@technomoron/mail-magic 1.0.5 → 1.0.8

package/lintconfig.cjs

@@ -0,0 +1,81 @@
+#!/usr/bin/env node
+const { execSync, spawnSync } = require('child_process');
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
+
+const RELEASE_API_URL = 'https://api.github.com/repos/technomoron/vscode-eslint-defaults/releases/latest';
+const INSTALLER_ASSET_NAME = 'installer.tgz';
+
+async function fetch_json(url) {
+	const response = await fetch(url, {
+		headers: {
+			'User-Agent': 'vscode-eslint-defaults-lintconfig',
+			Accept: 'application/vnd.github+json'
+		}
+	});
+
+	if (!response.ok) {
+		throw new Error(`Failed to fetch ${url}: ${response.status} ${response.statusText}`);
+	}
+
+	return response.json();
+}
+
+async function download_asset(url, destination) {
+	const response = await fetch(url, {
+		headers: {
+			'User-Agent': 'vscode-eslint-defaults-lintconfig'
+		}
+	});
+
+	if (!response.ok) {
+		throw new Error(`Failed to download ${url}: ${response.status} ${response.statusText}`);
+	}
+
+	const buffer = Buffer.from(await response.arrayBuffer());
+	fs.writeFileSync(destination, buffer);
+}
+
+async function run() {
+	const release = await fetch_json(RELEASE_API_URL);
+	const assets = Array.isArray(release.assets) ? release.assets : [];
+	const asset = assets.find((item) => item.name === INSTALLER_ASSET_NAME);
+
+	if (!asset?.browser_download_url) {
+		throw new Error('Latest release does not include installer.tgz.');
+	}
+
+	const temp_dir = fs.mkdtempSync(path.join(os.tmpdir(), 'lintconfig-'));
+	const tgz_path = path.join(temp_dir, INSTALLER_ASSET_NAME);
+	const args = process.argv.slice(2);
+	let exit_code = 0;
+
+	try {
+		await download_asset(asset.browser_download_url, tgz_path);
+		execSync(`tar -xzf "${tgz_path}" -C "${process.cwd()}"`, { stdio: 'inherit' });
+
+		const configure_path = path.join(process.cwd(), 'configure-eslint.cjs');
+		if (!fs.existsSync(configure_path)) {
+			throw new Error('configure-eslint.cjs not found after extraction.');
+		}
+
+		const result = spawnSync(process.execPath, [configure_path, ...args], { stdio: 'inherit' });
+		if (result.status !== 0) {
+			exit_code = result.status ?? 1;
+		} else {
+			fs.unlinkSync(configure_path);
+		}
+	} finally {
+		fs.rmSync(temp_dir, { recursive: true, force: true });
+	}
+
+	if (exit_code !== 0) {
+		process.exit(exit_code);
+	}
+}
+
+run().catch((error) => {
+	console.error(error.message || error);
+	process.exit(1);
+});

