@technomoron/mail-magic 1.0.6 → 1.0.8

package/src/models/init.ts

@@ -35,16 +35,17 @@ function resolveAsset(basePath: string, domainName: string, assetName: string):
 	if (!fs.existsSync(assetsRoot)) {
 		return null;
 	}
-	const resolvedRoot = path.resolve(assetsRoot);
+	const resolvedRoot = fs.realpathSync(assetsRoot);
 	const normalizedRoot = resolvedRoot.endsWith(path.sep) ? resolvedRoot : resolvedRoot + path.sep;
 	const candidate = path.resolve(assetsRoot, assetName);
-	if (!candidate.startsWith(normalizedRoot)) {
+	if (!fs.existsSync(candidate) || !fs.statSync(candidate).isFile()) {
 		return null;
 	}
-	if (fs.existsSync(candidate) && fs.statSync(candidate).isFile()) {
-		return candidate;
+	const realCandidate = fs.realpathSync(candidate);
+	if (!realCandidate.startsWith(normalizedRoot)) {
+		return null;
 	}
-	return null;
+	return realCandidate;
 }
 
 function buildAssetUrl(baseUrl: string, route: string, domainName: string, assetPath: string): string {
@@ -122,9 +123,11 @@ async function _load_template(
 		relFile = filename.slice(prefix.length);
 	}
 
-	const absPath = path.resolve(rootDir, pathname || '', relFile);
+	const resolvedRoot = path.resolve(rootDir);
+	const normalizedRoot = resolvedRoot.endsWith(path.sep) ? resolvedRoot : resolvedRoot + path.sep;
+	const absPath = path.resolve(resolvedRoot, pathname || '', relFile);
 
-	if (!absPath.startsWith(rootDir)) {
+	if (!absPath.startsWith(normalizedRoot)) {
 		throw new Error(`Invalid template path "${filename}"`);
 	}
 	if (!fs.existsSync(absPath)) {

package/src/models/txmail.ts

@@ -43,6 +43,17 @@ export class api_txmail extends Model {
 	declare files: StoredFile[];
 }
 
+function assertSafeRelativePath(filename: string, label: string): string {
+	const normalized = path.normalize(filename);
+	if (path.isAbsolute(normalized)) {
+		throw new Error(`${label} path must be relative`);
+	}
+	if (normalized.split(path.sep).includes('..')) {
+		throw new Error(`${label} path cannot include '..' segments`);
+	}
+	return normalized;
+}
+
 export async function upsert_txmail(record: api_txmail_type): Promise<api_txmail> {
 	const { user, domain } = await user_and_domain(record.domain_id);
 
@@ -66,7 +77,7 @@ export async function upsert_txmail(record: api_txmail_type): Promise<api_txmail
 	if (!record.filename.endsWith('.njk')) {
 		record.filename += '.njk';
 	}
-	record.filename = path.normalize(record.filename);
+	record.filename = assertSafeRelativePath(record.filename, 'Template filename');
 
 	const [instance] = await api_txmail.upsert(record);
 	return instance;
@@ -115,7 +126,7 @@ export async function init_api_txmail(api_db: Sequelize): Promise<typeof api_txm
 				unique: false
 			},
 			template: {
-				type: DataTypes.STRING,
+				type: DataTypes.TEXT,
 				allowNull: false,
 				defaultValue: ''
 			},
@@ -173,8 +184,6 @@ export async function init_api_txmail(api_db: Sequelize): Promise<typeof api_txm
 	api_txmail.addHook('beforeValidate', async (template: api_txmail) => {
 		const { user, domain } = await user_and_domain(template.domain_id);
 
