emailengine-app 2.71.0 → 2.72.1

package/.github/workflows/codeql.yml

@@ -22,6 +22,9 @@ on:
 jobs:
   analyze:
     name: Analyze (${{ matrix.language }})
+    # Skip release-please's auto-generated release PR: it only changes CHANGELOG/version,
+    # so there is no new code to scan. (Matches the guard in test.yml.)
+    if: ${{ !startsWith(github.ref_name, 'release-please--') && !startsWith(github.head_ref, 'release-please--') }}
     # Runner size impacts CodeQL analysis time. To learn more, please see:
     #   - https://gh.io/recommended-hardware-resources-for-running-codeql
     #   - https://gh.io/supported-runners-and-hardware-resources

package/.github/workflows/e2e.yml

@@ -0,0 +1,56 @@
+name: E2E Tests
+
+# Browser-driven happy-path end-to-end suite (test/e2e), kept separate from the unit and
+# integration tiers so it is easy to re-run on its own and has its own requirements: it drives a
+# real browser (Playwright/Chromium) and reaches external services (Ethereal for the test mailbox,
+# postalsys.com for the 14-day trial). The trial rate limit is bypassed for the e2e serviceUrl
+# (https://e2e.emailengine.app/) - see the postalsys-web trial allowlist.
+
+on:
+    workflow_dispatch:
+    push:
+        branches: [master]
+
+permissions:
+    contents: read
+
+concurrency:
+    group: e2e-${{ github.ref }}
+    cancel-in-progress: true
+
+jobs:
+    e2e:
+        name: E2E (Playwright)
+        timeout-minutes: 20
+        runs-on: ubuntu-24.04
+        services:
+            redis:
+                image: redis
+                options: >-
+                    --health-cmd "redis-cli ping"
+                    --health-interval 10s
+                    --health-timeout 5s
+                    --health-retries 5
+                ports:
+                    - 6379:6379
+        steps:
+            - uses: actions/checkout@v6
+            - name: Use Node.js 24
+              uses: actions/setup-node@v6
+              with:
+                  node-version: 24
+                  cache: npm
+            - run: npm install
+            - name: Install Playwright browser
+              run: npx playwright install --with-deps chromium
+            - name: Run e2e tests
+              run: npm run test:e2e
+              env:
+                  NODE_ENV: e2e
+            - name: Upload Playwright report
+              uses: actions/upload-artifact@v4
+              if: ${{ !cancelled() }}
+              with:
+                  name: playwright-report
+                  path: playwright-report/
+                  retention-days: 7

package/.github/workflows/test.yml

@@ -12,8 +12,13 @@ concurrency:
     cancel-in-progress: true
 
 jobs:
+    # Skip CI for release-please's auto-generated release PR / branch: it only bumps the
+    # version + CHANGELOG (no code change), so re-running the suite is wasted work. This is
+    # gated per job rather than with [skip ci] in the release commit, because that text would
+    # ride the squash-merge into master and skip the Manage Release run, breaking releases.
     license_check:
         name: License Compliance Check
+        if: ${{ !startsWith(github.ref_name, 'release-please--') && !startsWith(github.head_ref, 'release-please--') }}
         runs-on: ubuntu-24.04
         # Service containers to run with `container-job`
         steps:
@@ -32,6 +37,7 @@ jobs:
 
     lint:
         name: Lint
+        if: ${{ !startsWith(github.ref_name, 'release-please--') && !startsWith(github.head_ref, 'release-please--') }}
         runs-on: ubuntu-24.04
         timeout-minutes: 10
         steps:
@@ -48,6 +54,7 @@ jobs:
 
     unit:
         name: Unit Tests
+        if: ${{ !startsWith(github.ref_name, 'release-please--') && !startsWith(github.head_ref, 'release-please--') }}
         timeout-minutes: 10
         runs-on: ubuntu-24.04
         # Service containers to run with `container-job`
@@ -95,6 +102,7 @@ jobs:
 
     integration:
         name: Integration Tests
+        if: ${{ !startsWith(github.ref_name, 'release-please--') && !startsWith(github.head_ref, 'release-please--') }}
         timeout-minutes: 15 # Increased timeout for Gmail API tests
         runs-on: ubuntu-24.04
         # Service containers to run with `container-job`

