@techstream/quark-core 1.1.0 → 1.4.0

package/src/email-templates.test.js

@@ -0,0 +1,124 @@
+import assert from "node:assert";
+import { test } from "node:test";
+import { passwordResetEmail, welcomeEmail } from "./email-templates.js";
+
+test("welcomeEmail", async (t) => {
+	await t.test("returns subject, html, and text", () => {
+		const result = welcomeEmail({});
+		assert.ok(result.subject);
+		assert.ok(result.html);
+		assert.ok(result.text);
+	});
+
+	await t.test("uses default app name in subject", () => {
+		const result = welcomeEmail({});
+		assert.strictEqual(result.subject, "Welcome to Quark!");
+	});
+
+	await t.test("uses custom app name in subject", () => {
+		const result = welcomeEmail({ appName: "MyApp" });
+		assert.strictEqual(result.subject, "Welcome to MyApp!");
+	});
+
+	await t.test("includes user name in html when provided", () => {
+		const result = welcomeEmail({ name: "Alice" });
+		assert.ok(result.html.includes("Alice"));
+		assert.ok(result.text.includes("Alice"));
+	});
+
+	await t.test("uses fallback greeting when no name provided", () => {
+		const result = welcomeEmail({});
+		assert.ok(result.html.includes("there"));
+		assert.ok(result.text.includes("there"));
+	});
+
+	await t.test("includes login URL when provided", () => {
+		const result = welcomeEmail({ loginUrl: "https://app.test/login" });
+		assert.ok(result.html.includes("https://app.test/login"));
+		assert.ok(result.text.includes("https://app.test/login"));
+	});
+
+	await t.test("omits sign-in button when no login URL", () => {
+		const result = welcomeEmail({});
+		assert.ok(!result.html.includes("Sign In"));
+	});
+
+	await t.test("escapes HTML in user name", () => {
+		const result = welcomeEmail({ name: "<script>alert('xss')</script>" });
+		assert.ok(!result.html.includes("<script>"));
+		assert.ok(result.html.includes("&lt;script&gt;"));
+	});
+
+	await t.test("wraps content in html layout", () => {
+		const result = welcomeEmail({});
+		assert.ok(result.html.includes("<!DOCTYPE html>"));
+		assert.ok(result.html.includes("</html>"));
+	});
+});
+
+test("passwordResetEmail", async (t) => {
+	const validArgs = { resetUrl: "https://app.test/reset?token=abc123" };
+
+	await t.test("returns subject, html, and text", () => {
+		const result = passwordResetEmail(validArgs);
+		assert.ok(result.subject);
+		assert.ok(result.html);
+		assert.ok(result.text);
+	});
+
+	await t.test("throws when resetUrl is missing", () => {
+		assert.throws(() => passwordResetEmail({}), /resetUrl is required/);
+	});
+
+	await t.test("includes reset URL in html and text", () => {
+		const result = passwordResetEmail(validArgs);
+		assert.ok(result.html.includes(validArgs.resetUrl));
+		assert.ok(result.text.includes(validArgs.resetUrl));
+	});
+
+	await t.test("uses default app name", () => {
+		const result = passwordResetEmail(validArgs);
+		assert.ok(result.subject.includes("Quark"));
+	});
+
+	await t.test("uses custom app name", () => {
+		const result = passwordResetEmail({ ...validArgs, appName: "MyApp" });
+		assert.ok(result.subject.includes("MyApp"));
+	});
+
+	await t.test("includes user name when provided", () => {
+		const result = passwordResetEmail({ ...validArgs, name: "Bob" });
+		assert.ok(result.html.includes("Bob"));
+		assert.ok(result.text.includes("Bob"));
+	});
+
+	await t.test("uses default expiry time", () => {
+		const result = passwordResetEmail(validArgs);
+		assert.ok(result.html.includes("1 hour"));
+		assert.ok(result.text.includes("1 hour"));
+	});
+
+	await t.test("uses custom expiry time", () => {
+		const result = passwordResetEmail({
+			...validArgs,
+			expiresIn: "30 minutes",
+		});
+		assert.ok(result.html.includes("30 minutes"));
+		assert.ok(result.text.includes("30 minutes"));
+	});
+
+	await t.test("escapes HTML in user name", () => {
+		const result = passwordResetEmail({
+			...validArgs,
+			name: '<img src=x onerror="alert(1)">',
+		});
+		assert.ok(!result.html.includes("<img"));
+		assert.ok(result.html.includes("&lt;img"));
+	});
+
+	await t.test("wraps content in html layout", () => {
+		const result = passwordResetEmail(validArgs);
+		assert.ok(result.html.includes("<!DOCTYPE html>"));
+		assert.ok(result.html.includes("</html>"));
+	});
+});

