emailengine-app 2.67.3 → 2.68.1

package/translations/messages.pot

@@ -1,10 +1,10 @@
 msgid ""
 msgstr ""
 "Content-Type: text/plain; charset=ascii\n"
-"POT-Creation-Date: 2026-04-17 08:51+0000\n"
+"POT-Creation-Date: 2026-06-01 09:16+0000\n"
 
 #: views/error.hbs:4
-#: workers/api.js:7103
+#: workers/api.js:7192
 msgid "Something went wrong"
 msgstr ""
 
@@ -21,7 +21,7 @@ msgid "Dashboard"
 msgstr ""
 
 #: views/config/license.hbs:45
-#: lib/routes-ui.js:2497
+#: lib/routes-ui.js:2509
 msgid "%d day"
 msgid_plural "%d days"
 msgstr[0] ""
@@ -104,14 +104,6 @@ msgstr ""
 msgid "Enter your email address"
 msgstr ""
 
-#: views/accounts/register/index.hbs:2
-msgid "Choose your email account provider"
-msgstr ""
-
-#: views/accounts/register/index.hbs:15
-msgid "Standard IMAP"
-msgstr ""
-
 #: views/accounts/register/imap.hbs:11
 msgid "Your name"
 msgstr ""
@@ -134,6 +126,14 @@ msgstr ""
 msgid "Continue"
 msgstr ""
 
+#: views/accounts/register/index.hbs:2
+msgid "Choose your email account provider"
+msgstr ""
+
+#: views/accounts/register/index.hbs:15
+msgid "Standard IMAP"
+msgstr ""
+
 #: views/accounts/register/imap-server.hbs:19
 msgid "IMAP"
 msgstr ""
@@ -249,62 +249,62 @@ msgstr ""
 msgid "Request failed."
 msgstr ""
 
-#: lib/routes-ui.js:384
+#: lib/routes-ui.js:385
 #: lib/ui-routes/account-routes.js:60
 msgid "Delegated"
 msgstr ""
 
-#: lib/routes-ui.js:385
+#: lib/routes-ui.js:386
 #: lib/ui-routes/account-routes.js:61
 msgid "Using credentials from \"%s\""
 msgstr ""
 
-#: lib/routes-ui.js:435
+#: lib/routes-ui.js:436
 #: lib/ui-routes/account-routes.js:111
 msgid ""
 "Connection timed out. This usually occurs if you are behind a firewall or "
 "connecting to the wrong port."
 msgstr ""
 
-#: lib/routes-ui.js:438
+#: lib/routes-ui.js:439
 #: lib/ui-routes/account-routes.js:114
 msgid "The server unexpectedly closed the connection."
 msgstr ""
 
-#: lib/routes-ui.js:441
+#: lib/routes-ui.js:442
 #: lib/ui-routes/account-routes.js:117
 msgid ""
 "The server unexpectedly closed the connection. This usually happens when "
 "attempting to connect to a TLS port without TLS enabled."
 msgstr ""
 
-#: lib/routes-ui.js:446
+#: lib/routes-ui.js:447
 #: lib/ui-routes/account-routes.js:122
 msgid ""
 "The server refused the connection. This typically occurs if the server is "
 "not running, is overloaded, or you are connecting to the wrong host or port."
 msgstr ""
 
-#: lib/routes-ui.js:573
+#: lib/routes-ui.js:574
 msgid "Invalid API key for OpenAI"
 msgstr ""
 
-#: lib/routes-ui.js:2490
+#: lib/routes-ui.js:2502
 msgid "Unknown"
 msgstr ""
 
-#: lib/routes-ui.js:2499
+#: lib/routes-ui.js:2511
 msgid "Indefinite"
 msgstr ""
 