package/.ncurc.js

@@ -1,30 +1,30 @@
 module.exports = {
     upgrade: true,
-    // Keep joi within the 17.x major (hapi-swagger's peer dependency requires joi 17.x).
-    // Using a target function instead of a blanket reject so joi still receives 17.x security patches.
-    target: name => (name === 'joi' ? 'minor' : 'latest'),
+    // Packages capped inside their current major: the next major is ESM-only (this codebase is
+    // CommonJS and is bundled into a binary with pkg) or it breaks a peer dependency. Using 'minor'
+    // instead of a blanket reject so these still receive security/patch updates within the safe
+    // major instead of being frozen at one exact version. Verified against Node 20 (Docker) 2026-06-17.
+    target: name => (['joi', 'nanoid', 'ical.js', 'gettext-parser', 'xgettext-template', 'chai', 'undici', 'marked'].includes(name) ? 'minor' : 'latest'),
+    //   joi               - hapi-swagger (repo archived 2026-02-04) peer-requires joi 17.x; permanent ceiling
+    //   nanoid            - 4.x dropped the CommonJS require export (ESM-only)
+    //   ical.js           - 2.x is ESM-only
+    //   gettext-parser    - 8.x is ESM-only
+    //   xgettext-template - 6.x is ESM-only (translation build tool)
+    //   chai              - 5.x is ESM-only (only used by the vendored imap-core tests)
+    //   undici            - 8.x requires Node >=22.19 and crashes at require() on Node 20; EmailEngine supports Node 20+
+    //   marked            - 16.x dropped the CommonJS build (ESM-only, needs require(esm)/Node >=20.19); 15.x is the
+    //                       last require()-compatible line. 15.0.12 verified on Node 20-24 and in a yao/pkg node24 build.
     reject: [
-        // Block package upgrades that moved to ESM
-        'nanoid',
-        'gettext-parser',
-        'xgettext-template',
-        'chai',
-        'js-beautify',
-        'ical.js',
+        // 8.16+ pulls apache-arrow (ESM) into the pkg bundle; 9.x drops it but is a major bump for
+        // the deprecated, default-off Document Store. Even the 8.19 minor is unsafe to bundle.
         '@elastic/elasticsearch',
 
-        'pino-pretty',
-
-        // no support for Node 16
-        'marked',
-
-        // some kind of CVE in later versions. Only needed for license reference, so the actual version does not matter anyway
+        // v4.x adds vulnerable jquery + bootstrap runtime dependencies; v3.3.7 has none. Used only
+        // for the generated software-license listing, never executed at runtime.
         'startbootstrap-sb-admin-2',
 
         // @asamuzakjp/css-color >=4.1.2 pulls in @csstools/* v4 which are pure ESM and break pkg bundling
-        '@asamuzakjp/css-color',
-
-        // undici >=8.0.0 requires Node >=22.19.0; pin to last Node 20-compatible release
-        'undici'
+        // (transitive via @postalsys/email-text-tools -> jsdom -> cssstyle; also pinned in package.json "overrides").
+        '@asamuzakjp/css-color'
     ]
 };

package/CHANGELOG.md

@@ -1,5 +1,19 @@
 # Changelog
 
+## [2.72.1](https://github.com/postalsys/emailengine/compare/v2.72.0...v2.72.1) (2026-06-19)
+
+
+### Bug Fixes
+
+* log expected API client errors (4xx) at warn instead of error ([c51e347](https://github.com/postalsys/emailengine/commit/c51e3476e346f321af845905a89141bf07a83421))
+
+## [2.72.0](https://github.com/postalsys/emailengine/compare/v2.71.0...v2.72.0) (2026-06-18)
+
+
+### Features
+
+* adopt pre-existing Gmail Pub/Sub resources with ownership tracking ([fe43fad](https://github.com/postalsys/emailengine/commit/fe43fadad624025a56139382428256eb810f9e08))
+
 ## [2.71.0](https://github.com/postalsys/emailengine/compare/v2.70.0...v2.71.0) (2026-06-15)
 
