@technomoron/mail-magic 1.0.32 → 1.0.33

package/CHANGES

@@ -1,6 +1,16 @@
+Version 1.0.33 (2026-02-09)
+
+- Route all env-derived config through `mailStore.vars` with explicit overrides for tests/examples.
+- Move shared helpers into `util/` modules (rate limiting, email parsing, path safety, uploads).
+- Switch template preprocessing to Unyuck’s asset collection while preserving existing URL and CID behavior.
+
 Version 1.0.32 (2026-02-08)
 
 - Add regression coverage for legacy plaintext API token migration to `token_hmac`.
+- Publish `docs/swagger/openapi.json` and install a local swagger handler that is stable regardless of `process.cwd()`.
+- Refactor public form submissions to use explicit `_mm_*` control fields (`_mm_form_key`, `_mm_locale`,
+  `_mm_recipients`) and stricter attachment field naming (`_mm_file*`).
+- Centralize captcha verification in `util/captcha` and add contract-style test coverage for the public form endpoint.
 
 Version 1.0.31 (2026-02-08)
 

package/README.md

@@ -1,18 +1,36 @@
 # @technomoron/mail-magic
 
-Mail Magic is a TypeScript service for managing, templating, and delivering transactional emails and public form
-submissions. It exposes a small REST API built on `@technomoron/api-server-base`, persists data with Sequelize/SQLite
-(by default), and renders outbound messages with Nunjucks templates.
-
-## Features
-
-- Store and send transactional templates through a JSON API
-- Store and deliver form submission templates through a public endpoint
-- Optional recipient allowlist so public forms can target a named recipient without exposing email addresses
-- Optional anti-abuse controls for public forms (rate limiting, attachment limits, CAPTCHA)
-- Preprocess templates (includes + `asset(...)` rewrites) with `@technomoron/unyuck`
-- Nodemailer transport configuration driven by environment variables
-- Optional bundled admin UI (placeholder) served at `/` when enabled
+Mail Magic is a small TypeScript HTTP service that:
+
+- stores transactional email templates and sends transactional messages (authenticated API)
+- stores “contact form” templates and accepts public form submissions (unauthenticated endpoint)
+- renders mail with Nunjucks, and delivers via Nodemailer
+
+This README is intended to be “enough to run and operate the service”. For exact request/response shapes and every
+endpoint, use the OpenAPI spec described in **Swagger / OpenAPI** below.
+
+## Contents
+
+- What You Get
+- Install
+- Quick Start
+- Concepts
+- Configuration
+- Swagger / OpenAPI
+- API Usage (Examples)
+- Public Form Endpoint Contract
+- Assets
+- Security Notes
+- Development (Repo)
+
+## What You Get
+
+- REST API built on `@technomoron/api-server-base`
+- SQLite + Sequelize persistence by default (configurable)
+- Nunjucks templating with optional HTML autoescape (`AUTOESCAPE_HTML=true` by default)
+- Config tree on disk (`CONFIG_PATH`) for per-domain templates and assets
+- Recipient allowlist so public forms can route to named recipients without exposing emails
+- Optional anti-abuse controls on the public form endpoint (rate limiting, attachment limits, CAPTCHA)
 
 ## Install
 
@@ -20,21 +38,16 @@ submissions. It exposes a small REST API built on `@technomoron/api-server-base`
 npm install @technomoron/mail-magic
 ```
 
-The package ships a `mail-magic` CLI.
-
-## Run
-
-Mail Magic loads:
+The package ships a `mail-magic` CLI that loads a `.env` file and starts the server.
 
-- **Environment variables** (the `mail-magic` CLI supports `.env`)
-- **Config directory** (`CONFIG_PATH`) containing `init-data.json`, templates, and assets
+## Quick Start
 
-### 1. Create `.env`
+### 1. Create a `.env`
 
-Copy `.env-dist` and fill in the required bits:
+Start from the repo’s `.env-dist` and set at least:
 
 ```ini
-# Required: used to HMAC API tokens before DB lookup (keep it stable).
+# REQUIRED. Keep stable: used to HMAC API tokens before DB lookup.
 API_TOKEN_PEPPER=change-me-please-use-a-long-random-string
 
