strapi-plugin-magic-mail 2.6.7 → 2.7.0

package/dist/server/index.js

@@ -89,19 +89,23 @@ var bootstrap$1 = async ({ strapi: strapi2 }) => {
   try {
     const licenseGuardService = strapi2.plugin("magic-mail").service("license-guard");
     setTimeout(async () => {
-      const licenseStatus = await licenseGuardService.initialize();
-      if (!licenseStatus.valid && licenseStatus.demo) {
-        log.error("╔════════════════════════════════════════════════════════════════╗");
-        log.error("║  [ERROR] MAGICMAIL - NO VALID LICENSE                         ║");
-        log.error("║                                                                ║");
-        log.error("║  This plugin requires a valid license to operate.             ║");
-        log.error("║  Please activate your license via Admin UI:                   ║");
-        log.error("║  Go to MagicMail → License tab                                ║");
-        log.error("║                                                                ║");
-        log.error('║  Click "Generate Free License" to get started!                ║');
-        log.error("╚════════════════════════════════════════════════════════════════╝");
-      } else if (licenseStatus.gracePeriod) {
-        log.warn("[WARNING] Running on grace period (license server unreachable)");
+      try {
+        const licenseStatus = await licenseGuardService.initialize();
+        if (!licenseStatus.valid && licenseStatus.demo) {
+          log.error("╔════════════════════════════════════════════════════════════════╗");
+          log.error("║  [ERROR] MAGICMAIL - NO VALID LICENSE                         ║");
+          log.error("║                                                                ║");
+          log.error("║  This plugin requires a valid license to operate.             ║");
+          log.error("║  Please activate your license via Admin UI:                   ║");
+          log.error("║  Go to MagicMail -> License tab                               ║");
+          log.error("║                                                                ║");
+          log.error('║  Click "Generate Free License" to get started!                ║');
+          log.error("╚════════════════════════════════════════════════════════════════╝");
+        } else if (licenseStatus.gracePeriod) {
+          log.warn("[WARNING] Running on grace period (license server unreachable)");
+        }
+      } catch (err) {
+        log.error("[ERROR] License initialization failed:", err.message);
       }
     }, 2e3);
     const accountManager2 = strapi2.plugin("magic-mail").service("account-manager");
@@ -140,14 +144,14 @@ var bootstrap$1 = async ({ strapi: strapi2 }) => {
     const hourlyResetInterval = setInterval(async () => {
       try {
         if (!strapi2 || !strapi2.plugin) {
-          console.warn("Strapi not available for hourly reset");
+          strapi2.log.warn("[magic-mail] Strapi not available for hourly reset");
           return;
         }
         const accountMgr = strapi2.plugin("magic-mail").service("account-manager");
         await accountMgr.resetCounters("hourly");
         log.info("[RESET] Hourly counters reset");
       } catch (err) {
-        console.error("Hourly reset error:", err.message);
+        strapi2.log.error("[magic-mail] Hourly reset error:", err.message);
       }
     }, 60 * 60 * 1e3);
     if (!commonjsGlobal.magicMailIntervals) commonjsGlobal.magicMailIntervals = {};
@@ -158,7 +162,7 @@ var bootstrap$1 = async ({ strapi: strapi2 }) => {
     setTimeout(async () => {
       try {
         if (!strapi2 || !strapi2.plugin) {
-          console.warn("Strapi not available for daily reset");
+          strapi2.log.warn("[magic-mail] Strapi not available for daily reset");
           return;
         }
         const accountMgr = strapi2.plugin("magic-mail").service("account-manager");
@@ -167,19 +171,19 @@ var bootstrap$1 = async ({ strapi: strapi2 }) => {
         const dailyResetInterval = setInterval(async () => {
           try {
             if (!strapi2 || !strapi2.plugin) {
-              console.warn("Strapi not available for daily reset");
+              strapi2.log.warn("[magic-mail] Strapi not available for daily reset");
