npm - emailengine-app - Versions diffs - 2.64.0 → 2.65.0 - Mend

emailengine-app 2.64.0 → 2.65.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (28) hide show

package/.github/workflows/test.yml +4 -0
package/CHANGELOG.md +14 -0
package/copy-static-files.sh +1 -1
package/data/google-crawlers.json +1 -1
package/lib/account.js +7 -7
package/lib/api-routes/account-routes.js +7 -1
package/lib/email-client/outlook/graph-api.js +2 -2
package/lib/email-client/outlook-client.js +43 -10
package/lib/export.js +17 -0
package/lib/imapproxy/imap-server.js +2 -2
package/lib/oauth/outlook.js +99 -1
package/lib/oauth2-apps.js +66 -12
package/lib/outbox.js +1 -1
package/lib/routes-ui.js +7 -147
package/lib/schemas.js +171 -11
package/lib/ui-routes/account-routes.js +6 -1
package/lib/ui-routes/oauth-routes.js +18 -172
package/package.json +19 -19
package/sbom.json +1 -1
package/static/licenses.html +23 -83
package/translations/messages.pot +71 -71
package/views/config/oauth/edit.hbs +2 -0
package/views/config/oauth/index.hbs +2 -1
package/views/config/oauth/new.hbs +2 -0
package/views/partials/oauth_form.hbs +179 -4
package/views/partials/scope_info.hbs +10 -0
package/workers/export.js +6 -2
package/workers/imap.js +3 -2

