@technomoron/mail-magic 1.0.5 → 1.0.8

package/dist/api/mailer.js

@@ -15,7 +15,7 @@ export class MailerAPI extends ApiModule {
         if (parsed) {
             return parsed.address;
         }
-        return null;
+        return undefined;
     }
     //
     // Validate a set of email addresses. Return arrays of invalid
@@ -51,6 +51,9 @@ export class MailerAPI extends ApiModule {
         if (!dbdomain) {
             throw new ApiError({ code: 401, message: `Unable to look up the domain ${domain}` });
         }
+        if (dbdomain.user_id !== user.user_id) {
+            throw new ApiError({ code: 403, message: `Domain ${domain} is not owned by this user` });
+        }
         apireq.domain = dbdomain;
         apireq.locale = locale || 'en';
         apireq.user = user;
@@ -85,7 +88,7 @@ export class MailerAPI extends ApiModule {
             const [templateRecord, created] = await api_txmail.upsert(data, {
                 returning: true
             });
-            console.log('Template upserted:', templateRecord.name, 'Created:', created);
+            this.server.storage.print_debug(`Template upserted: ${templateRecord.name} (created=${created})`);
         }
         catch (error) {
             throw new ApiError({
@@ -98,7 +101,7 @@ export class MailerAPI extends ApiModule {
     // Send a template using posted arguments.
     async post_send(apireq) {
         await this.assert_domain_and_user(apireq);
-        const { name, rcpt, domain = '', locale = '', vars = {} } = apireq.req.body;
+        const { name, rcpt, domain = '', locale = '', vars = {}, replyTo, reply_to, headers } = apireq.req.body;
         if (!name || !rcpt || !domain) {
             throw new ApiError({ code: 400, message: 'name/rcpt/domain required' });
         }
@@ -107,7 +110,7 @@ export class MailerAPI extends ApiModule {
             try {
                 parsedVars = JSON.parse(vars);
             }
-            catch (error) {
+            catch {
                 throw new ApiError({ code: 400, message: 'Invalid JSON provided in "vars"' });
             }
         }
@@ -118,7 +121,7 @@ export class MailerAPI extends ApiModule {
             throw new ApiError({ code: 400, message: 'Invalid email address(es): ' + invalid.join(',') });
         }
         let template = null;
-        const deflocale = apireq.server.store.deflocale || '';
+        const deflocale = this.server.storage.deflocale || '';
         const domain_id = apireq.domain.domain_id;
         try {
             template =
@@ -159,8 +162,29 @@ export class MailerAPI extends ApiModule {
         for (const file of rawFiles) {
             attachmentMap[file.fieldname] = file.originalname;
         }
-        console.log(JSON.stringify({ vars, thevars }, undefined, 2));
+        this.server.storage.print_debug(`Template vars: ${JSON.stringify({ vars, thevars }, undefined, 2)}`);
         const meta = buildRequestMeta(apireq.req);
+        const replyToValue = (replyTo || reply_to);
+        let normalizedReplyTo;
+        if (replyToValue) {
+            normalizedReplyTo = this.validateEmail(replyToValue);
+            if (!normalizedReplyTo) {
+                throw new ApiError({ code: 400, message: 'Invalid reply-to email address' });
+            }
+        }
+        let normalizedHeaders;
+        if (headers !== undefined) {
+            if (!headers || typeof headers !== 'object' || Array.isArray(headers)) {
+                throw new ApiError({ code: 400, message: 'headers must be a key/value object' });
+            }
+            normalizedHeaders = {};
+            for (const [key, value] of Object.entries(headers)) {
+                if (typeof value !== 'string') {
+                    throw new ApiError({ code: 400, message: `headers.${key} must be a string` });
+                }
+                normalizedHeaders[key] = value;
+            }
+        }
         try {
             const env = new nunjucks.Environment(null, { autoescape: false });
             const compiled = nunjucks.compile(template.template, env);
@@ -180,9 +204,11 @@ export class MailerAPI extends ApiModule {
                     subject: template.subject || apireq.req.body.subject || '',
                     html,
                     text,
-                    attachments
+                    attachments,
+                    ...(normalizedReplyTo ? { replyTo: normalizedReplyTo } : {}),
+                    ...(normalizedHeaders ? { headers: normalizedHeaders } : {})
                 };
-                await apireq.server.storage.transport.sendMail(sendargs);
+                await this.server.storage.transport.sendMail(sendargs);
             }
             return [200, { Status: 'OK', Message: 'Emails sent successfully' }];
         }