 

package/config/e2e.toml

@@ -0,0 +1,35 @@
+# End-to-end overrides, merged over default.toml by @zone-eu/wild-config when NODE_ENV=e2e.
+# Boots a fresh EmailEngine for the Playwright happy-path suite (test/e2e): enable auth,
+# activate a 14-day trial (hits postalsys.com), register an Ethereal account, send + read back.
+#
+# Uses an isolated Redis DB so the suite can flush it for a clean fresh-instance run without
+# touching dev (db 9), test (db 13), or default (db 8) data. No preparedToken / preparedPassword /
+# preparedLicense here on purpose - the suite enables auth and activates the trial through the UI.
+
+# JSON formatted settings, seeded on startup.
+# serviceUrl is the recognizable e2e URL that postalsys-web allowlists to skip the trial rate
+# limit. It is only used as the trial request's `url`; the browser and API talk to 127.0.0.1:7099.
+settings = '''
+{
+  "serviceUrl": "https://e2e.emailengine.app/",
+  "ignoreMailCertErrors": true
+}
+'''
+
+[service]
+# Fixed encryption secret for the throwaway e2e instance (Redis is flushed on every run).
+secret = "e2e encryption secret"
+
+[workers]
+imap = 1
+
+[log]
+level = "warn"
+
+[dbs]
+# Isolated Redis DB for e2e; flushed before each run by test/e2e/flush-redis.js
+redis = "redis://127.0.0.1:6379/14"
+
+[api]
+host = "127.0.0.1"
+port = 7099

package/data/google-crawlers.json

@@ -1,5 +1,5 @@
 {
-    "creationTime": "2026-06-15T14:45:58.000000",
+    "creationTime": "2026-06-19T14:46:02.000000",
     "prefixes": [
         {
             "ipv6Prefix": "2001:4860:4801:2008::/64"

package/lib/api-routes/route-helpers.js

@@ -9,14 +9,20 @@ const Boom = require('@hapi/boom');
 // machine-readable err.code. This function ALWAYS throws and never returns a value, so callers use it
 // as the final statement inside a catch block: `catch (err) { handleError(request, err); }`.
 function handleError(request, err) {
-    request.logger.error({ msg: 'API request failed', err });
-    if (Boom.isBoom(err)) {
-        throw err;
-    }
     // Lower-level libraries (e.g. ImapFlow) flag "this server lacks the required capability" with a
     // machine code but no HTTP status. Surface it as a 422 client error instead of a generic 500 - the
     // request is well-formed, the account just cannot satisfy it (e.g. label search on non-Gmail IMAP).
-    let statusCode = err.statusCode || (err.code === 'MissingServerExtension' ? 422 : 500);
+    let isBoom = Boom.isBoom(err);
+    let statusCode = isBoom ? err.output.statusCode : err.statusCode || (err.code === 'MissingServerExtension' ? 422 : 500);
+
+    // Log expected client errors (4xx, e.g. a 404 from an existence-check probe) at warn so they do not
+    // flood the error stream, while genuine server faults (5xx) stay at error.
+    let logLevel = statusCode >= 400 && statusCode < 500 ? 'warn' : 'error';
+    request.logger[logLevel]({ msg: 'API request failed', statusCode, err });
+
+    if (isBoom) {
+        throw err;
+    }
     const error = Boom.boomify(err, { statusCode });
     if (err.code) {
         error.output.payload.code = err.code;