package/package.json

@@ -1,23 +1,34 @@
 {
 	"name": "@technomoron/mail-magic",
-	"version": "1.0.5",
+	"version": "1.0.8",
 	"main": "dist/index.js",
 	"type": "module",
 	"repository": {
 		"type": "git",
 		"url": "git+https://github.com/technomoron/mail-magic.git"
 	},
+	"pnpm": {
+		"onlyBuiltDependencies": [
+			"core-js",
+			"@scarf/scarf",
+			"esbuild",
+			"sqlite3"
+		]
+	},
 	"scripts": {
 		"start": "node dist/index.js",
 		"dev": "NODE_ENV=development nodemon --watch 'src/**/*.ts' --watch 'config/**/*.*' --watch '.env' --exec 'tsx' src/index.ts",
 		"run": "NODE_ENV=production npm run start",
 		"build": "tsc",
+		"test": "vitest run",
+		"test:watch": "vitest",
 		"scrub": "rm -rf ./node_modules/ ./dist/ pnpm-lock.yaml",
-		"lint": "eslint --ext .js,.cjs,.mjs,.ts,.mts,.tsx,.vue ./",
-		"lintfix": "eslint --fix --ext .js,.cjs,.mjs,.ts,.mts,.tsx,.vue ./",
-		"pretty": "prettier --write \"**/*.{js,jsx,cjs,mjs,ts,tsx,mts,vue,json,css,scss,md}\"",
+		"lint": "eslint --no-error-on-unmatched-pattern --ext .js,.cjs,.mjs,.ts,.mts,.tsx,.vue,.json ./",
+		"lintfix": "eslint --fix --no-error-on-unmatched-pattern --ext .js,.cjs,.mjs,.ts,.mts,.tsx,.vue,.json ./",
+		"pretty": "prettier --write \"**/*.{js,jsx,cjs,mjs,ts,tsx,mts,vue,json,md}\"",
 		"format": "npm run lintfix && npm run pretty",
-		"cleanbuild": "rm -rf ./dist/ && npm run lintfix && npm run format && npm run build"
+		"cleanbuild": "rm -rf ./dist/ && npm run format && npm run build",
+		"lintconfig": "node lintconfig.cjs"
 	},
 	"keywords": [],
 	"author": "Bjørn Erik Jacobsen",
@@ -27,7 +38,7 @@
 		"url": "https://github.com/technomoron/mail-magic/issues"
 	},
 	"dependencies": {
-		"@technomoron/api-server-base": "^1.0.40",
+		"@technomoron/api-server-base": "2.0.0-beta.15",
 		"@technomoron/env-loader": "^1.0.8",
 		"@technomoron/unyuck": "^1.0.4",
 		"bcryptjs": "^3.0.2",
@@ -45,23 +56,22 @@
 		"@types/html-to-text": "^9.0.4",
 		"@types/nodemailer": "^6.4.19",
 		"@types/nunjucks": "^3.2.6",
-		"@typescript-eslint/eslint-plugin": "8.44.1",
-		"@typescript-eslint/parser": "8.44.1",
-		"@vue/eslint-config-prettier": "10.2.0",
-		"@vue/eslint-config-typescript": "^14.6.0",
-		"eslint": "9.36.0",
-		"eslint-config-prettier": "10.1.8",
-		"eslint-import-resolver-alias": "1.1.2",
-		"eslint-plugin-import": "2.32.0",
-		"eslint-plugin-nuxt": "4.0.0",
-		"eslint-plugin-prettier": "5.5.4",
-		"eslint-plugin-vue": "^10.5.0",
+		"@types/supertest": "^6.0.3",
+		"@typescript-eslint/eslint-plugin": "^8.50.1",
+		"@typescript-eslint/parser": "^8.50.1",
+		"eslint": "^9.39.2",
+		"eslint-config-prettier": "^10.1.8",
+		"eslint-plugin-import": "^2.32.0",
 		"jsonc-eslint-parser": "^2.4.1",
+		"mailparser": "^3.9.1",
 		"nodemon": "^3.1.10",
-		"prettier": "3.6.2",
+		"prettier": "^3.7.4",
+		"smtp-server": "^3.18.0",
+		"supertest": "^7.1.4",
 		"tsx": "^4.20.5",
 		"typescript": "^5.9.2",
-		"vue-eslint-parser": "^10.2.0"
+		"vitest": "^4.0.16"
 	},
-	"homepage": "https://github.com/technomoron/mail-magic#readme"
+	"homepage": "https://github.com/technomoron/mail-magic#readme",
+	"packageManager": "pnpm@10.26.1+sha512.664074abc367d2c9324fdc18037097ce0a8f126034160f709928e9e9f95d98714347044e5c3164d65bd5da6c59c6be362b107546292a8eecb7999196e5ce58fa"
 }

