emailengine-app 2.61.1 → 2.61.2

package/lib/email-client/smtp-pool-manager.js

@@ -0,0 +1,196 @@
+'use strict';
+
+const crypto = require('crypto');
+const nodemailer = require('nodemailer');
+const socks = require('socks');
+const logger = require('../logger');
+
+// Cache for SMTP connection pools to reuse connections
+const SMTP_POOLS = new Map();
+// Track last usage time for each pool to enable LRU-based cleanup
+const SMTP_POOL_LAST_USED = new Map();
+
+// Maximum idle time for SMTP pool connections (10 minutes of inactivity)
+const SMTP_POOL_MAX_IDLE = 10 * 60 * 1000;
+// Cleanup interval for idle SMTP pools (2 minutes)
+const SMTP_POOL_CLEANUP_INTERVAL = 2 * 60 * 1000;
+
+// Keys that affect SMTP connection identity
+const CONNECTION_IDENTITY_KEYS = ['name', 'localAddress', 'auth', 'host', 'port', 'secure', 'transactionLog', 'proxy'];
+
+/**
+ * Generates a unique pool key from SMTP settings
+ * @param {Object} smtpSettings - SMTP configuration settings
+ * @returns {string} SHA256 hash of connection-relevant settings
+ */
+function generatePoolKey(smtpSettings) {
+    const limitedSettings = {};
+    for (const key of CONNECTION_IDENTITY_KEYS) {
+        limitedSettings[key] = smtpSettings[key];
+    }
+    const serializedSettings = JSON.stringify(limitedSettings);
+    return crypto.createHash('sha256').update(serializedSettings).digest('hex');
+}
+
+/**
+ * Sets up event handlers for a new transporter
+ * @param {Object} transporter - Nodemailer transport instance
+ * @param {string} poolKey - Pool key for this transport
+ */
+function setupTransporterHandlers(transporter, poolKey) {
+    // Handle connection pool cleanup when idle
+    transporter.once('clear', () => {
+        // All emails processed and connection timed out
+        logger.trace({ msg: 'Clearing disconnected SMTP pool', poolKey });
+        SMTP_POOLS.delete(poolKey);
+        SMTP_POOL_LAST_USED.delete(poolKey);
+        try {
+            transporter.close();
+        } catch (closeErr) {
+            logger.error({ msg: 'Failed to close transporter', err: closeErr });
+        }
+    });
+
+    // Handle transport errors by removing from pool
+    transporter.once('error', err => {
+        // Not sure what happened, but do not re-use this transporter object anymore
+        logger.error({ msg: 'Transporter failed', err });
+        SMTP_POOLS.delete(poolKey);
+        SMTP_POOL_LAST_USED.delete(poolKey);
+        try {
+            transporter.close();
+        } catch (closeErr) {
+            logger.error({ msg: 'Failed to close transporter', err: closeErr });
+        }
+    });
+}
+
+/**
+ * Creates a new SMTP transport with pooling enabled
+ * @param {Object} smtpSettings - SMTP configuration settings
+ * @param {string} poolKey - Pool key for this transport
+ * @returns {Object} Configured nodemailer transport instance
+ */
+function createPooledTransport(smtpSettings, poolKey) {
+    // Configure connection pooling settings
+    smtpSettings.pool = true;
+    smtpSettings.maxConnections = 1;
+    smtpSettings.maxMessages = 100;
+    smtpSettings.socketTimeout = 2 * 60 * 1000; // 2 minute timeout
+
+    // Create new transport with pooling enabled
+    const transporter = nodemailer.createTransport(smtpSettings);
+    transporter.set('proxy_socks_module', socks);
+
+    setupTransporterHandlers(transporter, poolKey);
+
+    return transporter;
+}
+
+/**
+ * Gets or creates a reusable SMTP transport for the given configuration
+ * Connection pooling improves performance by reusing SMTP connections
+ * @param {Object} smtpSettings - SMTP configuration settings
+ * @returns {Object} Nodemailer transport instance
+ */
+function getMailTransport(smtpSettings) {
+    const poolKey = generatePoolKey(smtpSettings);
+
+    // Return existing transport if available
+    if (SMTP_POOLS.has(poolKey)) {
+        const transporter = SMTP_POOLS.get(poolKey);
+        // Update last used time for LRU tracking
+        SMTP_POOL_LAST_USED.set(poolKey, Date.now());
+        return transporter;
+    }
+
+    // Create new transport
+    const transporter = createPooledTransport(smtpSettings, poolKey);
+
+    // Cache the transport for reuse
+    SMTP_POOLS.set(poolKey, transporter);
+    SMTP_POOL_LAST_USED.set(poolKey, Date.now());
+    logger.trace({ msg: 'Created SMTP pool', poolKey });
+
+    return transporter;
+}
+
+/**
+ * Closes a pooled connection by key
+ * @param {string} poolKey - The pool key to close
+ */
+function closePooledConnection(poolKey) {
+    const transporter = SMTP_POOLS.get(poolKey);
+    if (transporter) {
+        try {
+            transporter.close();
+        } catch (err) {
+            logger.error({ msg: 'Failed to close pooled transporter', poolKey, err });
+        }
+        SMTP_POOLS.delete(poolKey);
+        SMTP_POOL_LAST_USED.delete(poolKey);
+    }
+}
+
+/**
+ * Performs cleanup of idle SMTP pool connections
+ */
+function cleanupIdlePools() {
+    const now = Date.now();
+    const idleKeys = [];
+
+    for (const [poolKey, lastUsed] of SMTP_POOL_LAST_USED.entries()) {
+        if (now - lastUsed > SMTP_POOL_MAX_IDLE) {
+            idleKeys.push(poolKey);
+        }
+    }
+
+    for (const poolKey of idleKeys) {
+        const transporter = SMTP_POOLS.get(poolKey);
+        if (transporter) {
+            // Check if the transporter has active connections
+            if (transporter._connectionPool && transporter._connectionPool.size > 0) {
+                // Still has active connections, update last used time
+                SMTP_POOL_LAST_USED.set(poolKey, now);
+                logger.trace({ msg: 'SMTP pool still has active connections, skipping cleanup', poolKey });
+                continue;
+            }
+
+            logger.debug({ msg: 'Cleaning up idle SMTP pool connection', poolKey, idleTime: now - SMTP_POOL_LAST_USED.get(poolKey) });
+            try {
+                transporter.close();
+            } catch (err) {
+                logger.error({ msg: 'Failed to close idle SMTP transporter', poolKey, err });
+            }
+        }
+        SMTP_POOLS.delete(poolKey);
+        SMTP_POOL_LAST_USED.delete(poolKey);
+    }
+
+    if (idleKeys.length > 0) {
+        logger.info({ msg: 'SMTP pool cleanup completed', cleaned: idleKeys.length, remaining: SMTP_POOLS.size });
+    }
+}
+
+// Periodic cleanup of idle SMTP pool connections
+const smtpPoolCleanupTimer = setInterval(cleanupIdlePools, SMTP_POOL_CLEANUP_INTERVAL);
+
+// Prevent the timer from keeping the process alive
+smtpPoolCleanupTimer.unref();
+
+/**
+ * Gets the current pool size (for testing/monitoring)
+ * @returns {number} Number of active pools
+ */
+function getPoolSize() {
+    return SMTP_POOLS.size;
+}
+
+module.exports = {
+    getMailTransport,
+    closePooledConnection,
+    getPoolSize,
+    // Export constants for testing
+    SMTP_POOL_MAX_IDLE,
+    SMTP_POOL_CLEANUP_INTERVAL
+};