package/lib/auth-token.js

@@ -0,0 +1,83 @@
+'use strict';
+
+// Shared token validation for the SMTP and IMAP-proxy submission servers. Both
+// servers accept a 64-char hex API token as the password and apply the same
+// checks (account binding, scope, IP allowlist). The logic lives here so the two
+// auth handlers (lib/smtp-auth.js, lib/imap-proxy-auth.js) cannot drift apart -
+// a token security-policy change is made once and applies to both surfaces.
+
+const logger = require('./logger');
+const tokens = require('./tokens');
+const { matchIp } = require('./utils/network');
+
+// Reason-specific denial messages, shared verbatim by both auth handlers. The
+// generic "failed to authenticate" fallback and any protocol-specific error
+// decoration are left to each caller.
+const REASON_MESSAGES = {
+    username: 'Access denied, invalid username',
+    scope: 'Access denied, invalid scope',
+    ip: 'Access denied, traffic not accepted from this IP'
+};
+
+/**
+ * Validates a 64-char hex API token supplied as a server password.
+ *
+ * Performs the token lookup plus the account-binding, scope and IP-allowlist
+ * checks. Does NOT throw - the caller maps the returned reason to its own
+ * protocol-specific error (SMTP and IMAP use different response shapes).
+ *
+ * @param {Object} opts
+ * @param {String} opts.password - supplied password (candidate token)
+ * @param {String} opts.account - username the client authenticated as
+ * @param {String} opts.requiredScope - scope the token must hold ('smtp' | 'imap-proxy')
+ * @param {String} opts.remoteAddress - client IP, checked against token restrictions
+ * @returns {Promise<{authenticated: Boolean, reason: (null|'username'|'scope'|'ip')}>}
+ */
+async function validateAuthToken({ password, account, requiredScope, remoteAddress }) {
+    if (!/^[0-9a-f]{64}$/i.test(password)) {
+        return { authenticated: false, reason: null };
+    }
+
+    let tokenData;
+    try {
+        tokenData = await tokens.get(password, false, { log: true, remoteAddress });
+    } catch (err) {
+        logger.error({ msg: 'Failed to fetch token', err });
+    }
+
+    if (!tokenData) {
+        return { authenticated: false, reason: null };
+    }
+
+    if (tokenData.account && tokenData.account !== account) {
+        return { authenticated: false, reason: 'username' };
+    }
+
+    if (tokenData.scopes && !tokenData.scopes.includes(requiredScope) && !tokenData.scopes.includes('*')) {
+        logger.error({
+            msg: 'Trying to use invalid scope for a token',
+            tokenAccount: tokenData.account,
+            tokenId: tokenData.id,
+            account,
+            requestedScope: requiredScope,
+            scopes: tokenData.scopes
+        });
+        return { authenticated: false, reason: 'scope' };
+    }
+
+    if (tokenData.restrictions && tokenData.restrictions.addresses && !matchIp(remoteAddress, tokenData.restrictions.addresses)) {
+        logger.error({
+            msg: 'Trying to use invalid IP for a token',
+            tokenAccount: tokenData.account,
+            tokenId: tokenData.id,
+            account,
+            remoteAddress,
+            addressAllowlist: tokenData.restrictions.addresses
+        });
+        return { authenticated: false, reason: 'ip' };
+    }
+
+    return { authenticated: true, reason: null };
+}
+
+module.exports = { validateAuthToken, REASON_MESSAGES };