package/src/email.js

@@ -55,13 +55,15 @@ async function createSmtpTransport() {
 async function sendViaResend(from, to, subject, html, text) {
 	const apiKey = process.env.RESEND_API_KEY;
 	if (!apiKey) {
-		throw new Error("RESEND_API_KEY environment variable is required when EMAIL_PROVIDER=resend");
+		throw new Error(
+			"RESEND_API_KEY environment variable is required when EMAIL_PROVIDER=resend",
+		);
 	}
 
 	const response = await fetch("https://api.resend.com/emails", {
 		method: "POST",
 		headers: {
-			"Authorization": `Bearer ${apiKey}`,
+			Authorization: `Bearer ${apiKey}`,
 			"Content-Type": "application/json",
 		},
 		body: JSON.stringify({
@@ -75,8 +77,12 @@ async function sendViaResend(from, to, subject, html, text) {
 	});
 
 	if (!response.ok) {
-		const error = await response.json().catch(() => ({ message: response.statusText }));
-		throw new Error(`Resend API error: ${error.message || response.statusText}`);
+		const error = await response
+			.json()
+			.catch(() => ({ message: response.statusText }));
+		throw new Error(
+			`Resend API error: ${error.message || response.statusText}`,
+		);
 	}
 
 	return response.json();
@@ -84,7 +90,7 @@ async function sendViaResend(from, to, subject, html, text) {
 
 /**
  * Create an email service instance
- * 
+ *
  * @param {Object} [options]
  * @param {string} [options.provider] - "smtp" or "resend" (defaults to EMAIL_PROVIDER env var or "smtp")
  * @param {string} [options.from] - Sender address (defaults to EMAIL_FROM env var)
@@ -92,7 +98,8 @@ async function sendViaResend(from, to, subject, html, text) {
  */
 export function createEmailService(options = {}) {
 	const provider = options.provider || process.env.EMAIL_PROVIDER || "smtp";
-	const from = options.from || process.env.EMAIL_FROM || "Quark <noreply@localhost>";
+	const from =
+		options.from || process.env.EMAIL_FROM || "Quark <noreply@localhost>";
 
 	let smtpTransport = null;
 

package/src/email.test.js

@@ -1,133 +1,146 @@
 import assert from "node:assert";
-import { mock, test } from "node:test";
+import { test } from "node:test";
 import { createEmailService } from "./email.js";
 
