@technomoron/mail-magic 1.0.4 → 1.0.6

package/CHANGES

@@ -1,4 +1,21 @@
-CHANGES
+Version 1.0.6 (2025-11-06)
+
+- Added the dedicated asset API module so files stored under `config/<domain>/assets`
+  are served directly from `/asset/<domain>/<path>` (configurable via `ASSET_ROUTE`).
+- Tightened the template preprocessor to require non-inline assets to live in the
+  domain `assets/` folder and automatically rewrite `asset('logo.png')` calls to the
+  public route.
+- Clarified inline usage: `asset('logo.png', true)` continues to embed a CID-backed
+  attachment, while omitting the second argument keeps the file external and expects
+  it under `config/<domain>/assets`.
+
+Version 1.0.5 (2025-10-29)
+
+- Store compiled templates and assets under domain-rooted directories inside
+  `CONFIG_PATH`, removing the redundant user segment while keeping slugs and
+  API behaviour unchanged.
+- Update documentation and examples to reflect the domain-first configuration
+  layout.
 
 Version 1.0.4 (2025-09-27)
 
@@ -22,4 +39,3 @@ Version 1.0.3 (2025-09-26)
   to match the renamed package and repository.
 - Added workspace metadata and sample templates so pnpm and new installs pick up example
   assets.
-

package/README.md

@@ -24,11 +24,17 @@ During development you can run `npm run dev` for a watch mode that recompiles on
 ## Configuration
 
 - **Environment variables** are defined in `src/store/envloader.ts`. Important settings include SMTP credentials, API host/port, the config directory path, and database options.
-- **Config directory** (`CONFIG_PATH`) contains JSON seed data (`init-data.json`), optional API key files, and template assets. Review `config-example/` for the recommended layout, in particular the `form-template/` and `tx-template/` folders used for compiled Nunjucks templates.
+- **Config directory** (`CONFIG_PATH`) contains JSON seed data (`init-data.json`), optional API key files, and template assets. Each domain now lives directly under the config root (for example `config/example.com/form-template/…`). Review `config-example/` for the recommended layout, in particular the `form-template/` and `tx-template/` folders used for compiled Nunjucks templates.
 - **Database** defaults to SQLite (`maildata.db`). You can switch dialects by updating the environment options if your deployment requires another database.
 
 When `DB_AUTO_RELOAD` is enabled the service watches `init-data.json` and refreshes templates and forms without a restart.
 
+### Template assets and inline resources
+
+- Keep any non-inline files (images, attachments, etc.) under `config/<domain>/assets`. Mail Magic rewrites `asset('logo.png')` to the public route `/asset/<domain>/logo.png` (or whatever you set via `ASSET_ROUTE`).
+- Pass `true` as the second argument when you want to embed a file as an inline CID attachment: `asset('logo.png', true)` stores the file in Nodemailer and rewrites the HTML to reference `cid:logo.png`.
+- Avoid mixing template-type folders for assets; everything that should be linked externally belongs in the shared `<domain>/assets` tree so it can be served for both form and transactional templates.
+
 ## API Overview
 