 CONFIG_PATH=./data
@@ -50,9 +63,9 @@ SMTP_SECURE=false
 SMTP_TLS_REJECT=false
 ```
 
-### 2. Create a config directory
+### 2. Create a minimal config directory
 
-Minimum layout:
+`CONFIG_PATH` points at a directory containing `init-data.json` plus per-domain subfolders:
 
 ```text
 data/
@@ -60,19 +73,15 @@ data/
   example.test/
     assets/
       images/logo.png
-      files/banner.png
     tx-template/
       welcome.njk
-      partials/
-        header.njk
     form-template/
       contact.njk
-      partials/
-        fields.njk
 ```
 
-Important: assets referenced via `asset('...')` must live under `<CONFIG_PATH>/<domain>/assets` (not under
-`tx-template/` or `form-template/`).
+Assets referenced via `asset('...')` must live under:
+
+`<CONFIG_PATH>/<domain>/assets/...`
 
 ### 3. Start the server
 
@@ -80,142 +89,224 @@ Important: assets referenced via `asset('...')` must live under `<CONFIG_PATH>/<
 mail-magic --env ./.env
 ```
 
-In this repository, development is optimized for `pnpm`:
+## Concepts
 
-```bash
-pnpm install
-pnpm -w --filter @technomoron/mail-magic dev
-```
+### Domain-first config layout
 
-## Authentication (API Tokens)
+Mail Magic treats each domain as a root for templates and assets on disk:
 
-Authenticated endpoints require:
+- Transactional templates: `<CONFIG_PATH>/<domain>/tx-template/...`
+- Form templates: `<CONFIG_PATH>/<domain>/form-template/...`
+- Public assets: `<CONFIG_PATH>/<domain>/assets/...`
 
-```text
-Authorization: Bearer apikey-<user_token>
-```
+### Transactional vs form messages
 
-Tokens are stored as `HMAC-SHA256(token, API_TOKEN_PEPPER)` in the database. You can seed a plaintext `token` in
-`init-data.json`; it will be HMACed on import and the plaintext cleared.
+- Transactional:
+    - authenticated endpoints
+    - you choose recipient email(s) in the send request
+    - templates can use `_vars_` and `_rcpt_email_`
+- Form:
+    - authenticated endpoint to store/update the form template and configuration
+    - unauthenticated endpoint to submit the form
+    - public submissions are identified by a random `form_key`
 
-## API Overview
+### `form_key` (public identifier)
 
-All routes are mounted under `API_BASE_PATH` (default `/api`), so the full path is typically `/api/v1/...`.
+`POST /api/v1/form/template` returns a stable random `form_key`. Public submissions use that key as `_mm_form_key`.
 
-| Auth | Method | Path                 | Description                                             |
-| ---- | ------ | -------------------- | ------------------------------------------------------- |
-| No   | GET    | `/v1/ping`           | Health check                                            |
-| Yes  | POST   | `/v1/tx/template`    | Store/update a transactional template                   |
-| Yes  | POST   | `/v1/tx/message`     | Render + deliver a stored transactional message         |
-| Yes  | POST   | `/v1/form/template`  | Store/update a form template (returns `form_key`)       |
-| Yes  | POST   | `/v1/form/recipient` | Upsert a recipient mapping (domain-wide or form-scoped) |
-| No   | POST   | `/v1/form/message`   | Public form submission endpoint                         |
-| Yes  | POST   | `/v1/assets`         | Upload domain or template-scoped assets                 |
+Treat `form_key` as sensitive: anyone who has it can submit to that form.
 
-Public assets are served from `ASSET_ROUTE` (default `/asset`). When `API_BASE_PATH` is in use, assets are also
-reachable under `/api/asset/...` to match older `API_URL` defaults.
+### Recipient allowlist
 
-## Public Forms (`form_key`) and Recipient Allowlist
+For “choose a recipient” forms, do not accept user-supplied emails. Instead:
 
-### Prefer `form_key` for public submissions
+1. Configure recipients server-side with `POST /api/v1/form/recipient` (authenticated).
+2. In the public request, pass `_mm_recipients` containing recipient `idname`s.
 
-`POST /api/v1/form/template` returns a stable random ID (`data.form_key`, generated via nanoid). Public form submissions
-should use `form_key` instead of `domain + formid`, because `domain + formid` can be ambiguous across locales or
-multi-tenant setups.
+The server resolves those `idname`s to real email addresses using the allowlist.
 