-#: lib/routes-ui.js:5133
-#: lib/routes-ui.js:5168
-#: lib/routes-ui.js:5283
-#: lib/routes-ui.js:5330
-#: lib/routes-ui.js:5577
-#: lib/routes-ui.js:5613
-#: workers/api.js:2279
-#: workers/api.js:2607
+#: lib/routes-ui.js:5285
+#: lib/routes-ui.js:5320
+#: lib/routes-ui.js:5435
+#: lib/routes-ui.js:5482
+#: lib/routes-ui.js:5729
+#: lib/routes-ui.js:5765
+#: workers/api.js:2280
+#: workers/api.js:2608
 #: lib/ui-routes/account-routes.js:554
 #: lib/ui-routes/account-routes.js:590
 #: lib/ui-routes/account-routes.js:707
@@ -314,44 +314,44 @@ msgstr ""
 msgid "Email Account Setup"
 msgstr ""
 
-#: lib/routes-ui.js:5193
-#: lib/routes-ui.js:5226
-#: lib/routes-ui.js:8186
+#: lib/routes-ui.js:5345
+#: lib/routes-ui.js:5378
+#: lib/routes-ui.js:8338
 #: lib/ui-routes/account-routes.js:615
 #: lib/ui-routes/account-routes.js:649
 msgid "Invalid request. Check your input and try again."
 msgstr ""
 
-#: lib/routes-ui.js:5386
-#: lib/routes-ui.js:5397
+#: lib/routes-ui.js:5538
+#: lib/routes-ui.js:5549
 #: lib/ui-routes/account-routes.js:811
 #: lib/ui-routes/account-routes.js:822
 #: lib/ui-routes/admin-entities-routes.js:2020
 msgid "Server hostname was not found"
 msgstr ""
 
-#: lib/routes-ui.js:5389
-#: lib/routes-ui.js:5400
+#: lib/routes-ui.js:5541
+#: lib/routes-ui.js:5552
 #: lib/ui-routes/account-routes.js:814
 #: lib/ui-routes/account-routes.js:825
 #: lib/ui-routes/admin-entities-routes.js:2023
 msgid "Invalid username or password"
 msgstr ""
 
-#: lib/routes-ui.js:5403
+#: lib/routes-ui.js:5555
 #: lib/ui-routes/account-routes.js:828
 #: lib/ui-routes/admin-entities-routes.js:2026
 msgid "Authentication credentials were not provided"
 msgstr ""
 
-#: lib/routes-ui.js:5406
+#: lib/routes-ui.js:5558
 #: lib/ui-routes/account-routes.js:831
 #: lib/ui-routes/admin-entities-routes.js:2029
 msgid "OAuth2 authentication failed"
 msgstr ""
 
-#: lib/routes-ui.js:5409
-#: lib/routes-ui.js:5413
+#: lib/routes-ui.js:5561
+#: lib/routes-ui.js:5565
 #: lib/ui-routes/account-routes.js:834
 #: lib/ui-routes/account-routes.js:838
 #: lib/ui-routes/admin-entities-routes.js:2032
@@ -359,38 +359,38 @@ msgstr ""
 msgid "TLS protocol error"
 msgstr ""
 
-#: lib/routes-ui.js:5417
+#: lib/routes-ui.js:5569
 #: lib/ui-routes/account-routes.js:842
 #: lib/ui-routes/admin-entities-routes.js:2040
 msgid "Connection timed out"
 msgstr ""
 
-#: lib/routes-ui.js:5420
+#: lib/routes-ui.js:5572
 #: lib/ui-routes/account-routes.js:845
 #: lib/ui-routes/admin-entities-routes.js:2043
 msgid "Could not connect to server"
 msgstr ""
 
-#: lib/routes-ui.js:5423
+#: lib/routes-ui.js:5575
 #: lib/ui-routes/account-routes.js:848
 #: lib/ui-routes/admin-entities-routes.js:2046
 msgid "Unexpected server response"
 msgstr ""
 
-#: lib/routes-ui.js:8149
+#: lib/routes-ui.js:8301
 #: lib/tools.js:950
 msgid "Invalid input"
 msgstr ""
 
-#: lib/routes-ui.js:8159
-#: lib/routes-ui.js:8277
-#: lib/routes-ui.js:8294
-#: lib/routes-ui.js:8330
+#: lib/routes-ui.js:8311
+#: lib/routes-ui.js:8429
+#: lib/routes-ui.js:8446
+#: lib/routes-ui.js:8482
 msgid "Subscription Management"
 msgstr ""
 