 | Method | Path                | Description                                   |

package/TUTORIAL.MD

@@ -0,0 +1,293 @@
+# Mail Magic Configuration Tutorial (MyOrg)
+
+This guide walks through building a standalone configuration tree for the user `myorg` and the domain `myorg.com`. The finished layout adds a contact form template and a transactional welcome template that both reuse partials and embed the MyOrg logo inline so it is shipped as a CID attachment.
+
+---
+
+## 1. Prepare an external config workspace
+
+Mail Magic loads configuration from the folder referenced by the `CONFIG_PATH` environment variable. Keeping your custom assets outside the application repository makes upgrades easier.
+
+```bash
+# run this next to the mail-magic checkout
+mkdir -p ../myorg-config
+export CONFIG_ROOT=$(realpath ../myorg-config)
+```
+
+Update your `.env` (or runtime environment) to point at the new workspace:
+
+```
+CONFIG_PATH=${CONFIG_ROOT}
+DB_AUTO_RELOAD=1  # optional: hot‑reload init-data and templates
+```
+
+From now on the tutorial assumes `${CONFIG_ROOT}` is the root of the custom config tree.
+
+---
+
+## 2. Create the base directory structure
+
+```bash
+mkdir -p \
+  "$CONFIG_ROOT"/myorg.com/{form-template,tx-template} \
+  "$CONFIG_ROOT"/myorg.com/form-template/{partials,assets} \
+  "$CONFIG_ROOT"/myorg.com/tx-template/{partials,assets}
+```
+
+The resulting tree should look like this (logo placement shown for clarity — add the file in step 4):
+
+```
+myorg-config/
+├── init-data.json
+└── myorg.com/
+    ├── form-template/
+    │   ├── assets/
+    │   ├── contact.njk
+    │   └── partials/
+    │       ├── footer.njk
+    │       └── header.njk
+    └── tx-template/
+        ├── assets/
+        │   └── logo.png
+        ├── partials/
+        │   ├── footer.njk
+        │   └── header.njk
+        └── welcome.njk
+```
+
+> **Tip:** If you want to share partials between templates, keep file names aligned (e.g. identical `header.njk` content under both `form-template/partials/` and `tx-template/partials/`).
+
+> **Assets vs inline:** Any file you want to serve as an external URL must live under `myorg.com/assets/`. The template helper `asset('logo.png')` will become `/asset/myorg.com/logo.png`. Use `asset('logo.png', true)` when you need the file embedded as a CID attachment instead.
+
+---
+
+## 3. Seed users, domains, and templates with `init-data.json`
+
+Create `${CONFIG_ROOT}/init-data.json` so the service can bootstrap the MyOrg user, domain, and template metadata:
+
+```json
+{
+	"user": [
+		{
+			"user_id": 10,
+			"idname": "myorg",
+			"token": "<generate-a-32-char-hex-token>",
+			"name": "MyOrg",
+			"email": "notifications@myorg.com"
+		}
+	],
+	"domain": [
+		{
+			"domain_id": 10,
+			"user_id": 10,
+			"name": "myorg.com",
+			"sender": "MyOrg Mailer <noreply@myorg.com>"
+		}
+	],
+	"template": [
+		{
+			"template_id": 100,
+			"user_id": 10,
+			"domain_id": 10,
+			"name": "welcome",
+			"slug": "welcome",
+			"locale": "",
+			"filename": "welcome.njk",
+			"sender": "support@myorg.com",
+			"subject": "Welcome to MyOrg",
+			"template": ""
+		}
+	],
+	"form": [
+		{
+			"form_id": 100,
+			"user_id": 10,
+			"domain_id": 10,
+			"idname": "contact",
+			"filename": "contact.njk",
+			"sender": "MyOrg Support <support@myorg.com>",
+			"recipient": "contact@myorg.com",
+			"subject": "New contact form submission"
+		}
+	]
+}
+```
+
+- Generate the API token with `openssl rand -hex 16` (or any 32-character hex string).
+- Leave `template` empty; Mail Magic will populate it with the flattened HTML the first time it processes the files.
+- Set `DB_AUTO_RELOAD=1` (see step 1) if you want the service to re-import whenever `init-data.json` changes.
+
+---
+
+## 4. Author shared partials and templates
+
+### 4.1 Transactional email partials (`tx-template/partials`)
+
+`$CONFIG_ROOT/myorg.com/tx-template/partials/header.njk`
+
+```njk
+<table role="presentation" width="100%" cellpadding="0" cellspacing="0" style="background:#102347;color:#ffffff;padding:24px 0;font-family:'Segoe UI',Tahoma,sans-serif;">
+  <tr>
+    <td align="center">
+      <img src="asset('logo.png', true)" alt="MyOrg" width="96" height="96" style="display:block;border:none;border-radius:50%;box-shadow:0 4px 14px rgba(0,0,0,0.18);" />
+      <h1 style="margin:16px 0 0;font-size:24px;letter-spacing:0.08em;text-transform:uppercase;">MyOrg</h1>
+    </td>
+  </tr>
+</table>
+```
+
+`$CONFIG_ROOT/myorg.com/tx-template/partials/footer.njk`
+
+```njk
+<table role="presentation" width="100%" cellpadding="0" cellspacing="0" style="background:#f4f6fb;color:#6b7280;padding:24px 0;font-family:'Segoe UI',Tahoma,sans-serif;font-size:12px;">
+  <tr>
+    <td align="center">
+      <p style="margin:0;">You are receiving this email because you created a MyOrg account.</p>
+      <p style="margin:8px 0 0;">MyOrg, 123 Demo Street, Oslo</p>
+    </td>
+  </tr>
+</table>
+```
+
+### 4.2 Transactional welcome template (`tx-template/welcome.njk`)
+
+`$CONFIG_ROOT/myorg.com/tx-template/welcome.njk`
+
+```njk
+{% include 'partials/header.njk' %}
+
+<table role="presentation" width="100%" cellpadding="0" cellspacing="0" style="background:#ffffff;padding:32px 0;font-family:'Segoe UI',Tahoma,sans-serif;color:#1f2937;">
+  <tr>
+    <td align="center">
+      <table role="presentation" width="600" cellpadding="0" cellspacing="0" style="max-width:92%;text-align:left;">
+        <tr>
+          <td style="padding:0 0 24px;font-size:18px;font-weight:600;">Hi {{ _vars_.first_name or _rcpt_email_ }},</td>
+        </tr>
+        <tr>
+          <td style="padding:0 0 16px;font-size:15px;line-height:1.6;">
+            <p style="margin:0 0 12px;">Welcome to MyOrg! Your workspace <strong>{{ _vars_.workspace or 'Starter Plan' }}</strong> is ready.</p>
+            <p style="margin:0;">Use the button below to confirm your email and finish the setup.</p>
+          </td>
+        </tr>
+        <tr>
+          <td align="center" style="padding:12px 0 28px;">
+            <a href="{{ _vars_.cta_url or '#' }}" style="display:inline-block;background:#2563eb;color:#ffffff;text-decoration:none;padding:14px 28px;border-radius:6px;font-size:15px;">Confirm email</a>
+          </td>
+        </tr>
+        <tr>
+          <td style="font-size:13px;line-height:1.5;color:#6b7280;">
+            <p style="margin:0 0 8px;">If you did not sign up for MyOrg, you can ignore this email.</p>
+            <p style="margin:0;">Need help? Reply to this message or visit {{ _vars_.support_url or 'https://myorg.com/support' }}.</p>
+          </td>
+        </tr>
+      </table>
+    </td>
+  </tr>
+</table>
+
+{% include 'partials/footer.njk' %}
+```
+
+### 4.3 Contact form partials (`form-template/partials`)
+
+`$CONFIG_ROOT/myorg.com/form-template/partials/header.njk`
+
+```njk
+<table role="presentation" width="100%" cellpadding="0" cellspacing="0" style="background:#102347;color:#ffffff;padding:18px 0;font-family:Arial,sans-serif;">
+  <tr>
+    <td align="center" style="font-size:20px;font-weight:600;">New MyOrg contact form submission</td>
+  </tr>
+</table>
+```
+
+`$CONFIG_ROOT/myorg.com/form-template/partials/footer.njk`
+
+```njk
+<table role="presentation" width="100%" cellpadding="0" cellspacing="0" style="background:#f4f6fb;color:#6b7280;padding:16px 0;font-family:Arial,sans-serif;font-size:12px;">
+  <tr>
+    <td align="center">
+      <p style="margin:0;">Delivered by Mail Magic for MyOrg.</p>
+    </td>
+  </tr>
+</table>
+```
+
+### 4.4 Contact form template (`form-template/contact.njk`)
+
+`$CONFIG_ROOT/myorg.com/form-template/contact.njk`
+
+```njk
+{% include 'partials/header.njk' %}
+
+<table role="presentation" width="100%" cellpadding="0" cellspacing="0" style="background:#ffffff;padding:24px 0;font-family:Arial,sans-serif;color:#111827;">
+  <tr>
+    <td align="center">
+      <table role="presentation" width="640" cellpadding="0" cellspacing="0" style="max-width:94%;text-align:left;border:1px solid #e5e7eb;border-radius:6px;overflow:hidden;">
+        <tr>
+          <td style="padding:20px 24px;font-size:16px;font-weight:600;background:#f9fafb;">Submitted fields</td>
+        </tr>
+        <tr>
+          <td style="padding:16px 24px;">
+            {% if _fields_ %}
+              <table role="presentation" width="100%" cellpadding="0" cellspacing="0" style="font-size:14px;">
+                {% for field, value in _fields_ %}
+                <tr>
+                  <td style="padding:8px 0;color:#6b7280;width:180px;">{{ field | replace('_', ' ') | title }}</td>
+                  <td style="padding:8px 0;color:#111827;">{{ value }}</td>
+                </tr>
+                {% endfor %}
+              </table>
+            {% else %}
+              <p>No form fields were included.</p>
+            {% endif %}
+          </td>
+        </tr>
+        {% if _meta_ %}
+        <tr>
+          <td style="padding:16px 24px;background:#f9fafb;color:#4b5563;font-size:12px;">
+            <strong>Sender IP:</strong> {{ _meta_.client_ip | default('unknown') }} ·
+            <strong>Received at:</strong> {{ _meta_.received_at | default(now().iso8601()) }}
+          </td>
+        </tr>
+        {% endif %}
+      </table>
+    </td>
+  </tr>
+</table>
+
+{% include 'partials/footer.njk' %}
+```
+
+### 4.5 Provide the logo asset
+
+Copy or design a square PNG logo and add it to both asset folders so the inline references resolve (Mail Magic resolves assets per template type):
+
+```bash
+cp path/to/myorg-logo.png "$CONFIG_ROOT"/myorg.com/tx-template/assets/logo.png
+cp path/to/myorg-logo.png "$CONFIG_ROOT"/myorg.com/form-template/assets/logo.png
+```
+
+The inline flag (`true`) in `asset('logo.png', true)` tells Mail Magic to attach the image and rewrite the markup to `cid:logo.png` when messages are flattened.
+
+---
+
+## 5. Start Mail Magic and verify
+
+1. Restart `mail-magic` (or run `npm run dev`) so it picks up the new `CONFIG_PATH`.
+2. Confirm the bootstrap worked — the logs should mention importing user `myorg` and domain `myorg.com`.
+3. Trigger a transactional email:
+    ```bash
+    curl -X POST http://localhost:3000/v1/tx/message \
+      -H 'Content-Type: application/json' \
+      -H 'X-API-Token: <your 32-char token>' \
+      -d '{
+        "user": "myorg",
+        "domain": "myorg.com",
+        "slug": "welcome",
+        "to": "new.user@myorg.com",
+        "variables": {"first_name": "Kai", "cta_url": "https://myorg.com/confirm"}
+      }'
+    ```
+4. Trigger the contact form template the same way your frontend will post to `/v1/form/message` (Supply `form_id` or `idname` of `contact`). With `DB_AUTO_RELOAD=1`, editing the templates or assets is as simple as saving the file.
+
+You now have a clean, self-contained configuration for MyOrg that inherits Mail Magic behaviour while keeping templates, partials, and assets under version control in a dedicated folder.