-### Public recipient selection without exposing email addresses
+## Configuration
 
-For cases like "contact a journalist", you can configure named recipients (allowlist) and let the public client select
-by `recipient_idname`:
+Mail Magic is configured via environment variables plus the `CONFIG_PATH` directory.
 
-1. Upsert recipient mapping (authenticated): `POST /api/v1/form/recipient` `{ domain, form_key?, idname, email, name? }`
-2. Submit the public form (no auth): `POST /api/v1/form/message` `{ form_key, recipient_idname, ...fields }`
+The full set of environment variables is documented in the repository’s `.env-dist`.
 
-Mappings are scoped by `(domain_id, form_key, idname)`:
+Commonly used variables:
 
-- Use `form_key` to create a per-form allowlist.
-- Omit `form_key` to create a domain-wide default allowlist.
-- Form-scoped mappings override domain-wide mappings for the same `idname`.
+- `API_HOST`, `API_PORT`, `API_URL`
+- `API_BASE_PATH` (default `/api`)
+- `CONFIG_PATH` (default `./data/`)
+- `ASSET_ROUTE` (default `/asset`)
+- `ASSET_PUBLIC_BASE` (optional public base URL for assets)
+- `AUTOESCAPE_HTML` (default `true`)
+- `UPLOAD_PATH`, `UPLOAD_MAX` (multipart uploads)
+- Public form anti-abuse:
+    - `FORM_RATE_LIMIT_WINDOW_SEC`, `FORM_RATE_LIMIT_MAX`
+    - `FORM_MAX_ATTACHMENTS`, `FORM_KEEP_UPLOADS`
+    - `FORM_CAPTCHA_PROVIDER`, `FORM_CAPTCHA_SECRET`, `FORM_CAPTCHA_REQUIRED`
+- Swagger/OpenAPI:
+    - `SWAGGER_ENABLED`, `SWAGGER_PATH`
 
-### Overriding `recipient` is secret-gated
+## Swagger / OpenAPI
 
-The `recipient` field on the public endpoint is accepted only when the form has a `secret` configured. This prevents
-turning `/v1/form/message` into an open relay.
+Mail Magic ships an OpenAPI JSON spec and can expose it at runtime.
 
-## Anti-Abuse Controls (Public Form Endpoint)
+Packaged spec (on disk):
 
-All knobs below are optional and default to "off" unless stated otherwise:
+- `node_modules/@technomoron/mail-magic/docs/swagger/openapi.json`
 
-- Upload size limit per file: `UPLOAD_MAX` (bytes, enforced by the API server)
-- Attachment count limit: `FORM_MAX_ATTACHMENTS` (`-1` unlimited, `0` disables attachments)
-- Rate limiting: `FORM_RATE_LIMIT_WINDOW_SEC` + `FORM_RATE_LIMIT_MAX` (fixed window, in-memory, per client IP)
-- Upload cleanup: `FORM_KEEP_UPLOADS` (when `false`, uploaded files are deleted after processing, even on failure)
+Runtime spec endpoint:
 
-### CAPTCHA (optional)
+- set `SWAGGER_ENABLED=true`
+- optionally set `SWAGGER_PATH` (defaults to `<API_BASE_PATH>/swagger`, typically `/api/swagger`)
+- fetch the JSON from that endpoint and feed it to Swagger UI / Postman / Insomnia
 
-CAPTCHA verification is enabled when `FORM_CAPTCHA_SECRET` is set. You can require tokens globally with
-`FORM_CAPTCHA_REQUIRED=true`, or per form with `captcha_required=true` on `POST /api/v1/form/template`.
+This spec is the canonical reference for:
 
-Supported providers (`FORM_CAPTCHA_PROVIDER`):
+- the exact route list
+- request/response bodies
+- status codes and error shapes
 
-- `turnstile` (Cloudflare)
-- `hcaptcha`
-- `recaptcha` (Google)
+## API Usage (Examples)
 