package/dist/index.js

@@ -1,4 +1,5 @@
 import { pathToFileURL } from 'node:url';
+import { AssetAPI } from './api/assets.js';
 import { FormAPI } from './api/forms.js';
 import { MailerAPI } from './api/mailer.js';
 import { mailApiServer } from './server.js';
@@ -10,13 +11,16 @@ function buildServerConfig(store, overrides) {
         apiPort: env.API_PORT,
         uploadPath: env.UPLOAD_PATH,
         debug: env.DEBUG,
+        apiBasePath: '',
+        swaggerEnabled: env.SWAGGER_ENABLED,
+        swaggerPath: env.SWAGGER_PATH,
         ...overrides
     };
 }
 export async function createMailMagicServer(overrides = {}) {
     const store = await new mailStore().init();
     const config = buildServerConfig(store, overrides);
-    const server = new mailApiServer(config, store).api(new MailerAPI()).api(new FormAPI());
+    const server = new mailApiServer(config, store).api(new MailerAPI()).api(new FormAPI()).api(new AssetAPI());
     return { server, store, env: store.env };
 }
 export async function startMailMagicServer(overrides = {}) {

package/dist/models/form.js

@@ -128,6 +128,16 @@ export async function init_api_form(api_db) {
     });
     return api_form;
 }
+function assertSafeRelativePath(filename, label) {
+    const normalized = path.normalize(filename);
+    if (path.isAbsolute(normalized)) {
+        throw new Error(`${label} path must be relative`);
+    }
+    if (normalized.split(path.sep).includes('..')) {
+        throw new Error(`${label} path cannot include '..' segments`);
+    }
+    return normalized;
+}
 export async function upsert_form(record) {
     const { user, domain } = await user_and_domain(record.domain_id);
     const idname = normalizeSlug(user.idname);
@@ -150,7 +160,7 @@ export async function upsert_form(record) {
     if (!record.filename.endsWith('.njk')) {
         record.filename += '.njk';
     }
-    record.filename = path.normalize(record.filename);
+    record.filename = assertSafeRelativePath(record.filename, 'Form filename');
     let instance = null;
     instance = await api_form.findByPk(record.form_id);
     if (instance) {