package/dist/api/assets.js

@@ -0,0 +1,64 @@
+import fs from 'fs';
+import path from 'path';
+import { ApiModule, ApiError } from '@technomoron/api-server-base';
+import { decodeComponent, sendFileAsync } from '../util.js';
+const DOMAIN_PATTERN = /^[a-z0-9][a-z0-9._-]*$/i;
+const SEGMENT_PATTERN = /^[a-zA-Z0-9._-]+$/;
+export class AssetAPI extends ApiModule {
+    async getAsset(apiReq) {
+        const domain = decodeComponent(apiReq.req.params.domain);
+        if (!domain || !DOMAIN_PATTERN.test(domain)) {
+            throw new ApiError({ code: 404, message: 'Asset not found' });
+        }
+        const rawPath = apiReq.req.params[0] ?? '';
+        const segments = rawPath
+            .split('/')
+            .filter(Boolean)
+            .map((segment) => decodeComponent(segment));
+        if (!segments.length || segments.some((segment) => !SEGMENT_PATTERN.test(segment))) {
+            throw new ApiError({ code: 404, message: 'Asset not found' });
+        }
+        const assetsRoot = path.join(this.server.storage.configpath, domain, 'assets');
+        const resolvedRoot = path.resolve(assetsRoot);
+        const normalizedRoot = resolvedRoot.endsWith(path.sep) ? resolvedRoot : resolvedRoot + path.sep;
+        const candidate = path.resolve(assetsRoot, path.join(...segments));
+        if (!candidate.startsWith(normalizedRoot)) {
+            throw new ApiError({ code: 404, message: 'Asset not found' });
+        }
+        try {
+            await fs.promises.access(candidate, fs.constants.R_OK);
+        }
+        catch {
+            throw new ApiError({ code: 404, message: 'Asset not found' });
+        }
+        const { res } = apiReq;
+        const originalStatus = res.status.bind(res);
+        const originalJson = res.json.bind(res);
+        res.status = ((code) => (res.headersSent ? res : originalStatus(code)));
+        res.json = ((body) => (res.headersSent ? res : originalJson(body)));
+        res.type(path.extname(candidate));
+        res.set('Cache-Control', 'public, max-age=300');
+        try {
+            await sendFileAsync(res, candidate);
+        }
+        catch (err) {
+            this.server.storage.print_debug(`Failed to serve asset ${domain}/${segments.join('/')}: ${err instanceof Error ? err.message : String(err)}`);
+            if (!res.headersSent) {
+                throw new ApiError({ code: 500, message: 'Failed to stream asset' });
+            }
+        }
+        return [200, null];
+    }
+    defineRoutes() {
+        const route = this.server.storage.env.ASSET_ROUTE;
+        const normalizedRoute = route.startsWith('/') ? route : `/${route}`;
+        return [
+            {
+                method: 'get',
+                path: `${normalizedRoute}/:domain/*`,
+                handler: (apiReq) => this.getAsset(apiReq),
+                auth: { type: 'none', req: 'any' }
+            }
+        ];
+    }
+}

