emailengine-app 1.14.0

package/encrypt.js

@@ -0,0 +1,179 @@
+'use strict';
+
+require('dotenv').config();
+try {
+    process.chdir(__dirname);
+} catch (err) {
+    // ignore
+}
+
+process.title = 'emailengine-encrypt';
+
+const { redis } = require('./lib/db');
+const config = require('wild-config');
+const { encrypt, decrypt, parseEncryptedData } = require('./lib/encrypt');
+const { encryptedKeys } = require('./lib/settings');
+const getSecret = require('./lib/get-secret');
+
+const DECRYPT_PASSWORDS = [].concat(config.decrypt || []);
+
+async function processSecret(value, encryptSecret) {
+    let lastErr = false;
+    let decrypted = value;
+
+    for (let password of DECRYPT_PASSWORDS) {
+        try {
+            decrypted = decrypt(value, password);
+            if (password === encryptSecret) {
+                // nothing was changed
+                return value;
+            }
+            break;
+        } catch (err) {
+            lastErr = err;
+        }
+    }
+
+    let parsed = parseEncryptedData(decrypted);
+    if (parsed.format !== 'cleartext') {
+        // was not able to decrypt
+        if (encryptSecret) {
+            try {
+                decrypted = decrypt(value, encryptSecret);
+                // did not throw, so the value is already encrypted with the new password
+                return value;
+            } catch (err) {
+                // ignore
+            }
+        }
+
+        throw lastErr || new Error('Could not decrypt encrypted password');
+    }
+
+    if (encryptSecret) {
+        // encrypt
+        return encrypt(decrypted, encryptSecret);
+    }
+
+    // return plaintext
+    return decrypted;
+}
+
+async function main() {
+    console.error('EmailEngine account encryption tool');
+
+    const encryptSecret = await getSecret();
+
+    if (!encryptSecret && !DECRYPT_PASSWORDS.length) {
+        console.error('Usage:');
+        console.error('  emailengine encrypt --dbs.redis="redis://url" --service.secret="new-pass" --decrypt="old-pass"');
+        console.error('Where');
+        console.error(' --dbs.redis is a Redis configuration URL');
+        console.error(' --service.secret is the secret value to use for encryption.');
+        console.error('   Leave empty to remove encryption.');
+        console.error(' --decrypt is the old secret value. Not needed if current passwords are not encrypted.');
+        console.error('   You can set this value multiple times if accounts are enrypted with different secrets.');
+        return;
+    }
+
+    // convert settings
+    for (let key of encryptedKeys) {
+        let value = await redis.hget('settings', key);
+        if (value && typeof value === 'string') {
+            try {
+                let updated = await processSecret(value, encryptSecret);
+                if (updated !== value) {
+                    await redis.hset('settings', key, updated);
+                    console.log(`${key}: Updated setting value`);
+                }
+            } catch (err) {
+                console.error(`${key}: Failed to process setting value`);
+                console.error(err);
+            }
+        }
+    }
+
+    let updatedAccounts = 0;
+    let accounts = await redis.smembers('ia:accounts');
+    for (let account of accounts) {
+        let accountData = await redis.hgetall(`iad:${account}`);
+        if (!accountData) {
+            continue;
+        }
+
+        let updates = {};
+        let updated = false;
+        for (let key of ['imap', 'smtp', 'oauth2']) {
+            if (!accountData[key]) {
+                continue;
+            }
+
+            try {
+                accountData[key] = JSON.parse(accountData[key]);
+            } catch (err) {
+                console.error(`Failed to parse ${key} for ${account}`);
+                console.error(err);
+                continue;
+            }
+
+            if (!accountData[key]) {
+                continue;
+            }
+
+            let changes = false;
+
+            for (let subKey of ['pass', 'accessToken', 'refreshToken']) {
+                if (accountData[key].auth && accountData[key].auth[subKey]) {
+                    try {
+                        let value = await processSecret(accountData[key].auth[subKey], encryptSecret);
+                        if (value !== accountData[key].auth[subKey]) {
+                            accountData[key].auth[subKey] = value;
+                            changes = true;
+                        }
+                    } catch (err) {
+                        console.error(`Could not process "${key}.auth.${subKey}" for ${account}. Check decryption secrets.`);
+                    }
+                }
+            }
+
+            for (let subKey of ['accessToken', 'refreshToken']) {
+                if (accountData[key] && accountData[key][subKey]) {
+                    try {
+                        let value = await processSecret(accountData[key][subKey], encryptSecret);
+                        if (value !== accountData[key][subKey]) {
+                            accountData[key][subKey] = value;
+                            changes = true;
+                        }
+                    } catch (err) {
+                        console.error(`Could not process "${key}.${subKey}" for ${account}. Check decryption secrets.`);
+                    }
+                }
+            }
+
+            if (changes) {
+                updates[key] = JSON.stringify(accountData[key]);
+                updated = true;
+            }
+        }
+
+        if (updated) {
+            let result = await redis.hmset(`iad:${account}`, updates);
+            if (result === 'OK') {
+                console.log(`${account}: updated`);
+            } else {
+                console.log(`${account}: Unexpected response from DB: ${result}`);
+            }
+            updatedAccounts++;
+        }
+    }
+
+    console.log(`Updated ${updatedAccounts}/${accounts.length} accounts`);
+}
+
+main()
+    .then(() => process.exit(0))
+    .catch(err => {
+        console.error(err);
+        process.exit(1);
+    })
+    .finally();

