emailengine-app 2.63.4 → 2.65.0

package/lib/schemas.js

@@ -4,6 +4,7 @@ const Joi = require('joi');
 const config = require('@zone-eu/wild-config');
 const { getByteSize } = require('./tools');
 const { locales } = require('./translations');
+const { LEGACY_KEYS, OAUTH_PROVIDERS } = require('./oauth2-apps');
 
 const RESYNC_DELAY = 15 * 60;
 
@@ -22,13 +23,6 @@ const ADDRESS_STRATEGIES = [
     { key: 'random', title: 'Random' }
 ];
 
-const OAUTH_PROVIDERS = {
-    gmail: 'Gmail',
-    gmailService: 'Gmail Service Accounts',
-    outlook: 'Outlook',
-    mailRu: 'Mail.ru'
-};
-
 const accountIdSchema = Joi.string().empty('').trim().max(256).example('user123').description('Unique identifier for the email account');
 
 // Allowed configuration keys
@@ -450,6 +444,14 @@ const settingsSchema = {
     queueKeep: Joi.number().integer().empty('').min(0).description('Number of completed and failed queue entries to retain for debugging'),
     deliveryAttempts: Joi.number().integer().empty('').min(0).description('Maximum number of delivery attempts before marking a message as permanently failed'),
 
+    gmailSubscriptionTtl: Joi.number()
+        .integer()
+        .empty('')
+        .min(0)
+        .max(365)
+        .description('Gmail Pub/Sub subscription inactivity expiration in days. Empty for Google default (31 days), 0 for no expiration.')
+        .label('GmailSubscriptionTTL'),
+
     /* ──────────────  Templates  ────────────── */
 
     templateHeader: Joi.string()
@@ -1159,6 +1161,13 @@ const lastErrorSchema = Joi.object({
         .label('OAuthTokenRequestError')
 }).label('AccountErrorEntry');
 
+const pubSubErrorSchema = Joi.object({
+    message: Joi.string().example('Failed to process subscription loop').description('Error message'),
+    description: Joi.string().allow(null).example('Subscription not found').description('Error details')
+})
+    .description('Pub/Sub subscription error, if any')
+    .label('PubSubError');
+
 const templateSchemas = {
     subject: Joi.string()
         .allow('')
@@ -1350,6 +1359,7 @@ const googleProjectIdSchema = Joi.string()
     .trim()
     .allow('', false, null)
     .max(256)
+    .pattern(/^[a-z][a-z0-9-]{4,28}[a-z0-9]$/)
     .example('project-name-425411')
     .description('Google Cloud Project ID')
     .label('GoogleProjectId');
@@ -1513,8 +1523,18 @@ const oauthCreateSchema = {
         .empty('')
         .max(1024)
         .when('provider', {
-            is: 'outlook',
-            then: Joi.required(),
+            switch: [
+                {
+                    is: 'outlookService',
+                    then: Joi.string().required().invalid('common', 'organizations', 'consumers').messages({
+                        'any.invalid': 'Client credentials flow requires a specific tenant ID; "{{#value}}" is not allowed'
+                    })
+                },
+                {
+                    is: 'outlook',
+                    then: Joi.required()
+                }
+            ],
             otherwise: Joi.optional().valid(false, null)
         })
         .example('common')
@@ -1525,7 +1545,7 @@ const oauthCreateSchema = {
         .trim()
         .empty('')
         .when('provider', {
-            is: 'outlook',
+            is: Joi.valid('outlook', 'outlookService'),
             then: Joi.valid('global', 'gcc-high', 'dod', 'china').default('global'),
             otherwise: Joi.optional().valid(false, null)
         })
@@ -1549,7 +1569,7 @@ const oauthCreateSchema = {
         .allow('')
         .uri({ scheme: ['http', 'https'], allowRelative: false })
         .when('provider', {
-            not: 'gmailService',
+            not: Joi.valid('gmailService', 'outlookService'),
             then: Joi.required(),
             otherwise: Joi.optional().valid(false, null)
         })
@@ -1558,6 +1578,160 @@ const oauthCreateSchema = {
         .label('OAuth2AppRedirectUrl')
 };
 