package/lib/imapproxy/imap-server.js

@@ -6,17 +6,8 @@ const config = require('@zone-eu/wild-config');
 const logger = require('../logger');
 const { oauth2Apps, oauth2ProviderData } = require('../oauth2-apps');
 
-const {
-    getDuration,
-    getBoolean,
-    resolveCredentials,
-    hasEnvValue,
-    readEnvValue,
-    emitChangeEvent,
-    matchIp,
-    getLocalAddress,
-    loadTlsConfig
-} = require('../tools');
+const { getDuration, getBoolean, resolveCredentials, hasEnvValue, readEnvValue, emitChangeEvent, loadTlsConfig } = require('../tools');
+const { matchIp, getLocalAddress } = require('../utils/network');
 
 const { redis } = require('../db');
 const { Account } = require('../account');
@@ -247,7 +238,7 @@ async function onAuth(auth, session) {
         // load OAuth2 tokens
         let now = Date.now();
         let accessToken;
-        if (!accountData.oauth2.accessToken || !accountData.oauth2.expires || accountData.oauth2.expires < new Date(now - 30 * 1000)) {
+        if (!accountData.oauth2.accessToken || !accountData.oauth2.expires || accountData.oauth2.expires < new Date(now + 30 * 1000)) {
             // renew access token
             try {
                 accountData = await accountObject.renewAccessToken();

package/lib/oauth/gmail.js

@@ -110,7 +110,7 @@ const checkForUserFlags = err => {
 
     let { error, error_description: description } = err;
 