package/src/api/assets.ts

@@ -0,0 +1,92 @@
+import fs from 'fs';
+import path from 'path';
+
+import { ApiError, ApiModule, ApiRoute } from '@technomoron/api-server-base';
+
+import { mailApiServer } from '../server.js';
+import { decodeComponent, sendFileAsync } from '../util.js';
+
+import type { ApiRequest } from '@technomoron/api-server-base';
+
+const DOMAIN_PATTERN = /^[a-z0-9][a-z0-9._-]*$/i;
+const SEGMENT_PATTERN = /^[a-zA-Z0-9._-]+$/;
+
+export class AssetAPI extends ApiModule<mailApiServer> {
+	private async getAsset(apiReq: ApiRequest): Promise<[number, null]> {
+		const domain = decodeComponent(apiReq.req.params.domain);
+		if (!domain || !DOMAIN_PATTERN.test(domain)) {
+			throw new ApiError({ code: 404, message: 'Asset not found' });
+		}
+
+		const rawPath = apiReq.req.params[0] ?? '';
+		const segments = rawPath
+			.split('/')
+			.filter(Boolean)
+			.map((segment: string) => decodeComponent(segment));
+		if (!segments.length || segments.some((segment) => !SEGMENT_PATTERN.test(segment))) {
+			throw new ApiError({ code: 404, message: 'Asset not found' });
+		}
+
+		const assetsRoot = path.join(this.server.storage.configpath, domain, 'assets');
+		if (!fs.existsSync(assetsRoot)) {
+			throw new ApiError({ code: 404, message: 'Asset not found' });
+		}
+		const resolvedRoot = fs.realpathSync(assetsRoot);
+		const normalizedRoot = resolvedRoot.endsWith(path.sep) ? resolvedRoot : resolvedRoot + path.sep;
+		const candidate = path.resolve(assetsRoot, path.join(...segments));
+
+		try {
+			const stats = await fs.promises.stat(candidate);
+			if (!stats.isFile()) {
+				throw new ApiError({ code: 404, message: 'Asset not found' });
+			}
+		} catch {
+			throw new ApiError({ code: 404, message: 'Asset not found' });
+		}
+
+		let realCandidate: string;
+		try {
+			realCandidate = await fs.promises.realpath(candidate);
+		} catch {
+			throw new ApiError({ code: 404, message: 'Asset not found' });
+		}
+		if (!realCandidate.startsWith(normalizedRoot)) {
+			throw new ApiError({ code: 404, message: 'Asset not found' });
+		}
+
+		const { res } = apiReq;
+		const originalStatus = res.status.bind(res);
+		const originalJson = res.json.bind(res);
+		res.status = ((code: number) => (res.headersSent ? res : originalStatus(code))) as typeof res.status;
+		res.json = ((body: unknown) => (res.headersSent ? res : originalJson(body))) as typeof res.json;
+
+		res.type(path.extname(realCandidate));
+		res.set('Cache-Control', 'public, max-age=300');
+
+		try {
+			await sendFileAsync(res, realCandidate);
+		} catch (err) {
+			this.server.storage.print_debug(
+				`Failed to serve asset ${domain}/${segments.join('/')}: ${err instanceof Error ? err.message : String(err)}`
+			);
+			if (!res.headersSent) {
+				throw new ApiError({ code: 500, message: 'Failed to stream asset' });
+			}
+		}
+
+		return [200, null];
+	}
+
+	override defineRoutes(): ApiRoute[] {
+		const route = this.server.storage.env.ASSET_ROUTE;
+		const normalizedRoute = route.startsWith('/') ? route : `/${route}`;
+		return [
+			{
+				method: 'get',
+				path: `${normalizedRoute}/:domain/*`,
+				handler: (apiReq) => this.getAsset(apiReq),
+				auth: { type: 'none', req: 'any' }
+			}
+		];
+	}
+}

package/src/api/forms.ts

@@ -1,6 +1,7 @@
 import path from 'path';
 
 import { ApiRoute, ApiRequest, ApiModule, ApiError } from '@technomoron/api-server-base';
+import emailAddresses, { ParsedMailbox } from 'email-addresses';
 import nunjucks from 'nunjucks';
 
 import { api_domain } from '../models/domain.js';
@@ -12,6 +13,14 @@ import { buildRequestMeta, normalizeSlug } from '../util.js';
 import type { mailApiRequest, UploadedFile } from '../types.js';
 
 export class FormAPI extends ApiModule<mailApiServer> {
+	private validateEmail(email: string): string | undefined {
+		const parsed = emailAddresses.parseOneAddress(email);
+		if (parsed) {
+			return (parsed as ParsedMailbox).address;
+		}
+		return undefined;
+	}
+
 	private async assertDomainAndUser(apireq: mailApiRequest): Promise<void> {
 		const { domain, locale } = apireq.req.body;
 