+const oauthUpdateSchema = {
+    app: Joi.string().empty('').max(255).example('gmail').label('Provider').required(),
+
+    provider: Joi.string()
+        .trim()
+        .empty('')
+        .max(256)
+        .valid(...Object.keys(OAUTH_PROVIDERS))
+        .example('gmail')
+        .required()
+        .description('OAuth2 provider'),
+
+    name: Joi.string()
+        .trim()
+        .empty('')
+        .max(256)
+        .example('My Gmail App')
+        .description('Application name')
+        .when('app', {
+            not: Joi.string().valid(...LEGACY_KEYS),
+            then: Joi.required(),
+            otherwise: Joi.optional().valid(false, null)
+        }),
+    description: Joi.string().trim().allow('').max(1024).example('My cool app').description('Application description'),
+
+    title: Joi.string().allow('').trim().max(256).example('App title').description('Title for the application button'),
+
+    enabled: Joi.boolean().truthy('Y', 'true', '1', 'on').falsy('N', 'false', 0, '').default(false).description('Enable this app'),
+
+    clientId: Joi.string()
+        .trim()
+        .allow('')
+        .max(256)
+        .when('provider', {
+            not: 'gmailService',
+            then: Joi.required(),
+            otherwise: Joi.optional().valid(false, null)
+        })
+        .description('OAuth2 Client ID'),
+
+    clientSecret: Joi.string()
+        .trim()
+        .empty('', false, null)
+        .max(256)
+        .when('provider', {
+            not: 'gmailService',
+            then: Joi.optional(),
+            otherwise: Joi.forbidden()
+        })
+        .description('OAuth2 Client Secret'),
+
+    pubSubApp: Joi.string()
+        .empty('')
+        .base64({ paddingRequired: false, urlSafe: true })
+        .max(512)
+        .example('AAAAAQAACnA')
+        .description('Cloud Pub/Sub app for Gmail API webhooks'),
+
+    extraScopes: Joi.string()
+        .allow('')
+        .trim()
+        .max(10 * 1024)
+        .description('OAuth2 Extra Scopes'),
+
+    skipScopes: Joi.string()
+        .allow('')
+        .trim()
+        .max(10 * 1024)
+        .description('OAuth2 scopes to skip from the base set'),
+
+    serviceClient: Joi.string()
+        .trim()
+        .allow('')
+        .max(256)
+        .when('provider', {
+            is: 'gmailService',
+            then: Joi.required(),
+            otherwise: Joi.optional().valid(false, null)
+        })
+        .description('OAuth2 Service Client ID'),
+
+    googleProjectId: googleProjectIdSchema,
+
+    googleWorkspaceAccounts: googleWorkspaceAccountsSchema.when('provider', {
+        is: 'gmail',
+        then: Joi.optional().default(false)
+    }),
+
+    serviceClientEmail: Joi.string()
+        .trim()
+        .allow('')
+        .email()
+        .when('provider', {
+            is: 'gmailService',
+            then: Joi.required(),
+            otherwise: Joi.optional().valid(false, null)
+        })
+        .example('name@project-123.iam.gserviceaccount.com')
+        .description('Service Client Email for 2-legged OAuth2 applications'),
+
+    serviceKey: Joi.string()
+        .trim()
+        .empty('', false, null)
+        .max(100 * 1024)
+        .when('provider', {
+            is: 'gmailService',
+            then: Joi.optional(),
+            otherwise: Joi.forbidden()
+        })
+        .description('OAuth2 Secret Service Key'),
+
+    authority: Joi.string()
+        .trim()
+        .empty('')
+        .max(1024)
+        .when('provider', {
+            switch: [
+                {
+                    is: 'outlookService',
+                    then: Joi.string().required().invalid('common', 'organizations', 'consumers').messages({
+                        'any.invalid': 'Client credentials flow requires a specific tenant ID; "{{#value}}" is not allowed'
+                    })
+                },
+                {
+                    is: 'outlook',
+                    then: Joi.required()
+                }
+            ],
+            otherwise: Joi.optional().valid(false, null)
+        })
+        .example(false)
+        .label('SupportedAccountTypes'),
+
+    cloud: Joi.string()
+        .trim()
+        .empty('')
+        .valid('global', 'gcc-high', 'dod', 'china')
+        .example('global')
+        .description('Azure cloud type for Outlook OAuth2 applications')
+        .label('AzureCloud'),
+
+    tenant: Joi.string().trim().empty('').max(1024).example('f8cdef31-a31e-4b4a-93e4-5f571e91255a').label('Directorytenant'),
+
+    redirectUrl: Joi.string()
+        .allow('')
+        .uri({ scheme: ['http', 'https'], allowRelative: false })
+        .when('provider', {
+            not: Joi.valid('gmailService', 'outlookService'),
+            then: Joi.required(),
+            otherwise: Joi.optional().valid(false, null)
+        })
+        .description('OAuth2 Callback URL')
+};
+
 const tokenRestrictionsSchema = Joi.object({
     referrers: Joi.array()
         .items(Joi.string())
@@ -1806,6 +1980,7 @@ const exportStatusSchema = Joi.object({
     progress: exportProgressSchema,
     created: Joi.date().iso().example('2024-01-15T10:30:00Z').description('When export was created'),
     expiresAt: Joi.date().iso().example('2024-01-16T10:30:00Z').description('When export file expires'),
+    truncated: Joi.boolean().example(true).description('Whether the export was truncated due to message count or size limits'),
     error: Joi.string().allow(null).description('Error message if export failed')
 }).label('ExportStatus');
 
