payload-plugin-newsletter 0.1.1 → 0.3.1

Files changed (44)
  1. package/CHANGELOG.md +56 -0
  2. package/README.md +61 -2
  3. package/dist/.tsbuildinfo +1 -1
  4. package/dist/collections/NewsletterSettings.d.ts +4 -0
  5. package/dist/collections/NewsletterSettings.d.ts.map +1 -0
  6. package/dist/collections/Subscribers.d.ts.map +1 -1
  7. package/dist/endpoints/preferences.d.ts.map +1 -1
  8. package/dist/endpoints/subscribe.d.ts.map +1 -1
  9. package/dist/endpoints/unsubscribe.d.ts.map +1 -1
  10. package/dist/endpoints/verify-magic-link.d.ts.map +1 -1
  11. package/dist/index.d.ts.map +1 -1
  12. package/dist/src/collections/NewsletterSettings.js +390 -0
  13. package/dist/src/collections/NewsletterSettings.js.map +1 -0
  14. package/dist/src/collections/Subscribers.js +4 -39
  15. package/dist/src/collections/Subscribers.js.map +1 -1
  16. package/dist/src/components/MagicLinkVerify.js +1 -1
  17. package/dist/src/components/MagicLinkVerify.js.map +1 -1
  18. package/dist/src/endpoints/preferences.js +16 -4
  19. package/dist/src/endpoints/preferences.js.map +1 -1
  20. package/dist/src/endpoints/subscribe.js +14 -3
  21. package/dist/src/endpoints/subscribe.js.map +1 -1
  22. package/dist/src/endpoints/unsubscribe.js +10 -2
  23. package/dist/src/endpoints/unsubscribe.js.map +1 -1
  24. package/dist/src/endpoints/verify-magic-link.js +13 -3
  25. package/dist/src/endpoints/verify-magic-link.js.map +1 -1
  26. package/dist/src/index.js +18 -12
  27. package/dist/src/index.js.map +1 -1
  28. package/dist/src/templates/NewsletterTemplate.js.map +1 -1
  29. package/dist/src/templates/WelcomeTemplate.js.map +1 -1
  30. package/dist/src/types/index.js.map +1 -1
  31. package/dist/src/utils/access.js +56 -0
  32. package/dist/src/utils/access.js.map +1 -0
  33. package/dist/templates/NewsletterTemplate.d.ts.map +1 -1
  34. package/dist/templates/WelcomeTemplate.d.ts.map +1 -1
  35. package/dist/types/index.d.ts +16 -0
  36. package/dist/types/index.d.ts.map +1 -1
  37. package/dist/utils/access.d.ts +15 -0
  38. package/dist/utils/access.d.ts.map +1 -0
  39. package/package.json +7 -3
  40. package/CLAUDE.md +0 -110
  41. package/dist/globals/EmailSettings.d.ts +0 -4
  42. package/dist/globals/EmailSettings.d.ts.map +0 -1
  43. package/dist/src/globals/EmailSettings.js +0 -252
  44. package/dist/src/globals/EmailSettings.js.map +0 -1
package/CHANGELOG.md CHANGED
@@ -5,6 +5,58 @@ All notable changes to this project will be documented in this file.
5
5
  The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
6
6
  and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
7
7
 
8
+ ## [0.3.1] - 2025-06-15
9
+
10
+ ### Security
11
+ - **CRITICAL**: Fixed access control vulnerability where any authenticated user could read, update, or delete any subscriber
12
+ - **CRITICAL**: Fixed access control vulnerability where any authenticated user could modify newsletter settings
13
+ - Added proper admin role checking with support for multiple admin patterns
14
+ - Added configurable admin check function for custom authentication setups
15
+
16
+ ### Added
17
+ - New `access.isAdmin` configuration option for custom admin authentication
18
+ - Flexible admin detection supporting common patterns (roles, isAdmin, role, admin)
19
+ - Access control utility functions for consistent security
20
+
21
+ ### Changed
22
+ - All collection access controls now properly validate admin status
23
+ - Improved security documentation with custom admin configuration examples
24
+
25
+ ## [0.3.0] - 2025-06-15
26
+
27
+ ### Added
28
+ - Comprehensive security improvements to respect Payload access control
29
+ - Synthetic user pattern for subscriber self-service operations
30
+ - Admin verification for newsletter settings modifications
31
+ - Security documentation in README
32
+
33
+ ### Changed
34
+ - All API endpoints now properly implement `overrideAccess` and `user` parameters
35
+ - Preferences endpoint now ensures subscribers can only access their own data
36
+ - Unsubscribe endpoint validates ownership through tokens
37
+ - Magic link verification uses synthetic users for updates
38
+ - Newsletter settings modifications now require admin authentication
39
+
40
+ ### Security
41
+ - Implemented proper access control for all Payload Local API operations
42
+ - Added user context validation for authenticated endpoints
43
+ - Restricted settings access to admin users only
44
+ - Enhanced protection against unauthorized data access
45
+
46
+ ## [0.2.0] - 2025-06-15
47
+
48
+ ### Changed
49
+ - **BREAKING**: Changed newsletter settings from a global to a collection
50
+ - Allows multiple configurations (e.g., dev/staging/prod)
51
+ - Only one configuration can be active at a time
52
+ - Migrate existing settings by creating a new configuration in the collection
53
+ - Updated README to clarify the settings collection usage
54
+
55
+ ### Added
56
+ - Support for multiple email configurations
57
+ - Automatic deactivation of other configs when activating one
58
+ - Configuration name field for better organization
59
+
8
60
  ## [0.1.1] - 2025-06-15
9
61
 
10
62
  ### Fixed
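Review bot: the 0.3.1 Security entries should name the affected versions (every release before 0.3.1, including 0.3.0) and state that upgrading is the only remediation, because the 0.3.0 entry directly below still reads "Comprehensive security improvements to respect Payload access control" and "Implemented proper access control for all Payload Local API operations" while 0.3.1 records that any authenticated user could still read, update or delete any subscriber and modify newsletter settings; a reader who stops at 0.3.0 will believe they are covered. The entry "Flexible admin detection supporting common patterns (roles, isAdmin, role, admin)" also needs a caveat: a user document that carries a field named `admin`, `isAdmin` or `role` for some other purpose will be treated as an administrator, so the entry should recommend setting `access.isAdmin` explicitly whenever the auth collection does not use one of those fields with that meaning. Minor: 0.2.0 is flagged **BREAKING** but ships as a minor bump; that is allowed under SemVer for 0.x, but saying so here avoids readers expecting a major version to signal the global-to-collection migration.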
@@ -38,6 +90,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
38
90
  - Domain restriction options
39
91
  - Input validation and sanitization
40
92
 
93
+ [0.3.1]: https://github.com/aniketpanjwani/payload-plugin-email-newsletter/releases/tag/v0.3.1
94
+ [0.3.0]: https://github.com/aniketpanjwani/payload-plugin-email-newsletter/releases/tag/v0.3.0
95
+ [0.2.0]: https://github.com/aniketpanjwani/payload-plugin-email-newsletter/releases/tag/v0.2.0
96
+ [0.1.1]: https://github.com/aniketpanjwani/payload-plugin-email-newsletter/releases/tag/v0.1.1
41
97
  [0.1.0]: https://github.com/aniketpanjwani/payload-plugin-email-newsletter/releases/tag/v0.1.0
42
98
 
43
99
  ---
package/README.md CHANGED
@@ -64,7 +64,7 @@ export default buildConfig({
64
64
 
65
65
  The plugin automatically adds:
66
66
  - A `subscribers` collection to manage your subscribers
67
- - A `newsletter-settings` global for email configuration
67
+ - A `newsletter-settings` collection for email configurations (supports multiple environments)
68
68
  - API endpoints for subscription and authentication
69
69
  - Newsletter scheduling fields to your articles (optional)
70
70
 
@@ -111,12 +111,32 @@ Subscribers can be managed through the Payload admin panel at `/admin/collection
111
111
 
112
112
  ### Email Settings
113
113
 
114
- After setup, configure email settings at `/admin/globals/newsletter-settings` in your admin panel. You can:
114
+ After setup, configure email settings at `/admin/collections/newsletter-settings` in your admin panel. You can:
115
+ - Create multiple configurations (e.g., for different environments or purposes)
116
+ - Set one configuration as active at a time
115
117
  - Switch between email providers
116
118
  - Update API keys and settings
117
119
  - Customize email templates
118
120
  - Set subscription preferences
119
121
 
122
+ **Note**: Only one configuration can be active at a time. The plugin will use the active configuration for sending emails.
123
+
124
+ ## Initial Setup
125
+
126
+ After installing the plugin, you'll need to:
127
+
128
+ 1. **Create an email configuration**:
129
+ - Go to `/admin/collections/newsletter-settings`
130
+ - Click "Create New"
131
+ - Give it a name (e.g., "Production" or "Development")
132
+ - Configure your email provider settings
133
+ - Set it as "Active"
134
+ - Save
135
+
136
+ 2. **Start collecting subscribers**:
137
+ - Subscribers will appear in `/admin/collections/subscribers`
138
+ - Use the provided React components or API endpoints
139
+
120
140
  ## Configuration Options
121
141
 
122
142
  ### Minimal Configuration
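Review bot: the Initial Setup steps have the reader enter provider credentials through the admin UI ("Configure your email provider settings"), which stores those API keys in the `newsletter-settings` collection, yet the Best Practices added further down in this file say to keep API keys in environment variables; reconcile the two by either documenting how a configuration can reference an environment variable or by stating plainly that provider secrets live in the database and that access to this collection must therefore stay admin-only, as the 0.3.x changelog entries describe. The steps also cover only the happy path: say what happens when no configuration is marked "Active" (does sending fail loudly, or is a default picked?). Finally, drop the duplicate: the bullet "Set one configuration as active at a time" repeats the **Note** two paragraphs below.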
@@ -394,6 +414,45 @@ newsletterPlugin({
394
414
  - Check the email provider's dashboard for errors
395
415
  - Ensure from address is verified with your provider
396
416
 
417
+ ## Security
418
+
419
+ ### Access Control
420
+
421
+ Starting from v0.3.0, the plugin implements proper access control for all operations:
422
+
423
+ - **Subscriber data**: Users can only access and modify their own data via magic link authentication
424
+ - **Newsletter settings**: Only admin users can modify email provider settings and configurations
425
+ - **API endpoints**: All endpoints respect Payload's access control rules
426
+
427
+ #### Custom Admin Check
428
+
429
+ The plugin supports multiple admin authentication patterns out of the box:
430
+ - `user.roles.includes('admin')` - Role-based
431
+ - `user.isAdmin === true` - Boolean field
432
+ - `user.role === 'admin'` - Single role field
433
+ - `user.admin === true` - Admin boolean
434
+
435
+ If your setup uses a different pattern, configure a custom admin check:
436
+
437
+ ```typescript
438
+ newsletterPlugin({
439
+ access: {
440
+ isAdmin: (user) => {
441
+ // Your custom logic
442
+ return user.customAdminField === true
443
+ }
444
+ },
445
+ // ... other config
446
+ })
447
+ ```
448
+
449
+ ### Best Practices
450
+
451
+ - Always use environment variables for sensitive data (API keys, JWT secrets)
452
+ - Enable double opt-in for GDPR compliance
453
+ - Configure allowed domains to prevent spam subscriptions
454
+ - Set reasonable rate limits for subscriptions per IP
455
+
397
456
  ## Migration Guide
398
457
 
399
458
  Coming from another newsletter system? The plugin stores subscribers in a standard Payload collection, making it easy to import existing data:
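Review bot: the `isAdmin` example throws when `user` is `undefined` or `null`, which is exactly the case for unauthenticated requests and for Local API calls made without a `user`, so `return user.customAdminField === true` should be guarded (for example `return Boolean(user?.customAdminField === true)`) and the text should state that the function must return `false`, never throw, for a missing user. "Starting from v0.3.0, the plugin implements proper access control" should read v0.3.1, since the CHANGELOG records that 0.3.0 still let any authenticated user read, update or delete any subscriber. Two smaller points: the four built-in patterns mean any user document with a truthy `admin` or `isAdmin` field, or a `role`/`roles` value containing `'admin'`, is treated as an administrator regardless of what that field means in the host application, so recommend configuring `access.isAdmin` explicitly whenever the users collection does not follow one of these conventions; and "Set reasonable rate limits for subscriptions per IP" should say whether the plugin enforces this itself or expects it from a reverse proxy or middleware, because this section names no configuration option for it.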