package/dist/api/forms.js

@@ -46,7 +46,7 @@ export class FormAPI extends ApiModule {
         const formSlug = normalizeSlug(idname);
         const localeSlug = normalizeSlug(resolvedLocale || domain.locale || user.locale || '');
         const slug = `${userSlug}-${domainSlug}${localeSlug ? '-' + localeSlug : ''}-${formSlug}`;
-        const filenameParts = [userSlug, domainSlug, 'form-template'];
+        const filenameParts = [domainSlug, 'form-template'];
         if (localeSlug) {
             filenameParts.push(localeSlug);
         }

package/dist/index.js

@@ -1,4 +1,5 @@
 import { pathToFileURL } from 'node:url';
+import { AssetAPI } from './api/assets.js';
 import { FormAPI } from './api/forms.js';
 import { MailerAPI } from './api/mailer.js';
 import { mailApiServer } from './server.js';
@@ -10,13 +11,14 @@ function buildServerConfig(store, overrides) {
         apiPort: env.API_PORT,
         uploadPath: env.UPLOAD_PATH,
         debug: env.DEBUG,
+        apiBasePath: '',
         ...overrides
     };
 }
 export async function createMailMagicServer(overrides = {}) {
     const store = await new mailStore().init();
     const config = buildServerConfig(store, overrides);
-    const server = new mailApiServer(config, store).api(new MailerAPI()).api(new FormAPI());
+    const server = new mailApiServer(config, store).api(new MailerAPI()).api(new FormAPI()).api(new AssetAPI());
     return { server, store, env: store.env };
 }
 export async function startMailMagicServer(overrides = {}) {

package/dist/models/form.js

@@ -138,14 +138,14 @@ export async function upsert_form(record) {
         record.slug = `${idname}-${dname}${locale ? '-' + locale : ''}-${name}`;
     }
     if (!record.filename) {
-        const parts = [idname, dname, 'form-template'];
+        const parts = [dname, 'form-template'];
         if (locale)
             parts.push(locale);
         parts.push(name);
         record.filename = path.join(...parts);
     }
     else {
-        record.filename = path.join(idname, dname, 'form-template', record.filename);
+        record.filename = path.join(dname, 'form-template', record.filename);
     }
     if (!record.filename.endsWith('.njk')) {
         record.filename += '.njk';