package/lib/delivery-error.js

@@ -0,0 +1,62 @@
+'use strict';
+
+// Classification of outbound delivery errors for the submit worker.
+//
+// This logic lives in its own module so it can be unit tested without booting
+// the BullMQ submit worker (workers/submit.js connects to Redis and expects a
+// worker-thread parentPort at require time).
+
+// Nodemailer/SMTP error codes that represent permanent failures. A message that
+// fails with one of these will fail again on every retry, so the job is
+// discarded instead of being retried.
+const NON_RETRYABLE_CODES = new Set([
+    'EAUTH', // authentication failed
+    'ENOAUTH', // no credentials provided
+    'EOAUTH2', // OAuth2 token failure
+    'ETLS', // TLS handshake failed
+    'EENVELOPE', // invalid sender/recipients
+    'EMESSAGE', // message content error
+    'EPROTOCOL' // SMTP protocol mismatch
+]);
+
+/**
+ * Determines whether a delivery error is permanent (must not be retried).
+ *
+ * An error is permanent when either:
+ *   - the SMTP status code is a 5xx other than 503 (503 is treated as a
+ *     transient "try again later" response), or
+ *   - the error carries one of the NON_RETRYABLE_CODES.
+ *
+ * @param {Object} err - Error thrown during submission
+ * @param {Number} [err.statusCode] - SMTP/HTTP status code
+ * @param {String} [err.code] - Nodemailer error code
+ * @returns {Boolean} True if the error should never be retried
+ */
+function isPermanentDeliveryError(err) {
+    if (!err) {
+        return false;
+    }
+    const isPermanentSmtp = err.statusCode >= 500 && err.statusCode !== 503;
+    const isPermanentCode = NON_RETRYABLE_CODES.has(err.code);
+    return isPermanentSmtp || isPermanentCode;
+}
+
+/**
+ * Determines whether the submit worker should discard a job (stop retrying).
+ *
+ * A job is discarded only when the error is permanent AND there are still
+ * attempts remaining. When attempts are already exhausted, BullMQ will fail the
+ * job naturally, so there is nothing to discard.
+ *
+ * @param {Object} err - Error thrown during submission
+ * @param {Object} job - BullMQ job
+ * @param {Number} job.attemptsMade - Attempts already made
+ * @param {Object} job.opts - Job options
+ * @param {Number} job.opts.attempts - Configured max attempts
+ * @returns {Boolean} True if the job should be discarded
+ */
+function shouldDiscardJob(err, job) {
+    return isPermanentDeliveryError(err) && job.attemptsMade < job.opts.attempts;
+}
+
+module.exports = { NON_RETRYABLE_CODES, isPermanentDeliveryError, shouldDiscardJob };

package/lib/email-client/gmail-client.js

@@ -257,6 +257,9 @@ class GmailClient extends BaseClient {
 
         this.processingHistory = null;
         this.renewWatchTimer = null;
+        // Set once renewWatch() has logged that the linked Pub/Sub app is missing its topic/IAM
+        // markers, so the warning is emitted once per connection instead of every renewal cycle.
+        this._loggedMissingWatchMarkers = false;
 
         this.cachedLabels = null;
         this.cachedDetailedLabels = null;
@@ -2047,6 +2050,9 @@ class GmailClient extends BaseClient {
                         watchExpiration,
                         watchFailure: null
                     });
+                    // Markers are present and the watch armed - allow the missing-markers warning
+                    // to fire again if the app's markers ever disappear.
+                    this._loggedMissingWatchMarkers = false;
                     this.logger.info({
                         msg: 'Renewed Gmail pubsub watch',
                         account: this.account,
@@ -2067,6 +2073,23 @@ class GmailClient extends BaseClient {
                         err
                     });
                 }
+            } else {
+                // pubSubApp is linked and a renewal is due, but the topic/IAM markers required to
+                // arm the watch are not recorded on the linked Pub/Sub app. This is the silent
+                // failure that leaves Gmail push disabled (e.g. Pub/Sub resources pre-provisioned in
+                // GCP, so ensurePubsub never persisted the markers). Surface it once per connection -
+                // the renewal timer re-fires ~hourly and this branch never updates lastWatch, so an
+                // unguarded warning would otherwise repeat every cycle.
+                if (!this._loggedMissingWatchMarkers) {
+                    this._loggedMissingWatchMarkers = true;
+                    this.logger.warn({
+                        msg: 'Skipping Gmail watch renewal: Pub/Sub app linked but topic/IAM markers are not recorded',
+                        account: this.account,
+                        pubSubApp: accountData._app?.pubSubApp,
+                        hasTopic: !!appData?.pubSubTopic,
+                        hasIamPolicy: !!appData?.pubSubIamPolicy
+                    });
+                }
             }
         }
     }
@@ -3076,4 +3099,13 @@ class GmailClient extends BaseClient {
     }
 }
 