-		console.log('HERE');
-
 		const dname = normalizeSlug(domain.name);
 		const name = normalizeSlug(template.name);
 		const locale = normalizeSlug(template.locale || domain.locale || user.locale || '');
@@ -190,8 +199,7 @@ export async function init_api_txmail(api_db: Sequelize): Promise<typeof api_txm
 		if (!template.filename.endsWith('.njk')) {
 			template.filename += '.njk';
 		}
-
-		console.log(`FILENAME IS: ${template.filename}`);
+		template.filename = assertSafeRelativePath(template.filename, 'Template filename');
 	});
 
 	return api_txmail;

package/src/store/envloader.ts

@@ -29,6 +29,15 @@ export const envOptions = defineEnvOptions({
 		description: 'Sets the public URL for the API (i.e. https://ml.example.com:3790)',
 		default: 'http://localhost:3776'
 	},
+	SWAGGER_ENABLED: {
+		description: 'Enable the Swagger/OpenAPI endpoint',
+		type: 'boolean',
+		default: false
+	},
+	SWAGGER_PATH: {
+		description: 'Path to expose the Swagger/OpenAPI spec (default: /api/swagger when enabled)',
+		default: ''
+	},
 	ASSET_ROUTE: {
 		description: 'Route prefix exposed for config assets',
 		default: '/asset'

package/src/store/store.ts

@@ -51,6 +51,7 @@ export interface ImailStore {
 	transport?: Transporter<SMTPTransport.SentMessageInfo>;
 	keys: Record<string, api_key>;
 	configpath: string;
+	deflocale?: string;
 }
 
 export class mailStore implements ImailStore {
@@ -59,6 +60,7 @@ export class mailStore implements ImailStore {
 	api_db: Sequelize | null = null;
 	keys: Record<string, api_key> = {};
 	configpath = '';
+	deflocale?: string;
 
 	print_debug(msg: string) {
 		if (this.env.DEBUG) {

package/tests/fixtures/certs/test.crt

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDCTCCAfGgAwIBAgIUdLeUy6x+te3ab//X8pY28fcoWgkwDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTI1MTIzMTEyNDY0MloXDTI2MTIz
+MTEyNDY0MlowFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEA6CIYqJHvEMqZo5tZ6AhCUrTUOiD+kGz3eI+wPhjw9qYT
+9bgsxqAQWryWg5K8VU6wTBT2YkXuCFyRaKXFjP9O1Gh/KgoB6K3zQYfZhqqV+EG2
+d0feM32C8NQt3ELkQjS0DAmm/XOkXh0R8gnCorXzk92llhaBV9ps7u2Ov9qLsHw0
+85hPdOU7/uN/lB8G2HZSqz10gewNNE2O7fJieo04sOOaTg7m/SyrHtBAqzc1FT6v
+CNQF8A3pCuOQCVUZzpze+/vZzQOjwcxxOfaHqP9Ff7a8IgzSgLBjwydMAjKiikPK
+9pA8Uw30qYe42fHwfvT0nVf5KN+bmEZNTv9zHnBZLQIDAQABo1MwUTAdBgNVHQ4E
+FgQUndM22wxNv6N+L1Nz/1L8o+ri2Q0wHwYDVR0jBBgwFoAUndM22wxNv6N+L1Nz
+/1L8o+ri2Q0wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAneWq
+A5FrJ77oyy6HEyMUA1jY6mDvY3lfRFuV9zrTcfocc6XZZis6433XG416noWlBZIT
+Jb1TYKn+k/8+kCjSzFLeL9q9gSYHMt4yQjtmXdQ6ZhyrFsIymEHqDcLRTY/PqLd6
+mBFhf6tvX2pudduSG4mWkQVAaa3pa+t8to7M2fTraOOPWPXasdP1QOLcUooG/FWu
+WZXHo5v/1PTPWtFb3CwlhxjV1su81Uc6H6/qlw0DghlJMYwuixBdw1b4T5RqP/MO
+94Fs/GfLvHgPFNPwWD/+1Q2OxwFd0VgeQvChUW1856r4dDV/ZUbAx143GHrb/S3C
+s7P6f2l+3faq+LiH1Q==
+-----END CERTIFICATE-----