package/views/partials/oauth_form.hbs CHANGED Viewed

@@ -1,3 +1,77 @@
+{{#if activeOutlook}}
+<div class="card border-left-info shadow mb-4">
+    <div class="card-body">
+        <div class="row no-gutters align-items-center">
+            <div class="col mr-2">
+                <strong>Delegated</strong> access means EmailEngine acts on behalf of a signed-in user. Each
+                mailbox owner must complete an interactive OAuth2 login. Use this when users manage their own
+                accounts or when you have access to the mailbox credentials.
+                {{#if providerData.tutorialUrl}}
+                Read about setting up {{providerData.comment}} OAuth2 project from <a
+                    href="{{providerData.tutorialUrl}}" target="_blank" rel="noopener noreferrer"
+                    referrerpolicy="no-referrer">here</a>.
+                {{/if}}
+            </div>
+            <div class="col-auto">
+                <i class="fas fa-info-circle fa-2x text-gray-300"></i>
+            </div>
+        </div>
+    </div>
+</div>
+{{/if}}
+{{#if activeGmailService}}
+<div class="card border-left-info shadow mb-4">
+    <div class="card-body">
+        <div class="row no-gutters align-items-center">
+            <div class="col mr-2">
+                <strong>Service accounts</strong> allow EmailEngine to access Gmail mailboxes using a Google Cloud
+                service key, with no interactive user login required. The service account must have domain-wide
+                delegation enabled in Google Workspace. Use this for automated integrations where you cannot
+                perform interactive logins.
+                Accounts using service access can only be added via the
+                <a href="/admin/swagger#/Account/postV1Account">REST API</a>,
+                not through the hosted authentication form.
+                {{#if providerData.tutorialUrl}}
+                Read about setting up {{providerData.comment}} from <a
+                    href="{{providerData.tutorialUrl}}" target="_blank" rel="noopener noreferrer"
+                    referrerpolicy="no-referrer">here</a>.
+                {{/if}}
+            </div>
+            <div class="col-auto">
+                <i class="fas fa-info-circle fa-2x text-gray-300"></i>
+            </div>
+        </div>
+    </div>
+</div>
+{{/if}}
+{{#if activeOutlookService}}
+<div class="card border-left-info shadow mb-4">
+    <div class="card-body">
+        <div class="row no-gutters align-items-center">
+            <div class="col mr-2">
+                <strong>Application</strong> access means EmailEngine authenticates as the app itself using
+                client credentials, with no interactive user login required. The Entra app registration must have
+                <strong>application permissions</strong> (not delegated) with admin consent. Use this for
+                service integrations, shared mailboxes, or when you cannot perform interactive logins.
+                Accounts using application access can only be added via the
+                <a href="/admin/swagger#/Account/postV1Account">REST API</a>,
+                not through the hosted authentication form.
+                {{#if providerData.tutorialUrl}}
+                Read about setting up {{providerData.comment}} from <a
+                    href="{{providerData.tutorialUrl}}" target="_blank" rel="noopener noreferrer"
+                    referrerpolicy="no-referrer">here</a>.
+                {{/if}}
+            </div>
+            <div class="col-auto">
+                <i class="fas fa-info-circle fa-2x text-gray-300"></i>
+            </div>
+        </div>
+    </div>
+</div>
+{{/if}}
 <div class="card mb-4">
     <div class="card-body">
@@ -42,7 +116,7 @@
             <small class="form-text text-muted">Optional application description or a comment.</small>
         </div>
-        {{#unless activeGmailService}}
+        {{#unless activeGmailService}}{{#unless activeOutlookService}}
         <div class="form-group">
             <label for="title">
@@ -63,7 +137,7 @@
             <small class="form-text text-muted">Optional display title next to the application button on the account
                 type selection page.</small>
         </div>
-        {{/unless}}
+        {{/unless}}{{/unless}}
         {{#if activeGmail}}
@@ -82,7 +156,7 @@
         </div>
         {{/if}}
-        {{#unless activeGmailService}}
+        {{#unless activeGmailService}}{{#unless activeOutlookService}}
         <div class="form-group form-check">
             <input type="checkbox" class="form-check-input {{#if errors.enabled}}is-invalid{{/if}}" id="enabled"
@@ -94,7 +168,7 @@
             <small class="form-text text-muted">If enabled, then this OAuth2 app is shown as an
                 account type option in the hosted authentication form.</small>
         </div>
-        {{/unless}}
+        {{/unless}}{{/unless}}
     </div>
 </div>
@@ -175,6 +249,66 @@
             {{/if}}
         </div>
+        {{else if activeOutlookService}}
+        <div class="form-group">
+            <label for="clientId">
+                Azure Application Id
+            </label>
+            <input type="text" class="form-control {{#if errors.clientId}}is-invalid{{/if}}" id="clientId"
+                name="clientId" value="{{values.clientId}}" placeholder="Enter application (client) ID&mldr;" required />
+            {{#if errors.clientId}}
+            <span class="invalid-feedback">{{errors.clientId}}</span>
+            {{/if}}
+            <small class="form-text text-muted">The Application (client) ID from your Entra app registration.</small>
+        </div>
+        <div class="form-group">
+            <label for="clientSecret">Client Secret</label>
+            <input type="text" class="form-control {{#if errors.clientSecret}}is-invalid{{/if}}" id="clientSecret"
+                name="clientSecret" value="{{values.clientSecret}}" {{#if hasClientSecret}}
+                placeholder="Client secret is set but not shown&mldr;" {{else}} placeholder="Enter client secret&mldr;"
+                {{/if}} {{#unless hasClientSecret}}required{{/unless}} />
+            {{#if errors.clientSecret}}
+            <span class="invalid-feedback">{{errors.clientSecret}}</span>
+            {{/if}}
+            <small class="form-text text-muted">Client secret value from Certificates &amp; secrets.</small>
+        </div>
+        <div class="form-group">
+            <label for="cloud">Azure cloud environment</label>
+            <select class="custom-select custom-select-sm {{#if errors.cloud}}is-invalid{{/if}}" id="cloud" name="cloud"
+                required>
+                {{#each azureClouds}}
+                <option value="{{id}}" {{#if selected}}selected{{/if}}>{{name}}{{#if
+                    description}} &mdash;
+                    {{description}}{{/if}}</option>
+                {{/each}}
+            </select>
+            {{#if errors.cloud}}
+            <span class="invalid-feedback">{{errors.cloud}}</span>
+            {{/if}}
+            <small class="form-text text-muted">Accounts hosted in different cloud environments use different OAuth2
+                endpoints.</small>
+        </div>
+        <div class="form-group">
+            <label for="authority">Directory (tenant) ID</label>
+            <input type="text" class="form-control {{#if errors.authority}}is-invalid{{/if}}" id="authority"
+                name="authority" value="{{values.authority}}"
+                placeholder="Enter tenant ID, eg. &quot;f8cdef31-a31e-4b4a-93e4-5f571e91255a&quot;" required />
+            {{#if errors.authority}}
+            <span class="invalid-feedback">{{errors.authority}}</span>
+            {{/if}}
+            <small class="form-text text-muted">The Directory (tenant) ID from your Entra app registration. Client
+                credentials flow requires a specific tenant ID.</small>
+        </div>
         {{else}}
         {{#if activeGmail}}
@@ -702,6 +836,47 @@
 {{/if}}
+{{#if activeOutlookService}}
+<div class="card mb-4">
+    <div class="card-header py-3">
+        <h6 class="m-0 font-weight-bold text-primary">Connection type</h6>
+    </div>
+    <div class="card-body">
+        <input type="hidden" name="baseScopes" value="api" />
+        <p><strong>MS Graph API</strong> &mdash; This app uses Microsoft Graph API with application permissions
+            (client credentials). Requires <code>Mail.ReadWrite</code>, <code>Mail.Send</code>, and
+            <code>User.Read.All</code> application permissions with admin consent in Entra.</p>
+    </div>
+    <div class="card-footer">
+        <p>Microsoft Graph delivers change notifications to EmailEngine at these two endpoints:</p>
+        <pre><code>{{mainServiceUrl}}/oauth/msg/lifecycle
+{{mainServiceUrl}}/oauth/msg/notification</code></pre>
+        <p>
+            Both endpoints must be publicly reachable for anonymous HTTPS
+            <strong>POST</strong> requests. When a notification arrives, EmailEngine
+            immediately forwards the event to your application through its own webhooks.
+        </p>
+        <p>
+            If your EmailEngine instance cannot be exposed directly, configure a public
+            proxy domain in <span class="text-muted code-link"><a href="/admin/swagger#/Settings/postV1Settings"
+                    target="_blank" rel="noopener noreferrer">notificationBaseUrl</a></span>. Microsoft Graph will then
+            post to <code>https://&lt;proxy-domain&gt;/oauth/msg/...</code> instead of
+            <code>{{mainServiceUrl}}</code>.
+        </p>
+    </div>
+</div>
+{{/if}}
 {{#if activeGmail}}
 <div class="card mb-4 {{#unless baseScopesApi}}d-none{{/unless}}" id="account-type-card-gmail">
     <div class="card-header py-3">