-#: workers/api.js:7102
-#: workers/api.js:7219
+#: workers/api.js:7191
+#: workers/api.js:7308
 msgid "Requested page not found"
 msgstr ""
 

package/views/config/oauth/app.hbs

@@ -33,6 +33,11 @@
                     <i class="fas fa-user-edit fa-fw"></i> Edit app
                 </a>
 
+                <button type="button" class="btn btn-light" data-toggle="modal" data-target="#verifySetupModal"
+                    title="Run live checks against the provider" id="verify-btn" data-placement="top">
+                    <i class="fas fa-clipboard-check fa-fw"></i> Verify setup
+                </button>
+
                 <button type="button" class="btn btn-light" data-toggle="modal" data-target="#deleteModal"
                     title="Delete this application" id="delete-btn" data-placement="top">
                     <i class="fas fa-trash-alt fa-fw"></i> Delete app
@@ -40,6 +45,16 @@
 
             </div>
 
+            {{#if canAddServiceAccount}}
+            <div class="btn-group ml-auto mb-1" role="group" aria-label="Account actions">
+                <button type="button" class="btn btn-primary" data-toggle="modal" data-target="#addServiceAccountModal"
+                    title="Register an email account that authenticates through this service application"
+                    id="add-service-account-btn" data-placement="top">
+                    <i class="fas fa-user-plus fa-fw"></i> Add account
+                </button>
+            </div>
+            {{/if}}
+
         </div>
 
         {{#if app.description}}
@@ -164,6 +179,22 @@
             <dd class="col-sm-9 text-monospace"><small>*****</small></dd>
             {{/if}}
 
+            {{#if appShowAuthMethod}}
+            <dt class="col-sm-3">Authentication method</dt>
+            <dd class="col-sm-9">
+                {{#if authMethodIsExternalAccount}}
+                Workload Identity Federation
+                {{else}}
+                Service account key
+                {{/if}}
+            </dd>
+            {{/if}}
+
+            {{#if app.externalAccount}}
+            <dt class="col-sm-3">External account config</dt>
+            <dd class="col-sm-9 text-monospace"><small>***** (set)</small></dd>
+            {{/if}}
+
             {{#if app.redirectUrl}}
             <dt class="col-sm-3">Redirect URL</dt>
             <dd class="col-sm-9 text-monospace"><small>{{app.redirectUrl}}</small></dd>
@@ -337,6 +368,199 @@
     </div>
 </div>
 
