@technomoron/mail-magic 1.0.6 → 1.0.8

package/dist/store/store.js

@@ -37,6 +37,7 @@ export class mailStore {
     api_db = null;
     keys = {};
     configpath = '';
+    deflocale;
     print_debug(msg) {
         if (this.env.DEBUG) {
             console.log(msg);

package/eslint.config.mjs

@@ -1,9 +1,45 @@
+import tsPlugin from '@typescript-eslint/eslint-plugin';
 import tsParser from '@typescript-eslint/parser';
-import { defineConfigWithVueTs, vueTsConfigs } from '@vue/eslint-config-typescript';
+import eslintConfigPrettier from 'eslint-config-prettier/flat';
 import pluginImport from 'eslint-plugin-import';
-import pluginPrettier from 'eslint-plugin-prettier';
-import pluginVue from 'eslint-plugin-vue';
 import jsoncParser from 'jsonc-eslint-parser';
+const TS_FILE_GLOBS = ['**/*.{ts,tsx,mts,cts,vue}'];
+const TS_PLUGIN_FILE_GLOBS = ['**/*.{ts,tsx,mts,cts,js,mjs,cjs,vue}'];
+const VUE_FILE_GLOBS = ['**/*.vue'];
+
+const { hasVueSupport, pluginVue, vueTypeScriptConfigs } = await loadVueSupport();
+const scopedVueTypeScriptConfigs = hasVueSupport
+	? scopeVueConfigs(vueTypeScriptConfigs).map(stripTypeScriptPlugin)
+	: [];
+const vueSpecificBlocks = hasVueSupport
+	? [
+			...scopedVueTypeScriptConfigs,
+			{
+				files: VUE_FILE_GLOBS,
+				plugins: {
+					vue: pluginVue
+				},
+				rules: {
+					'vue/html-indent': 'off', // Let Prettier handle indentation
+					'vue/max-attributes-per-line': 'off', // Let Prettier handle line breaks
+					'vue/first-attribute-linebreak': 'off', // Let Prettier handle attribute positioning
+					'vue/singleline-html-element-content-newline': 'off',
+					'vue/html-self-closing': [
+						'error',
+						{
+							html: {
+								void: 'always',
+								normal: 'always',
+								component: 'always'
+							}
+						}
+					],
+					'vue/multi-word-component-names': 'off', // Disable multi-word name restriction
+					'vue/attribute-hyphenation': ['error', 'always']
+				}
+			}
+		]
+	: [];
 