@@ -1860,6 +2035,7 @@ module.exports = {
     searchSchema,
     messageUpdateSchema,
     oauthCreateSchema,
+    oauthUpdateSchema,
     tokenRestrictionsSchema,
     accountIdSchema,
     ipSchema,
@@ -1880,7 +2056,8 @@ module.exports = {
     exportStatusSchema,
     exportListSchema,
     exportProgressSchema,
-    exportIdSchema
+    exportIdSchema,
+    pubSubErrorSchema
 };
 
 /*

package/lib/ui-routes/account-routes.js

@@ -22,7 +22,7 @@ const {
 } = require('../tools');
 const { Account } = require('../account');
 const { Gateway } = require('../gateway');
-const { oauth2Apps, oauth2ProviderData } = require('../oauth2-apps');
+const { oauth2Apps, oauth2ProviderData, SERVICE_ACCOUNT_PROVIDERS } = require('../oauth2-apps');
 const { autodetectImapSettings } = require('../autodetect-imap-settings');
 const getSecret = require('../get-secret');
 const capa = require('../capa');
@@ -538,6 +538,11 @@ function init(args) {
                 requestPayload.email = accountData.email;
             }
 
+            // Service providers use client_credentials - no interactive authorization
+            if (SERVICE_ACCOUNT_PROVIDERS.has(oAuth2Client.provider)) {
+                throw Boom.badRequest('Application-only OAuth providers do not support interactive authorization');
+            }
+
             let authorizeUrl = oAuth2Client.generateAuthUrl(requestPayload);
 
             return h.redirect(authorizeUrl);
@@ -1352,7 +1357,7 @@ function init(args) {
 
                 async failAction(request, h, err) {
                     await request.flash({ type: 'danger', message: `Couldn't delete account. Try again.` });
-                    request.logger.error({ msg: 'Failed to delete delete the account', err });
+                    request.logger.error({ msg: 'Failed to delete the account', err });
 
                     return h.redirect('/admin/accounts').takeover();
                 },

package/lib/ui-routes/admin-entities-routes.js

@@ -766,7 +766,7 @@ return payload;`)
 
                 async failAction(request, h, err) {
                     await request.flash({ type: 'danger', message: `Couldn't delete webhook. Try again.` });
-                    request.logger.error({ msg: 'Failed to delete delete Webhook Route', err });
+                    request.logger.error({ msg: 'Failed to delete Webhook Route', err });
 
                     return h.redirect('/admin/webhooks').takeover();
                 },
@@ -1415,7 +1415,7 @@ return payload;`)
 
                 async failAction(request, h, err) {
                     await request.flash({ type: 'danger', message: `Couldn't delete account. Try again.` });
-                    request.logger.error({ msg: 'Failed to delete delete the account', err });
+                    request.logger.error({ msg: 'Failed to delete the account', err });
 
                     return h.redirect('/admin/templates').takeover();
                 },
@@ -2122,7 +2122,7 @@ return payload;`)
 