package/tests/fixtures/certs/test.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDoIhioke8Qypmj
+m1noCEJStNQ6IP6QbPd4j7A+GPD2phP1uCzGoBBavJaDkrxVTrBMFPZiRe4IXJFo
+pcWM/07UaH8qCgHorfNBh9mGqpX4QbZ3R94zfYLw1C3cQuRCNLQMCab9c6ReHRHy
+CcKitfOT3aWWFoFX2mzu7Y6/2ouwfDTzmE905Tv+43+UHwbYdlKrPXSB7A00TY7t
+8mJ6jTiw45pODub9LKse0ECrNzUVPq8I1AXwDekK45AJVRnOnN77+9nNA6PBzHE5
+9oeo/0V/trwiDNKAsGPDJ0wCMqKKQ8r2kDxTDfSph7jZ8fB+9PSdV/ko35uYRk1O
+/3MecFktAgMBAAECggEAB9zFyIne1ssB7q5vmmITOwFoccqVzLcAH8uAHO5T1QrV
+gLxa+eRIgYZDM9QnwFzwsDcCjFwRfqOCAlEhEpBAL4YVjos1utePdm//QGYtO7Ig
+F8StpEFTSsxo/D2gxRRLZ9/40btVvSFPbwsBFmlCxYabmeyLt3nMuEAAFoP0uMa/
+rqA9t+Tv/lzV1Uon0ED4Z2vmA4vCX/LoSlKpHAGt8rEXIu7S7rRLqNW3MsJPs4zB
+M0jE3635LTHZMboX8g90yCBajtSSCVQiVEYW3nLecsgjLTKKgMSK0FyRJnvcwlBQ
+pRCmsn664diwSyyYKSG6dm4j6bm6hKg8842d6ZO18QKBgQD9jk36T4AWzxWQZ9Tv
+SjYE5npy0uq4esKD1d/ROKppEnG10kkUu40YPwGxfFQutzdCFeqou5/8A4AV3lUE
+mTwi+q2g+M8UpjzgmziiZfARFxdQrohCDmbU9OptS2FU2ZOW5sViBpi+GE9ndOaA
+cPui/1OuOr7vjhCnJfTi3ojS8QKBgQDqXu1lXOhferraiy1VpD8EWIUj8UmX4Sea
+TiNpxFi9S+xN8tMvo+K14+L39jsNw6rJwTzJL9V6fQyl1wIUyX/kKJ3r4jtSMnZv
+GVhcgcyksTZGIfwFcLJEOmaPTgL0AItrHa8kyKzCBOo5etrJyGLVVSzR4TkuFfGJ
+AZ605tPx/QKBgBOXk17sFbGtfrUR0NpMma/3Py7wLULj+XPGauz3u/MygabTAOKh
+O13MQI0+ViLl9Vcd6mvvU4Vdn+AQtfENBiCNzizKDPZDgiC43b9usQYhCqQpWE4C
+Xt/FrPeVA4hS55yZaFcSu2q05i3QUp9KG6eUoxqrX2WTTKYdwLZnC5uBAoGBAIze
+V7QIHsdcvjijVLFYEmRrTEMpQQGf3Czb8F8fG/NTUgob/KFy0M5g1cgSYLZKODoi
+AoYuURLZXKPFUsPpxQv++cSQ6vThzdvDESAxCC6pMSUAQjmG3i8yJvjVe+Lq/OF6
+Kw5h66yGRb4cwKpt3jG5i0HvLG4t1Ep0Bc9XumaFAoGAR0UIShGDKmvMg8T7wE7a
+OeVvUqRu1mWxLMKd/YZZya2OTXIRu3gtHw7CtuzyfwJCZqPEqGzhgQg2843X/bS0
+H4dT1MQBQMhYijwzTI41RLofItC41f4wPNvjHkJ9NCN6ojVGT1uSYJs+tBWgJ2Et
+R6II7nP1/ybElZeCLdy9YDU=
+-----END PRIVATE KEY-----