package/dist/models/init.js

@@ -14,34 +14,42 @@ const init_data_schema = z.object({
     form: z.array(api_form_schema).default([])
 });
 /**
- * Resolve an asset file within ./config/<userid>/<domain>/<type>/assets
+ * Resolve an asset file within ./config/<domain>/assets
  */
-function resolveAsset(basePath, type, domainName, assetName, locale) {
-    const searchPaths = [];
-    // always domain-scoped
-    if (locale) {
-        searchPaths.push(path.join(domainName, type, locale));
+function resolveAsset(basePath, domainName, assetName) {
+    const assetsRoot = path.join(basePath, domainName, 'assets');
+    if (!fs.existsSync(assetsRoot)) {
+        return null;
     }
-    searchPaths.push(path.join(domainName, type));
-    // no domain fallback → do not leak assets between domains
-    // but allow locale fallbacks inside type
-    if (locale) {
-        searchPaths.push(path.join(type, locale));
+    const resolvedRoot = fs.realpathSync(assetsRoot);
+    const normalizedRoot = resolvedRoot.endsWith(path.sep) ? resolvedRoot : resolvedRoot + path.sep;
+    const candidate = path.resolve(assetsRoot, assetName);
+    if (!fs.existsSync(candidate) || !fs.statSync(candidate).isFile()) {
+        return null;
     }
-    searchPaths.push(type);
-    for (const p of searchPaths) {
-        const candidate = path.join(basePath, p, 'assets', assetName);
-        if (fs.existsSync(candidate)) {
-            return candidate;
-        }
+    const realCandidate = fs.realpathSync(candidate);
+    if (!realCandidate.startsWith(normalizedRoot)) {
+        return null;
     }
-    return null;
+    return realCandidate;
+}
+function buildAssetUrl(baseUrl, route, domainName, assetPath) {
+    const trimmedBase = baseUrl.endsWith('/') ? baseUrl.slice(0, -1) : baseUrl;
+    const normalizedRoute = route.startsWith('/') ? route : `/${route}`;
+    const encodedDomain = encodeURIComponent(domainName);
+    const encodedPath = assetPath
+        .split('/')
+        .filter((segment) => segment.length > 0)
+        .map((segment) => encodeURIComponent(segment))
+        .join('/');
+    const trailing = encodedPath ? `/${encodedPath}` : '';
+    return `${trimmedBase}${normalizedRoute}/${encodedDomain}${trailing}`;
 }
 function extractAndReplaceAssets(html, opts) {
     const regex = /src=["']asset\(['"]([^'"]+)['"](?:,\s*(true|false|[01]))?\)["']/g;
     const assets = [];
     const replacedHtml = html.replace(regex, (_m, relPath, inlineFlag) => {
-        const fullPath = resolveAsset(opts.basePath, opts.type, opts.domainName, relPath, opts.locale ?? undefined);
+        const fullPath = resolveAsset(opts.basePath, opts.domainName, relPath);
         if (!fullPath) {
             throw new Error(`Missing asset "${relPath}"`);
         }
@@ -52,13 +60,17 @@ function extractAndReplaceAssets(html, opts) {
             cid: isInline ? relPath : undefined
         };
         assets.push(storedFile);
-        return isInline
-            ? `src="cid:${relPath}"`
-            : `src="${opts.apiUrl}/image/${opts.idname}/${opts.type}/` +
-                `${opts.domainName ? opts.domainName + '/' : ''}` +
-                `${opts.locale ? opts.locale + '/' : ''}` +
-                relPath +
-                '"';
+        if (isInline) {
+            return `src="cid:${relPath}"`;
+        }
+        const domainAssetsRoot = path.join(opts.basePath, opts.domainName, 'assets');
+        const relativeToAssets = path.relative(domainAssetsRoot, fullPath);
+        if (!relativeToAssets || relativeToAssets.startsWith('..')) {
+            throw new Error(`Asset path escapes domain assets directory: ${fullPath}`);
+        }
+        const normalizedAssetPath = relativeToAssets.split(path.sep).join('/');
+        const assetUrl = buildAssetUrl(opts.apiUrl, opts.assetRoute, opts.domainName, normalizedAssetPath);
+        return `src="${assetUrl}"`;
     });
     return { html: replacedHtml, assets };
 }
@@ -69,8 +81,10 @@ async function _load_template(store, filename, pathname, user, domain, locale, t
     if (filename.startsWith(prefix)) {
         relFile = filename.slice(prefix.length);
     }
-    const absPath = path.resolve(rootDir, pathname || '', relFile);
-    if (!absPath.startsWith(rootDir)) {
+    const resolvedRoot = path.resolve(rootDir);
+    const normalizedRoot = resolvedRoot.endsWith(path.sep) ? resolvedRoot : resolvedRoot + path.sep;
+    const absPath = path.resolve(resolvedRoot, pathname || '', relFile);
+    if (!absPath.startsWith(normalizedRoot)) {
         throw new Error(`Invalid template path "${filename}"`);
     }
     if (!fs.existsSync(absPath)) {
@@ -90,11 +104,9 @@ async function _load_template(store, filename, pathname, user, domain, locale, t
         const merged = processor.flattenNoAssets(templateKey);
         const { html, assets } = extractAndReplaceAssets(merged, {
             basePath: baseConfigPath,
-            type,
             domainName: domain.name,
-            locale,
             apiUrl: store.env.API_URL,
-            idname: user.idname
+            assetRoute: store.env.ASSET_ROUTE
         });
         return { html, assets };
     }

