@technomoron/mail-magic 1.0.35 → 1.0.37

package/CHANGES

@@ -1,3 +1,23 @@
+Version 1.0.37 (2026-02-17)
+
+- Remove stale commented-out debug code from server mailer/store paths.
+- Remove unused legacy API-key store scaffolding from `mailStore` (`api_key`,
+  `ImailStore`, `keys`, `load_api_keys`, `get_api_key`).
+- Consolidate mailer address validation by reusing shared `util/email` helpers.
+
+Version 1.0.36 (2026-02-17)
+
+- Remove legacy plaintext-token fallback from request authentication; API key auth
+  now requires `token_hmac`.
+- Update token migration regression coverage to verify auth rejection before
+  migration and success after migration.
+- Extract shared `normalizeRoute` helper and reuse it across bootstrap and swagger
+  modules.
+- Standardize `getBodyValue` usage to `util/utils` imports in API modules for
+  clearer utility ownership.
+- Remove unreachable null check after `createTransport()`.
+- Add utility test coverage for route normalization.
+
 Version 1.0.35 (2026-02-17)
 
 - Enforce deterministic locale resolution for transactional template sends:
@@ -8,6 +28,20 @@ Version 1.0.35 (2026-02-17)
   locales are missing.
 - Add regression tests covering deterministic locale fallback and missing-locale
   behavior for both transactional sends and template asset upload resolution.
+- Harden JSON-backed getters for template/form asset columns so malformed DB JSON
+  safely falls back to empty arrays instead of throwing runtime errors.
+- Standardize form send SMTP failure handling to return ApiError responses
+  (consistent `message` contract instead of ad-hoc `error` payloads).
+- Guard SQLite-only PRAGMA usage by database dialect during DB sync.
+- Fix startup error text to use the current project name (`mail-magic`).
+- Fix `DB_TYPE` environment description text ("API database" wording).
+- Add regression tests for malformed JSON getter handling, standardized form-send
+  failure responses, sqlite PRAGMA guard helper behavior, startup error message,
+  and env option description text.
+- Disallow legacy plaintext-token fallback during API authentication; requests now
+  authenticate strictly via `token_hmac`.
+- Update token migration regression coverage to verify plaintext auth rejection
+  prior to migration and successful auth after migration.
 
 Version 1.0.34 (2026-02-10)
 

package/dist/cjs/index.js

@@ -0,0 +1,9 @@
+'use strict';
+
+const load = () => import('../esm/index.js');
+
+module.exports = {
+  STARTUP_ERROR_MESSAGE: 'Failed to start mail-magic:',
+  createMailMagicServer: async (...args) => (await load()).createMailMagicServer(...args),
+  startMailMagicServer: async (...args) => (await load()).startMailMagicServer(...args)
+};

package/dist/cjs/package.json

@@ -0,0 +1,3 @@
+{
+  "type": "commonjs"
+}

package/dist/{api → esm/api}/assets.js

@@ -5,7 +5,8 @@ import { api_form } from '../models/form.js';
 import { api_txmail } from '../models/txmail.js';
 import { SEGMENT_PATTERN, normalizeSubdir } from '../util/paths.js';
 import { moveUploadedFiles } from '../util/uploads.js';
-import { decodeComponent, getBodyValue, sendFileAsync } from '../util.js';
+import { getBodyValue } from '../util/utils.js';
+import { decodeComponent, sendFileAsync } from '../util.js';
 import { assert_domain_and_user } from './auth.js';
 const DOMAIN_PATTERN = /^[a-z0-9][a-z0-9._-]*$/i;
 export class AssetAPI extends ApiModule {

package/dist/{api → esm/api}/auth.js

@@ -1,7 +1,7 @@
 import { ApiError } from '@technomoron/api-server-base';
 import { api_domain } from '../models/domain.js';
 import { api_user } from '../models/user.js';
-import { getBodyValue } from '../util.js';
+import { getBodyValue } from '../util/utils.js';
 export async function assert_domain_and_user(apireq) {
     const body = apireq.req.body ?? {};
     const domain = getBodyValue(body, 'domain');