               return;
             }
             const accountMgr2 = strapi2.plugin("magic-mail").service("account-manager");
             await accountMgr2.resetCounters("daily");
             log.info("[RESET] Daily counters reset");
           } catch (err) {
-            console.error("Daily reset error:", err.message);
+            strapi2.log.error("[magic-mail] Daily reset error:", err.message);
           }
         }, 24 * 60 * 60 * 1e3);
         commonjsGlobal.magicMailIntervals.daily = dailyResetInterval;
       } catch (err) {
-        console.error("Initial daily reset error:", err.message);
+        strapi2.log.error("[magic-mail] Initial daily reset error:", err.message);
       }
     }, msUntilMidnight);
     log.info("[SUCCESS] Counter reset schedules initialized");
@@ -447,7 +451,7 @@ const attributes$5 = {
     type: "string"
   },
   accountId: {
-    type: "integer"
+    type: "string"
   },
   accountName: {
     type: "string"
@@ -876,62 +880,75 @@ var contentTypes$1 = {
     schema: pluginSettings$4
   }
 };
+function stripAttachmentPaths(body) {
+  if (body.attachments && Array.isArray(body.attachments)) {
+    body.attachments = body.attachments.map(({ path: path2, ...safe }) => safe);
+  }
+  return body;
+}
 var controller$1 = {
   /**
    * Send email via MagicMail router
    */
   async send(ctx) {
     try {
+      const body = stripAttachmentPaths({ ...ctx.request.body });
+      if (!body || !body.to) {
+        return ctx.badRequest("Recipient (to) is required");
+      }
       const emailRouter2 = strapi.plugin("magic-mail").service("email-router");
-      const result = await emailRouter2.send(ctx.request.body);
+      const result = await emailRouter2.send(body);
       ctx.body = {
         success: true,
         ...result
       };
     } catch (err) {
-      strapi.log.error("[magic-mail] Error sending email:", err);
-      ctx.throw(500, err.message || "Failed to send email");
+      strapi.log.error("[magic-mail] Error sending email:", err.message);
+      ctx.throw(err.status || 500, err.message || "Failed to send email");
     }
   },
   /**
    * Send message via Email or WhatsApp (unified API)
-   * POST /api/magic-mail/send-message
-   * Body: { channel: 'email' | 'whatsapp' | 'auto', to, phoneNumber, subject, message, ... }
    */
   async sendMessage(ctx) {
     try {
+      const body = stripAttachmentPaths({ ...ctx.request.body });
+      if (!body || !body.to && !body.phoneNumber) {
+        return ctx.badRequest("Recipient (to or phoneNumber) is required");
+      }
       const emailRouter2 = strapi.plugin("magic-mail").service("email-router");
-      const result = await emailRouter2.sendMessage(ctx.request.body);
+      const result = await emailRouter2.sendMessage(body);
       ctx.body = {
         success: true,
         ...result
       };
     } catch (err) {
-      strapi.log.error("[magic-mail] Error sending message:", err);
-      ctx.throw(500, err.message || "Failed to send message");
+      strapi.log.error("[magic-mail] Error sending message:", err.message);
+      ctx.throw(err.status || 500, err.message || "Failed to send message");
     }
   },
   /**
    * Send WhatsApp message
-   * POST /api/magic-mail/send-whatsapp
-   * Body: { phoneNumber, message, templateId?, templateData? }
    */
   async sendWhatsApp(ctx) {
     try {
+      const body = stripAttachmentPaths({ ...ctx.request.body });
+      if (!body || !body.phoneNumber) {
+        return ctx.badRequest("Phone number is required");
+      }
       const emailRouter2 = strapi.plugin("magic-mail").service("email-router");
-      const result = await emailRouter2.sendWhatsApp(ctx.request.body);
+      const result = await emailRouter2.sendWhatsApp(body);
       ctx.body = {
         success: true,
         ...result
       };
     } catch (err) {
-      strapi.log.error("[magic-mail] Error sending WhatsApp:", err);
-      ctx.throw(500, err.message || "Failed to send WhatsApp message");
+      strapi.log.error("[magic-mail] Error sending WhatsApp:", err.message);
+      ctx.throw(err.status || 500, err.message || "Failed to send WhatsApp message");
     }
   },
   /**
    * Get WhatsApp connection status