package/dist/models/init.js

@@ -14,34 +14,41 @@ const init_data_schema = z.object({
     form: z.array(api_form_schema).default([])
 });
 /**
- * Resolve an asset file within ./config/<userid>/<domain>/<type>/assets
+ * Resolve an asset file within ./config/<domain>/assets
  */
-function resolveAsset(basePath, type, domainName, assetName, locale) {
-    const searchPaths = [];
-    // always domain-scoped
-    if (locale) {
-        searchPaths.push(path.join(domainName, type, locale));
+function resolveAsset(basePath, domainName, assetName) {
+    const assetsRoot = path.join(basePath, domainName, 'assets');
+    if (!fs.existsSync(assetsRoot)) {
+        return null;
     }
-    searchPaths.push(path.join(domainName, type));
-    // no domain fallback → do not leak assets between domains
-    // but allow locale fallbacks inside type
-    if (locale) {
-        searchPaths.push(path.join(type, locale));
+    const resolvedRoot = path.resolve(assetsRoot);
+    const normalizedRoot = resolvedRoot.endsWith(path.sep) ? resolvedRoot : resolvedRoot + path.sep;
+    const candidate = path.resolve(assetsRoot, assetName);
+    if (!candidate.startsWith(normalizedRoot)) {
+        return null;
     }
-    searchPaths.push(type);
-    for (const p of searchPaths) {
-        const candidate = path.join(basePath, p, 'assets', assetName);
-        if (fs.existsSync(candidate)) {
-            return candidate;
-        }
+    if (fs.existsSync(candidate) && fs.statSync(candidate).isFile()) {
+        return candidate;
     }
     return null;
 }
+function buildAssetUrl(baseUrl, route, domainName, assetPath) {
+    const trimmedBase = baseUrl.endsWith('/') ? baseUrl.slice(0, -1) : baseUrl;
+    const normalizedRoute = route.startsWith('/') ? route : `/${route}`;
+    const encodedDomain = encodeURIComponent(domainName);
+    const encodedPath = assetPath
+        .split('/')
+        .filter((segment) => segment.length > 0)
+        .map((segment) => encodeURIComponent(segment))
+        .join('/');
+    const trailing = encodedPath ? `/${encodedPath}` : '';
+    return `${trimmedBase}${normalizedRoute}/${encodedDomain}${trailing}`;
+}
 function extractAndReplaceAssets(html, opts) {
     const regex = /src=["']asset\(['"]([^'"]+)['"](?:,\s*(true|false|[01]))?\)["']/g;
     const assets = [];
     const replacedHtml = html.replace(regex, (_m, relPath, inlineFlag) => {
-        const fullPath = resolveAsset(opts.basePath, opts.type, opts.domainName, relPath, opts.locale ?? undefined);
+        const fullPath = resolveAsset(opts.basePath, opts.domainName, relPath);
         if (!fullPath) {
             throw new Error(`Missing asset "${relPath}"`);
         }
@@ -52,20 +59,24 @@ function extractAndReplaceAssets(html, opts) {
             cid: isInline ? relPath : undefined
         };
         assets.push(storedFile);
-        return isInline
-            ? `src="cid:${relPath}"`
-            : `src="${opts.apiUrl}/image/${opts.idname}/${opts.type}/` +
-                `${opts.domainName ? opts.domainName + '/' : ''}` +
-                `${opts.locale ? opts.locale + '/' : ''}` +
-                relPath +
-                '"';
+        if (isInline) {
+            return `src="cid:${relPath}"`;
+        }
+        const domainAssetsRoot = path.join(opts.basePath, opts.domainName, 'assets');
+        const relativeToAssets = path.relative(domainAssetsRoot, fullPath);
+        if (!relativeToAssets || relativeToAssets.startsWith('..')) {
+            throw new Error(`Asset path escapes domain assets directory: ${fullPath}`);
+        }
+        const normalizedAssetPath = relativeToAssets.split(path.sep).join('/');
+        const assetUrl = buildAssetUrl(opts.apiUrl, opts.assetRoute, opts.domainName, normalizedAssetPath);
+        return `src="${assetUrl}"`;
     });
     return { html: replacedHtml, assets };
 }
 async function _load_template(store, filename, pathname, user, domain, locale, type) {
-    const rootDir = path.join(store.configpath, user.idname, domain.name, type);
+    const rootDir = path.join(store.configpath, domain.name, type);
     let relFile = filename;
-    const prefix = path.join(user.idname, domain.name, type) + path.sep;
+    const prefix = path.join(domain.name, type) + path.sep;
     if (filename.startsWith(prefix)) {
         relFile = filename.slice(prefix.length);
     }
@@ -81,20 +92,18 @@ async function _load_template(store, filename, pathname, user, domain, locale, t
         throw new Error(`Template file "${absPath}" is empty`);
     }
     try {
-        const baseUserPath = path.join(store.configpath, user.idname);
-        const templateKey = path.relative(baseUserPath, absPath);
+        const baseConfigPath = store.configpath;
+        const templateKey = path.relative(baseConfigPath, absPath);
         if (!templateKey) {
             throw new Error(`Unable to resolve template path for "${absPath}"`);
         }
-        const processor = new Unyuck({ basePath: baseUserPath });
+        const processor = new Unyuck({ basePath: baseConfigPath });
         const merged = processor.flattenNoAssets(templateKey);
         const { html, assets } = extractAndReplaceAssets(merged, {
-            basePath: path.join(store.configpath, user.idname),
-            type,
+            basePath: baseConfigPath,
             domainName: domain.name,
-            locale,
             apiUrl: store.env.API_URL,
-            idname: user.idname
+            assetRoute: store.env.ASSET_ROUTE
         });
         return { html, assets };
     }

package/dist/models/txmail.js

@@ -33,14 +33,14 @@ export async function upsert_txmail(record) {
         record.slug = `${idname}-${dname}${locale ? '-' + locale : ''}-${name}`;
     }
     if (!record.filename) {
-        const parts = [idname, dname, 'tx-template'];
+        const parts = [dname, 'tx-template'];
         if (locale)
             parts.push(locale);
         parts.push(name);
         record.filename = path.join(...parts);
     }
     else {
-        record.filename = path.join(idname, dname, 'tx-template', record.filename);
+        record.filename = path.join(dname, 'tx-template', record.filename);
     }
     if (!record.filename.endsWith('.njk')) {
         record.filename += '.njk';
@@ -146,13 +146,12 @@ export async function init_api_txmail(api_db) {
     api_txmail.addHook('beforeValidate', async (template) => {
         const { user, domain } = await user_and_domain(template.domain_id);
         console.log('HERE');
-        const idname = normalizeSlug(user.idname);
         const dname = normalizeSlug(domain.name);
         const name = normalizeSlug(template.name);
         const locale = normalizeSlug(template.locale || domain.locale || user.locale || '');
-        template.slug ||= `${idname}-${dname}${locale ? '-' + locale : ''}-${name}`;
+        template.slug ||= `${normalizeSlug(user.idname)}-${dname}${locale ? '-' + locale : ''}-${name}`;
         if (!template.filename) {
-            const parts = [idname, dname, 'tx-template'];
+            const parts = [dname, 'tx-template'];
             if (locale)
                 parts.push(locale);
             parts.push(name);

package/dist/store/envloader.js

@@ -28,31 +28,14 @@ export const envOptions = defineEnvOptions({
         description: 'Sets the public URL for the API (i.e. https://ml.example.com:3790)',
         default: 'http://localhost:3776'
     },
+    ASSET_ROUTE: {
+        description: 'Route prefix exposed for config assets',
+        default: '/asset'
+    },
     CONFIG_PATH: {
         description: 'Path to directory where config files are located',
         default: './config/'
     },
-    /*
-    SWAGGER_ENABLE: {
-        description: 'Enable Swagger API docs',
-        default: 'false',
-        type: 'boolean'
-    },
-    SWAGGER_PATH: {
-        description: 'Path for swagger api docs',
-        default: '/api-docs'
-    },
-    */
-    /*
-    JWT_SECRET: {
-        description: 'Secret key for generating JWT access tokens',
-        required: true
-    },
-    JWT_REFRESH: {
-        description: 'Secret key for generating JWT refresh tokens',
-        required: true
-    },
-    */
     DB_USER: {
         description: 'Database username for API database'
     },