package/dist/{api → esm/api}/forms.js

@@ -8,7 +8,8 @@ import { api_recipient } from '../models/recipient.js';
 import { buildFormTemplateRecord, buildFormTemplatePaths, buildRecipientTo, buildReplyToValue, buildSubmissionContext, enforceAttachmentPolicy, enforceCaptchaPolicy, filterSubmissionFields, getPrimaryRecipientInfo, normalizeRecipientEmail, normalizeRecipientIdname, normalizeRecipientName, parseIdnameList, parseFormTemplatePayload, parseRecipientPayload, parsePublicSubmissionOrThrow, resolveFormKeyForTemplate, resolveFormKeyForRecipient, resolveRecipients, validateFormTemplatePayload } from '../util/forms.js';
 import { FixedWindowRateLimiter, enforceFormRateLimit } from '../util/ratelimit.js';
 import { buildAttachments, cleanupUploadedFiles } from '../util/uploads.js';
-import { buildRequestMeta, getBodyValue } from '../util.js';
+import { getBodyValue } from '../util/utils.js';
+import { buildRequestMeta } from '../util.js';
 import { assert_domain_and_user } from './auth.js';
 export class FormAPI extends ApiModule {
     rateLimiter = new FixedWindowRateLimiter();
@@ -187,7 +188,7 @@ export class FormAPI extends ApiModule {
             catch (error) {
                 const errorMessage = error instanceof Error ? error.message : String(error);
                 this.server.storage.print_debug('Error sending email: ' + errorMessage);
-                return [500, { error: `Error sending email: ${errorMessage}` }];
+                throw new ApiError({ code: 500, message: `Error sending email: ${errorMessage}` });
             }
             return [200, {}];
         }

package/dist/{api → esm/api}/mailer.js

@@ -1,21 +1,11 @@
 import { ApiModule, ApiError } from '@technomoron/api-server-base';
-import emailAddresses from 'email-addresses';
 import { convert } from 'html-to-text';
 import nunjucks from 'nunjucks';
 import { api_txmail } from '../models/txmail.js';
+import { validateEmail } from '../util/email.js';
 import { buildRequestMeta } from '../util.js';
 import { assert_domain_and_user } from './auth.js';
 export class MailerAPI extends ApiModule {
-    //
-    // Validate and return the parsed email address
-    //
-    validateEmail(email) {
-        const parsed = emailAddresses.parseOneAddress(email);
-        if (parsed) {
-            return parsed.address;
-        }
-        return undefined;
-    }
     //
     // Validate a set of email addresses. Return arrays of invalid
     // and valid email addresses.
@@ -27,7 +17,7 @@ export class MailerAPI extends ApiModule {
             .map((email) => email.trim())
             .filter((email) => email !== '');
         emails.forEach((email) => {
-            const addr = this.validateEmail(email);
+            const addr = validateEmail(email);
             if (addr) {
                 valid.push(addr);
             }
@@ -56,13 +46,6 @@ export class MailerAPI extends ApiModule {
             sender,
             template
         };
-        /*
-        console.log(JSON.stringify({
-        user: apireq.user,
-        domain: apireq.domain,
-        domain_id: apireq.domain.domain_id,
-        data
-        }, undefined, 2)); */
         try {
             const [templateRecord, created] = await api_txmail.upsert(data, {
                 returning: true
@@ -94,7 +77,6 @@ export class MailerAPI extends ApiModule {
             }
         }
         const thevars = parsedVars;
-        // const dbdomain = await api_domain.findOne({ where: { domain } });
         const { valid, invalid } = this.validateEmails(rcpt);
         if (invalid.length > 0) {
             throw new ApiError({ code: 400, message: 'Invalid email address(es): ' + invalid.join(',') });
@@ -145,7 +127,7 @@ export class MailerAPI extends ApiModule {
         const replyToValue = (replyTo || reply_to);
         let normalizedReplyTo;
         if (replyToValue) {
-            normalizedReplyTo = this.validateEmail(replyToValue);
+            normalizedReplyTo = validateEmail(replyToValue);
             if (!normalizedReplyTo) {
                 throw new ApiError({ code: 400, message: 'Invalid reply-to email address' });
             }
@@ -191,7 +173,6 @@ export class MailerAPI extends ApiModule {
             return [200, { Status: 'OK', Message: 'Emails sent successfully' }];
         }
         catch (error) {
-            // console.log(JSON.stringify(e, null, 2));
             throw new ApiError({
                 code: 500,
                 message: error instanceof Error ? error.message : String(error)