package/tests/helpers/test-setup.ts

@@ -0,0 +1,316 @@
+import fs from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+import { simpleParser } from 'mailparser';
+import { SMTPServer } from 'smtp-server';
+
+import { createMailMagicServer } from '../../src/index.js';
+
+import type { mailApiServer } from '../../src/server.js';
+import type { mailStore } from '../../src/store/store.js';
+import type { ParsedMail } from 'mailparser';
+import type { AddressInfo } from 'node:net';
+
+type SmtpCapture = {
+	server: SMTPServer;
+	port: number;
+	messages: ParsedMail[];
+	waitForMessage: (timeoutMs?: number) => Promise<ParsedMail>;
+	reset: () => void;
+};
+
+type EnvSnapshot = Record<string, string | undefined>;
+
+export type TestContext = {
+	server: mailApiServer;
+	store: mailStore;
+	smtp: SmtpCapture;
+	tempDir: string;
+	configPath: string;
+	uploadFile: string;
+	domainName: string;
+	userToken: string;
+	apiUrl: string;
+	cleanup: () => Promise<void>;
+};
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const CERT_PATH = path.join(__dirname, '../fixtures/certs/test.crt');
+const KEY_PATH = path.join(__dirname, '../fixtures/certs/test.key');
+
+function snapshotEnv(keys: string[]): EnvSnapshot {
+	return keys.reduce<EnvSnapshot>((acc, key) => {
+		acc[key] = process.env[key];
+		return acc;
+	}, {});
+}
+
+function restoreEnv(snapshot: EnvSnapshot) {
+	for (const [key, value] of Object.entries(snapshot)) {
+		if (value === undefined) {
+			delete process.env[key];
+		} else {
+			process.env[key] = value;
+		}
+	}
+}
+
+function writeFixtureConfig(configPath: string, domainName: string) {
+	const domainRoot = path.join(configPath, domainName);
+	const assetsRoot = path.join(domainRoot, 'assets');
+	const txRoot = path.join(domainRoot, 'tx-template');
+	const formRoot = path.join(domainRoot, 'form-template');
+
+	fs.mkdirSync(path.join(assetsRoot, 'images'), { recursive: true });
+	fs.mkdirSync(path.join(assetsRoot, 'files'), { recursive: true });
+	fs.mkdirSync(path.join(txRoot, 'partials'), { recursive: true });
+	fs.mkdirSync(path.join(formRoot, 'partials'), { recursive: true });
+
+	fs.writeFileSync(path.join(assetsRoot, 'images', 'logo.png'), 'logo-bytes');
+	fs.writeFileSync(path.join(assetsRoot, 'files', 'banner.png'), 'banner-bytes');
+
+	const txBase = `<!doctype html>
+<html>
+  <head><title>{{ title }}</title></head>
+  <body>
+    {% block body %}{% endblock %}
+  </body>
+</html>
+`;
+	const txHeader = `<h1>{{ heading }}</h1>`;
+	const txWelcome = `{% extends "base.njk" %}
+{% block body %}
+{% include "partials/header.njk" %}
+<p>Hello {{ name }}</p>
+<img src="asset('images/logo.png', true)" alt="logo" />
+<img src="asset('files/banner.png')" alt="banner" />
+{% endblock %}
+`;
+
+	fs.writeFileSync(path.join(txRoot, 'base.njk'), txBase);
+	fs.writeFileSync(path.join(txRoot, 'partials', 'header.njk'), txHeader);
+	fs.writeFileSync(path.join(txRoot, 'welcome.njk'), txWelcome);
+
+	const formBase = `<!doctype html>
+<html>
+  <body>
+    {% block body %}{% endblock %}
+  </body>
+</html>
+`;
+	const formFields = `<p>Name: {{ _fields_.name }}</p>
+<p>Email: {{ _fields_.email }}</p>`;
+	const formContact = `{% extends "base.njk" %}
+{% block body %}
+{% include "partials/fields.njk" %}
+<p>IP: {{ _meta_.client_ip }}</p>
+<img src="asset('images/logo.png', true)" alt="logo" />
+{% endblock %}
+`;
+
+	fs.writeFileSync(path.join(formRoot, 'base.njk'), formBase);
+	fs.writeFileSync(path.join(formRoot, 'partials', 'fields.njk'), formFields);
+	fs.writeFileSync(path.join(formRoot, 'contact.njk'), formContact);
+
+	const initData = {
+		user: [
+			{
+				user_id: 1,
+				idname: 'testuser',
+				token: 'test-token',
+				name: 'Test User',
+				email: 'testuser@example.test',
+				domain: 1
+			}
+		],
+		domain: [
+			{
+				domain_id: 1,
+				user_id: 1,
+				name: domainName,
+				sender: 'Test Sender <sender@example.test>',
+				is_default: true
+			}
+		],
+		template: [
+			{
+				template_id: 1,
+				user_id: 1,
+				domain_id: 1,
+				name: 'welcome',
+				locale: '',
+				template: '',
+				filename: '',
+				sender: 'sender@example.test',