-module.exports = { GmailClient };
+// PageCursor and the label maps are exported for unit testing. The maps are
+// exported as frozen copies so importers (or tests) cannot mutate the live
+// objects used by the running Gmail client.
+module.exports = {
+    GmailClient,
+    PageCursor,
+    SKIP_LABELS: Object.freeze([...SKIP_LABELS]),
+    SYSTEM_LABELS: Object.freeze({ ...SYSTEM_LABELS }),
+    SYSTEM_NAMES: Object.freeze({ ...SYSTEM_NAMES })
+};

package/lib/imap-proxy-auth.js

@@ -0,0 +1,81 @@
+'use strict';
+
+// IMAP proxy authentication. Extracted from lib/imapproxy/imap-server.js so the
+// auth decision can be unit tested without booting the proxy worker (which uses
+// a parentPort at require time). Only the authentication portion is extracted;
+// the backend IMAP connection config is still built by the server.
+
+const logger = require('./logger');
+const settings = require('./settings');
+const { redis } = require('./db');
+const { Account } = require('./account');
+const getSecret = require('./get-secret');
+const { isApiBasedApp } = require('./oauth2-apps');
+const { validateAuthToken, REASON_MESSAGES } = require('./auth-token');
+
+/**
+ * Builds the IMAP proxy authentication handler.
+ *
+ * @param {Object} deps
+ * @param {Function} deps.call - RPC function passed to the Account instance
+ * @returns {Function} async authenticate(auth, session) -> { accountObject, accountData }
+ */
+function createImapProxyAuthHandler({ call }) {
+    return async function authenticate(auth, session) {
+        let account = auth.username;
+
+        let imapPassword = await settings.get('imapProxyServerPassword');
+        if (!imapPassword || auth.password !== imapPassword) {
+            // fall back to API token authentication
+            let result = await validateAuthToken({
+                password: auth.password,
+                account: auth.username,
+                requiredScope: 'imap-proxy',
+                remoteAddress: session.remoteAddress
+            });
+
+            if (!result.authenticated) {
+                let err = new Error(REASON_MESSAGES[result.reason] || 'Access denied, failed to authenticate user');
+                err.serverResponseCode = 'AUTHENTICATIONFAILED';
+                err.responseStatus = 'NO';
+                throw err;
+            }
+        }
+
+        let accountObject = new Account({ account, redis, call, secret: await getSecret() });
+        let accountData;
+        try {
+            accountData = await accountObject.loadAccountData();
+        } catch (err) {
+            let respErr = new Error('Failed to authenticate user');
+            respErr.serverResponseCode = 'AUTHENTICATIONFAILED';
+            respErr.responseStatus = 'NO';
+
+            if (!err.output || err.output.statusCode !== 404) {
+                // only log non-obvious errors
+                logger.error({ msg: 'Failed to load account data', account: auth.username, err });
+            }
+
+            throw respErr;
+        }
+
+        if (isApiBasedApp(accountData?._app)) {
+            let respErr = new Error('IMAP is not supported for API-based accounts');
+            respErr.authenticationFailed = true;
+            respErr.serverResponseCode = 'ACCOUNTDISABLED';
+            respErr.responseStatus = 'NO';
+            throw respErr;
+        }
+
+        if (!accountData) {
+            let err = new Error('Access denied, failed to authenticate user');
+            err.serverResponseCode = 'AUTHENTICATIONFAILED';
+            err.responseStatus = 'NO';
+            throw err;
+        }
+
+        return { accountObject, accountData };
+    };
+}
+
+module.exports = { createImapProxyAuthHandler };

package/lib/imapproxy/imap-server.js

@@ -4,16 +4,15 @@ const { parentPort } = require('worker_threads');
 
 const config = require('@zone-eu/wild-config');
 const logger = require('../logger');
-const { oauth2Apps, oauth2ProviderData, isApiBasedApp } = require('../oauth2-apps');
+const { oauth2Apps, oauth2ProviderData } = require('../oauth2-apps');
 
 const { getDuration, getBoolean, resolveCredentials, hasEnvValue, readEnvValue, emitChangeEvent, loadTlsConfig } = require('../tools');
-const { matchIp, getLocalAddress } = require('../utils/network');
+const { getLocalAddress } = require('../utils/network');
 
 const { redis } = require('../db');
-const { Account } = require('../account');
+const { createImapProxyAuthHandler } = require('../imap-proxy-auth');
 const getSecret = require('../get-secret');
 const settings = require('../settings');
-const tokens = require('../tokens');
 
 const { encrypt, decrypt } = require('../encrypt');
 const { Certs } = require('@postalsys/certs');
@@ -150,108 +149,14 @@ class PassThroughLogger extends PassThrough {
     }
 }
 