package/examples/api.md

@@ -0,0 +1,137 @@
+# API
+
+```
+curl -XPOST "localhost:3000/v1/account" -H "content-type: application/json" -d '{
+    "account": "example",
+    "name": "Example",
+    "imap": {
+        "host": "localhost",
+        "port": 9993,
+        "secure": true,
+        "auth": {
+            "user": "myuser2",
+            "pass": "verysecret"
+        },
+        "tls": {
+            "rejectUnauthorized": false
+        }
+    },
+    "smtp": {
+        "host": "localhost",
+        "port": 1025,
+        "secure": false,
+        "auth": {
+            "user": "myuser2",
+            "pass": "verysecret"
+        },
+        "tls": {
+            "rejectUnauthorized": false
+        }
+    }
+}'
+```
+
+```
+curl -XPUT "localhost:3000/account/example" -H "content-type: application/json" -d '{
+    "imap": {
+        "host": "localhost",
+        "port": 9993,
+        "secure": true,
+        "auth": {
+            "user": "myuser2",
+            "pass": "verysecret"
+        },
+        "tls": {
+            "rejectUnauthorized": false
+        }
+    }
+}'
+```
+
+```
+curl -XPOST "localhost:3000/v1/verifyAccount" -H "content-type: application/json" -d '{
+    "imap": {
+        "host": "localhost",
+        "port": 9993,
+        "secure": true,
+        "auth": {
+            "user": "myuser2",
+            "pass": "verysecret"
+        },
+        "tls": {
+            "rejectUnauthorized": false
+        }
+    },
+    "smtp": {
+        "host": "localhost",
+        "port": 1025,
+        "secure": false,
+        "auth": {
+            "user": "myuser2",
+            "pass": "verysecret"
+        },
+        "tls": {
+            "rejectUnauthorized": false
+        }
+    }
+}'
+```
+
+```
+curl -XPOST "localhost:3000/v1/account/pangalink/submit" -H "content-type: application/json" -d '{
+    "reference": {
+        "message": "AAAAAQAACnA",
+        "action": "reply"
+    },
+    "from": {
+        "name": "Pangalink",
+        "address": "no-reply@pangalink.net"
+    },
+    "to": [{
+        "name": "Andris Reinman",
+        "address": "andris@emailengine.app"
+    }],
+    "subject": "test kiri",
+    "text": "eriti test kiri",
+    "html": "<p>eriti test kiri</p>",
+    "attachments": [
+        {
+            "filename": "checkmark.png",
+            "content": "iVBORw0KGgoAAAANSUhEUgAAABAAAAAQAQMAAAAlPW0iAAAABlBMVEUAAAD///+l2Z/dAAAAM0lEQVR4nGP4/5/h/1+G/58ZDrAz3D/McH8yw83NDDeNGe4Ug9C9zwz3gVLMDA/A6P9/AFGGFyjOXZtQAAAAAElFTkSuQmCC"
+        }
+    ]
+}'
+```
+
+```
+curl -XDELETE "localhost:3000/v1/account/example"
+```
+
+```
+curl -XGET "localhost:3000/v1/account/example/mailboxes"
+```
+
+```
+curl -XGET "localhost:3000/v1/account/example/messages?path=INBOX&page=1"
+```
+
+```
+curl -XGET "localhost:3000/v1/account/pangalink/message/AAAAAQAAMlw"
+```
+
+```
+curl -XGET "localhost:3000/v1/account/pangalink/message/AAAAAQAAMlw/source"
+```
+
+```
+curl -XGET "localhost:3000/v1/account/example/text/AAAAAQAAAeGTkaExkaEykA?textType=html&maxBytes=200"
+```
+
+```
+curl -XPUT "localhost:3000/v1/account/pangalink/message/AAAAAQAAMlw" -H "content-type: application/json" -d '{
+    "flags": {
+        "add": ["test2", "test3"],
+        "delete": ["test1"]
+    }
+}'
+```