-Token field names accepted by the server:
+All authenticated routes require:
+
+```text
+Authorization: Bearer apikey-<user_token>
+```
+
+Tokens are stored as `HMAC-SHA256(token, API_TOKEN_PEPPER)` in the DB. You can seed a plaintext `token` in
+`init-data.json`; it will be HMACed on import and the plaintext cleared.
+
+### Transactional: store template (authenticated)
+
+```bash
+curl -X POST http://localhost:3776/api/v1/tx/template \
+  -H "Authorization: Bearer apikey-<token>" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "domain": "example.test",
+    "name": "welcome",
+    "sender": "Example <noreply@example.test>",
+    "subject": "Welcome",
+    "locale": "en",
+    "template": "<p>Hi {{ _vars_.first_name }}</p>"
+  }'
+```
+
+### Transactional: send message (authenticated)
+
+```bash
+curl -X POST http://localhost:3776/api/v1/tx/message \
+  -H "Authorization: Bearer apikey-<token>" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "domain": "example.test",
+    "name": "welcome",
+    "locale": "en",
+    "rcpt": ["person@example.test"],
+    "vars": { "first_name": "Ada" }
+  }'
+```
+
+### Forms: store form template (authenticated)
+
+This returns `data.form_key` which is used by the public endpoint.
+
+```bash
+curl -X POST http://localhost:3776/api/v1/form/template \
+  -H "Authorization: Bearer apikey-<token>" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "domain": "example.test",
+    "idname": "contact",
+    "sender": "Example Forms <forms@example.test>",
+    "recipient": "owner@example.test",
+    "subject": "New contact form submission",
+    "locale": "en",
+    "template": "<p>Contact from {{ _fields_.name }} ({{ _fields_.email }})</p>"
+  }'
+```
+
+### Forms: submit (public endpoint, no auth)
+
+```bash
+curl -X POST http://localhost:3776/api/v1/form/message \
+  -H "Content-Type: application/json" \
+  -d '{
+    "_mm_form_key": "<form_key from the template response>",
+    "name": "Kai",
+    "email": "kai@example.test",
+    "message": "Hello"
+  }'
+```
+
+## Public Form Endpoint Contract
+
+Endpoint:
+
+- `POST /api/v1/form/message` (no auth)
+
+Required system fields:
+
+- `_mm_form_key` (string)
+
+Optional system fields:
+
+- `_mm_locale` (string)
+- `_mm_recipients` (string[] or comma-separated string)
+
+CAPTCHA token fields (accepted as-is, provider-native):
 
 - `cf-turnstile-response`
 - `h-captcha-response`
 - `g-recaptcha-response`
-- `captcha` (generic)
-
-## Template Rendering Notes
+- `captcha`
 
-### Autoescape (`AUTOESCAPE_HTML`)
+Attachments (multipart):
 
-Nunjucks HTML autoescape is enabled by default. You can toggle it via `AUTOESCAPE_HTML` (default: `true`).
+- attachment field names must start with `_mm_file` (example: `_mm_file1`, `_mm_file2`)
+- the server enforces `FORM_MAX_ATTACHMENTS` (and `UPLOAD_MAX` per file)
 
-Nunjucks also supports the `|safe` filter. Use it only for trusted content.
+All other non-`_mm_*` fields are treated as user fields and are exposed to templates as `_fields_` (optionally filtered
+by the form template’s `allowed_fields` setting).
 
-### Context Variables
+## Assets
 
-Transactional templates receive:
+Templates may reference assets with `asset('path')`:
 
-- `_rcpt_email_`: current recipient
-- `_vars_`: the `vars` object
-- `_attachments_`: multipart field-name to filename map for uploaded attachments
-- `_meta_`: request metadata (`client_ip`, `ip_chain`, `received_at`)
+- `asset('images/logo.png')` rewrites to a public URL under `ASSET_ROUTE` (default `/asset`)
+- `asset('images/logo.png', true)` embeds as a CID attachment
 
-Form templates receive:
+All assets must live under:
 
-- `_fields_`: all submitted fields (including `vars`, `formid`, etc)
-- `_files_`: uploaded files
-- `_attachments_`, `_vars_`, `_meta_`
-- `_rcpt_email_`, `_rcpt_name_`, `_rcpt_idname_` (when using `recipient_idname`)
+`<CONFIG_PATH>/<domain>/assets/...`
 
-### Assets (`asset('...')`)
+## Security Notes
 
-In HTML templates, write:
+If you expose `POST /api/v1/form/message` publicly, read:
 
-- `asset('images/logo.png', true)` to embed as a CID attachment (`cid:images/logo.png`)
-- `asset('files/banner.png')` to rewrite to a public URL under `ASSET_ROUTE`
+- `docs/form-security.md` (in this package) for the contract and operational hardening guidance
 