-    if (description && typeof description === 'string' && description.indexOf('Token has been expired or revoked')) {
+    if (description && typeof description === 'string' && description.includes('Token has been expired or revoked')) {
         description = `Refresh token has expired or been revoked. This usually happens if you're using a public OAuth2 application that hasn't passed Google's security verification process-in such cases, refresh tokens expire after 7 days. It may also occur if the user has revoked your app's access to their email account. To fix this, consider completing the verification process or ask the user to reauthorize your app.`;
     }
 
@@ -338,7 +338,7 @@ class GmailOauth {
                     await this.setFlag(flag);
                     err.tokenRequest.flag = flag;
                 }
-            } catch (err) {
+            } catch (e) {
                 // ignore
             }
 
@@ -456,7 +456,7 @@ class GmailOauth {
                 if (userFlag) {
                     err.tokenRequest.userFlag = userFlag;
                 }
-            } catch (err) {
+            } catch (e) {
                 // ignore
             }
             throw err;
@@ -538,7 +538,7 @@ class GmailOauth {
                 let flag = checkForFlags(err.oauthRequest.response);
                 if (flag) {
                     await this.setFlag(flag);
-                    err.tokenRequest.flag = flag;
+                    err.oauthRequest.flag = flag;
                     if (flag.code && !err.code) {
                         err.code = flag.code;
                     }

package/lib/oauth/mail-ru.js

@@ -161,7 +161,7 @@ class MailRuOauth {
                     await this.setFlag(flag);
                     err.tokenRequest.flag = flag;
                 }
-            } catch (err) {
+            } catch (e) {
                 // ignore
             }
             throw err;
@@ -244,7 +244,7 @@ class MailRuOauth {
                     await this.setFlag(flag);
                     err.tokenRequest.flag = flag;
                 }
-            } catch (err) {
+            } catch (e) {
                 // ignore
             }
             throw err;
@@ -291,9 +291,9 @@ class MailRuOauth {
                 let flag = checkForFlags(err.oauthRequest.response);
                 if (flag) {
                     await this.setFlag(flag);
-                    err.tokenRequest.flag = flag;
+                    err.oauthRequest.flag = flag;
                 }
-            } catch (err) {
+            } catch (e) {
                 // ignore
             }
             throw err;
@@ -302,7 +302,32 @@ class MailRuOauth {
         // clear potential auth flag
         await this.setFlag();
 
-        return await res.json();
+        // Parse JSON response with handling for empty or invalid responses
+        let responseText = await res.text();
+        if (!responseText || !responseText.trim()) {
+            let err = new Error('Empty response from API');
+            err.code = 'EmptyResponse';
+            err.oauthRequest = { url, method, provider: this.provider, status: res.status, clientId: this.clientId };
+            throw err;
+        }
+
+        try {
+            return JSON.parse(responseText);
+        } catch (parseErr) {
+            let err = new Error('Invalid JSON response from API');
+            err.code = 'InvalidJSON';
+            err.oauthRequest = {
+                url,
+                method,
+                provider: this.provider,
+                status: res.status,
+                clientId: this.clientId,
+                responseLength: responseText.length,
+                responseStart: responseText.slice(0, 200),
+                responseEnd: responseText.length > 200 ? responseText.slice(-200) : undefined
+            };
+            throw err;
+        }
     }
 }
 

package/lib/oauth/outlook.js

@@ -316,7 +316,7 @@ class OutlookOauth {
                     await this.setFlag(flag);
                     err.tokenRequest.flag = flag;
                 }
-            } catch (err) {
+            } catch (e) {
                 // ignore
             }
             throw err;
@@ -415,7 +415,7 @@ class OutlookOauth {
                 if (userFlag) {
                     err.tokenRequest.userFlag = userFlag;
                 }
-            } catch (err) {
+            } catch (e) {
                 // ignore
             }
             throw err;
@@ -484,6 +484,18 @@ class OutlookOauth {
                 retryCount,
                 reqTime
             };
+
+            // Capture Retry-After header for rate limiting (429) responses
+            if (res.status === 429) {
+                const retryAfterHeader = res.headers.get('retry-after');
+                if (retryAfterHeader) {
+                    // Retry-After can be seconds or HTTP-date; parse as seconds
+                    const retryAfterSeconds = parseInt(retryAfterHeader, 10);
+                    err.retryAfter = !isNaN(retryAfterSeconds) ? retryAfterSeconds : null;
+                    err.oauthRequest.retryAfter = err.retryAfter;
+                }
+            }
+
             try {
                 err.oauthRequest.response = await res.json();
 