package/examples/auth-server.js

@@ -0,0 +1,104 @@
+'use strict';
+
+// This is an example authentication server
+// It provides fixed credentials for an account called "example" and generates OAuth2 access tokens for an account called "oauth-user"
+
+const Hapi = require('@hapi/hapi');
+const hapiPino = require('hapi-pino');
+const XOAuth2 = require('nodemailer/lib/xoauth2');
+
+// Gmail oauth app credentials. Must have https://mail.google.com scope set
+const OAUTH2_CLIENT_ID = process.env.OAUTH2_CLIENT_ID;
+const OAUTH2_CLIENT_SECRET = process.env.OAUTH2_CLIENT_SECRET;
+
+// Single user specific credentials as our demo only provides tokens for a single user
+const USER_ADDRESS = process.env.USER_ADDRESS;
+const USER_REFRESH_TOKEN = process.env.USER_REFRESH_TOKEN;
+
+const init = async () => {
+    const server = Hapi.server({
+        port: 3080,
+        host: 'localhost'
+    });
+
+    await server.register({
+        plugin: hapiPino,
+        options: {
+            level: 'trace'
+        }
+    });
+
+    server.route({
+        method: 'GET',
+        path: '/credentials',
+
+        async handler(request) {
+            switch (request.query.account) {
+                // account with id "example" uses password based authentication
+                case 'example':
+                    return {
+                        user: 'myuser2',
+                        pass: 'verysecret'
+                    };
+
+                // account with id "oauth-user" uses OAuth2 tokens
+                case 'oauth-user':
+                    return {
+                        user: USER_ADDRESS,
+                        accessToken: await getAccessToken(USER_ADDRESS, USER_REFRESH_TOKEN)
+                    };
+            }
+
+            return false;
+        }
+    });
+
+    await server.start();
+    console.log('Authentication Server URL: %s/credentials', server.info.uri);
+};
+
+// The following crux re-uses OAuth2 token generation from the Nodemailer package.
+// Normally you'd probably use something like this instead: https://www.npmjs.com/package/google-auth-library
+const tokens = new Map();
+async function getAccessToken(user, refreshToken) {
+    // check cache first
+    if (tokens.has(user)) {
+        let token = tokens.get(user);
+        if (token.expires > new Date()) {
+            // use cached token
+            return token.accessToken;
+        }
+        // clear expired token
+        tokens.delete(user);
+    }
+
+    // generate new token
+    let token = await new Promise((resolve, reject) => {
+        let xoauth = new XOAuth2({
+            user,
+            clientId: OAUTH2_CLIENT_ID,
+            clientSecret: OAUTH2_CLIENT_SECRET,
+            refreshToken,
+            accessUrl: 'https://accounts.google.com/o/oauth2/token'
+        });
+        xoauth.generateToken(err => {
+            if (err) {
+                return reject(err);
+            }
+            if (!xoauth.accessToken) {
+                return reject(new Error('Could not generate new access token'));
+            }
+            resolve({
+                accessToken: xoauth.accessToken,
+                expires: xoauth.expires
+            });
+        });
+    });
+
+    // update cache
+    tokens.set(user, token);
+
+    return token.accessToken;
+}
+
+init();

package/getswagger.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+export EENGINE_PORT=5678
+
+npm start > /dev/null 2>&1 &
+sleep 5
+curl -s "http://127.0.0.1:${EENGINE_PORT}/swagger.json" > swagger.json
+pkill emailengine