+				subject: 'Welcome!',
+				slug: ''
+			}
+		],
+		form: [
+			{
+				form_id: 1,
+				user_id: 1,
+				domain_id: 1,
+				locale: '',
+				idname: 'contact',
+				sender: 'forms@example.test',
+				recipient: 'owner@example.test',
+				subject: 'Contact',
+				template: '',
+				filename: '',
+				slug: '',
+				secret: 's3cret',
+				files: []
+			}
+		]
+	};
+
+	fs.writeFileSync(path.join(configPath, 'init-data.json'), JSON.stringify(initData, null, 2));
+}
+
+async function startSmtpServer(): Promise<SmtpCapture> {
+	const cert = fs.readFileSync(CERT_PATH);
+	const key = fs.readFileSync(KEY_PATH);
+	const messages: ParsedMail[] = [];
+
+	const server = new SMTPServer({
+		secure: true,
+		key,
+		cert,
+		authOptional: true,
+		onData(stream, _session, callback) {
+			const chunks: Buffer[] = [];
+			stream.on('data', (chunk) => chunks.push(chunk));
+			stream.on('end', async () => {
+				try {
+					const parsed = await simpleParser(Buffer.concat(chunks));
+					messages.push(parsed);
+					callback();
+				} catch (err) {
+					callback(err as Error);
+				}
+			});
+		}
+	});
+
+	await new Promise<void>((resolve, reject) => {
+		server.once('error', reject);
+		server.listen(0, '127.0.0.1', () => resolve());
+	});
+
+	const address = server.server.address() as AddressInfo;
+	const port = address.port;
+
+	const waitForMessage = async (timeoutMs = 5000) => {
+		const start = Date.now();
+		while (messages.length === 0) {
+			if (Date.now() - start > timeoutMs) {
+				throw new Error('Timed out waiting for SMTP message');
+			}
+			await new Promise((resolve) => setTimeout(resolve, 25));
+		}
+		const next = messages.shift();
+		if (!next) {
+			throw new Error('SMTP message queue was empty');
+		}
+		return next;
+	};
+
+	return {
+		server,
+		port,
+		messages,
+		waitForMessage,
+		reset: () => {
+			messages.length = 0;
+		}
+	};
+}
+
+export async function createTestContext(): Promise<TestContext> {
+	const tempDir = fs.mkdtempSync(path.join(os.tmpdir(), 'mail-magic-test-'));
+	const configPath = path.join(tempDir, 'config');
+	fs.mkdirSync(configPath, { recursive: true });
+
+	const domainName = 'example.test';
+	writeFixtureConfig(configPath, domainName);
+
+	const smtp = await startSmtpServer();
+
+	const uploadPath = path.join(tempDir, 'uploads');
+	fs.mkdirSync(uploadPath, { recursive: true });
+
+	const uploadFile = path.join(tempDir, 'upload.txt');
+	fs.writeFileSync(uploadFile, 'upload-bytes');
+
+	const apiUrl = 'http://mail.test/api';
+
+	const envKeys = [
+		'NODE_ENV',
+		'CONFIG_PATH',
+		'DB_NAME',
+		'DB_TYPE',
+		'DB_FORCE_SYNC',
+		'DB_AUTO_RELOAD',
+		'API_URL',
+		'ASSET_ROUTE',
+		'API_HOST',
+		'API_PORT',
+		'UPLOAD_PATH',
+		'SMTP_HOST',
+		'SMTP_PORT',
+		'SMTP_SECURE',
+		'SMTP_TLS_REJECT',
+		'SMTP_USER',
+		'SMTP_PASSWORD',
+		'DEBUG'
+	];
+	const envSnapshot = snapshotEnv(envKeys);
+
+	process.env.NODE_ENV = 'development';
+	process.env.CONFIG_PATH = configPath;
+	process.env.DB_NAME = path.join(tempDir, 'mailmagic-test.db');
+	process.env.DB_TYPE = 'sqlite';
+	process.env.DB_FORCE_SYNC = 'true';
+	process.env.DB_AUTO_RELOAD = 'false';
+	process.env.API_URL = apiUrl;
+	process.env.ASSET_ROUTE = '/asset';
+	process.env.API_HOST = '127.0.0.1';
+	process.env.API_PORT = '0';
+	process.env.UPLOAD_PATH = uploadPath;
+	process.env.SMTP_HOST = '127.0.0.1';
+	process.env.SMTP_PORT = String(smtp.port);
+	process.env.SMTP_SECURE = 'true';
+	process.env.SMTP_TLS_REJECT = 'false';
+	process.env.SMTP_USER = '';
+	process.env.SMTP_PASSWORD = '';
+	process.env.DEBUG = 'false';
+
+	const bootstrap = await createMailMagicServer({ apiBasePath: '' });
+
+	const cleanup = async () => {
+		await new Promise<void>((resolve) => {
+			smtp.server.close(() => resolve());
+		});
+		if (bootstrap.store.api_db) {
+			await bootstrap.store.api_db.close();
+		}
+		restoreEnv(envSnapshot);
+		fs.rmSync(tempDir, { recursive: true, force: true });
+	};
+
+	return {
+		server: bootstrap.server,
+		store: bootstrap.store,
+		smtp,
+		tempDir,
+		configPath,
+		uploadFile,
+		domainName,
+		userToken: 'test-token',
+		apiUrl,
+		cleanup
+	};
+}