package/dist/{index.js → esm/index.js}

@@ -5,20 +5,8 @@ import { MailerAPI } from './api/mailer.js';
 import { mailApiServer } from './server.js';
 import { mailStore } from './store/store.js';
 import { installMailMagicSwagger } from './swagger.js';
-function normalizeRoute(value, fallback = '') {
-    if (!value) {
-        return fallback;
-    }
-    const trimmed = value.trim();
-    if (!trimmed) {
-        return fallback;
-    }
-    const withLeading = trimmed.startsWith('/') ? trimmed : `/${trimmed}`;
-    if (withLeading === '/') {
-        return withLeading;
-    }
-    return withLeading.replace(/\/+$/, '');
-}
+import { normalizeRoute } from './util/route.js';
+export const STARTUP_ERROR_MESSAGE = 'Failed to start mail-magic:';
 function mergeStaticDirs(base, override) {
     const merged = { ...base, ...(override ?? {}) };
     if (Object.keys(merged).length === 0) {
@@ -107,7 +95,7 @@ async function bootMailMagic() {
         console.log(`mail-magic server listening on ${vars.API_HOST}:${vars.API_PORT}`);
     }
     catch (err) {
-        console.error('Failed to start FormMailer:', err);
+        console.error(STARTUP_ERROR_MESSAGE, err);
         process.exit(1);
     }
 }

package/dist/{models → esm/models}/db.js

@@ -5,6 +5,9 @@ import { importData } from './init.js';
 import { init_api_recipient, api_recipient } from './recipient.js';
 import { init_api_txmail, api_txmail } from './txmail.js';
 import { init_api_user, api_user, migrateLegacyApiTokens } from './user.js';
+export function usesSqlitePragmas(db) {
+    return db.getDialect() === 'sqlite';
+}
 export async function init_api_db(db, store) {
     await init_api_user(db);
     await init_api_domain(db);
@@ -71,11 +74,16 @@ export async function init_api_db(db, store) {
         foreignKey: 'domain_id',
         as: 'domain'
     });
-    await db.query('PRAGMA foreign_keys = OFF');
+    const useSqlitePragmas = usesSqlitePragmas(db);
+    if (useSqlitePragmas) {
+        await db.query('PRAGMA foreign_keys = OFF');
+    }
     const alter = Boolean(store.vars.DB_SYNC_ALTER);
     store.print_debug(`DB sync: alter=${alter} force=${store.vars.DB_FORCE_SYNC}`);
     await db.sync({ alter, force: store.vars.DB_FORCE_SYNC });
-    await db.query('PRAGMA foreign_keys = ON');
+    if (useSqlitePragmas) {
+        await db.query('PRAGMA foreign_keys = ON');
+    }
     await importData(store);
     try {
         const { migrated, cleared } = await migrateLegacyApiTokens(store.vars.API_TOKEN_PEPPER);

package/dist/{models → esm/models}/form.js

@@ -170,7 +170,16 @@ export async function init_api_form(api_db) {
             get() {
                 // This column is stored as JSON text but exposed as `string[]` via getter/setter.
                 const raw = this.getDataValue('allowed_fields');
-                return raw ? JSON.parse(raw) : [];
+                if (!raw) {
+                    return [];
+                }
+                try {
+                    const parsed = JSON.parse(raw);
+                    return Array.isArray(parsed) ? parsed : [];
+                }
+                catch {
+                    return [];
+                }
             },
             set(value) {
                 this.setDataValue('allowed_fields', JSON.stringify(value ?? []));
@@ -188,7 +197,16 @@ export async function init_api_form(api_db) {
             get() {
                 // This column is stored as JSON text but exposed as `StoredFile[]` via getter/setter.
                 const raw = this.getDataValue('files');
-                return raw ? JSON.parse(raw) : [];
+                if (!raw) {
+                    return [];
+                }
+                try {
+                    const parsed = JSON.parse(raw);
+                    return Array.isArray(parsed) ? parsed : [];
+                }
+                catch {
+                    return [];
+                }
             },
             set(value) {
                 this.setDataValue('files', JSON.stringify(value ?? []));