 export default [
 	{
@@ -12,54 +48,31 @@ export default [
 			'dist',
 			'.output',
 			'.nuxt',
+			'.netlify',
+			'node_modules/.netlify',
+			'4000/.nuxt',
 			'coverage',
 			'**/*.d.ts',
+			'configure-eslint.cjs',
 			'configure-eslint.js',
 			'*.config.js',
-			'*.config.ts',
 			'public'
 		]
 	},
-	...defineConfigWithVueTs(vueTsConfigs.recommended),
 	{
-		files: ['**/*.vue'],
+		files: TS_PLUGIN_FILE_GLOBS,
 		plugins: {
-			vue: pluginVue,
-			prettier: pluginPrettier
-		},
-		rules: {
-			'prettier/prettier': 'error', // Enforce Prettier rules
-			'vue/html-indent': 'off', // Let Prettier handle indentation
-			'vue/max-attributes-per-line': 'off', // Let Prettier handle line breaks
-			'vue/first-attribute-linebreak': 'off', // Let Prettier handle attribute positioning
-			'vue/singleline-html-element-content-newline': 'off',
-			'vue/html-self-closing': [
-				'error',
-				{
-					html: {
-						void: 'always',
-						normal: 'always',
-						component: 'always'
-					}
-				}
-			],
-			'vue/multi-word-component-names': 'off', // Disable multi-word name restriction
-			'vue/attribute-hyphenation': ['error', 'always']
+			'@typescript-eslint': tsPlugin
 		}
 	},
+	...vueSpecificBlocks,
 	{
-		files: ['*.json'],
+		files: ['**/*.json'],
 		languageOptions: {
 			parser: jsoncParser
 		},
-		plugins: {
-			prettier: pluginPrettier
-		},
 		rules: {
-			quotes: ['error', 'double'], // Enforce double quotes in JSON
-			'prettier/prettier': 'error',
-			'@typescript-eslint/no-unused-expressions': 'off',
-			'@typescript-eslint/no-unused-vars': 'off'
+			quotes: ['error', 'double'] // Enforce double quotes in JSON
 		}
 	},
 	{
@@ -79,15 +92,9 @@ export default [
 			}
 		},
 		plugins: {
-			prettier: pluginPrettier,
 			import: pluginImport
 		},
 		rules: {
-			indent: ['error', 'tab', { SwitchCase: 1 }], // Use tabs for JS/TS
-			quotes: ['warn', 'single', { avoidEscape: true }], // Prefer single quotes
-			semi: ['error', 'always'], // Enforce semicolons
-			'comma-dangle': 'off', // Disable trailing commas
-			'prettier/prettier': 'error', // Enforce Prettier rules
 			'import/order': [
 				'error',
 				{
@@ -100,5 +107,90 @@ export default [
 			'@typescript-eslint/no-unused-vars': ['warn'],
 			'@typescript-eslint/no-require-imports': 'off'
 		}
+	},
+	{
+		...eslintConfigPrettier
 	}
 ];
+
+async function loadVueSupport() {
+	try {
+		const [vuePluginModule, vueConfigModule] = await Promise.all([
+			import('eslint-plugin-vue'),
+			import('@vue/eslint-config-typescript')
+		]);
+
+		const pluginVue = unwrapDefault(vuePluginModule);
+		const { defineConfigWithVueTs, vueTsConfigs } = vueConfigModule;
+		const configs = defineConfigWithVueTs(vueTsConfigs.recommended);
+
+		return {
+			hasVueSupport: Boolean(pluginVue && configs.length),
+			pluginVue,
+			vueTypeScriptConfigs: configs
+		};
+	} catch (error) {
+		if (isModuleNotFoundError(error)) {
+			return {
+				hasVueSupport: false,
+				pluginVue: null,
+				vueTypeScriptConfigs: []
+			};
+		}
+
+		throw error;
+	}
+}
+
+function scopeVueConfigs(configs) {
+	return configs.map((config) => {
+		const files = config.files ?? [];
+		const referencesOnlyVueFiles = files.length > 0 && files.every((pattern) => pattern.includes('.vue'));
+		const hasVuePlugin = Boolean(config.plugins?.vue);
+
+		if (hasVuePlugin || referencesOnlyVueFiles) {
+			return {
+				...config,
+				files: VUE_FILE_GLOBS
+			};
+		}
+
+		return {
+			...config,
+			files: TS_FILE_GLOBS
+		};
+	});
+}
+
+function stripTypeScriptPlugin(config) {
+	const { plugins = {}, ...rest } = config;
+
+	if (!plugins['@typescript-eslint']) {
+		return config;
+	}
+
+	const otherPlugins = { ...plugins };
+	delete otherPlugins['@typescript-eslint'];
+	const hasOtherPlugins = Object.keys(otherPlugins).length > 0;
+
+	return {
+		...rest,
+		...(hasOtherPlugins ? { plugins: otherPlugins } : {})
+	};
+}
+
+function unwrapDefault(module) {
+	return module?.default ?? module;
+}
+
+function isModuleNotFoundError(error) {
+	if (!error) {
+		return false;
+	}
+
+	if (error.code === 'ERR_MODULE_NOT_FOUND' || error.code === 'MODULE_NOT_FOUND') {
+		return true;
+	}
+
+	return typeof error.message === 'string' && error.message.includes('Cannot find module');
+}