@@ -532,7 +544,49 @@ class OutlookOauth {
             return await res.text();
         }
 
-        return await res.json();
+        // Parse JSON response with handling for empty or invalid responses
+        // Microsoft Graph API may occasionally return 200 OK with empty body
+        let responseText = await res.text();
+        if (!responseText || !responseText.trim()) {
+            let err = new Error('Empty response from API');
+            err.code = 'EmptyResponse';
+            err.statusCode = res.status;
+            err.oauthRequest = {
+                url,
+                method,
+                provider: this.provider,
+                status: res.status,
+                clientId: this.clientId,
+                reqTime
+            };
+            if (this.logger) {
+                this.logger.error(Object.assign({ msg: 'API returned empty response' }, err.oauthRequest));
+            }
+            throw err;
+        }
+
+        try {
+            return JSON.parse(responseText);
+        } catch (parseErr) {
+            let err = new Error('Invalid JSON response from API');
+            err.code = 'InvalidJSON';
+            err.statusCode = res.status;
+            err.oauthRequest = {
+                url,
+                method,
+                provider: this.provider,
+                status: res.status,
+                clientId: this.clientId,
+                reqTime,
+                responseLength: responseText.length,
+                responseStart: responseText.slice(0, 200),
+                responseEnd: responseText.length > 200 ? responseText.slice(-200) : undefined
+            };
+            if (this.logger) {
+                this.logger.error(Object.assign({ msg: 'API returned invalid JSON' }, err.oauthRequest, { parseError: parseErr.message }));
+            }
+            throw err;
+        }
     }
 }
 

package/lib/oauth/pubsub/google.js

@@ -147,14 +147,31 @@ class PubSubInstance {
             });
 
             for (let receivedMessage of pullRes?.receivedMessages || []) {
+                // Check stopped flag at start of each message for faster shutdown
+                if (this.stopped) {
+                    logger.info({ msg: 'Stopping message processing due to shutdown', app: this.app });
+                    return;
+                }
+
+                let processingSuccess = false;
                 try {
                     await this.processPulledMessage(
                         receivedMessage?.message?.messageId,
-                        Buffer.from(receivedMessage?.message?.data || '', 'base64url').toString()
+                        Buffer.from(receivedMessage?.message?.data || '', 'base64').toString()
                     );
-                } finally {
-                    // ack the message
-                    // might be expired
+                    processingSuccess = true;
+                } catch (err) {
+                    // Processing failed - don't ACK so message will be redelivered
+                    logger.error({
+                        msg: 'Failed to process subscription message',
+                        app: this.app,
+                        messageId: receivedMessage?.message?.messageId,
+                        err
+                    });
+                }
+
+                // Only ACK after successful processing
+                if (processingSuccess) {
                     try {
                         accessToken = await this.getAccessToken();
                         if (!accessToken) {
@@ -163,14 +180,14 @@ class PubSubInstance {
                                 app: this.app,
                                 messageId: receivedMessage?.message?.messageId
                             });
+                        } else {
+                            await this.client.request(accessToken, acknowledgeUrl, 'POST', { ackIds: [receivedMessage?.ackId] }, { returnText: true });
+                            logger.debug({
+                                msg: 'Acked subscription message',
+                                app: this.app,
+                                messageId: receivedMessage?.message?.messageId
+                            });
                         }
-
-                        await this.client.request(accessToken, acknowledgeUrl, 'POST', { ackIds: [receivedMessage?.ackId] }, { returnText: true });
-                        logger.debug({
-                            msg: 'Acked subscription message',
-                            app: this.app,
-                            messageId: receivedMessage?.message?.messageId
-                        });
                     } catch (err) {
                         // failed to ack
                         logger.error({
@@ -239,6 +256,8 @@ class GooglePubSub {
 
     async remove(app) {
         if (this.pubSubInstances.has(app)) {
+            const instance = this.pubSubInstances.get(app);
+            instance.stopped = true; // Stop the loop before removing
             this.pubSubInstances.delete(app);
         }
     }