package/dist/util.js

@@ -92,3 +92,26 @@ export function buildRequestMeta(rawReq) {
         ip_chain: uniqueIps
     };
 }
+export function decodeComponent(value) {
+    if (!value) {
+        return '';
+    }
+    try {
+        return decodeURIComponent(value);
+    }
+    catch {
+        return value;
+    }
+}
+export function sendFileAsync(res, file) {
+    return new Promise((resolve, reject) => {
+        res.sendFile(file, (err) => {
+            if (err) {
+                reject(err);
+            }
+            else {
+                resolve();
+            }
+        });
+    });
+}

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@technomoron/mail-magic",
-	"version": "1.0.4",
+	"version": "1.0.6",
 	"main": "dist/index.js",
 	"type": "module",
 	"repository": {

package/src/api/assets.ts

@@ -0,0 +1,79 @@
+import fs from 'fs';
+import path from 'path';
+
+import { ApiModule, ApiRoute, ApiError } from '@technomoron/api-server-base';
+
+import { mailApiServer } from '../server.js';
+import { decodeComponent, sendFileAsync } from '../util.js';
+
+import type { ApiRequest } from '@technomoron/api-server-base';
+
+const DOMAIN_PATTERN = /^[a-z0-9][a-z0-9._-]*$/i;
+const SEGMENT_PATTERN = /^[a-zA-Z0-9._-]+$/;
+
+export class AssetAPI extends ApiModule<mailApiServer> {
+	private async getAsset(apiReq: ApiRequest): Promise<[number, null]> {
+		const domain = decodeComponent(apiReq.req.params.domain);
+		if (!domain || !DOMAIN_PATTERN.test(domain)) {
+			throw new ApiError({ code: 404, message: 'Asset not found' });
+		}
+
+		const rawPath = apiReq.req.params[0] ?? '';
+		const segments = rawPath
+			.split('/')
+			.filter(Boolean)
+			.map((segment: string) => decodeComponent(segment));
+		if (!segments.length || segments.some((segment) => !SEGMENT_PATTERN.test(segment))) {
+			throw new ApiError({ code: 404, message: 'Asset not found' });
+		}
+
+		const assetsRoot = path.join(this.server.storage.configpath, domain, 'assets');
+		const resolvedRoot = path.resolve(assetsRoot);
+		const normalizedRoot = resolvedRoot.endsWith(path.sep) ? resolvedRoot : resolvedRoot + path.sep;
+		const candidate = path.resolve(assetsRoot, path.join(...segments));
+		if (!candidate.startsWith(normalizedRoot)) {
+			throw new ApiError({ code: 404, message: 'Asset not found' });
+		}
+
+		try {
+			await fs.promises.access(candidate, fs.constants.R_OK);
+		} catch {
+			throw new ApiError({ code: 404, message: 'Asset not found' });
+		}
+
+		const { res } = apiReq;
+		const originalStatus = res.status.bind(res);
+		const originalJson = res.json.bind(res);
+		res.status = ((code: number) => (res.headersSent ? res : originalStatus(code))) as typeof res.status;
+		res.json = ((body: unknown) => (res.headersSent ? res : originalJson(body))) as typeof res.json;
+
+		res.type(path.extname(candidate));
+		res.set('Cache-Control', 'public, max-age=300');
+
+		try {
+			await sendFileAsync(res, candidate);
+		} catch (err) {
+			this.server.storage.print_debug(
+				`Failed to serve asset ${domain}/${segments.join('/')}: ${err instanceof Error ? err.message : String(err)}`
+			);
+			if (!res.headersSent) {
+				throw new ApiError({ code: 500, message: 'Failed to stream asset' });
+			}
+		}
+
+		return [200, null];
+	}
+
+	override defineRoutes(): ApiRoute[] {
+		const route = this.server.storage.env.ASSET_ROUTE;
+		const normalizedRoute = route.startsWith('/') ? route : `/${route}`;
+		return [
+			{
+				method: 'get',
+				path: `${normalizedRoute}/:domain/*`,
+				handler: (apiReq) => this.getAsset(apiReq),
+				auth: { type: 'none', req: 'any' }
+			}
+		];
+	}
+}

package/src/api/forms.ts

@@ -65,7 +65,7 @@ export class FormAPI extends ApiModule<mailApiServer> {
 		const formSlug = normalizeSlug(idname);
 		const localeSlug = normalizeSlug(resolvedLocale || domain.locale || user.locale || '');
 		const slug = `${userSlug}-${domainSlug}${localeSlug ? '-' + localeSlug : ''}-${formSlug}`;
-		const filenameParts = [userSlug, domainSlug, 'form-template'];
+		const filenameParts = [domainSlug, 'form-template'];
 		if (localeSlug) {
 			filenameParts.push(localeSlug);
 		}

package/src/index.ts

@@ -1,5 +1,6 @@
 import { pathToFileURL } from 'node:url';
 