package/lintconfig.cjs

@@ -0,0 +1,81 @@
+#!/usr/bin/env node
+const { execSync, spawnSync } = require('child_process');
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
+
+const RELEASE_API_URL = 'https://api.github.com/repos/technomoron/vscode-eslint-defaults/releases/latest';
+const INSTALLER_ASSET_NAME = 'installer.tgz';
+
+async function fetch_json(url) {
+	const response = await fetch(url, {
+		headers: {
+			'User-Agent': 'vscode-eslint-defaults-lintconfig',
+			Accept: 'application/vnd.github+json'
+		}
+	});
+
+	if (!response.ok) {
+		throw new Error(`Failed to fetch ${url}: ${response.status} ${response.statusText}`);
+	}
+
+	return response.json();
+}
+
+async function download_asset(url, destination) {
+	const response = await fetch(url, {
+		headers: {
+			'User-Agent': 'vscode-eslint-defaults-lintconfig'
+		}
+	});
+
+	if (!response.ok) {
+		throw new Error(`Failed to download ${url}: ${response.status} ${response.statusText}`);
+	}
+
+	const buffer = Buffer.from(await response.arrayBuffer());
+	fs.writeFileSync(destination, buffer);
+}
+
+async function run() {
+	const release = await fetch_json(RELEASE_API_URL);
+	const assets = Array.isArray(release.assets) ? release.assets : [];
+	const asset = assets.find((item) => item.name === INSTALLER_ASSET_NAME);
+
+	if (!asset?.browser_download_url) {
+		throw new Error('Latest release does not include installer.tgz.');
+	}
+
+	const temp_dir = fs.mkdtempSync(path.join(os.tmpdir(), 'lintconfig-'));
+	const tgz_path = path.join(temp_dir, INSTALLER_ASSET_NAME);
+	const args = process.argv.slice(2);
+	let exit_code = 0;
+
+	try {
+		await download_asset(asset.browser_download_url, tgz_path);
+		execSync(`tar -xzf "${tgz_path}" -C "${process.cwd()}"`, { stdio: 'inherit' });
+
+		const configure_path = path.join(process.cwd(), 'configure-eslint.cjs');
+		if (!fs.existsSync(configure_path)) {
+			throw new Error('configure-eslint.cjs not found after extraction.');
+		}
+
+		const result = spawnSync(process.execPath, [configure_path, ...args], { stdio: 'inherit' });
+		if (result.status !== 0) {
+			exit_code = result.status ?? 1;
+		} else {
+			fs.unlinkSync(configure_path);
+		}
+	} finally {
+		fs.rmSync(temp_dir, { recursive: true, force: true });
+	}
+
+	if (exit_code !== 0) {
+		process.exit(exit_code);
+	}
+}
+
+run().catch((error) => {
+	console.error(error.message || error);
+	process.exit(1);
+});