package/dist/models/txmail.js

@@ -23,6 +23,16 @@ export const api_txmail_schema = z.object({
 });
 export class api_txmail extends Model {
 }
+function assertSafeRelativePath(filename, label) {
+    const normalized = path.normalize(filename);
+    if (path.isAbsolute(normalized)) {
+        throw new Error(`${label} path must be relative`);
+    }
+    if (normalized.split(path.sep).includes('..')) {
+        throw new Error(`${label} path cannot include '..' segments`);
+    }
+    return normalized;
+}
 export async function upsert_txmail(record) {
     const { user, domain } = await user_and_domain(record.domain_id);
     const idname = normalizeSlug(user.idname);
@@ -45,7 +55,7 @@ export async function upsert_txmail(record) {
     if (!record.filename.endsWith('.njk')) {
         record.filename += '.njk';
     }
-    record.filename = path.normalize(record.filename);
+    record.filename = assertSafeRelativePath(record.filename, 'Template filename');
     const [instance] = await api_txmail.upsert(record);
     return instance;
 }
@@ -91,7 +101,7 @@ export async function init_api_txmail(api_db) {
             unique: false
         },
         template: {
-            type: DataTypes.STRING,
+            type: DataTypes.TEXT,
             allowNull: false,
             defaultValue: ''
         },
@@ -145,7 +155,6 @@ export async function init_api_txmail(api_db) {
     });
     api_txmail.addHook('beforeValidate', async (template) => {
         const { user, domain } = await user_and_domain(template.domain_id);
-        console.log('HERE');
         const dname = normalizeSlug(domain.name);
         const name = normalizeSlug(template.name);
         const locale = normalizeSlug(template.locale || domain.locale || user.locale || '');
@@ -160,7 +169,7 @@ export async function init_api_txmail(api_db) {
         if (!template.filename.endsWith('.njk')) {
             template.filename += '.njk';
         }
-        console.log(`FILENAME IS: ${template.filename}`);
+        template.filename = assertSafeRelativePath(template.filename, 'Template filename');
     });
     return api_txmail;
 }

package/dist/store/envloader.js

@@ -28,31 +28,23 @@ export const envOptions = defineEnvOptions({
         description: 'Sets the public URL for the API (i.e. https://ml.example.com:3790)',
         default: 'http://localhost:3776'
     },
-    CONFIG_PATH: {
-        description: 'Path to directory where config files are located',
-        default: './config/'
-    },
-    /*
-    SWAGGER_ENABLE: {
-        description: 'Enable Swagger API docs',
-        default: 'false',
-        type: 'boolean'
+    SWAGGER_ENABLED: {
+        description: 'Enable the Swagger/OpenAPI endpoint',
+        type: 'boolean',
+        default: false
     },
     SWAGGER_PATH: {
-        description: 'Path for swagger api docs',
-        default: '/api-docs'
+        description: 'Path to expose the Swagger/OpenAPI spec (default: /api/swagger when enabled)',
+        default: ''
     },
-    */
-    /*
-    JWT_SECRET: {
-        description: 'Secret key for generating JWT access tokens',
-        required: true
+    ASSET_ROUTE: {
+        description: 'Route prefix exposed for config assets',
+        default: '/asset'
     },
-    JWT_REFRESH: {
-        description: 'Secret key for generating JWT refresh tokens',
-        required: true
+    CONFIG_PATH: {
+        description: 'Path to directory where config files are located',
+        default: './config/'
     },
-    */
     DB_USER: {
         description: 'Database username for API database'
     },

package/dist/store/store.js

@@ -37,6 +37,7 @@ export class mailStore {
     api_db = null;
     keys = {};
     configpath = '';
+    deflocale;
     print_debug(msg) {
         if (this.env.DEBUG) {
             console.log(msg);