                 async failAction(request, h, err) {
                     await request.flash({ type: 'danger', message: `Couldn't delete gateway. Try again.` });
-                    request.logger.error({ msg: 'Failed to delete delete the gateway', err });
+                    request.logger.error({ msg: 'Failed to delete the gateway', err });
 
                     return h.redirect('/admin/gateways').takeover();
                 },

package/lib/ui-routes/oauth-routes.js

@@ -5,14 +5,22 @@ const Joi = require('joi');
 
 const settings = require('../settings');
 const { redis } = require('../db');
-const { oauth2Apps, LEGACY_KEYS, OAUTH_PROVIDERS, oauth2ProviderData } = require('../oauth2-apps');
+const { oauth2Apps, OAUTH_PROVIDERS, oauth2ProviderData } = require('../oauth2-apps');
 const getSecret = require('../get-secret');
 const { Account } = require('../account');
-const { oauthCreateSchema, googleProjectIdSchema, googleWorkspaceAccountsSchema } = require('../schemas');
+const { oauthCreateSchema, oauthUpdateSchema } = require('../schemas');
 const consts = require('../consts');
 
 const { DEFAULT_PAGE_SIZE } = consts;
 
+// Microsoft Entra requires 'localhost' rather than '127.0.0.1' in redirect URIs
+function normalizeOutlookRedirectUrl(redirectUrl, provider) {
+    if (provider === 'outlook') {
+        return redirectUrl.replace(/^http:\/\/127\.0\.0\.1\b/i, 'http://localhost');
+    }
+    return redirectUrl;
+}
+
 const AZURE_CLOUDS = [
     {
         id: 'global',
@@ -39,150 +47,6 @@ const AZURE_CLOUDS = [
     }
 ];
 
-const oauthUpdateSchema = {
-    app: Joi.string().empty('').max(255).example('gmail').label('Provider').required(),
-
-    provider: Joi.string()
-        .trim()
-        .empty('')
-        .max(256)
-        .valid(...Object.keys(OAUTH_PROVIDERS))
-        .example('gmail')
-        .required()
-        .description('OAuth2 provider'),
-
-    name: Joi.string()
-        .trim()
-        .empty('')
-        .max(256)
-        .example('My Gmail App')
-        .description('Application name')
-        .when('app', {
-            not: Joi.string().valid(...LEGACY_KEYS),
-            then: Joi.required(),
-            otherwise: Joi.optional().valid(false, null)
-        }),
-    description: Joi.string().trim().allow('').max(1024).example('My cool app').description('Application description'),
-
-    title: Joi.string().allow('').trim().max(256).example('App title').description('Title for the application button'),
-
-    enabled: Joi.boolean().truthy('Y', 'true', '1', 'on').falsy('N', 'false', 0, '').default(false).description('Enable this app'),
-
-    clientId: Joi.string()
-        .trim()
-        .allow('')
-        .max(256)
-        .when('provider', {
-            not: 'gmailService',
-            then: Joi.required(),
-            otherwise: Joi.optional().valid(false, null)
-        })
-        .description('OAuth2 Client ID'),
-
-    clientSecret: Joi.string()
-        .trim()
-        .empty('', false, null)
-        .max(256)
-        .when('provider', {
-            not: 'gmailService',
-            then: Joi.optional(),
-            otherwise: Joi.forbidden()
-        })
-        .description('OAuth2 Client Secret'),
-
-    pubSubApp: Joi.string()
-        .empty('')
-        .base64({ paddingRequired: false, urlSafe: true })
-        .max(512)
-        .example('AAAAAQAACnA')
-        .description('Cloud Pub/Sub app for Gmail API webhooks'),
-
-    extraScopes: Joi.string()
-        .allow('')
-        .trim()
-        .max(10 * 1024)
-        .description('OAuth2 Extra Scopes'),
-
-    skipScopes: Joi.string()
-        .allow('')
-        .trim()
-        .max(10 * 1024)
-        .description('OAuth2 scopes to skip from the base set'),
-
-    serviceClient: Joi.string()
-        .trim()
-        .allow('')
-        .max(256)
-        .when('provider', {
-            is: 'gmailService',
-            then: Joi.required(),
-            otherwise: Joi.optional().valid(false, null)
-        })
-        .description('OAuth2 Service Client ID'),
-
-    googleProjectId: googleProjectIdSchema,
-
-    googleWorkspaceAccounts: googleWorkspaceAccountsSchema.when('provider', {
-        is: 'gmail',
-        then: Joi.optional().default(false)
-    }),
-
-    serviceClientEmail: Joi.string()
-        .trim()
-        .allow('')
-        .email()
-        .when('provider', {
-            is: 'gmailService',
-            then: Joi.required(),
-            otherwise: Joi.optional().valid(false, null)
-        })
-        .example('name@project-123.iam.gserviceaccount.com')
-        .description('Service Client Email for 2-legged OAuth2 applications'),
-
-    serviceKey: Joi.string()
-        .trim()
-        .empty('', false, null)
-        .max(100 * 1024)
-        .when('provider', {
-            is: 'gmailService',
-            then: Joi.optional(),
-            otherwise: Joi.forbidden()
-        })
-        .description('OAuth2 Secret Service Key'),
-
-    authority: Joi.string()
-        .trim()
-        .empty('')
-        .max(1024)
-        .when('provider', {
-            is: 'outlook',
-            then: Joi.required(),
-            otherwise: Joi.optional().valid(false, null)
-        })
-        .example(false)
-        .label('SupportedAccountTypes'),
-
-    cloud: Joi.string()
-        .trim()
-        .empty('')
-        .valid('global', 'gcc-high', 'dod', 'china')
-        .example('global')
-        .description('Azure cloud type for Outlook OAuth2 applications')
-        .label('AzureCloud'),
-
-    tenant: Joi.string().trim().empty('').max(1024).example('f8cdef31-a31e-4b4a-93e4-5f571e91255a').label('Directorytenant'),
-
-    redirectUrl: Joi.string()
-        .allow('')
-        .uri({ scheme: ['http', 'https'], allowRelative: false })
-        .when('provider', {
-            not: 'gmailService',
-            then: Joi.required(),
-            otherwise: Joi.optional().valid(false, null)
-        })
-        .description('OAuth2 Callback URL')
-};
-
 function init({ server, call }) {
     // GET /admin/config/oauth - OAuth applications list
     server.route({
@@ -402,6 +266,12 @@ function init({ server, call }) {
             try {
                 await oauth2Apps.del(request.payload.app);
 