package/tests/mail-magic.test.ts

@@ -0,0 +1,154 @@
+import request from 'supertest';
+
+import { api_form } from '../src/models/form.js';
+import { api_txmail } from '../src/models/txmail.js';
+
+import { createTestContext } from './helpers/test-setup.js';
+
+import type { TestContext } from './helpers/test-setup.js';
+
+describe('mail-magic API', () => {
+	let ctx: TestContext | null = null;
+	let api: ReturnType<typeof request>;
+
+	beforeAll(async () => {
+		ctx = await createTestContext();
+		api = request((ctx.server as unknown as { app: unknown }).app);
+	});
+
+	afterAll(async () => {
+		if (ctx) {
+			await ctx.cleanup();
+		}
+	});
+
+	beforeEach(() => {
+		ctx?.smtp.reset();
+	});
+
+	test('loads transactional templates with hierarchy and assets', async () => {
+		const template = await api_txmail.findOne({ where: { name: 'welcome' } });
+		expect(template).toBeTruthy();
+		if (!template) {
+			return;
+		}
+
+		expect(template.template).toContain('<title>{{ title }}</title>');
+		expect(template.template).toContain('<h1>{{ heading }}</h1>');
+		expect(template.template).toContain('cid:images/logo.png');
+
+		const expectedUrl = `${ctx.apiUrl}/asset/${ctx.domainName}/files/banner.png`;
+		expect(template.template).toContain(expectedUrl);
+
+		const inline = template.files.find((file) => file.filename === 'images/logo.png');
+		const external = template.files.find((file) => file.filename === 'files/banner.png');
+
+		expect(inline?.cid).toBe('images/logo.png');
+		expect(external?.cid).toBeUndefined();
+	});
+
+	test('loads form templates with hierarchy and asset rewrites', async () => {
+		const form = await api_form.findOne({ where: { idname: 'contact' } });
+		expect(form).toBeTruthy();
+		if (!form) {
+			return;
+		}
+
+		expect(form.template).toContain('Name: {{ _fields_.name }}');
+		expect(form.template).toContain('Email: {{ _fields_.email }}');
+		expect(form.template).toContain('cid:images/logo.png');
+	});
+
+	test('serves assets from the public route and blocks traversal', async () => {
+		const assetPath = `/api/asset/${ctx.domainName}/files/banner.png`;
+		const res = await api.get(assetPath);
+		expect(res.status).toBe(200);
+		expect(res.headers['cache-control']).toContain('max-age=300');
+		expect(res.headers['content-type']).toContain('image/png');
+		expect(res.body.toString()).toBe('banner-bytes');
+
+		const bad = await api.get(`/api/asset/${ctx.domainName}/%2e%2e/secret.txt`);
+		expect(bad.status).toBe(404);
+	});
+
+	test('responds to ping', async () => {
+		const res = await api.get('/api/v1/ping');
+		expect(res.status).toBe(200);
+		expect(res.body.success).toBe(true);
+	});
+
+	test('stores templates via the API', async () => {
+		const res = await api.post('/api/v1/tx/template').set('Authorization', `Bearer apikey-${ctx.userToken}`).send({
+			name: 'custom',