@@ -26,6 +35,9 @@ export class FormAPI extends ApiModule<mailApiServer> {
 		if (!dbdomain) {
 			throw new ApiError({ code: 401, message: `Unable to look up the domain ${domain}` });
 		}
+		if (dbdomain.user_id !== user.user_id) {
+			throw new ApiError({ code: 403, message: `Domain ${domain} is not owned by this user` });
+		}
 		apireq.domain = dbdomain;
 		apireq.locale = locale || 'en';
 		apireq.user = user;
@@ -107,7 +119,7 @@ export class FormAPI extends ApiModule<mailApiServer> {
 	}
 
 	private async postSendForm(apireq: ApiRequest): Promise<[number, Record<string, unknown>]> {
-		const { formid, secret, recipient, vars = {} } = apireq.req.body;
+		const { formid, secret, recipient, vars = {}, replyTo, reply_to } = apireq.req.body;
 
 		if (!formid) {
 			throw new ApiError({ code: 404, message: 'Missing formid field in form' });
@@ -127,12 +139,27 @@ export class FormAPI extends ApiModule<mailApiServer> {
 		if (recipient && !form.secret) {
 			throw new ApiError({ code: 401, message: "'recipient' parameterer requires form secret to be set" });
 		}
+		let normalizedReplyTo: string | undefined;
+		let normalizedRecipient: string | undefined;
+		const replyToValue = (replyTo || reply_to) as string | undefined;
+		if (replyToValue) {
+			normalizedReplyTo = this.validateEmail(replyToValue);
+			if (!normalizedReplyTo) {
+				throw new ApiError({ code: 400, message: 'Invalid reply-to email address' });
+			}
+		}
+		if (recipient) {
+			normalizedRecipient = this.validateEmail(String(recipient));
+			if (!normalizedRecipient) {
+				throw new ApiError({ code: 400, message: 'Invalid recipient email address' });
+			}
+		}
 
 		let parsedVars: unknown = vars ?? {};
 		if (typeof vars === 'string') {
 			try {
 				parsedVars = JSON.parse(vars);
-			} catch (error) {
+			} catch {
 				throw new ApiError({ code: 400, message: 'Invalid JSON provided in "vars"' });
 			}
 		}
@@ -172,16 +199,17 @@ export class FormAPI extends ApiModule<mailApiServer> {
 
 		const mailOptions = {
 			from: form.sender,
-			to: recipient || form.recipient,
+			to: normalizedRecipient || form.recipient,
 			subject: form.subject,
 			html,
-			attachments
+			attachments,
+			...(normalizedReplyTo ? { replyTo: normalizedReplyTo } : {})
 		};
 
 		try {
 			const info = await this.server.storage.transport!.sendMail(mailOptions);
 			this.server.storage.print_debug('Email sent: ' + info.response);
-		} catch (error) {
+		} catch (error: unknown) {
 			const errorMessage = error instanceof Error ? error.message : String(error);
 			this.server.storage.print_debug('Error sending email: ' + errorMessage);
 			return [500, { error: `Error sending email: ${errorMessage}` }];

package/src/api/mailer.ts

@@ -15,12 +15,12 @@ export class MailerAPI extends ApiModule<mailApiServer> {
 	//
 	// Validate and return the parsed email address
 	//
-	validateEmail(email: string): string | null {
+	validateEmail(email: string): string | undefined {
 		const parsed = emailAddresses.parseOneAddress(email);
 		if (parsed) {
 			return (parsed as ParsedMailbox).address;
 		}
-		return null;
+		return undefined;
 	}
 