 test("Email Service", async (t) => {
-	await t.test("createEmailService returns object with sendEmail method", () => {
-		const service = createEmailService();
-		assert.strictEqual(typeof service, "object");
-		assert.strictEqual(typeof service.sendEmail, "function");
-	});
-
-	await t.test("SMTP provider: uses Mailhog defaults when no SMTP_HOST set", async () => {
-		// Clear any explicit SMTP env vars
-		const origHost = process.env.SMTP_HOST;
-		const origPort = process.env.SMTP_PORT;
-		delete process.env.SMTP_HOST;
-		delete process.env.SMTP_PORT;
-
-		try {
-			const service = createEmailService({ provider: "smtp" });
-
-			// Mock nodemailer at the transport level
-			let capturedConfig = null;
-			const mockTransport = {
-				sendMail: async (opts) => {
-					return { messageId: "test-id-123", ...opts };
-				},
-			};
-
-			// We test that sendEmail resolves without error
-			// The transport is lazily created, so sendEmail triggers creation
-			// We can't easily intercept the dynamic import, but we can verify
-			// the service was created correctly
-			assert.strictEqual(typeof service.sendEmail, "function");
-		} finally {
-			if (origHost !== undefined) process.env.SMTP_HOST = origHost;
-			else delete process.env.SMTP_HOST;
-			if (origPort !== undefined) process.env.SMTP_PORT = origPort;
-			else delete process.env.SMTP_PORT;
-		}
-	});
-
-	await t.test("SMTP provider: uses explicit SMTP_HOST/SMTP_PORT when set", () => {
-		const origHost = process.env.SMTP_HOST;
-		const origPort = process.env.SMTP_PORT;
-		process.env.SMTP_HOST = "mail.example.com";
-		process.env.SMTP_PORT = "587";
-
-		try {
-			const service = createEmailService({ provider: "smtp" });
+	await t.test(
+		"createEmailService returns object with sendEmail method",
+		() => {
+			const service = createEmailService();
+			assert.strictEqual(typeof service, "object");
 			assert.strictEqual(typeof service.sendEmail, "function");
-		} finally {
-			if (origHost !== undefined) process.env.SMTP_HOST = origHost;
-			else delete process.env.SMTP_HOST;
-			if (origPort !== undefined) process.env.SMTP_PORT = origPort;
-			else delete process.env.SMTP_PORT;
-		}
-	});
-
-	await t.test("Resend provider: throws if RESEND_API_KEY missing", async () => {
-		const origKey = process.env.RESEND_API_KEY;
-		delete process.env.RESEND_API_KEY;
-
-		try {
-			const service = createEmailService({ provider: "resend" });
-
-			await assert.rejects(
-				() => service.sendEmail("test@example.com", "Subject", "<p>body</p>"),
-				(err) =>
-					err instanceof Error &&
-					/RESEND_API_KEY/.test(err.message),
-			);
-		} finally {
-			if (origKey !== undefined) process.env.RESEND_API_KEY = origKey;
-			else delete process.env.RESEND_API_KEY;
-		}
-	});
-
-	await t.test("Resend provider: calls fetch with correct URL, headers, and body", async () => {
-		const origKey = process.env.RESEND_API_KEY;
-		process.env.RESEND_API_KEY = "re_test_key_123";
-
-		// Mock global fetch
-		const originalFetch = globalThis.fetch;
-		let capturedUrl = null;
-		let capturedOptions = null;
-
-		globalThis.fetch = async (url, opts) => {
-			capturedUrl = url;
-			capturedOptions = opts;
-			return {
-				ok: true,
-				json: async () => ({ id: "resend-msg-id" }),
+		},
+	);
+
+	await t.test(
+		"SMTP provider: uses Mailhog defaults when no SMTP_HOST set",
+		async () => {
+			// Clear any explicit SMTP env vars
+			const origHost = process.env.SMTP_HOST;
+			const origPort = process.env.SMTP_PORT;
+			delete process.env.SMTP_HOST;
+			delete process.env.SMTP_PORT;
+
+			try {
+				const service = createEmailService({ provider: "smtp" });
+
+				// Mock nodemailer at the transport level
+				const _capturedConfig = null;
+				const _mockTransport = {
+					sendMail: async (opts) => {
+						return { messageId: "test-id-123", ...opts };
+					},
+				};
+
+				// We test that sendEmail resolves without error
+				// The transport is lazily created, so sendEmail triggers creation
+				// We can't easily intercept the dynamic import, but we can verify
+				// the service was created correctly
+				assert.strictEqual(typeof service.sendEmail, "function");
+			} finally {
+				if (origHost !== undefined) process.env.SMTP_HOST = origHost;
+				else delete process.env.SMTP_HOST;
+				if (origPort !== undefined) process.env.SMTP_PORT = origPort;
+				else delete process.env.SMTP_PORT;
+			}
+		},
+	);
+
+	await t.test(
+		"SMTP provider: uses explicit SMTP_HOST/SMTP_PORT when set",
+		() => {
+			const origHost = process.env.SMTP_HOST;
+			const origPort = process.env.SMTP_PORT;
+			process.env.SMTP_HOST = "mail.example.com";
+			process.env.SMTP_PORT = "587";
+
+			try {
+				const service = createEmailService({ provider: "smtp" });
+				assert.strictEqual(typeof service.sendEmail, "function");
+			} finally {
+				if (origHost !== undefined) process.env.SMTP_HOST = origHost;
+				else delete process.env.SMTP_HOST;
+				if (origPort !== undefined) process.env.SMTP_PORT = origPort;
+				else delete process.env.SMTP_PORT;
+			}
+		},
+	);
+
+	await t.test(
+		"Resend provider: throws if RESEND_API_KEY missing",
+		async () => {
+			const origKey = process.env.RESEND_API_KEY;
+			delete process.env.RESEND_API_KEY;
+
+			try {
+				const service = createEmailService({ provider: "resend" });
+
+				await assert.rejects(
+					() => service.sendEmail("test@example.com", "Subject", "<p>body</p>"),
+					(err) => err instanceof Error && /RESEND_API_KEY/.test(err.message),
+				);
+			} finally {
+				if (origKey !== undefined) process.env.RESEND_API_KEY = origKey;
+				else delete process.env.RESEND_API_KEY;
+			}
+		},
+	);
+
+	await t.test(
+		"Resend provider: calls fetch with correct URL, headers, and body",
+		async () => {
+			const origKey = process.env.RESEND_API_KEY;
+			process.env.RESEND_API_KEY = "re_test_key_123";
+
+			// Mock global fetch
+			const originalFetch = globalThis.fetch;
+			let capturedUrl = null;
+			let capturedOptions = null;
+
+			globalThis.fetch = async (url, opts) => {
+				capturedUrl = url;
+				capturedOptions = opts;
+				return {
+					ok: true,
+					json: async () => ({ id: "resend-msg-id" }),
+				};
 			};
-		};
-
-		try {
-			const service = createEmailService({
-				provider: "resend",
-				from: "Test <test@example.com>",
-			});
-
-			const result = await service.sendEmail(
-				"recipient@example.com",
-				"Test Subject",
-				"<p>Hello</p>",
-				"Hello",
-			);
-
-			assert.strictEqual(capturedUrl, "https://api.resend.com/emails");
-			assert.strictEqual(capturedOptions.method, "POST");
-
-			const headers = capturedOptions.headers;
-			assert.strictEqual(headers.Authorization, "Bearer re_test_key_123");
-			assert.strictEqual(headers["Content-Type"], "application/json");
 