+                try {
+                    await call({ cmd: 'googlePubSubRemove', app: request.payload.app });
+                } catch (err) {
+                    request.logger.error({ msg: 'Failed to notify workers about OAuth2 app deletion', err, app: request.payload.app });
+                }
+
                 await request.flash({ type: 'info', message: `OAuth2 app deleted` });
 
                 return h.redirect('/admin/config/oauth');
@@ -421,7 +291,7 @@ function init({ server, call }) {
 
                 async failAction(request, h, err) {
                     await request.flash({ type: 'danger', message: `Couldn't delete OAuth2 app. Try again.` });
-                    request.logger.error({ msg: 'Failed to delete delete the OAuth2 application', err });
+                    request.logger.error({ msg: 'Failed to delete the OAuth2 application', err });
 
                     return h.redirect('/admin/config/oauth').takeover();
                 },
@@ -442,10 +312,7 @@ function init({ server, call }) {
             let providerData = oauth2ProviderData(provider);
 
             let serviceUrl = await settings.get('serviceUrl');
-            let defaultRedirectUrl = `${serviceUrl}/oauth`;
-            if (provider === 'outlook') {
-                defaultRedirectUrl = defaultRedirectUrl.replace(/^http:\/\/127\.0\.0\.1\b/i, 'http://localhost');
-            }
+            let defaultRedirectUrl = normalizeOutlookRedirectUrl(`${serviceUrl}/oauth`, provider);
 
             let pubSubApps = await oauth2Apps.list(0, 1000, { pubsub: true });
 
@@ -477,10 +344,10 @@ function init({ server, call }) {
 
                     values: {
                         provider,
-                        redirectUrl: defaultRedirectUrl
+                        ...(provider !== 'outlookService' ? { redirectUrl: defaultRedirectUrl } : {})
                     },
 
-                    authorityCommon: true
+                    authorityCommon: provider !== 'outlookService'
                 },
                 {
                     layout: 'app'
@@ -538,7 +405,7 @@ function init({ server, call }) {
                     throw new Error('Unexpected result');
                 }
 