 	//
@@ -61,6 +61,9 @@ export class MailerAPI extends ApiModule<mailApiServer> {
 		if (!dbdomain) {
 			throw new ApiError({ code: 401, message: `Unable to look up the domain ${domain}` });
 		}
+		if (dbdomain.user_id !== user.user_id) {
+			throw new ApiError({ code: 403, message: `Domain ${domain} is not owned by this user` });
+		}
 		apireq.domain = dbdomain;
 		apireq.locale = locale || 'en';
 		apireq.user = user;
@@ -102,7 +105,7 @@ export class MailerAPI extends ApiModule<mailApiServer> {
 			const [templateRecord, created] = await api_txmail.upsert(data, {
 				returning: true
 			});
-			console.log('Template upserted:', templateRecord.name, 'Created:', created);
+			this.server.storage.print_debug(`Template upserted: ${templateRecord.name} (created=${created})`);
 		} catch (error: unknown) {
 			throw new ApiError({
 				code: 500,
@@ -117,7 +120,7 @@ export class MailerAPI extends ApiModule<mailApiServer> {
 	private async post_send(apireq: mailApiRequest): Promise<[number, Record<string, unknown>]> {
 		await this.assert_domain_and_user(apireq);
 
-		const { name, rcpt, domain = '', locale = '', vars = {} } = apireq.req.body;
+		const { name, rcpt, domain = '', locale = '', vars = {}, replyTo, reply_to, headers } = apireq.req.body;
 
 		if (!name || !rcpt || !domain) {
 			throw new ApiError({ code: 400, message: 'name/rcpt/domain required' });
@@ -127,7 +130,7 @@ export class MailerAPI extends ApiModule<mailApiServer> {
 		if (typeof vars === 'string') {
 			try {
 				parsedVars = JSON.parse(vars);
-			} catch (error) {
+			} catch {
 				throw new ApiError({ code: 400, message: 'Invalid JSON provided in "vars"' });
 			}
 		}
@@ -140,7 +143,7 @@ export class MailerAPI extends ApiModule<mailApiServer> {
 			throw new ApiError({ code: 400, message: 'Invalid email address(es): ' + invalid.join(',') });
 		}
 		let template: api_txmail | null = null;
-		const deflocale = apireq.server.store.deflocale || '';
+		const deflocale = this.server.storage.deflocale || '';
 		const domain_id = apireq.domain!.domain_id;
 
 		try {
@@ -184,9 +187,31 @@ export class MailerAPI extends ApiModule<mailApiServer> {
 		for (const file of rawFiles) {
 			attachmentMap[file.fieldname] = file.originalname;
 		}
-		console.log(JSON.stringify({ vars, thevars }, undefined, 2));
+		this.server.storage.print_debug(`Template vars: ${JSON.stringify({ vars, thevars }, undefined, 2)}`);
 
 		const meta = buildRequestMeta(apireq.req);
+		const replyToValue = (replyTo || reply_to) as string | undefined;
+		let normalizedReplyTo: string | undefined;
+		if (replyToValue) {
+			normalizedReplyTo = this.validateEmail(replyToValue);
+			if (!normalizedReplyTo) {
+				throw new ApiError({ code: 400, message: 'Invalid reply-to email address' });
+			}
+		}
+
+		let normalizedHeaders: Record<string, string> | undefined;
+		if (headers !== undefined) {
+			if (!headers || typeof headers !== 'object' || Array.isArray(headers)) {
+				throw new ApiError({ code: 400, message: 'headers must be a key/value object' });
+			}
+			normalizedHeaders = {};
+			for (const [key, value] of Object.entries(headers as Record<string, unknown>)) {
+				if (typeof value !== 'string') {
+					throw new ApiError({ code: 400, message: `headers.${key} must be a string` });
+				}
+				normalizedHeaders[key] = value;
+			}
+		}
 
 		try {
 			const env = new nunjucks.Environment(null, { autoescape: false });
@@ -209,9 +234,11 @@ export class MailerAPI extends ApiModule<mailApiServer> {
 					subject: template.subject || apireq.req.body.subject || '',
 					html,
 					text,
-					attachments
+					attachments,
+					...(normalizedReplyTo ? { replyTo: normalizedReplyTo } : {}),
+					...(normalizedHeaders ? { headers: normalizedHeaders } : {})
 				};
-				await apireq.server.storage.transport.sendMail(sendargs);
+				await this.server.storage.transport!.sendMail(sendargs);
 			}
 			return [200, { Status: 'OK', Message: 'Emails sent successfully' }];
 		} catch (error: unknown) {

package/src/index.ts

@@ -1,5 +1,6 @@
 import { pathToFileURL } from 'node:url';
 