-			const body = JSON.parse(capturedOptions.body);
-			assert.strictEqual(body.from, "Test <test@example.com>");
-			assert.deepStrictEqual(body.to, ["recipient@example.com"]);
-			assert.strictEqual(body.subject, "Test Subject");
-			assert.strictEqual(body.html, "<p>Hello</p>");
-			assert.strictEqual(body.text, "Hello");
-
-			assert.strictEqual(result.id, "resend-msg-id");
-		} finally {
-			globalThis.fetch = originalFetch;
-			if (origKey !== undefined) process.env.RESEND_API_KEY = origKey;
-			else delete process.env.RESEND_API_KEY;
-		}
-	});
+			try {
+				const service = createEmailService({
+					provider: "resend",
+					from: "Test <test@example.com>",
+				});
+
+				const result = await service.sendEmail(
+					"recipient@example.com",
+					"Test Subject",
+					"<p>Hello</p>",
+					"Hello",
+				);
+
+				assert.strictEqual(capturedUrl, "https://api.resend.com/emails");
+				assert.strictEqual(capturedOptions.method, "POST");
+
+				const headers = capturedOptions.headers;
+				assert.strictEqual(headers.Authorization, "Bearer re_test_key_123");
+				assert.strictEqual(headers["Content-Type"], "application/json");
+
+				const body = JSON.parse(capturedOptions.body);
+				assert.strictEqual(body.from, "Test <test@example.com>");
+				assert.deepStrictEqual(body.to, ["recipient@example.com"]);
+				assert.strictEqual(body.subject, "Test Subject");
+				assert.strictEqual(body.html, "<p>Hello</p>");
+				assert.strictEqual(body.text, "Hello");
+
+				assert.strictEqual(result.id, "resend-msg-id");
+			} finally {
+				globalThis.fetch = originalFetch;
+				if (origKey !== undefined) process.env.RESEND_API_KEY = origKey;
+				else delete process.env.RESEND_API_KEY;
+			}
+		},
+	);
 