+import { AssetAPI } from './api/assets.js';
 import { FormAPI } from './api/forms.js';
 import { MailerAPI } from './api/mailer.js';
 import { mailApiServer } from './server.js';
@@ -22,6 +23,7 @@ function buildServerConfig(store: mailStore, overrides: MailMagicServerOptions):
 		apiPort: env.API_PORT,
 		uploadPath: env.UPLOAD_PATH,
 		debug: env.DEBUG,
+		apiBasePath: '',
 		...overrides
 	};
 }
@@ -29,7 +31,7 @@ function buildServerConfig(store: mailStore, overrides: MailMagicServerOptions):
 export async function createMailMagicServer(overrides: MailMagicServerOptions = {}): Promise<MailMagicServerBootstrap> {
 	const store = await new mailStore().init();
 	const config = buildServerConfig(store, overrides);
-	const server = new mailApiServer(config, store).api(new MailerAPI()).api(new FormAPI());
+	const server = new mailApiServer(config, store).api(new MailerAPI()).api(new FormAPI()).api(new AssetAPI());
 
 	return { server, store, env: store.env };
 }

package/src/models/form.ts

@@ -169,12 +169,12 @@ export async function upsert_form(record: api_form_type): Promise<api_form> {
 	}
 
 	if (!record.filename) {
-		const parts = [idname, dname, 'form-template'];
+		const parts = [dname, 'form-template'];
 		if (locale) parts.push(locale);
 		parts.push(name);
 		record.filename = path.join(...parts);
 	} else {
-		record.filename = path.join(idname, dname, 'form-template', record.filename);
+		record.filename = path.join(dname, 'form-template', record.filename);
 	}
 	if (!record.filename.endsWith('.njk')) {
 		record.filename += '.njk';

package/src/models/init.ts

@@ -28,48 +28,45 @@ const init_data_schema = z.object({
 type InitData = z.infer<typeof init_data_schema>;
 
 /**
- * Resolve an asset file within ./config/<userid>/<domain>/<type>/assets
+ * Resolve an asset file within ./config/<domain>/assets
  */
-function resolveAsset(
-	basePath: string,
-	type: 'form-template' | 'tx-template',
-	domainName: string,
-	assetName: string,
-	locale?: string | null
-): string | null {
-	const searchPaths: string[] = [];
-
-	// always domain-scoped
-	if (locale) {
-		searchPaths.push(path.join(domainName, type, locale));
+function resolveAsset(basePath: string, domainName: string, assetName: string): string | null {
+	const assetsRoot = path.join(basePath, domainName, 'assets');
+	if (!fs.existsSync(assetsRoot)) {
+		return null;
 	}
-	searchPaths.push(path.join(domainName, type));
-
-	// no domain fallback → do not leak assets between domains
-	// but allow locale fallbacks inside type
-	if (locale) {
-		searchPaths.push(path.join(type, locale));
+	const resolvedRoot = path.resolve(assetsRoot);
+	const normalizedRoot = resolvedRoot.endsWith(path.sep) ? resolvedRoot : resolvedRoot + path.sep;
+	const candidate = path.resolve(assetsRoot, assetName);
+	if (!candidate.startsWith(normalizedRoot)) {
+		return null;
 	}
-	searchPaths.push(type);
-
-	for (const p of searchPaths) {
-		const candidate = path.join(basePath, p, 'assets', assetName);
-		if (fs.existsSync(candidate)) {
-			return candidate;
-		}
+	if (fs.existsSync(candidate) && fs.statSync(candidate).isFile()) {
+		return candidate;
 	}
 	return null;
 }
 
+function buildAssetUrl(baseUrl: string, route: string, domainName: string, assetPath: string): string {
+	const trimmedBase = baseUrl.endsWith('/') ? baseUrl.slice(0, -1) : baseUrl;
+	const normalizedRoute = route.startsWith('/') ? route : `/${route}`;
+	const encodedDomain = encodeURIComponent(domainName);
+	const encodedPath = assetPath
+		.split('/')
+		.filter((segment) => segment.length > 0)
+		.map((segment) => encodeURIComponent(segment))
+		.join('/');
+	const trailing = encodedPath ? `/${encodedPath}` : '';
+	return `${trimmedBase}${normalizedRoute}/${encodedDomain}${trailing}`;
+}
+
 function extractAndReplaceAssets(
 	html: string,
 	opts: {
 		basePath: string;
-		type: 'form-template' | 'tx-template';
 		domainName: string;
-		locale?: string | null;
 		apiUrl: string;
-		idname: string;
+		assetRoute: string;
 	}
 ): { html: string; assets: StoredFile[] } {
 	const regex = /src=["']asset\(['"]([^'"]+)['"](?:,\s*(true|false|[01]))?\)["']/g;
@@ -77,7 +74,7 @@ function extractAndReplaceAssets(
 	const assets: StoredFile[] = [];
 
 	const replacedHtml = html.replace(regex, (_m, relPath: string, inlineFlag?: string) => {
-		const fullPath = resolveAsset(opts.basePath, opts.type, opts.domainName, relPath, opts.locale ?? undefined);
+		const fullPath = resolveAsset(opts.basePath, opts.domainName, relPath);
 		if (!fullPath) {
 			throw new Error(`Missing asset "${relPath}"`);
 		}
@@ -91,13 +88,18 @@ function extractAndReplaceAssets(
 
 		assets.push(storedFile);
 
-		return isInline
-			? `src="cid:${relPath}"`
-			: `src="${opts.apiUrl}/image/${opts.idname}/${opts.type}/` +
-					`${opts.domainName ? opts.domainName + '/' : ''}` +
-					`${opts.locale ? opts.locale + '/' : ''}` +
-					relPath +
-					'"';
+		if (isInline) {
+			return `src="cid:${relPath}"`;
+		}
+
+		const domainAssetsRoot = path.join(opts.basePath, opts.domainName, 'assets');
+		const relativeToAssets = path.relative(domainAssetsRoot, fullPath);
+		if (!relativeToAssets || relativeToAssets.startsWith('..')) {
+			throw new Error(`Asset path escapes domain assets directory: ${fullPath}`);
+		}
+		const normalizedAssetPath = relativeToAssets.split(path.sep).join('/');
+		const assetUrl = buildAssetUrl(opts.apiUrl, opts.assetRoute, opts.domainName, normalizedAssetPath);
+		return `src="${assetUrl}"`;
 	});
 