package/package.json

@@ -1,23 +1,34 @@
 {
 	"name": "@technomoron/mail-magic",
-	"version": "1.0.6",
+	"version": "1.0.8",
 	"main": "dist/index.js",
 	"type": "module",
 	"repository": {
 		"type": "git",
 		"url": "git+https://github.com/technomoron/mail-magic.git"
 	},
+	"pnpm": {
+		"onlyBuiltDependencies": [
+			"core-js",
+			"@scarf/scarf",
+			"esbuild",
+			"sqlite3"
+		]
+	},
 	"scripts": {
 		"start": "node dist/index.js",
 		"dev": "NODE_ENV=development nodemon --watch 'src/**/*.ts' --watch 'config/**/*.*' --watch '.env' --exec 'tsx' src/index.ts",
 		"run": "NODE_ENV=production npm run start",
 		"build": "tsc",
+		"test": "vitest run",
+		"test:watch": "vitest",
 		"scrub": "rm -rf ./node_modules/ ./dist/ pnpm-lock.yaml",
-		"lint": "eslint --ext .js,.cjs,.mjs,.ts,.mts,.tsx,.vue ./",
-		"lintfix": "eslint --fix --ext .js,.cjs,.mjs,.ts,.mts,.tsx,.vue ./",
-		"pretty": "prettier --write \"**/*.{js,jsx,cjs,mjs,ts,tsx,mts,vue,json,css,scss,md}\"",
+		"lint": "eslint --no-error-on-unmatched-pattern --ext .js,.cjs,.mjs,.ts,.mts,.tsx,.vue,.json ./",
+		"lintfix": "eslint --fix --no-error-on-unmatched-pattern --ext .js,.cjs,.mjs,.ts,.mts,.tsx,.vue,.json ./",
+		"pretty": "prettier --write \"**/*.{js,jsx,cjs,mjs,ts,tsx,mts,vue,json,md}\"",
 		"format": "npm run lintfix && npm run pretty",
-		"cleanbuild": "rm -rf ./dist/ && npm run lintfix && npm run format && npm run build"
+		"cleanbuild": "rm -rf ./dist/ && npm run format && npm run build",
+		"lintconfig": "node lintconfig.cjs"
 	},
 	"keywords": [],
 	"author": "Bjørn Erik Jacobsen",
@@ -27,7 +38,7 @@
 		"url": "https://github.com/technomoron/mail-magic/issues"
 	},
 	"dependencies": {
-		"@technomoron/api-server-base": "^1.0.40",
+		"@technomoron/api-server-base": "2.0.0-beta.15",
 		"@technomoron/env-loader": "^1.0.8",
 		"@technomoron/unyuck": "^1.0.4",
 		"bcryptjs": "^3.0.2",
@@ -45,23 +56,22 @@
 		"@types/html-to-text": "^9.0.4",
 		"@types/nodemailer": "^6.4.19",
 		"@types/nunjucks": "^3.2.6",
-		"@typescript-eslint/eslint-plugin": "8.44.1",
-		"@typescript-eslint/parser": "8.44.1",
-		"@vue/eslint-config-prettier": "10.2.0",
-		"@vue/eslint-config-typescript": "^14.6.0",
-		"eslint": "9.36.0",
-		"eslint-config-prettier": "10.1.8",
-		"eslint-import-resolver-alias": "1.1.2",
-		"eslint-plugin-import": "2.32.0",
-		"eslint-plugin-nuxt": "4.0.0",
-		"eslint-plugin-prettier": "5.5.4",
-		"eslint-plugin-vue": "^10.5.0",
+		"@types/supertest": "^6.0.3",
+		"@typescript-eslint/eslint-plugin": "^8.50.1",
+		"@typescript-eslint/parser": "^8.50.1",
+		"eslint": "^9.39.2",
+		"eslint-config-prettier": "^10.1.8",
+		"eslint-plugin-import": "^2.32.0",
 		"jsonc-eslint-parser": "^2.4.1",
+		"mailparser": "^3.9.1",
 		"nodemon": "^3.1.10",
-		"prettier": "3.6.2",
+		"prettier": "^3.7.4",
+		"smtp-server": "^3.18.0",
+		"supertest": "^7.1.4",
 		"tsx": "^4.20.5",
 		"typescript": "^5.9.2",
-		"vue-eslint-parser": "^10.2.0"
+		"vitest": "^4.0.16"
 	},
-	"homepage": "https://github.com/technomoron/mail-magic#readme"
+	"homepage": "https://github.com/technomoron/mail-magic#readme",
+	"packageManager": "pnpm@10.26.1+sha512.664074abc367d2c9324fdc18037097ce0a8f126034160f709928e9e9f95d98714347044e5c3164d65bd5da6c59c6be362b107546292a8eecb7999196e5ce58fa"
 }

package/src/api/assets.ts

@@ -1,7 +1,7 @@
 import fs from 'fs';
 import path from 'path';
 
-import { ApiModule, ApiRoute, ApiError } from '@technomoron/api-server-base';
+import { ApiError, ApiModule, ApiRoute } from '@technomoron/api-server-base';
 
 import { mailApiServer } from '../server.js';
 import { decodeComponent, sendFileAsync } from '../util.js';
@@ -28,18 +28,31 @@ export class AssetAPI extends ApiModule<mailApiServer> {
 		}
 
 		const assetsRoot = path.join(this.server.storage.configpath, domain, 'assets');
-		const resolvedRoot = path.resolve(assetsRoot);
+		if (!fs.existsSync(assetsRoot)) {
+			throw new ApiError({ code: 404, message: 'Asset not found' });
+		}
+		const resolvedRoot = fs.realpathSync(assetsRoot);
 		const normalizedRoot = resolvedRoot.endsWith(path.sep) ? resolvedRoot : resolvedRoot + path.sep;
 		const candidate = path.resolve(assetsRoot, path.join(...segments));
-		if (!candidate.startsWith(normalizedRoot)) {
+
+		try {
+			const stats = await fs.promises.stat(candidate);
+			if (!stats.isFile()) {
+				throw new ApiError({ code: 404, message: 'Asset not found' });
+			}
+		} catch {
 			throw new ApiError({ code: 404, message: 'Asset not found' });
 		}
 