-                if (oauth2App && oauth2App.pubsubUpdates && oauth2App.pubsubUpdates.pubSubSubscription) {
+                if (oauth2App && oauth2App.pubsubUpdates && Object.keys(oauth2App.pubsubUpdates).length > 0) {
                     await call({ cmd: 'googlePubSub', app: oauth2App.id });
                 }
 
@@ -556,10 +423,7 @@ function init({ server, call }) {
                 let providerData = oauth2ProviderData(provider);
 
                 let serviceUrl = await settings.get('serviceUrl');
-                let defaultRedirectUrl = `${serviceUrl}/oauth`;
-                if (provider === 'outlook') {
-                    defaultRedirectUrl = defaultRedirectUrl.replace(/^http:\/\/127\.0\.0\.1\b/i, 'http://localhost');
-                }
+                let defaultRedirectUrl = normalizeOutlookRedirectUrl(`${serviceUrl}/oauth`, provider);
 
                 let pubSubApps = await oauth2Apps.list(0, 1000, { pubsub: true });
 
@@ -636,10 +500,7 @@ function init({ server, call }) {
                     let providerData = oauth2ProviderData(provider);
 
                     let serviceUrl = await settings.get('serviceUrl');
-                    let defaultRedirectUrl = `${serviceUrl}/oauth`;
-                    if (provider === 'outlook') {
-                        defaultRedirectUrl = defaultRedirectUrl.replace(/^http:\/\/127\.0\.0\.1\b/i, 'http://localhost');
-                    }
+                    let defaultRedirectUrl = normalizeOutlookRedirectUrl(`${serviceUrl}/oauth`, provider);
 
                     let pubSubApps = await oauth2Apps.list(0, 1000, { pubsub: true });
 
@@ -708,10 +569,7 @@ function init({ server, call }) {
 
             let providerData = oauth2ProviderData(appData.provider, appData.cloud);
             let serviceUrl = await settings.get('serviceUrl');
-            let defaultRedirectUrl = `${serviceUrl}/oauth`;
-            if (providerData.provider === 'outlook') {
-                defaultRedirectUrl = defaultRedirectUrl.replace(/^http:\/\/127\.0\.0\.1\b/i, 'http://localhost');
-            }
+            let defaultRedirectUrl = normalizeOutlookRedirectUrl(`${serviceUrl}/oauth`, providerData.provider);
 
             let values = Object.assign({}, appData, {
                 clientSecret: '',
@@ -824,7 +682,7 @@ function init({ server, call }) {
                     throw new Error('Unexpected result');
                 }
 
-                if (oauth2App && oauth2App.pubsubUpdates && oauth2App.pubsubUpdates.pubSubSubscription) {
+                if (oauth2App && oauth2App.pubsubUpdates && Object.keys(oauth2App.pubsubUpdates).length > 0) {
                     await call({ cmd: 'googlePubSub', app: oauth2App.id });
                 }
 
@@ -837,10 +695,7 @@ function init({ server, call }) {
                 let providerData = oauth2ProviderData(appData.provider, appData.cloud);
 
                 let serviceUrl = await settings.get('serviceUrl');
-                let defaultRedirectUrl = `${serviceUrl}/oauth`;
-                if (appData.provider === 'outlook') {
-                    defaultRedirectUrl = defaultRedirectUrl.replace(/^http:\/\/127\.0\.0\.1\b/i, 'http://localhost');
-                }
+                let defaultRedirectUrl = normalizeOutlookRedirectUrl(`${serviceUrl}/oauth`, appData.provider);
 
                 let pubSubApps = await oauth2Apps.list(0, 1000, { pubsub: true });
 
@@ -926,10 +781,7 @@ function init({ server, call }) {
                     let providerData = oauth2ProviderData(provider);
 
                     let serviceUrl = await settings.get('serviceUrl');
-                    let defaultRedirectUrl = `${serviceUrl}/oauth`;
-                    if (provider === 'outlook') {
-                        defaultRedirectUrl = defaultRedirectUrl.replace(/^http:\/\/127\.0\.0\.1\b/i, 'http://localhost');
-                    }
+                    let defaultRedirectUrl = normalizeOutlookRedirectUrl(`${serviceUrl}/oauth`, provider);
 
                     let pubSubApps = await oauth2Apps.list(0, 1000, { pubsub: true });