-   * GET /api/magic-mail/whatsapp/status
    */
   async getWhatsAppStatus(ctx) {
     try {
@@ -942,7 +959,8 @@ var controller$1 = {
         data: status
       };
     } catch (err) {
-      strapi.log.error("[magic-mail] Error getting WhatsApp status:", err);
+      strapi.log.error("[magic-mail] Error getting WhatsApp status:", err.message);
+      ctx.status = 503;
       ctx.body = {
         success: false,
         data: {
@@ -955,14 +973,12 @@ var controller$1 = {
   },
   /**
    * Check if phone number is on WhatsApp
-   * GET /api/magic-mail/whatsapp/check/:phoneNumber
    */
   async checkWhatsAppNumber(ctx) {
     try {
       const { phoneNumber } = ctx.params;
       if (!phoneNumber) {
-        ctx.throw(400, "Phone number is required");
-        return;
+        return ctx.badRequest("Phone number is required");
       }
       const emailRouter2 = strapi.plugin("magic-mail").service("email-router");
       const result = await emailRouter2.checkWhatsAppNumber(phoneNumber);
@@ -971,8 +987,8 @@ var controller$1 = {
         data: result
       };
     } catch (err) {
-      strapi.log.error("[magic-mail] Error checking WhatsApp number:", err);
-      ctx.throw(500, err.message || "Failed to check phone number");
+      strapi.log.error("[magic-mail] Error checking WhatsApp number:", err.message);
+      ctx.throw(err.status || 500, err.message || "Failed to check phone number");
     }
   }
 };
@@ -1030,12 +1046,15 @@ var accounts$1 = {
       const { accountId } = ctx.params;
       const accountManager2 = strapi.plugin("magic-mail").service("account-manager");
       const account = await accountManager2.getAccountWithDecryptedConfig(accountId);
+      if (!account) {
+        return ctx.notFound("Email account not found");
+      }
       ctx.body = {
         data: account
       };
     } catch (err) {
-      strapi.log.error("[magic-mail] Error getting account:", err);
-      ctx.throw(500, "Error fetching email account");
+      strapi.log.error("[magic-mail] Error getting account:", err.message);
+      ctx.throw(err.status || 500, err.message || "Error fetching email account");
     }
   },
   /**
@@ -1046,33 +1065,40 @@ var accounts$1 = {
       const { accountId } = ctx.params;
       const accountManager2 = strapi.plugin("magic-mail").service("account-manager");
       const account = await accountManager2.updateAccount(accountId, ctx.request.body);
+      if (!account) {
+        return ctx.notFound("Email account not found");
+      }
       ctx.body = {
         data: account,
         message: "Email account updated successfully"
       };
     } catch (err) {
-      strapi.log.error("[magic-mail] Error updating account:", err);
-      ctx.throw(500, err.message || "Error updating email account");
+      strapi.log.error("[magic-mail] Error updating account:", err.message);
+      ctx.throw(err.status || 500, err.message || "Error updating email account");
     }
   },
   /**
-   * Test email account
+   * Test email account with validation
    */
   async test(ctx) {
     try {
       const { accountId } = ctx.params;
-      const { testEmail, priority, type, unsubscribeUrl } = ctx.request.body;
+      const { testEmail, to, priority, type, unsubscribeUrl } = ctx.request.body;
+      const recipientEmail = testEmail || to;
+      if (!recipientEmail) {
+        return ctx.badRequest("testEmail is required");
+      }
       const testOptions = {
         priority: priority || "normal",
         type: type || "transactional",
         unsubscribeUrl: unsubscribeUrl || null
       };
       const accountManager2 = strapi.plugin("magic-mail").service("account-manager");
-      const result = await accountManager2.testAccount(accountId, testEmail, testOptions);
+      const result = await accountManager2.testAccount(accountId, recipientEmail, testOptions);
       ctx.body = result;
     } catch (err) {
-      strapi.log.error("[magic-mail] Error testing account:", err);
-      ctx.throw(500, "Error testing email account");
+      strapi.log.error("[magic-mail] Error testing account:", err.message);
+      ctx.throw(err.status || 500, err.message || "Error testing email account");
     }
   },
   /**
@@ -1172,6 +1198,12 @@ var accounts$1 = {