-Files must exist under `<CONFIG_PATH>/<domain>/assets`.
+At a minimum:
 
-## Database Notes
+- treat `form_key` as sensitive
+- keep recipient routing server-side (`_mm_recipients` idnames only)
+- set conservative `UPLOAD_MAX` and `FORM_MAX_ATTACHMENTS` if you enable uploads
+- use a real edge rate limiter/WAF in front of the public endpoint
 
-- `DB_AUTO_RELOAD` watches `init-data.json` and refreshes templates/forms without a restart (development).
-- `DB_FORCE_SYNC` drops and recreates tables on startup (dangerous).
-- `DB_SYNC_ALTER` controls Sequelize `sync({ alter: ... })` on startup.
+## Development (Repo)
 
-## Admin UI / Swagger
+In this repository, `pnpm` is the preferred package manager:
 
-- `ADMIN_ENABLED=true` enables the optional admin UI and admin API module (if `@technomoron/mail-magic-admin` is
-  installed).
-- `SWAGGER_ENABLED=true` exposes Swagger/OpenAPI (path defaults to `/api/swagger`).
+```bash
+pnpm install
+pnpm -w --filter @technomoron/mail-magic dev
+pnpm -w --filter @technomoron/mail-magic test
+pnpm -w --filter @technomoron/mail-magic cleanbuild
+```
 
-## Available Scripts (Repository)
+Documentation:
 
-- `pnpm -w --filter @technomoron/mail-magic dev` - start watch mode via `nodemon`
-- `pnpm -w --filter @technomoron/mail-magic test` - run server tests
-- `pnpm -w --filter @technomoron/mail-magic cleanbuild` - format + build
+- `packages/mail-magic/docs/tutorial.md` is a hands-on config walkthrough.
+- `packages/mail-magic/docs/form-security.md` covers the public form endpoint contract and recommended mitigations.

package/dist/api/assets.js

@@ -3,64 +3,17 @@ import path from 'path';
 import { ApiError, ApiModule } from '@technomoron/api-server-base';
 import { api_form } from '../models/form.js';
 import { api_txmail } from '../models/txmail.js';
-import { decodeComponent, sendFileAsync } from '../util.js';
+import { SEGMENT_PATTERN, normalizeSubdir } from '../util/paths.js';
+import { moveUploadedFiles } from '../util/uploads.js';
+import { decodeComponent, getBodyValue, sendFileAsync } from '../util.js';
 import { assert_domain_and_user } from './auth.js';
 const DOMAIN_PATTERN = /^[a-z0-9][a-z0-9._-]*$/i;
-const SEGMENT_PATTERN = /^[a-zA-Z0-9._-]+$/;
 export class AssetAPI extends ApiModule {
-    getBodyValue(body, ...keys) {
-        for (const key of keys) {
-            const value = body[key];
-            if (Array.isArray(value) && value.length > 0) {
-                return String(value[0]);
-            }
-            if (value !== undefined && value !== null) {
-                return String(value);
-            }
-        }
-        return '';
-    }
-    normalizeSubdir(value) {
-        if (!value) {
-            return '';
-        }
-        const cleaned = value.replace(/\\/g, '/').replace(/^\/+/, '').replace(/\/+$/, '');
-        if (!cleaned) {
-            return '';
-        }
-        const segments = cleaned.split('/').filter(Boolean);
-        for (const segment of segments) {
-            if (!SEGMENT_PATTERN.test(segment)) {
-                throw new ApiError({ code: 400, message: `Invalid path segment "${segment}"` });
-            }
-        }
-        return path.join(...segments);
-    }
-    async moveUploadedFiles(files, targetDir) {
-        await fs.promises.mkdir(targetDir, { recursive: true });
-        for (const file of files) {
-            const filename = path.basename(file.originalname || '');
-            if (!filename || !SEGMENT_PATTERN.test(filename)) {
-                throw new ApiError({ code: 400, message: `Invalid filename "${file.originalname}"` });
-            }
-            const destination = path.join(targetDir, filename);
-            if (destination === file.path) {
-                continue;
-            }
-            try {
-                await fs.promises.rename(file.path, destination);
-            }
-            catch {
-                await fs.promises.copyFile(file.path, destination);
-                await fs.promises.unlink(file.path);
-            }
-        }
-    }
     async resolveTemplateDir(apireq) {
         const body = apireq.req.body ?? {};
-        const templateTypeRaw = this.getBodyValue(body, 'templateType', 'template_type', 'type');
-        const templateName = this.getBodyValue(body, 'template', 'name', 'idname', 'formid');
-        const locale = this.getBodyValue(body, 'locale');
+        const templateTypeRaw = getBodyValue(body, 'templateType', 'template_type', 'type');
+        const templateName = getBodyValue(body, 'template', 'name', 'idname', 'formid');
+        const locale = getBodyValue(body, 'locale');
         if (!templateTypeRaw) {
             throw new ApiError({ code: 400, message: 'Missing templateType for template asset upload' });
         }
@@ -115,8 +68,8 @@ export class AssetAPI extends ApiModule {
             throw new ApiError({ code: 400, message: 'No files uploaded' });
         }
         const body = apireq.req.body ?? {};
-        const subdir = this.normalizeSubdir(this.getBodyValue(body, 'path', 'dir'));
-        const templateType = this.getBodyValue(body, 'templateType', 'template_type', 'type');
+        const subdir = normalizeSubdir(getBodyValue(body, 'path', 'dir'));
+        const templateType = getBodyValue(body, 'templateType', 'template_type', 'type');
         let targetRoot;
         if (templateType) {
             targetRoot = await this.resolveTemplateDir(apireq);
@@ -129,7 +82,7 @@ export class AssetAPI extends ApiModule {
         if (candidate !== targetRoot && !candidate.startsWith(normalizedRoot)) {
             throw new ApiError({ code: 400, message: 'Invalid asset target path' });
         }
-        await this.moveUploadedFiles(rawFiles, candidate);
+        await moveUploadedFiles(rawFiles, candidate);
         return [200, { Status: 'OK' }];
     }
     defineRoutes() {