+		let realCandidate: string;
 		try {
-			await fs.promises.access(candidate, fs.constants.R_OK);
+			realCandidate = await fs.promises.realpath(candidate);
 		} catch {
 			throw new ApiError({ code: 404, message: 'Asset not found' });
 		}
+		if (!realCandidate.startsWith(normalizedRoot)) {
+			throw new ApiError({ code: 404, message: 'Asset not found' });
+		}
 
 		const { res } = apiReq;
 		const originalStatus = res.status.bind(res);
@@ -47,11 +60,11 @@ export class AssetAPI extends ApiModule<mailApiServer> {
 		res.status = ((code: number) => (res.headersSent ? res : originalStatus(code))) as typeof res.status;
 		res.json = ((body: unknown) => (res.headersSent ? res : originalJson(body))) as typeof res.json;
 
-		res.type(path.extname(candidate));
+		res.type(path.extname(realCandidate));
 		res.set('Cache-Control', 'public, max-age=300');
 
 		try {
-			await sendFileAsync(res, candidate);
+			await sendFileAsync(res, realCandidate);
 		} catch (err) {
 			this.server.storage.print_debug(
 				`Failed to serve asset ${domain}/${segments.join('/')}: ${err instanceof Error ? err.message : String(err)}`

package/src/api/forms.ts

@@ -1,6 +1,7 @@
 import path from 'path';
 
 import { ApiRoute, ApiRequest, ApiModule, ApiError } from '@technomoron/api-server-base';
+import emailAddresses, { ParsedMailbox } from 'email-addresses';
 import nunjucks from 'nunjucks';
 
 import { api_domain } from '../models/domain.js';
@@ -12,6 +13,14 @@ import { buildRequestMeta, normalizeSlug } from '../util.js';
 import type { mailApiRequest, UploadedFile } from '../types.js';
 
 export class FormAPI extends ApiModule<mailApiServer> {
+	private validateEmail(email: string): string | undefined {
+		const parsed = emailAddresses.parseOneAddress(email);
+		if (parsed) {
+			return (parsed as ParsedMailbox).address;
+		}
+		return undefined;
+	}
+
 	private async assertDomainAndUser(apireq: mailApiRequest): Promise<void> {
 		const { domain, locale } = apireq.req.body;
 
@@ -26,6 +35,9 @@ export class FormAPI extends ApiModule<mailApiServer> {
 		if (!dbdomain) {
 			throw new ApiError({ code: 401, message: `Unable to look up the domain ${domain}` });
 		}
+		if (dbdomain.user_id !== user.user_id) {
+			throw new ApiError({ code: 403, message: `Domain ${domain} is not owned by this user` });
+		}
 		apireq.domain = dbdomain;
 		apireq.locale = locale || 'en';
 		apireq.user = user;
@@ -107,7 +119,7 @@ export class FormAPI extends ApiModule<mailApiServer> {
 	}
 
 	private async postSendForm(apireq: ApiRequest): Promise<[number, Record<string, unknown>]> {
-		const { formid, secret, recipient, vars = {} } = apireq.req.body;
+		const { formid, secret, recipient, vars = {}, replyTo, reply_to } = apireq.req.body;
 
 		if (!formid) {
 			throw new ApiError({ code: 404, message: 'Missing formid field in form' });
@@ -127,12 +139,27 @@ export class FormAPI extends ApiModule<mailApiServer> {
 		if (recipient && !form.secret) {
 			throw new ApiError({ code: 401, message: "'recipient' parameterer requires form secret to be set" });
 		}
+		let normalizedReplyTo: string | undefined;
+		let normalizedRecipient: string | undefined;
+		const replyToValue = (replyTo || reply_to) as string | undefined;
+		if (replyToValue) {
+			normalizedReplyTo = this.validateEmail(replyToValue);
+			if (!normalizedReplyTo) {
+				throw new ApiError({ code: 400, message: 'Invalid reply-to email address' });
+			}
+		}
+		if (recipient) {
+			normalizedRecipient = this.validateEmail(String(recipient));
+			if (!normalizedRecipient) {
+				throw new ApiError({ code: 400, message: 'Invalid recipient email address' });
+			}
+		}
 
