npm - emailengine-app - Versions diffs - 2.67.3 → 2.68.0 - Mend

emailengine-app 2.67.3 → 2.68.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (34) hide show

package/.github/workflows/test.yml +3 -0
package/CHANGELOG.md +27 -0
package/data/google-crawlers.json +1 -1
package/lib/account.js +24 -1
package/lib/api-routes/account-routes.js +12 -2
package/lib/email-client/base-client.js +26 -20
package/lib/email-client/gmail-client.js +14 -12
package/lib/oauth/external-account-config.js +132 -0
package/lib/oauth/external-account-signer.js +256 -0
package/lib/oauth/gmail.js +113 -14
package/lib/oauth/verify-app.js +397 -0
package/lib/oauth2-apps.js +51 -6
package/lib/routes-ui.js +153 -1
package/lib/schemas.js +80 -2
package/lib/settings.js +1 -0
package/lib/tools.js +10 -10
package/package.json +22 -22
package/sbom.json +1 -1
package/static/js/ace/ace.js +1 -1
package/static/js/ace/ext-searchbox.js +1 -1
package/static/js/ace/mode-handlebars.js +1 -1
package/static/js/ace/mode-html.js +1 -1
package/static/js/ace/mode-javascript.js +1 -1
package/static/js/ace/mode-markdown.js +1 -1
package/static/js/ace/worker-html.js +1 -1
package/static/js/ace/worker-javascript.js +1 -1
package/static/js/ace/worker-json.js +1 -1
package/static/licenses.html +226 -66
package/translations/messages.pot +13 -13
package/views/config/oauth/app.hbs +224 -0
package/views/config/oauth/edit.hbs +69 -0
package/views/config/oauth/new.hbs +69 -0
package/views/partials/oauth_form.hbs +99 -32
package/workers/api.js +91 -2

package/workers/api.js CHANGED Viewed

@@ -84,6 +84,7 @@ const pathlib = require('path');
 const crypto = require('crypto');
 const { Transform, finished } = require('stream');
 const { oauth2Apps, OAUTH_PROVIDERS } = require('../lib/oauth2-apps');
+const { verifyOAuth2App } = require('../lib/oauth/verify-app');
 const handlebars = require('handlebars');
 const AuthBearer = require('hapi-auth-bearer-token');
@@ -5016,7 +5017,7 @@ Include your token in requests using one of these methods:
                 let response = await oauth2Apps.list(request.query.page, request.query.pageSize);
                 for (let app of response.apps) {
-                    for (let secretKey of ['clientSecret', 'serviceKey', 'accessToken']) {
+                    for (let secretKey of ['clientSecret', 'serviceKey', 'accessToken', 'externalAccount']) {
                         if (app[secretKey]) {
                             app[secretKey] = '******';
                         }
@@ -5170,7 +5171,7 @@ Include your token in requests using one of these methods:
                 let app = await oauth2Apps.get(request.params.app);
                 // remove secrets
-                for (let secretKey of ['clientSecret', 'serviceKey', 'accessToken']) {
+                for (let secretKey of ['clientSecret', 'serviceKey', 'accessToken', 'externalAccount']) {
                     if (app[secretKey]) {
                         app[secretKey] = '******';
                     }
@@ -5576,6 +5577,94 @@ Include your token in requests using one of these methods:
         }
     });
+    server.route({
+        method: 'POST',
+        path: '/v1/oauth2/{app}/verify',
+        async handler(request) {
+            try {
+                return await verifyOAuth2App(request.params.app, {
+                    account: request.payload.account,
+                    testConnection: request.payload.testConnection
+                });
+            } catch (err) {
+                request.logger.error({ msg: 'API request failed', err });
+                if (Boom.isBoom(err)) {
+                    throw err;
+                }
+                let error = Boom.boomify(err, { statusCode: err.statusCode || 500 });
+                if (err.code) {
+                    error.output.payload.code = err.code;
+                }
+                throw error;
+            }
+        },
+        options: {
+            description: 'Verify OAuth2 application setup',
+            notes: 'Runs the provider authentication chain step by step and reports which steps pass or fail, with hints for fixing failures. For service-account apps an optional mailbox address enables the delegation and live mailbox checks.',
+            tags: ['api', 'OAuth2 Applications'],
+            plugins: {},
+            auth: {
+                strategy: 'api-token',
+                mode: 'required'
+            },
+            cors: CORS_CONFIG,
+            validate: {
+                options: {
+                    stripUnknown: false,
+                    abortEarly: false,
+                    convert: true
+                },
+                failAction,
+                params: Joi.object({
+                    app: Joi.string().max(256).required().example('AAABhaBPHscAAAAH').description('OAuth2 application ID')
+                }),
+                payload: Joi.object({
+                    account: Joi.string()
+                        .trim()
+                        .empty('')
+                        .max(256)
+                        .example('user@example.com')
+                        .description('Mailbox address used to verify domain-wide delegation and live mailbox access'),
+                    testConnection: Joi.boolean()
+                        .truthy('Y', 'true', '1', 'on')
+                        .falsy('N', 'false', 0, '')
+                        .default(true)
+                        .description('Perform the live IMAP/API connection step when an access token is obtained')
+                }).label('VerifyOAuth2AppRequest')
+            },
+            response: {
+                schema: Joi.object({
+                    app: Joi.string().max(256).required().example('AAABhaBPHscAAAAH').description('OAuth2 application ID'),
+                    provider: Joi.string().example('gmailService').description('Provider type'),
+                    authMethod: Joi.string().allow(null).example('externalAccount').description('Authentication method for service-account apps'),
+                    account: Joi.string().allow(null).example('user@example.com').description('Mailbox used for the delegation/mailbox checks'),
+                    ok: Joi.boolean().example(true).description('True when no verification step failed'),
+                    steps: Joi.array()
+                        .items(
+                            Joi.object({
+                                id: Joi.string().example('signJwt').description('Step identifier'),
+                                label: Joi.string().example('Sign assertion (signJwt)').description('Human readable step name'),
+                                status: Joi.string().valid('ok', 'fail', 'skip').example('ok').description('Step outcome'),
+                                message: Joi.string().allow(null).example('Assertion signed via IAM signJwt').description('Outcome detail'),
+                                hint: Joi.string()
+                                    .example('Grant roles/iam.serviceAccountTokenCreator to the workload principal')
+                                    .description('How to fix a failed step')
+                            }).label('OAuth2VerifyStep')
+                        )
+                        .label('OAuth2VerifySteps')
+                }).label('VerifyOAuth2AppResponse'),
+                failAction: 'log'
+            }
+        }
+    });
     server.route({
         method: 'GET',
         path: '/v1/gateways',