package/dist/{models → esm/models}/txmail.js

@@ -131,7 +131,16 @@ export async function init_api_txmail(api_db) {
             defaultValue: '[]',
             get() {
                 const raw = this.getDataValue('files');
-                return raw ? JSON.parse(raw) : [];
+                if (!raw) {
+                    return [];
+                }
+                try {
+                    const parsed = JSON.parse(raw);
+                    return Array.isArray(parsed) ? parsed : [];
+                }
+                catch {
+                    return [];
+                }
             },
             set(value) {
                 this.setDataValue('files', JSON.stringify(value ?? []));

package/dist/esm/server.js

@@ -0,0 +1,22 @@
+import { ApiServer } from '@technomoron/api-server-base';
+import { apiTokenToHmac, api_user } from './models/user.js';
+export class mailApiServer extends ApiServer {
+    store;
+    storage;
+    constructor(config, store) {
+        super(config);
+        this.store = store;
+        this.storage = store;
+    }
+    async getApiKey(token) {
+        this.storage.print_debug('Looking up api key');
+        const pepper = this.storage.vars.API_TOKEN_PEPPER;
+        const token_hmac = apiTokenToHmac(token, pepper);
+        const user = await api_user.findOne({ where: { token_hmac } });
+        if (user) {
+            return { uid: user.user_id };
+        }
+        this.storage.print_debug('Unable to find user for api key');
+        return null;
+    }
+}

package/dist/{store → esm/store}/envloader.js

@@ -82,7 +82,7 @@ export const envOptions = defineEnvOptions({
         default: 'localhost'
     },
     DB_TYPE: {
-        description: 'Database type of WP database',
+        description: 'Database type for the API database',
         options: ['sqlite'],
         default: 'sqlite'
     },

package/dist/{store → esm/store}/store.js

@@ -22,13 +22,9 @@ function create_mail_transport(vars) {
     if (user && pass) {
         args.auth = { user, pass };
     }
-    // console.log(JSON.stringify(args, undefined, 2));
     const mailer = createTransport({
         ...args
     });
-    if (!mailer) {
-        throw new Error('Unable to create mailer');
-    }
     return mailer;
 }
 export class mailStore {
@@ -36,9 +32,7 @@ export class mailStore {
     vars;
     transport;
     api_db = null;
-    keys = {};
     configpath = '';
-    deflocale;
     uploadTemplate;
     uploadStagingPath;
     print_debug(msg) {
@@ -102,17 +96,6 @@ export class mailStore {
             }
         }));
     }
-    async load_api_keys(cfgpath) {
-        const keyfile = path.resolve(cfgpath, 'api-keys.json');
-        if (fs.existsSync(keyfile)) {
-            const raw = fs.readFileSync(keyfile, 'utf-8');
-            const jsonData = JSON.parse(raw);
-            this.print_debug(`API Key Database loaded from ${keyfile}`);
-            return jsonData;
-        }
-        this.print_debug(`No api-keys.json file found: tried ${keyfile}`);
-        return {};
-    }
     async init(overrides = {}) {
         // Load env config only via EnvLoader + envOptions (avoid ad-hoc `process.env` parsing here).
         // If DEBUG is enabled, re-load with EnvLoader debug output enabled.
@@ -168,7 +151,6 @@ export class mailStore {
                 this.print_debug(`Unable to create upload staging path: ${err}`);
             }
         }
-        // this.keys = await this.load_api_keys(this.configpath);
         this.transport = await create_mail_transport(this.vars);
         this.api_db = await connect_api_db(this);
         if (this.vars.DB_AUTO_RELOAD) {
@@ -185,7 +167,4 @@ export class mailStore {
         }
         return this;
     }
-    get_api_key(key) {
-        return this.keys[key] || null;
-    }
 }