+import { AssetAPI } from './api/assets.js';
 import { FormAPI } from './api/forms.js';
 import { MailerAPI } from './api/mailer.js';
 import { mailApiServer } from './server.js';
@@ -22,6 +23,9 @@ function buildServerConfig(store: mailStore, overrides: MailMagicServerOptions):
 		apiPort: env.API_PORT,
 		uploadPath: env.UPLOAD_PATH,
 		debug: env.DEBUG,
+		apiBasePath: '',
+		swaggerEnabled: env.SWAGGER_ENABLED,
+		swaggerPath: env.SWAGGER_PATH,
 		...overrides
 	};
 }
@@ -29,7 +33,7 @@ function buildServerConfig(store: mailStore, overrides: MailMagicServerOptions):
 export async function createMailMagicServer(overrides: MailMagicServerOptions = {}): Promise<MailMagicServerBootstrap> {
 	const store = await new mailStore().init();
 	const config = buildServerConfig(store, overrides);
-	const server = new mailApiServer(config, store).api(new MailerAPI()).api(new FormAPI());
+	const server = new mailApiServer(config, store).api(new MailerAPI()).api(new FormAPI()).api(new AssetAPI());
 
 	return { server, store, env: store.env };
 }

package/src/models/form.ts

@@ -156,6 +156,17 @@ export async function init_api_form(api_db: Sequelize): Promise<typeof api_form>
 	return api_form;
 }
 
+function assertSafeRelativePath(filename: string, label: string): string {
+	const normalized = path.normalize(filename);
+	if (path.isAbsolute(normalized)) {
+		throw new Error(`${label} path must be relative`);
+	}
+	if (normalized.split(path.sep).includes('..')) {
+		throw new Error(`${label} path cannot include '..' segments`);
+	}
+	return normalized;
+}
+
 export async function upsert_form(record: api_form_type): Promise<api_form> {
 	const { user, domain } = await user_and_domain(record.domain_id);
 
@@ -179,7 +190,7 @@ export async function upsert_form(record: api_form_type): Promise<api_form> {
 	if (!record.filename.endsWith('.njk')) {
 		record.filename += '.njk';
 	}
-	record.filename = path.normalize(record.filename);
+	record.filename = assertSafeRelativePath(record.filename, 'Form filename');
 
 	let instance: api_form | null = null;
 	instance = await api_form.findByPk(record.form_id);

package/src/models/init.ts

@@ -28,48 +28,46 @@ const init_data_schema = z.object({
 type InitData = z.infer<typeof init_data_schema>;
 
 /**
- * Resolve an asset file within ./config/<userid>/<domain>/<type>/assets
+ * Resolve an asset file within ./config/<domain>/assets
  */
-function resolveAsset(
-	basePath: string,
-	type: 'form-template' | 'tx-template',
-	domainName: string,
-	assetName: string,
-	locale?: string | null
-): string | null {
-	const searchPaths: string[] = [];
-
-	// always domain-scoped
-	if (locale) {
-		searchPaths.push(path.join(domainName, type, locale));
+function resolveAsset(basePath: string, domainName: string, assetName: string): string | null {
+	const assetsRoot = path.join(basePath, domainName, 'assets');
+	if (!fs.existsSync(assetsRoot)) {
+		return null;
 	}
-	searchPaths.push(path.join(domainName, type));
-
-	// no domain fallback → do not leak assets between domains
-	// but allow locale fallbacks inside type
-	if (locale) {
-		searchPaths.push(path.join(type, locale));
+	const resolvedRoot = fs.realpathSync(assetsRoot);
+	const normalizedRoot = resolvedRoot.endsWith(path.sep) ? resolvedRoot : resolvedRoot + path.sep;
+	const candidate = path.resolve(assetsRoot, assetName);
+	if (!fs.existsSync(candidate) || !fs.statSync(candidate).isFile()) {
+		return null;
 	}
-	searchPaths.push(type);
-
-	for (const p of searchPaths) {
-		const candidate = path.join(basePath, p, 'assets', assetName);
-		if (fs.existsSync(candidate)) {
-			return candidate;
-		}
+	const realCandidate = fs.realpathSync(candidate);
+	if (!realCandidate.startsWith(normalizedRoot)) {
+		return null;
 	}
-	return null;
+	return realCandidate;
+}
+
+function buildAssetUrl(baseUrl: string, route: string, domainName: string, assetPath: string): string {
+	const trimmedBase = baseUrl.endsWith('/') ? baseUrl.slice(0, -1) : baseUrl;
+	const normalizedRoute = route.startsWith('/') ? route : `/${route}`;
+	const encodedDomain = encodeURIComponent(domainName);
+	const encodedPath = assetPath
+		.split('/')
+		.filter((segment) => segment.length > 0)
+		.map((segment) => encodeURIComponent(segment))
+		.join('/');
+	const trailing = encodedPath ? `/${encodedPath}` : '';
+	return `${trimmedBase}${normalizedRoute}/${encodedDomain}${trailing}`;
 }
 