+<div class="modal fade" id="verifySetupModal" tabindex="-1" aria-labelledby="verifySetupModalLabel" aria-hidden="true">
+    <div class="modal-dialog modal-lg">
+        <div class="modal-content">
+            <div class="modal-header">
+                <h5 class="modal-title" id="verifySetupModalLabel">Verify OAuth2 setup</h5>
+                <button type="button" class="close" data-dismiss="modal" aria-label="Close">
+                    <span aria-hidden="true">&times;</span>
+                </button>
+            </div>
+            <div class="modal-body">
+                <input type="hidden" id="verify-crumb" value="{{crumb}}" />
+                <p><small class="text-muted">Runs the provider authentication chain step by step and reports what passes
+                    or fails.{{#if appShowAuthMethod}} Enter a mailbox address in your Workspace domain to also verify
+                    domain-wide delegation and live mailbox access.{{/if}}</small></p>
+
+                <div class="form-group">
+                    <div class="input-group">
+                        <input type="email" class="form-control" id="verify-account"
+                            placeholder="mailbox@example.com (optional)" autocomplete="off" />
+                        <div class="input-group-append">
+                            <button type="button" class="btn btn-primary" id="verify-run-btn">
+                                <i class="fas fa-play fa-fw"></i> Run test
+                            </button>
+                        </div>
+                    </div>
+                    <small class="form-text text-muted">Leave empty to check configuration and signing only.</small>
+                </div>
+
+                <div id="verify-pending" class="d-none">
+                    <p><i class="fas fa-spinner fa-spin fa-sm"></i> Running checks, please wait&mldr;</p>
+                </div>
+                <div id="verify-error" class="d-none">
+                    <small class="alert alert-danger text-monospace error-message" style="display: block;"></small>
+                </div>
+                <div id="verify-verdict" class="d-none mb-3"></div>
+                <ul id="verify-steps" class="list-group"></ul>
+            </div>
+            <div class="modal-footer">
+                <button type="button" class="btn btn-secondary" data-dismiss="modal">Close</button>
+            </div>
+        </div>
+    </div>
+</div>
+
+{{#if canAddServiceAccount}}
+<div class="modal fade" id="addServiceAccountModal" tabindex="-1" aria-labelledby="addServiceAccountLabel"
+    aria-hidden="true">
+    <div class="modal-dialog">
+        <div class="modal-content">
+            <div class="modal-header">
+                <h5 class="modal-title" id="addServiceAccountLabel">Add an account</h5>
+                <button type="button" class="close" data-dismiss="modal" aria-label="Close">
+                    <span aria-hidden="true">&times;</span>
+                </button>
+            </div>
+            <form method="post" action="/admin/config/oauth/app/{{app.id}}/add-account">
+                <input type="hidden" name="crumb" value="{{crumb}}">
+                <div class="modal-body">
+                    <p><small class="text-muted">This service application authenticates without an interactive consent
+                        screen, so the account is registered directly. The mailbox must be reachable with the
+                        application's service credentials.</small></p>
+                    <div class="form-group">
+                        <label for="service-account-name" class="col-form-label">Full name:</label>
+                        <input type="text" class="form-control" id="service-account-name" name="name"
+                            placeholder="e.g., John Smith">
+                    </div>
+                    <div class="form-group">
+                        <label for="service-account-email" class="col-form-label">Email address:</label>
+                        <input type="email" class="form-control" id="service-account-email" name="email"
+                            placeholder="e.g., user@example.com" required>
+                    </div>
+                    <div class="form-group">
+                        <label for="service-account-id" class="col-form-label">Account identifier (optional):</label>
+                        <input type="text" class="form-control" id="service-account-id" name="account"
+                            placeholder="e.g., account_123">
+                        <small class="form-text text-muted">Leave blank to auto-generate. Existing accounts with this ID
+                            will be updated.</small>
+                    </div>
+                </div>
+                <div class="modal-footer">
+                    <button type="button" class="btn btn-secondary" data-dismiss="modal">Cancel</button>
+                    <button type="submit" class="btn btn-primary btn-icon-split">
+                        <span class="icon text-white-50">
+                            <i class="fas fa-user-plus"></i>
+                        </span>
+                        <span class="text">Add account</span>
+                    </button>
+                </div>
+            </form>
+        </div>
+    </div>
+</div>
+
+<script>
+    document.addEventListener('DOMContentLoaded', () => {
+        $('#addServiceAccountModal').on('shown.bs.modal', () => {
+            document.getElementById('service-account-name').focus();
+        });
+    });
+</script>
+{{/if}}
+
+<script>
+    document.addEventListener('DOMContentLoaded', () => {
+        const appId = "{{app.id}}";
+        const stepsElm = document.getElementById('verify-steps');
+        const pendingElm = document.getElementById('verify-pending');
+        const errorElm = document.getElementById('verify-error');
+        const verdictElm = document.getElementById('verify-verdict');
+        const runBtn = document.getElementById('verify-run-btn');
+        const accountInput = document.getElementById('verify-account');
+
+        const ICONS = {
+            ok: '<i class="fas fa-check-circle text-success fa-fw"></i>',
+            fail: '<i class="fas fa-times-circle text-danger fa-fw"></i>',
+            skip: '<i class="fas fa-minus-circle text-muted fa-fw"></i>'
+        };
+
+        const esc = str => {
+            let div = document.createElement('div');
+            div.textContent = str == null ? '' : String(str);
+            return div.innerHTML;
+        };
+
+        const renderResult = data => {
+            stepsElm.innerHTML = '';
+            (data.steps || []).forEach(step => {
+                let li = document.createElement('li');
+                li.className = 'list-group-item';
+                let html = `${ICONS[step.status] || ''} <strong>${esc(step.label)}</strong>`;
+                if (step.message) {
+                    html += `<div class="small text-muted ml-4">${esc(step.message)}</div>`;
+                }
+                if (step.hint) {
+                    html += `<div class="small text-info ml-4"><i class="fas fa-lightbulb fa-fw"></i> ${esc(step.hint)}</div>`;
+                }
+                li.innerHTML = html;
+                stepsElm.appendChild(li);
+            });
+
+            let failed = (data.steps || []).some(s => s.status === 'fail');
+            verdictElm.className = 'mb-3 alert ' + (failed ? 'alert-danger' : 'alert-success');
+            verdictElm.textContent = failed
+                ? 'Setup has problems - review the failing step(s) below.'
+                : 'Setup verified - all checks passed.';
+            verdictElm.classList.remove('d-none');
+        };
+
+        const runVerify = async account => {
+            errorElm.classList.add('d-none');
+            verdictElm.classList.add('d-none');
+            stepsElm.innerHTML = '';
+            pendingElm.classList.remove('d-none');
+            runBtn.disabled = true;
+            try {
+                let res = await fetch(`/admin/config/oauth/verify/${encodeURIComponent(appId)}`, {
+                    method: 'post',
+                    headers: { 'content-type': 'application/json' },
+                    body: JSON.stringify({
+                        crumb: document.getElementById('verify-crumb').value,
+                        account: account || '',
+                        testConnection: true
+                    })
+                });
+                let data = await res.json();
+                if (!res.ok) {
+                    throw new Error(data.error || `HTTP ${res.status}`);
+                }
+                renderResult(data);
+            } catch (err) {
+                errorElm.querySelector('.error-message').textContent = err.message;
+                errorElm.classList.remove('d-none');
+            } finally {
+                pendingElm.classList.add('d-none');
+                runBtn.disabled = false;
+            }
+        };
+
+        $('#verifySetupModal').on('shown.bs.modal', () => {
+            // Auto-run the no-mailbox checks (config + signing chain) on open.
+            runVerify(accountInput.value.trim());
+        });
+
+        runBtn.addEventListener('click', () => runVerify(accountInput.value.trim()));
+        accountInput.addEventListener('keydown', e => {
+            if (e.key === 'Enter') {
+                e.preventDefault();
+                runVerify(accountInput.value.trim());
+            }
+        });
+    });
+</script>
+
 <script>
     document.addEventListener('DOMContentLoaded', () => {
         // not set up by default as this element has a different data-toggle