package/dist/{swagger.js → esm/swagger.js}

@@ -1,20 +1,7 @@
 import fs from 'node:fs';
 import path from 'node:path';
 import { fileURLToPath } from 'node:url';
-function normalizeRoute(value, fallback = '') {
-    if (!value) {
-        return fallback;
-    }
-    const trimmed = value.trim();
-    if (!trimmed) {
-        return fallback;
-    }
-    const withLeading = trimmed.startsWith('/') ? trimmed : `/${trimmed}`;
-    if (withLeading === '/') {
-        return withLeading;
-    }
-    return withLeading.replace(/\/+$/, '');
-}
+import { normalizeRoute } from './util/route.js';
 function replacePrefix(input, from, to) {
     if (input === from) {
         return to;

package/dist/esm/util/route.js

@@ -0,0 +1,14 @@
+export function normalizeRoute(value, fallback = '') {
+    if (!value) {
+        return fallback;
+    }
+    const trimmed = value.trim();
+    if (!trimmed) {
+        return fallback;
+    }
+    const withLeading = trimmed.startsWith('/') ? trimmed : `/${trimmed}`;
+    if (withLeading === '/') {
+        return withLeading;
+    }
+    return withLeading.replace(/\/+$/, '');
+}

package/package.json

@@ -1,10 +1,17 @@
 {
 	"name": "@technomoron/mail-magic",
-	"version": "1.0.35",
-	"main": "dist/index.js",
+	"version": "1.0.37",
+	"main": "dist/cjs/index.js",
+	"module": "dist/esm/index.js",
 	"type": "module",
 	"bin": {
-		"mail-magic": "dist/bin/mail-magic.js"
+		"mail-magic": "dist/esm/bin/mail-magic.js"
+	},
+	"exports": {
+		".": {
+			"import": "./dist/esm/index.js",
+			"require": "./dist/cjs/index.js"
+		}
 	},
 	"files": [
 		"dist",
@@ -18,10 +25,12 @@
 		"directory": "packages/mail-magic"
 	},
 	"scripts": {
-		"start": "node dist/index.js",
+		"start": "node dist/esm/index.js",
 		"dev": "NODE_ENV=development nodemon --watch 'src/**/*.ts' --watch 'config/**/*.*' --watch '.env' --exec 'tsx' src/index.ts",
 		"run": "NODE_ENV=production npm run start",
-		"build": "tsc",
+		"build:esm": "tsc --project tsconfig/tsconfig.esm.json",
+		"build:cjs": "node scripts/add-shebang.cjs --cjs-only",
+		"build": "npm run build:esm && npm run build:cjs",
 		"postbuild": "node scripts/add-shebang.cjs",
 		"prepack": "npm run build",
 		"test": "vitest run",

package/dist/server.js

@@ -1,34 +0,0 @@
-import { ApiServer } from '@technomoron/api-server-base';
-import { apiTokenToHmac, api_user } from './models/user.js';
-export class mailApiServer extends ApiServer {
-    store;
-    storage;
-    constructor(config, store) {
-        super(config);
-        this.store = store;
-        this.storage = store;
-    }
-    async getApiKey(token) {
-        this.storage.print_debug('Looking up api key');
-        const pepper = this.storage.vars.API_TOKEN_PEPPER;
-        const token_hmac = apiTokenToHmac(token, pepper);
-        const user = await api_user.findOne({ where: { token_hmac } });
-        if (user) {
-            return { uid: user.user_id };
-        }
-        // Backwards-compatible fallback for legacy databases that still store plaintext tokens.
-        const legacy = await api_user.findOne({ where: { token } });
-        if (!legacy) {
-            this.storage.print_debug('Unable to find user for api key');
-            return null;
-        }
-        try {
-            await legacy.update({ token_hmac, token: '' });
-        }
-        catch (err) {
-            // Don't leak token data; just surface the update failure for debugging.
-            this.storage.print_debug(`Unable to migrate legacy api token: ${err instanceof Error ? err.message : String(err)}`);
-        }
-        return { uid: legacy.user_id };
-    }
-}