package/dist/util.js

@@ -92,3 +92,26 @@ export function buildRequestMeta(rawReq) {
         ip_chain: uniqueIps
     };
 }
+export function decodeComponent(value) {
+    if (!value) {
+        return '';
+    }
+    try {
+        return decodeURIComponent(value);
+    }
+    catch {
+        return value;
+    }
+}
+export function sendFileAsync(res, file) {
+    return new Promise((resolve, reject) => {
+        res.sendFile(file, (err) => {
+            if (err) {
+                reject(err);
+            }
+            else {
+                resolve();
+            }
+        });
+    });
+}

package/eslint.config.mjs

@@ -1,9 +1,45 @@
+import tsPlugin from '@typescript-eslint/eslint-plugin';
 import tsParser from '@typescript-eslint/parser';
-import { defineConfigWithVueTs, vueTsConfigs } from '@vue/eslint-config-typescript';
+import eslintConfigPrettier from 'eslint-config-prettier/flat';
 import pluginImport from 'eslint-plugin-import';
-import pluginPrettier from 'eslint-plugin-prettier';
-import pluginVue from 'eslint-plugin-vue';
 import jsoncParser from 'jsonc-eslint-parser';
+const TS_FILE_GLOBS = ['**/*.{ts,tsx,mts,cts,vue}'];
+const TS_PLUGIN_FILE_GLOBS = ['**/*.{ts,tsx,mts,cts,js,mjs,cjs,vue}'];
+const VUE_FILE_GLOBS = ['**/*.vue'];
+
+const { hasVueSupport, pluginVue, vueTypeScriptConfigs } = await loadVueSupport();
+const scopedVueTypeScriptConfigs = hasVueSupport
+	? scopeVueConfigs(vueTypeScriptConfigs).map(stripTypeScriptPlugin)
+	: [];
+const vueSpecificBlocks = hasVueSupport
+	? [
+			...scopedVueTypeScriptConfigs,
+			{
+				files: VUE_FILE_GLOBS,
+				plugins: {
+					vue: pluginVue
+				},
+				rules: {
+					'vue/html-indent': 'off', // Let Prettier handle indentation
+					'vue/max-attributes-per-line': 'off', // Let Prettier handle line breaks
+					'vue/first-attribute-linebreak': 'off', // Let Prettier handle attribute positioning
+					'vue/singleline-html-element-content-newline': 'off',
+					'vue/html-self-closing': [
+						'error',
+						{
+							html: {
+								void: 'always',
+								normal: 'always',
+								component: 'always'
+							}
+						}
+					],
+					'vue/multi-word-component-names': 'off', // Disable multi-word name restriction
+					'vue/attribute-hyphenation': ['error', 'always']
+				}
+			}
+		]
+	: [];
 