package/dist/api/auth.js

@@ -1,18 +1,7 @@
 import { ApiError } from '@technomoron/api-server-base';
 import { api_domain } from '../models/domain.js';
 import { api_user } from '../models/user.js';
-function getBodyValue(body, ...keys) {
-    for (const key of keys) {
-        const value = body[key];
-        if (Array.isArray(value) && value.length > 0) {
-            return String(value[0]);
-        }
-        if (value !== undefined && value !== null) {
-            return String(value);
-        }
-    }
-    return '';
-}
+import { getBodyValue } from '../util.js';
 export async function assert_domain_and_user(apireq) {
     const body = apireq.req.body ?? {};
     const domain = getBodyValue(body, 'domain');

package/dist/api/form-replyto.js

@@ -0,0 +1,44 @@
+import emailAddresses from 'email-addresses';
+function getFirstStringField(body, key) {
+    const value = body[key];
+    if (Array.isArray(value) && value.length > 0) {
+        return String(value[0] ?? '');
+    }
+    if (value !== undefined && value !== null) {
+        return String(value);
+    }
+    return '';
+}
+function sanitizeHeaderValue(value, maxLen) {
+    const trimmed = String(value ?? '').trim();
+    if (!trimmed) {
+        return '';
+    }
+    // Prevent header injection.
+    if (/[\r\n]/.test(trimmed)) {
+        return '';
+    }
+    return trimmed.slice(0, maxLen);
+}
+export function extractReplyToFromSubmission(body) {
+    const emailRaw = sanitizeHeaderValue(getFirstStringField(body, 'email'), 320);
+    if (!emailRaw) {
+        return undefined;
+    }
+    const parsed = emailAddresses.parseOneAddress(emailRaw);
+    if (!parsed) {
+        return undefined;
+    }
+    const address = sanitizeHeaderValue(parsed?.address, 320);
+    if (!address) {
+        return undefined;
+    }
+    // Prefer a single "name" field, otherwise compose from first_name/last_name.
+    let name = sanitizeHeaderValue(getFirstStringField(body, 'name'), 200);
+    if (!name) {
+        const first = sanitizeHeaderValue(getFirstStringField(body, 'first_name'), 100);
+        const last = sanitizeHeaderValue(getFirstStringField(body, 'last_name'), 100);
+        name = sanitizeHeaderValue(`${first}${first && last ? ' ' : ''}${last}`, 200);
+    }
+    return name ? { name, address } : address;
+}