 		let parsedVars: unknown = vars ?? {};
 		if (typeof vars === 'string') {
 			try {
 				parsedVars = JSON.parse(vars);
-			} catch (error) {
+			} catch {
 				throw new ApiError({ code: 400, message: 'Invalid JSON provided in "vars"' });
 			}
 		}
@@ -172,16 +199,17 @@ export class FormAPI extends ApiModule<mailApiServer> {
 
 		const mailOptions = {
 			from: form.sender,
-			to: recipient || form.recipient,
+			to: normalizedRecipient || form.recipient,
 			subject: form.subject,
 			html,
-			attachments
+			attachments,
+			...(normalizedReplyTo ? { replyTo: normalizedReplyTo } : {})
 		};
 
 		try {
 			const info = await this.server.storage.transport!.sendMail(mailOptions);
 			this.server.storage.print_debug('Email sent: ' + info.response);
-		} catch (error) {
+		} catch (error: unknown) {
 			const errorMessage = error instanceof Error ? error.message : String(error);
 			this.server.storage.print_debug('Error sending email: ' + errorMessage);
 			return [500, { error: `Error sending email: ${errorMessage}` }];

package/src/api/mailer.ts

@@ -15,12 +15,12 @@ export class MailerAPI extends ApiModule<mailApiServer> {
 	//
 	// Validate and return the parsed email address
 	//
-	validateEmail(email: string): string | null {
+	validateEmail(email: string): string | undefined {
 		const parsed = emailAddresses.parseOneAddress(email);
 		if (parsed) {
 			return (parsed as ParsedMailbox).address;
 		}
-		return null;
+		return undefined;
 	}
 
 	//
@@ -61,6 +61,9 @@ export class MailerAPI extends ApiModule<mailApiServer> {
 		if (!dbdomain) {
 			throw new ApiError({ code: 401, message: `Unable to look up the domain ${domain}` });
 		}
+		if (dbdomain.user_id !== user.user_id) {
+			throw new ApiError({ code: 403, message: `Domain ${domain} is not owned by this user` });
+		}
 		apireq.domain = dbdomain;
 		apireq.locale = locale || 'en';
 		apireq.user = user;
@@ -102,7 +105,7 @@ export class MailerAPI extends ApiModule<mailApiServer> {
 			const [templateRecord, created] = await api_txmail.upsert(data, {
 				returning: true
 			});
-			console.log('Template upserted:', templateRecord.name, 'Created:', created);
+			this.server.storage.print_debug(`Template upserted: ${templateRecord.name} (created=${created})`);
 		} catch (error: unknown) {
 			throw new ApiError({
 				code: 500,
@@ -117,7 +120,7 @@ export class MailerAPI extends ApiModule<mailApiServer> {
 	private async post_send(apireq: mailApiRequest): Promise<[number, Record<string, unknown>]> {
 		await this.assert_domain_and_user(apireq);
 
-		const { name, rcpt, domain = '', locale = '', vars = {} } = apireq.req.body;
+		const { name, rcpt, domain = '', locale = '', vars = {}, replyTo, reply_to, headers } = apireq.req.body;
 
 		if (!name || !rcpt || !domain) {
 			throw new ApiError({ code: 400, message: 'name/rcpt/domain required' });
@@ -127,7 +130,7 @@ export class MailerAPI extends ApiModule<mailApiServer> {
 		if (typeof vars === 'string') {
 			try {
 				parsedVars = JSON.parse(vars);
-			} catch (error) {
+			} catch {
 				throw new ApiError({ code: 400, message: 'Invalid JSON provided in "vars"' });
 			}
 		}
@@ -140,7 +143,7 @@ export class MailerAPI extends ApiModule<mailApiServer> {
 			throw new ApiError({ code: 400, message: 'Invalid email address(es): ' + invalid.join(',') });
 		}
 		let template: api_txmail | null = null;
-		const deflocale = apireq.server.store.deflocale || '';
+		const deflocale = this.server.storage.deflocale || '';
 		const domain_id = apireq.domain!.domain_id;
 