+			domain: ctx.domainName,
+			sender: 'sender@example.test',
+			subject: 'Custom',
+			template: '<p>Custom {{ name }}</p>'
+		});
+
+		expect(res.status).toBe(200);
+
+		const stored = await api_txmail.findOne({ where: { name: 'custom' } });
+		expect(stored?.template).toContain('Custom');
+	});
+
+	test('sends transactional mail with inline assets and attachments', async () => {
+		const res = await api
+			.post('/api/v1/tx/message')
+			.set('Authorization', `Bearer apikey-${ctx.userToken}`)
+			.field('name', 'welcome')
+			.field('domain', ctx.domainName)
+			.field('rcpt', 'recipient@example.test')
+			.field('vars', JSON.stringify({ title: 'Hello', heading: 'Mail Magic', name: 'Jane' }))
+			.attach('file1', ctx.uploadFile);
+
+		expect(res.status).toBe(200);
+
+		const message = await ctx.smtp.waitForMessage();
+		const html = typeof message.html === 'string' ? message.html : String(message.html ?? '');
+		expect(message.subject).toBe('Welcome!');
+		expect(html).toContain('Mail Magic');
+		expect(html).toContain('Hello Jane');
+
+		const filenames = message.attachments.map((att) => att.filename ?? '');
+		expect(filenames.some((name) => name.endsWith('logo.png'))).toBe(true);
+		expect(filenames.some((name) => name.endsWith('banner.png'))).toBe(true);
+		expect(filenames).toContain('upload.txt');
+		const inline = message.attachments.find((att) => att.contentId?.includes('images/logo.png'));
+		expect(inline).toBeTruthy();
+	});
+
+	test('rejects form submissions without the secret', async () => {
+		const res = await api.post('/api/v1/form/message').send({
+			formid: 'contact',
+			name: 'Ada',
+			email: 'ada@example.test'
+		});
+
+		expect(res.status).toBe(401);
+	});
+
+	test('accepts form submissions and delivers mail', async () => {
+		const res = await api
+			.post('/api/v1/form/message')
+			.set('x-forwarded-for', '203.0.113.10')
+			.field('formid', 'contact')
+			.field('secret', 's3cret')
+			.field('recipient', 'receiver@example.test')
+			.field('name', 'Ada')
+			.field('email', 'ada@example.test')
+			.attach('file1', ctx.uploadFile);
+
+		expect(res.status).toBe(200);
+
+		const message = await ctx.smtp.waitForMessage();
+		const html = typeof message.html === 'string' ? message.html : String(message.html ?? '');
+		expect(message.subject).toBe('Contact');
+		expect(html).toContain('Name: Ada');
+		expect(html).toContain('Email: ada@example.test');
+		expect(html).toContain('IP: 203.0.113.10');
+
+		const filenames = message.attachments.map((att) => att.filename ?? '');
+		expect(filenames).toContain('upload.txt');
+	});
+});

package/vitest.config.ts

@@ -0,0 +1,11 @@
+import { defineConfig } from 'vitest/config';
+
+export default defineConfig({
+	test: {
+		environment: 'node',
+		globals: true,
+		include: ['tests/**/*.test.ts'],
+		testTimeout: 20000,
+		hookTimeout: 20000
+	}
+});