package/lib/oauth/scope-checker.js

@@ -0,0 +1,202 @@
+'use strict';
+
+const { GMAIL_API_SCOPES } = require('./gmail');
+const { OUTLOOK_API_SCOPES } = require('./outlook');
+
+// Known Microsoft Graph API endpoints across different cloud environments
+const MS_GRAPH_DOMAINS = [
+    'graph.microsoft.com', // Global cloud
+    'graph.microsoft.us', // GCC-High cloud
+    'dod-graph.microsoft.us', // DoD cloud
+    'microsoftgraph.chinacloudapi.cn' // China cloud
+];
+
+/**
+ * Normalizes Microsoft Graph scope URLs to their scope names.
+ * Supports multiple MS Graph endpoints (global, GCC-High, DoD, China).
+ *
+ * Examples:
+ *   https://graph.microsoft.com/Mail.Send -> Mail.Send
+ *   https://graph.microsoft.us/Mail.ReadWrite -> Mail.ReadWrite
+ *   https://dod-graph.microsoft.us/Mail.Send -> Mail.Send
+ *   https://microsoftgraph.chinacloudapi.cn/Mail.Send -> Mail.Send
+ *   offline_access -> offline_access (passed through)
+ *
+ * @param {string} scope - The scope string to normalize
+ * @param {Object} [logger] - Optional logger for warnings
+ * @returns {string} Normalized scope name
+ */
+function normalizeMsGraphScope(scope, logger) {
+    // Handle plain scope names (e.g., offline_access, openid)
+    // These are not URLs and should be passed through as-is
+    if (!scope.includes('://')) {
+        return scope;
+    }
+
+    // Try to parse as URL to validate it's a Microsoft Graph endpoint
+    try {
+        const url = new URL(scope);
+
+        // Validate protocol - must be https
+        if (url.protocol !== 'https:') {
+            if (logger) {
+                logger.warn({
+                    msg: 'Invalid protocol in MS Graph scope URL, expected https',
+                    scope,
+                    protocol: url.protocol
+                });
+            }
+            return scope; // Return as-is for non-https URLs
+        }
+
+        // Check if this is a recognized MS Graph domain
+        if (MS_GRAPH_DOMAINS.includes(url.hostname)) {
+            // Extract scope name from path only (ignoring query params and fragments)
+            // Examples:
+            //   /Mail.Send -> Mail.Send
+            //   /Mail.Send?foo=bar -> Mail.Send
+            //   /Mail.Send#section -> Mail.Send
+            //   /Mail.Send/ -> Mail.Send (removes trailing slash)
+            const scopeName = url.pathname.substring(1).replace(/\/$/, '');
+            if (scopeName) {
+                return scopeName;
+            }
+            if (logger) {
+                logger.warn({
+                    msg: 'MS Graph scope URL has no scope name in path',
+                    scope
+                });
+            }
+        }
+    } catch (err) {
+        // Invalid URL format
+        if (logger) {
+            logger.warn({
+                msg: 'Failed to parse MS Graph scope URL',
+                scope,
+                err: err.message
+            });
+        }
+    }
+
+    // Return as-is if not a recognized Graph URL or parsing failed
+    return scope;
+}
+
+/**
+ * Checks OAuth2 scopes to determine account capabilities.
+ *
+ * @param {string} provider - OAuth2 provider name ('gmail' or 'outlook')
+ * @param {Array<string>} scopes - Array of OAuth2 scope strings
+ * @param {Object} [logger] - Optional logger for warnings (used for Outlook scope parsing)
+ * @returns {{hasSendScope: boolean, hasReadScope: boolean}} Object indicating send and read capabilities
+ *
+ * @example
+ * // Gmail send-only account
+ * checkAccountScopes('gmail', ['https://www.googleapis.com/auth/gmail.send'])
+ * // Returns: { hasSendScope: true, hasReadScope: false }
+ *
+ * @example
+ * // Gmail full access account
+ * checkAccountScopes('gmail', ['https://www.googleapis.com/auth/gmail.modify'])
+ * // Returns: { hasSendScope: false, hasReadScope: true }
+ *
+ * @example
+ * // Outlook send-only account (global cloud)
+ * checkAccountScopes('outlook', ['https://graph.microsoft.com/Mail.Send', 'offline_access'])