 export default [
 	{
@@ -12,54 +48,31 @@ export default [
 			'dist',
 			'.output',
 			'.nuxt',
+			'.netlify',
+			'node_modules/.netlify',
+			'4000/.nuxt',
 			'coverage',
 			'**/*.d.ts',
+			'configure-eslint.cjs',
 			'configure-eslint.js',
 			'*.config.js',
-			'*.config.ts',
 			'public'
 		]
 	},
-	...defineConfigWithVueTs(vueTsConfigs.recommended),
 	{
-		files: ['**/*.vue'],
+		files: TS_PLUGIN_FILE_GLOBS,
 		plugins: {
-			vue: pluginVue,
-			prettier: pluginPrettier
-		},
-		rules: {
-			'prettier/prettier': 'error', // Enforce Prettier rules
-			'vue/html-indent': 'off', // Let Prettier handle indentation
-			'vue/max-attributes-per-line': 'off', // Let Prettier handle line breaks
-			'vue/first-attribute-linebreak': 'off', // Let Prettier handle attribute positioning
-			'vue/singleline-html-element-content-newline': 'off',
-			'vue/html-self-closing': [
-				'error',
-				{
-					html: {
-						void: 'always',
-						normal: 'always',
-						component: 'always'
-					}
-				}
-			],
-			'vue/multi-word-component-names': 'off', // Disable multi-word name restriction
-			'vue/attribute-hyphenation': ['error', 'always']
+			'@typescript-eslint': tsPlugin
 		}
 	},
+	...vueSpecificBlocks,
 	{
-		files: ['*.json'],
+		files: ['**/*.json'],
 		languageOptions: {
 			parser: jsoncParser
 		},
-		plugins: {
-			prettier: pluginPrettier
-		},
 		rules: {
-			quotes: ['error', 'double'], // Enforce double quotes in JSON
-			'prettier/prettier': 'error',
-			'@typescript-eslint/no-unused-expressions': 'off',
-			'@typescript-eslint/no-unused-vars': 'off'
+			quotes: ['error', 'double'] // Enforce double quotes in JSON
 		}
 	},
 	{
@@ -79,15 +92,9 @@ export default [
 			}
 		},
 		plugins: {
-			prettier: pluginPrettier,
 			import: pluginImport
 		},
 		rules: {
-			indent: ['error', 'tab', { SwitchCase: 1 }], // Use tabs for JS/TS
-			quotes: ['warn', 'single', { avoidEscape: true }], // Prefer single quotes
-			semi: ['error', 'always'], // Enforce semicolons
-			'comma-dangle': 'off', // Disable trailing commas
-			'prettier/prettier': 'error', // Enforce Prettier rules
 			'import/order': [
 				'error',
 				{
@@ -100,5 +107,90 @@ export default [
 			'@typescript-eslint/no-unused-vars': ['warn'],
 			'@typescript-eslint/no-require-imports': 'off'
 		}
+	},
+	{
+		...eslintConfigPrettier
 	}
 ];
+
+async function loadVueSupport() {
+	try {
+		const [vuePluginModule, vueConfigModule] = await Promise.all([
+			import('eslint-plugin-vue'),
+			import('@vue/eslint-config-typescript')
+		]);
+
+		const pluginVue = unwrapDefault(vuePluginModule);
+		const { defineConfigWithVueTs, vueTsConfigs } = vueConfigModule;
+		const configs = defineConfigWithVueTs(vueTsConfigs.recommended);
+
+		return {
+			hasVueSupport: Boolean(pluginVue && configs.length),
+			pluginVue,
+			vueTypeScriptConfigs: configs
+		};
+	} catch (error) {
+		if (isModuleNotFoundError(error)) {
+			return {
+				hasVueSupport: false,
+				pluginVue: null,
+				vueTypeScriptConfigs: []
+			};
+		}
+
+		throw error;
+	}
+}
+
+function scopeVueConfigs(configs) {
+	return configs.map((config) => {
+		const files = config.files ?? [];
+		const referencesOnlyVueFiles = files.length > 0 && files.every((pattern) => pattern.includes('.vue'));
+		const hasVuePlugin = Boolean(config.plugins?.vue);
+
+		if (hasVuePlugin || referencesOnlyVueFiles) {
+			return {
+				...config,
+				files: VUE_FILE_GLOBS
+			};
+		}
+
+		return {
+			...config,
+			files: TS_FILE_GLOBS
+		};
+	});
+}
+
+function stripTypeScriptPlugin(config) {
+	const { plugins = {}, ...rest } = config;
+
+	if (!plugins['@typescript-eslint']) {
+		return config;
+	}
+
+	const otherPlugins = { ...plugins };
+	delete otherPlugins['@typescript-eslint'];
+	const hasOtherPlugins = Object.keys(otherPlugins).length > 0;
+
+	return {
+		...rest,
+		...(hasOtherPlugins ? { plugins: otherPlugins } : {})
+	};
+}
+
+function unwrapDefault(module) {
+	return module?.default ?? module;
+}
+
+function isModuleNotFoundError(error) {
+	if (!error) {
+		return false;
+	}
+
+	if (error.code === 'ERR_MODULE_NOT_FOUND' || error.code === 'MODULE_NOT_FOUND') {
+		return true;
+	}
+
+	return typeof error.message === 'string' && error.message.includes('Cannot find module');
+}