 		try {
@@ -184,9 +187,31 @@ export class MailerAPI extends ApiModule<mailApiServer> {
 		for (const file of rawFiles) {
 			attachmentMap[file.fieldname] = file.originalname;
 		}
-		console.log(JSON.stringify({ vars, thevars }, undefined, 2));
+		this.server.storage.print_debug(`Template vars: ${JSON.stringify({ vars, thevars }, undefined, 2)}`);
 
 		const meta = buildRequestMeta(apireq.req);
+		const replyToValue = (replyTo || reply_to) as string | undefined;
+		let normalizedReplyTo: string | undefined;
+		if (replyToValue) {
+			normalizedReplyTo = this.validateEmail(replyToValue);
+			if (!normalizedReplyTo) {
+				throw new ApiError({ code: 400, message: 'Invalid reply-to email address' });
+			}
+		}
+
+		let normalizedHeaders: Record<string, string> | undefined;
+		if (headers !== undefined) {
+			if (!headers || typeof headers !== 'object' || Array.isArray(headers)) {
+				throw new ApiError({ code: 400, message: 'headers must be a key/value object' });
+			}
+			normalizedHeaders = {};
+			for (const [key, value] of Object.entries(headers as Record<string, unknown>)) {
+				if (typeof value !== 'string') {
+					throw new ApiError({ code: 400, message: `headers.${key} must be a string` });
+				}
+				normalizedHeaders[key] = value;
+			}
+		}
 
 		try {
 			const env = new nunjucks.Environment(null, { autoescape: false });
@@ -209,9 +234,11 @@ export class MailerAPI extends ApiModule<mailApiServer> {
 					subject: template.subject || apireq.req.body.subject || '',
 					html,
 					text,
-					attachments
+					attachments,
+					...(normalizedReplyTo ? { replyTo: normalizedReplyTo } : {}),
+					...(normalizedHeaders ? { headers: normalizedHeaders } : {})
 				};
-				await apireq.server.storage.transport.sendMail(sendargs);
+				await this.server.storage.transport!.sendMail(sendargs);
 			}
 			return [200, { Status: 'OK', Message: 'Emails sent successfully' }];
 		} catch (error: unknown) {

package/src/index.ts

@@ -24,6 +24,8 @@ function buildServerConfig(store: mailStore, overrides: MailMagicServerOptions):
 		uploadPath: env.UPLOAD_PATH,
 		debug: env.DEBUG,
 		apiBasePath: '',
+		swaggerEnabled: env.SWAGGER_ENABLED,
+		swaggerPath: env.SWAGGER_PATH,
 		...overrides
 	};
 }

package/src/models/form.ts

@@ -156,6 +156,17 @@ export async function init_api_form(api_db: Sequelize): Promise<typeof api_form>
 	return api_form;
 }
 
+function assertSafeRelativePath(filename: string, label: string): string {
+	const normalized = path.normalize(filename);
+	if (path.isAbsolute(normalized)) {
+		throw new Error(`${label} path must be relative`);
+	}
+	if (normalized.split(path.sep).includes('..')) {
+		throw new Error(`${label} path cannot include '..' segments`);
+	}
+	return normalized;
+}
+
 export async function upsert_form(record: api_form_type): Promise<api_form> {
 	const { user, domain } = await user_and_domain(record.domain_id);
 
@@ -179,7 +190,7 @@ export async function upsert_form(record: api_form_type): Promise<api_form> {
 	if (!record.filename.endsWith('.njk')) {
 		record.filename += '.njk';
 	}
-	record.filename = path.normalize(record.filename);
+	record.filename = assertSafeRelativePath(record.filename, 'Form filename');
 
 	let instance: api_form | null = null;
 	instance = await api_form.findByPk(record.form_id);