+ * // Returns: { hasSendScope: true, hasReadScope: false }
+ *
+ * @example
+ * // Outlook full access account (GCC-High cloud)
+ * checkAccountScopes('outlook', ['https://graph.microsoft.us/Mail.ReadWrite', 'https://graph.microsoft.us/Mail.Send'])
+ * // Returns: { hasSendScope: true, hasReadScope: true }
+ *
+ * @example
+ * // Outlook send-only account (DoD cloud)
+ * checkAccountScopes('outlook', ['https://dod-graph.microsoft.us/Mail.Send', 'offline_access'])
+ * // Returns: { hasSendScope: true, hasReadScope: false }
+ */
+function checkAccountScopes(provider, scopes, logger) {
+    if (!scopes || !Array.isArray(scopes)) {
+        return { hasSendScope: false, hasReadScope: false };
+    }
+
+    if (provider === 'gmail') {
+        const hasSendScope = scopes.some(s => s.includes(GMAIL_API_SCOPES.send));
+        const hasReadScope = scopes.some(
+            s =>
+                s.includes(GMAIL_API_SCOPES.modify) ||
+                s.includes(GMAIL_API_SCOPES.readonly) ||
+                s.includes(GMAIL_API_SCOPES.labels) ||
+                s.includes('mail.google.com')
+        );
+        return { hasSendScope, hasReadScope };
+    }
+
+    if (provider === 'outlook') {
+        // Normalize scopes by extracting the scope name from the full URL
+        const normalizedScopes = scopes.map(s => normalizeMsGraphScope(s, logger));
+
+        const hasSendScope = normalizedScopes.some(s => s === OUTLOOK_API_SCOPES.send);
+        const hasReadScope = normalizedScopes.some(s => s === OUTLOOK_API_SCOPES.read || s === OUTLOOK_API_SCOPES.readWrite);
+        return { hasSendScope, hasReadScope };
+    }
+
+    return { hasSendScope: false, hasReadScope: false };
+}
+
+/**
+ * Checks Gmail-specific scope requirements from account data.
+ *
+ * @param {Object} accountData - Account configuration object with oauth2 property
+ * @returns {{hasSendScope: boolean, hasReadScope: boolean}} Object indicating send and read capabilities
+ *
+ * @example
+ * checkGmailScopes({ oauth2: { scope: ['https://www.googleapis.com/auth/gmail.send'] } })
+ * // Returns: { hasSendScope: true, hasReadScope: false }
+ */
+function checkGmailScopes(accountData) {
+    const scopes = accountData?.oauth2?.accessToken?.scope || accountData?.oauth2?.scope || [];
+    return checkAccountScopes('gmail', scopes);
+}
+
+/**
+ * Checks Outlook-specific scope requirements from account data.
+ *
+ * @param {Object} accountData - Account configuration object with oauth2 property
+ * @param {Object} [logger] - Optional logger for warnings
+ * @returns {{hasSendScope: boolean, hasReadScope: boolean}} Object indicating send and read capabilities
+ *
+ * @example
+ * checkOutlookScopes({ oauth2: { scope: ['https://graph.microsoft.com/Mail.Send'] } })
+ * // Returns: { hasSendScope: true, hasReadScope: false }
+ */
+function checkOutlookScopes(accountData, logger) {
+    const scopes = accountData?.oauth2?.accessToken?.scope || accountData?.oauth2?.scope || [];
+    return checkAccountScopes('outlook', scopes, logger);
+}
+
+/**
+ * Determines if an account is in send-only mode based on its scopes.
+ *
+ * @param {string} provider - OAuth2 provider name ('gmail' or 'outlook')
+ * @param {Object} accountData - Account configuration object with oauth2 property
+ * @param {Object} [logger] - Optional logger for warnings
+ * @returns {boolean} True if account has send scope but not read scope
+ */
+function isSendOnlyByScopes(provider, accountData, logger) {
+    const scopes = accountData?.oauth2?.accessToken?.scope || accountData?.oauth2?.scope || [];
+    const { hasSendScope, hasReadScope } = checkAccountScopes(provider, scopes, logger);
+    return hasSendScope && !hasReadScope;
+}
+
+module.exports = {
+    checkAccountScopes,
+    checkGmailScopes,
+    checkOutlookScopes,
+    isSendOnlyByScopes,
+    normalizeMsGraphScope,
+    GMAIL_API_SCOPES,
+    OUTLOOK_API_SCOPES,
+    MS_GRAPH_DOMAINS
+};