package/views/config/oauth/edit.hbs

@@ -89,6 +89,75 @@
             });
         }
 
+        let externalAccountFileElm = document.getElementById('externalAccountFile');
+        if (externalAccountFileElm) {
+            externalAccountFileElm.addEventListener('click', e => {
+                e.preventDefault();
+                browseFileContents('text').then(jsonStr => {
+                    if (!jsonStr) {
+                        return;
+                    }
+
+                    let data;
+                    try {
+                        data = JSON.parse(jsonStr);
+                    } catch (err) {
+                        return showToast('Selected file is not JSON formatted', 'alert-triangle');
+                    }
+
+                    if (data.type !== 'external_account') {
+                        if (data.type === 'service_account') {
+                            return showToast('This is a service account key file, not a Workload Identity Federation config. Switch to the "Service account key" tab to load it.', 'alert-triangle');
+                        }
+                        return showToast(`Selected file is not an external_account credential config (type: ${data.type || 'missing'})`, 'alert-triangle');
+                    }
+
+                    let impersonationUrl = data.service_account_impersonation_url || '';
+                    let emailMatch = impersonationUrl.match(/\/serviceAccounts\/([^/]+):generateAccessToken$/);
+                    if (emailMatch) {
+                        let derivedEmail = decodeURIComponent(emailMatch[1]);
+                        let emailField = document.getElementById('serviceClientEmail');
+                        if (emailField && !emailField.value) {
+                            emailField.value = derivedEmail;
+                        }
+                    }
+
+                    document.getElementById('externalAccount').value = JSON.stringify(data, null, 2);
+                    return showToast('Loaded external account configuration from file', 'check-circle');
+                }).catch(err => {
+                    console.error(err);
+                    return showToast('Failed to load external account file', 'alert-triangle');
+                });
+            });
+        }
+
+        let authMethodTabs = document.querySelectorAll('.auth-method-tab');
+        let authMethodInput = document.getElementById('authMethod');
+        if (authMethodTabs.length && authMethodInput) {
+            let updateSections = selected => {
+                document.querySelectorAll('.auth-method-section').forEach(section => {
+                    let active = section.classList.contains('auth-method-section-' + selected);
+                    section.classList.toggle('d-none', !active);
+                });
+            };
+            authMethodTabs.forEach(tab => {
+                tab.addEventListener('click', e => {
+                    e.preventDefault();
+                    if (tab.classList.contains('disabled') || tab.classList.contains('active')) {
+                        return;
+                    }
+                    let selected = tab.getAttribute('data-auth-method');
+                    authMethodTabs.forEach(other => {
+                        let isActive = other === tab;
+                        other.classList.toggle('active', isActive);
+                        other.setAttribute('aria-selected', isActive ? 'true' : 'false');
+                    });
+                    authMethodInput.value = selected;
+                    updateSections(selected);
+                });
+            });
+        }
+
     });
 