package/views/partials/scope_info.hbs CHANGED Viewed

@@ -119,6 +119,16 @@
 </div>
 {{/if}}
+{{#if activeOutlookService}}
+<div>Your Entra app registration <strong>must</strong> have the following <strong>application permissions</strong> (not
+    delegated) with admin consent:</div>
+<ul>
+    <li><code>"Mail.ReadWrite"</code></li>
+    <li><code>"Mail.Send"</code></li>
+    <li><code>"User.Read.All"</code></li>
+</ul>
+{{/if}}
 {{#if activeMailRu}}
 <div>Your OAuth2 project <strong>must</strong> have the following scopes enabled:</div>
 <ul>

package/workers/export.js CHANGED Viewed

@@ -755,7 +755,7 @@ const exportWorker = new Worker(
                 throw new Error('Export not found');
             }
-            await Export.update(account, exportId, { status: 'processing', phase: 'indexing' });
+            await Export.startProcessing(account, exportId);
             await indexMessages(job, exportData);
             await Export.update(account, exportId, { phase: 'exporting' });
@@ -788,7 +788,11 @@ const exportWorker = new Worker(
                 await fs.promises.unlink(exportData.filePath).catch(() => {});
             }
-            await Export.fail(account, exportId, err.message);
+            if (err.code === 'ExportCancelled') {
+                await Export.deleteFully(account, exportId);
+            } else {
+                await Export.fail(account, exportId, err.message);
+            }
             if (err.code !== 'AccountDeleted' && err.code !== 'AccountNotFound' && err.code !== 'ExportCancelled') {
                 await notify(account, EXPORT_FAILED_NOTIFY, {

package/workers/imap.js CHANGED Viewed

@@ -37,7 +37,7 @@ const { GmailClient } = require('../lib/email-client/gmail-client');
 const { OutlookClient } = require('../lib/email-client/outlook-client');
 const { BaseClient } = require('../lib/email-client/base-client');
 const { Account } = require('../lib/account');
-const { oauth2Apps } = require('../lib/oauth2-apps');
+const { oauth2Apps, isApiBasedApp } = require('../lib/oauth2-apps');
 const { redis, notifyQueue, submitQueue, documentsQueue, getFlowProducer } = require('../lib/db');
 const { MessagePortWritable } = require('../lib/message-port-stream');
 const { getESClient } = require('../lib/document-store');
@@ -209,7 +209,7 @@ class ConnectionHandler {
                 oauth2App = await oauth2Apps.get(accountData.oauth2.provider);
             }
-            if (oauth2App && oauth2App.baseScopes === 'api') {
+            if (isApiBasedApp(oauth2App)) {
                 // Use API instead of IMAP
                 switch (oauth2App.provider) {
@@ -232,6 +232,7 @@ class ConnectionHandler {
                         accountObject.logger = accountObject.connection.logger;
                         break;
+                    case 'outlookService':
                     case 'outlook':
                         accountObject.connection = new OutlookClient(account, {
                             runIndex,