 function extractAndReplaceAssets(
 	html: string,
 	opts: {
 		basePath: string;
-		type: 'form-template' | 'tx-template';
 		domainName: string;
-		locale?: string | null;
 		apiUrl: string;
-		idname: string;
+		assetRoute: string;
 	}
 ): { html: string; assets: StoredFile[] } {
 	const regex = /src=["']asset\(['"]([^'"]+)['"](?:,\s*(true|false|[01]))?\)["']/g;
@@ -77,7 +75,7 @@ function extractAndReplaceAssets(
 	const assets: StoredFile[] = [];
 
 	const replacedHtml = html.replace(regex, (_m, relPath: string, inlineFlag?: string) => {
-		const fullPath = resolveAsset(opts.basePath, opts.type, opts.domainName, relPath, opts.locale ?? undefined);
+		const fullPath = resolveAsset(opts.basePath, opts.domainName, relPath);
 		if (!fullPath) {
 			throw new Error(`Missing asset "${relPath}"`);
 		}
@@ -91,13 +89,18 @@ function extractAndReplaceAssets(
 
 		assets.push(storedFile);
 
-		return isInline
-			? `src="cid:${relPath}"`
-			: `src="${opts.apiUrl}/image/${opts.idname}/${opts.type}/` +
-					`${opts.domainName ? opts.domainName + '/' : ''}` +
-					`${opts.locale ? opts.locale + '/' : ''}` +
-					relPath +
-					'"';
+		if (isInline) {
+			return `src="cid:${relPath}"`;
+		}
+
+		const domainAssetsRoot = path.join(opts.basePath, opts.domainName, 'assets');
+		const relativeToAssets = path.relative(domainAssetsRoot, fullPath);
+		if (!relativeToAssets || relativeToAssets.startsWith('..')) {
+			throw new Error(`Asset path escapes domain assets directory: ${fullPath}`);
+		}
+		const normalizedAssetPath = relativeToAssets.split(path.sep).join('/');
+		const assetUrl = buildAssetUrl(opts.apiUrl, opts.assetRoute, opts.domainName, normalizedAssetPath);
+		return `src="${assetUrl}"`;
 	});
 
 	return { html: replacedHtml, assets };
@@ -120,9 +123,11 @@ async function _load_template(
 		relFile = filename.slice(prefix.length);
 	}
 
-	const absPath = path.resolve(rootDir, pathname || '', relFile);
+	const resolvedRoot = path.resolve(rootDir);
+	const normalizedRoot = resolvedRoot.endsWith(path.sep) ? resolvedRoot : resolvedRoot + path.sep;
+	const absPath = path.resolve(resolvedRoot, pathname || '', relFile);
 
-	if (!absPath.startsWith(rootDir)) {
+	if (!absPath.startsWith(normalizedRoot)) {
 		throw new Error(`Invalid template path "${filename}"`);
 	}
 	if (!fs.existsSync(absPath)) {
@@ -146,11 +151,9 @@ async function _load_template(
 
 		const { html, assets } = extractAndReplaceAssets(merged, {
 			basePath: baseConfigPath,
-			type,
 			domainName: domain.name,
-			locale,
 			apiUrl: store.env.API_URL,
-			idname: user.idname
+			assetRoute: store.env.ASSET_ROUTE
 		});
 
 		return { html, assets };