 </script>

package/views/config/oauth/new.hbs

@@ -87,6 +87,75 @@
             });
         }
 
+        let externalAccountFileElm = document.getElementById('externalAccountFile');
+        if (externalAccountFileElm) {
+            externalAccountFileElm.addEventListener('click', e => {
+                e.preventDefault();
+                browseFileContents('text').then(jsonStr => {
+                    if (!jsonStr) {
+                        return;
+                    }
+
+                    let data;
+                    try {
+                        data = JSON.parse(jsonStr);
+                    } catch (err) {
+                        return showToast('Selected file is not JSON formatted', 'alert-triangle');
+                    }
+
+                    if (data.type !== 'external_account') {
+                        if (data.type === 'service_account') {
+                            return showToast('This is a service account key file, not a Workload Identity Federation config. Switch to the "Service account key" tab to load it.', 'alert-triangle');
+                        }
+                        return showToast(`Selected file is not an external_account credential config (type: ${data.type || 'missing'})`, 'alert-triangle');
+                    }
+
+                    let impersonationUrl = data.service_account_impersonation_url || '';
+                    let emailMatch = impersonationUrl.match(/\/serviceAccounts\/([^/]+):generateAccessToken$/);
+                    if (emailMatch) {
+                        let derivedEmail = decodeURIComponent(emailMatch[1]);
+                        let emailField = document.getElementById('serviceClientEmail');
+                        if (emailField && !emailField.value) {
+                            emailField.value = derivedEmail;
+                        }
+                    }
+
+                    document.getElementById('externalAccount').value = JSON.stringify(data, null, 2);
+                    return showToast('Loaded external account configuration from file', 'check-circle');
+                }).catch(err => {
+                    console.error(err);
+                    return showToast('Failed to load external account file', 'alert-triangle');
+                });
+            });
+        }
+
+        let authMethodTabs = document.querySelectorAll('.auth-method-tab');
+        let authMethodInput = document.getElementById('authMethod');
+        if (authMethodTabs.length && authMethodInput) {
+            let updateSections = selected => {
+                document.querySelectorAll('.auth-method-section').forEach(section => {
+                    let active = section.classList.contains('auth-method-section-' + selected);
+                    section.classList.toggle('d-none', !active);
+                });
+            };
+            authMethodTabs.forEach(tab => {
+                tab.addEventListener('click', e => {
+                    e.preventDefault();
+                    if (tab.classList.contains('disabled') || tab.classList.contains('active')) {
+                        return;
+                    }
+                    let selected = tab.getAttribute('data-auth-method');
+                    authMethodTabs.forEach(other => {
+                        let isActive = other === tab;
+                        other.classList.toggle('active', isActive);
+                        other.setAttribute('aria-selected', isActive ? 'true' : 'false');
+                    });
+                    authMethodInput.value = selected;
+                    updateSections(selected);
+                });
+            });
+        }
+
     });
 
 </script>