 	await t.test("Resend provider: throws on non-ok response", async () => {
 		const origKey = process.env.RESEND_API_KEY;
@@ -196,8 +209,7 @@ test("Email Service", async (t) => {
 			// The service should be created without error (defaults to smtp)
 			assert.strictEqual(typeof service.sendEmail, "function");
 		} finally {
-			if (origProvider !== undefined)
-				process.env.EMAIL_PROVIDER = origProvider;
+			if (origProvider !== undefined) process.env.EMAIL_PROVIDER = origProvider;
 			else delete process.env.EMAIL_PROVIDER;
 		}
 	});
@@ -209,7 +221,7 @@ test("Email Service", async (t) => {
 		const originalFetch = globalThis.fetch;
 		let capturedBody = null;
 
-		globalThis.fetch = async (url, opts) => {
+		globalThis.fetch = async (_url, opts) => {
 			capturedBody = JSON.parse(opts.body);
 			return { ok: true, json: async () => ({ id: "msg-1" }) };
 		};

package/src/index.js

@@ -7,6 +7,10 @@ export * from "./authorization.js";
 export * from "./cache.js";
 // CSRF protection exports
 export * from "./csrf.js";
+// Email service exports
+export * from "./email.js";
+// Email template exports
+export * from "./email-templates.js";
 // Error Reporter exports
 export * from "./error-reporter.js";
 // Error exports
@@ -15,8 +19,6 @@ export * from "./errors.js";
 export * from "./logger.js";
 // Mailhog exports
 export * from "./mailhog.js";
-// Email service exports
-export * from "./email.js";
 // Queue exports
 export * from "./queue/index.js";
 // Rate limiting exports

package/src/mailhog.js

@@ -30,8 +30,8 @@ function getMailhogUiUrl() {
 export const getMailhogSmtpConfig = () => {
 	const url = getMailhogSmtpUrl();
 	const match = url.match(/smtp:\/\/([^:]+):(\d+)/);
-	const host = match ? match[1] : (process.env.MAILHOG_HOST || "localhost");
-	const port = match ? match[2] : (process.env.MAILHOG_SMTP_PORT || "1025");
+	const host = match ? match[1] : process.env.MAILHOG_HOST || "localhost";
+	const port = match ? match[2] : process.env.MAILHOG_SMTP_PORT || "1025";
 
 	return {
 		host,

package/src/rate-limiter.js

@@ -143,7 +143,7 @@ class RedisRateLimiter {
 				remaining: maxRequests - currentCount,
 				resetTime,
 			};
-		} catch (error) {
+		} catch (_error) {
 			// Configurable fail-open / fail-closed behaviour
 			if (this.failOpen) {
 				return {

package/.turbo/turbo-lint.log

@@ -1,7 +0,0 @@
-
-
-> @quark/core@1.0.0 lint /Users/david/Projects/quark/packages/core
-> biome format --write && biome check --write
-
-Formatted 17 files in 40ms. No fixes applied.
-Checked 17 files in 64ms. No fixes applied.