHandler(server) {
             return;
         }
         res.type(path.extname(realCandidate));
-        res.set('Cache-Control', 'public, max-age=300');
         try {
-            await sendFileAsync(res, realCandidate);
+            // Express' `sendFile()` sets Cache-Control based on `maxAge` (in ms). Setting the header
+            // before calling `sendFile()` can be overwritten by Express defaults.
+            await sendFileAsync(res, realCandidate, { maxAge: 300_000 });
         }
         catch (err) {
             server.storage.print_debug(`Failed to serve asset ${domain}/${segments.join('/')}: ${err instanceof Error ? err.message : String(err)}`);

package/dist/api/auth.js CHANGED Viewed

@@ -20,9 +20,14 @@ export async function assert_domain_and_user(apireq) {
     if (!domain) {
         throw new ApiError({ code: 401, message: 'Missing domain' });
     }
-    const user = await api_user.findOne({ where: { token: apireq.token } });
+    const rawUid = apireq.getRealUid();
+    const uid = rawUid === null ? null : Number(rawUid);
+    if (!uid || Number.isNaN(uid)) {
+        throw new ApiError({ code: 401, message: 'Invalid/Unknown API Key/Token' });
+    }
+    const user = await api_user.findByPk(uid);
     if (!user) {
-        throw new ApiError({ code: 401, message: `Invalid/Unknown API Key/Token '${apireq.token}'` });
+        throw new ApiError({ code: 401, message: 'Invalid/Unknown API Key/Token' });
     }
     const dbdomain = await api_domain.findOne({ where: { name: domain } });
     if (!dbdomain) {