+// Authentication logic lives in lib/imap-proxy-auth.js so it can be unit tested
+// without booting this worker. call() is injected for the Account instance.
+const authenticateImapProxy = createImapProxyAuthHandler({ call });
+
 async function onAuth(auth, session) {
     let account = auth.username;
 
-    let imapPassword = await settings.get('imapProxyServerPassword');
-    let authPass = false;
-
-    if (!imapPassword || auth.password !== imapPassword) {
-        if (/^[0-9a-f]{64}$/i.test(auth.password)) {
-            // fallback to tokens
-            let tokenData;
-            try {
-                tokenData = await tokens.get(auth.password, false, { log: true, remoteAddress: session.remoteAddress });
-            } catch (err) {
-                logger.error({
-                    msg: 'Failed to fetch token',
-                    err
-                });
-            }
-
-            if (tokenData) {
-                if (tokenData.account && tokenData.account !== auth.username) {
-                    let err = new Error('Access denied, invalid username');
-                    err.serverResponseCode = 'AUTHENTICATIONFAILED';
-                    err.responseStatus = 'NO';
-                    throw err;
-                }
-
-                if (tokenData.scopes && !tokenData.scopes.includes('imap-proxy') && !tokenData.scopes.includes('*')) {
-                    logger.error({
-                        msg: 'Trying to use invalid scope for a token',
-                        tokenAccount: tokenData.account,
-                        tokenId: tokenData.id,
-                        account,
-                        requestedScope: 'imap-proxy',
-                        scopes: tokenData.scopes
-                    });
-
-                    let err = new Error('Access denied, invalid scope');
-                    err.serverResponseCode = 'AUTHENTICATIONFAILED';
-                    err.responseStatus = 'NO';
-                    throw err;
-                }
-
-                if (tokenData.restrictions && tokenData.restrictions.addresses && !matchIp(session.remoteAddress, tokenData.restrictions.addresses)) {
-                    logger.error({
-                        msg: 'Trying to use invalid IP for a token',
-                        tokenAccount: tokenData.account,
-                        tokenId: tokenData.id,
-                        account,
-                        remoteAddress: session.remoteAddress,
-                        addressAllowlist: tokenData.restrictions.addresses
-                    });
-
-                    let err = new Error('Access denied, traffic not accepted from this IP');
-                    err.serverResponseCode = 'AUTHENTICATIONFAILED';
-                    err.responseStatus = 'NO';
-                    throw err;
-                }
-
-                authPass = true;
-            }
-        }
-
-        if (!authPass) {
-            let err = new Error('Access denied, failed to authenticate user');
-            err.serverResponseCode = 'AUTHENTICATIONFAILED';
-            err.responseStatus = 'NO';
-            throw err;
-        }
-    }
-
-    let accountObject = new Account({ account, redis, call, secret: await getSecret() });
-    let accountData;
-    try {
-        accountData = await accountObject.loadAccountData();
-    } catch (err) {
-        let respErr = new Error('Failed to authenticate user');
-        respErr.serverResponseCode = 'AUTHENTICATIONFAILED';
-        respErr.responseStatus = 'NO';
-
-        if (!err.output || err.output.statusCode !== 404) {
-            // only log non-obvious errors
-            logger.error({ msg: 'Failed to load account data', account: auth.username, err });
-        }
-
-        throw respErr;
-    }
-
-    if (isApiBasedApp(accountData?._app)) {
-        let respErr = new Error('IMAP is not supported for API-based accounts');
-        respErr.authenticationFailed = true;
-        respErr.serverResponseCode = 'ACCOUNTDISABLED';
-        respErr.responseStatus = 'NO';
-        throw respErr;
-    }
-
-    if (!accountData) {
-        let err = new Error('Access denied, failed to authenticate user');
-        err.serverResponseCode = 'AUTHENTICATIONFAILED';
-        err.responseStatus = 'NO';
-        throw err;
-    }
+    let { accountObject, accountData } = await authenticateImapProxy(auth, session);
 
     if (!accountData.imap && !accountData.oauth2) {
         // can not make connection