 	return { html: replacedHtml, assets };
@@ -112,10 +114,10 @@ async function _load_template(
 	locale: string | null,
 	type: 'form-template' | 'tx-template'
 ): Promise<LoadedTemplate> {
-	const rootDir = path.join(store.configpath, user.idname, domain.name, type);
+	const rootDir = path.join(store.configpath, domain.name, type);
 
 	let relFile = filename;
-	const prefix = path.join(user.idname, domain.name, type) + path.sep;
+	const prefix = path.join(domain.name, type) + path.sep;
 	if (filename.startsWith(prefix)) {
 		relFile = filename.slice(prefix.length);
 	}
@@ -135,22 +137,20 @@ async function _load_template(
 	}
 
 	try {
-		const baseUserPath = path.join(store.configpath, user.idname);
-		const templateKey = path.relative(baseUserPath, absPath);
+		const baseConfigPath = store.configpath;
+		const templateKey = path.relative(baseConfigPath, absPath);
 		if (!templateKey) {
 			throw new Error(`Unable to resolve template path for "${absPath}"`);
 		}
 
-		const processor = new Unyuck({ basePath: baseUserPath });
+		const processor = new Unyuck({ basePath: baseConfigPath });
 		const merged = processor.flattenNoAssets(templateKey);
 
 		const { html, assets } = extractAndReplaceAssets(merged, {
-			basePath: path.join(store.configpath, user.idname),
-			type,
+			basePath: baseConfigPath,
 			domainName: domain.name,
-			locale,
 			apiUrl: store.env.API_URL,
-			idname: user.idname
+			assetRoute: store.env.ASSET_ROUTE
 		});
 
 		return { html, assets };

package/src/models/txmail.ts

@@ -56,12 +56,12 @@ export async function upsert_txmail(record: api_txmail_type): Promise<api_txmail
 	}
 
 	if (!record.filename) {
-		const parts = [idname, dname, 'tx-template'];
+		const parts = [dname, 'tx-template'];
 		if (locale) parts.push(locale);
 		parts.push(name);
 		record.filename = path.join(...parts);
 	} else {
-		record.filename = path.join(idname, dname, 'tx-template', record.filename);
+		record.filename = path.join(dname, 'tx-template', record.filename);
 	}
 	if (!record.filename.endsWith('.njk')) {
 		record.filename += '.njk';
@@ -175,15 +175,14 @@ export async function init_api_txmail(api_db: Sequelize): Promise<typeof api_txm
 
 		console.log('HERE');
 
-		const idname = normalizeSlug(user.idname);
 		const dname = normalizeSlug(domain.name);
 		const name = normalizeSlug(template.name);
 		const locale = normalizeSlug(template.locale || domain.locale || user.locale || '');
 
-		template.slug ||= `${idname}-${dname}${locale ? '-' + locale : ''}-${name}`;
+		template.slug ||= `${normalizeSlug(user.idname)}-${dname}${locale ? '-' + locale : ''}-${name}`;
 
 		if (!template.filename) {
-			const parts = [idname, dname, 'tx-template'];
+			const parts = [dname, 'tx-template'];
 			if (locale) parts.push(locale);
 			parts.push(name);
 			template.filename = parts.join('/');

package/src/store/envloader.ts

@@ -29,31 +29,14 @@ export const envOptions = defineEnvOptions({
 		description: 'Sets the public URL for the API (i.e. https://ml.example.com:3790)',
 		default: 'http://localhost:3776'
 	},
+	ASSET_ROUTE: {
+		description: 'Route prefix exposed for config assets',
+		default: '/asset'
+	},
 	CONFIG_PATH: {
 		description: 'Path to directory where config files are located',
 		default: './config/'
 	},
-	/*
-	SWAGGER_ENABLE: {
-		description: 'Enable Swagger API docs',
-		default: 'false',
-		type: 'boolean'
-	},
-	SWAGGER_PATH: {
-		description: 'Path for swagger api docs',
-		default: '/api-docs'
-	},
-	*/
-	/*
-	JWT_SECRET: {
-		description: 'Secret key for generating JWT access tokens',
-		required: true
-	},
-	JWT_REFRESH: {
-		description: 'Secret key for generating JWT refresh tokens',
-		required: true
-	},
-	*/
 	DB_USER: {
 		description: 'Database username for API database'
 	},

package/src/util.ts

@@ -109,3 +109,29 @@ export function buildRequestMeta(rawReq: unknown): RequestMeta {
 		ip_chain: uniqueIps
 	};
 }
+
+export function decodeComponent(value: string | undefined): string {
+	if (!value) {
+		return '';
+	}
+	try {
+		return decodeURIComponent(value);
+	} catch {
+		return value;
+	}
+}
+
+export function sendFileAsync(
+	res: { sendFile: (path: string, cb: (err?: Error | null) => void) => void },
+	file: string
+): Promise<void> {
+	return new Promise((resolve, reject) => {
+		res.sendFile(file, (err) => {
+			if (err) {
+				reject(err);
+			} else {
+				resolve();
+			}
+		});
+	});
+}

package/test1.sh

@@ -1,13 +0,0 @@
-#!/bin/sh
-
-curl -X POST http://localhost:3776/api/v1/form/message \
-  -F "formid=testform" \
-  -F "domain=ml.yesmedia.no" \
-  -F "vars={\"x\":\"y\"}" \
-  -F "attachment1=@./tsconfig.json" \
-  -F "attachment2=@./config/testuser/ml.yesmedia.no/form-template/assets/3075977.png"
- 
-#  -F "rcpt=bjornjac@pm.me" \
-#  -H "Authorization: Bearer apikey-j82lkIOjUuj34sd" \
-
-