     }
   }
 };
+function escapeHtml(str) {
+  return String(str || "").replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#039;");
+}
+function escapeJs(str) {
+  return String(str || "").replace(/\\/g, "\\\\").replace(/'/g, "\\'").replace(/"/g, '\\"').replace(/\n/g, "\\n").replace(/\r/g, "\\r");
+}
 var oauth$3 = {
   /**
    * Initiate Gmail OAuth flow
@@ -1217,7 +1249,7 @@ var oauth$3 = {
           </head>
           <body>
             <div class="error">[ERROR] OAuth Authorization Failed</div>
-            <p>Error: ${error}</p>
+            <p>Error: ${escapeHtml(error)}</p>
             <p>You can close this window and try again.</p>
             <script>
               setTimeout(() => window.close(), 3000);
@@ -1258,15 +1290,15 @@ var oauth$3 = {
               // Send data to parent window
               window.opener.postMessage({
                 type: 'gmail-oauth-success',
-                code: '${code}',
-                state: '${state}'
+                code: '${escapeJs(code)}',
+                state: '${escapeJs(state)}'
               }, window.location.origin);
               
               setTimeout(() => window.close(), 1500);
             } else {
               // Fallback: redirect to admin panel
               setTimeout(() => {
-                window.location.href = '/admin/plugins/magic-mail?oauth_code=${code}&oauth_state=${state}';
+                window.location.href = '/admin/plugins/magic-mail?oauth_code=' + encodeURIComponent('${escapeJs(code)}') + '&oauth_state=' + encodeURIComponent('${escapeJs(state)}');
               }, 2000);
             }
           <\/script>
@@ -1326,7 +1358,7 @@ var oauth$3 = {
           </head>
           <body>
             <div class="error">[ERROR] OAuth Authorization Failed</div>
-            <p>Error: ${error}</p>
+            <p>Error: ${escapeHtml(error)}</p>
             <p>You can close this window and try again.</p>
             <script>
               setTimeout(() => window.close(), 3000);
@@ -1367,15 +1399,15 @@ var oauth$3 = {
               // Send data to parent window
               window.opener.postMessage({
                 type: 'microsoft-oauth-success',
-                code: '${code}',
-                state: '${state}'
+                code: '${escapeJs(code)}',
+                state: '${escapeJs(state)}'
               }, window.location.origin);
               
               setTimeout(() => window.close(), 1500);
             } else {
               // Fallback: redirect to admin panel
               setTimeout(() => {
-                window.location.href = '/admin/plugins/magic-mail?oauth_code=${code}&oauth_state=${state}';
+                window.location.href = '/admin/plugins/magic-mail?oauth_code=' + encodeURIComponent('${escapeJs(code)}') + '&oauth_state=' + encodeURIComponent('${escapeJs(state)}');
               }, 2000);
             }
           <\/script>
@@ -1431,7 +1463,7 @@ var oauth$3 = {
           </head>
           <body>
             <div class="error">[ERROR] OAuth Authorization Failed</div>
-            <p>Error: ${error}</p>
+            <p>Error: ${escapeHtml(error)}</p>
             <p>You can close this window and try again.</p>
             <script>
               setTimeout(() => window.close(), 3000);
@@ -1472,15 +1504,15 @@ var oauth$3 = {
               // Send data to parent window
               window.opener.postMessage({
                 type: 'yahoo-oauth-success',
-                code: '${code}',
-                state: '${state}'
+                code: '${escapeJs(code)}',
+                state: '${escapeJs(state)}'
               }, window.location.origin);
               
               setTimeout(() => window.close(), 1500);
             } else {
               // Fallback: redirect to admin panel
               setTimeout(() => {
-                window.location.href = '/admin/plugins/magic-mail?oauth_code=${code}&oauth_state=${state}';
+                window.location.href = '/admin/plugins/magic-mail?oauth_code=' + encodeURIComponent('${escapeJs(code)}') + '&oauth_state=' + encodeURIComponent('${escapeJs(state)}');
               }, 2000);
             }
           <\/script>
@@ -1583,6 +1615,16 @@ var oauth$3 = {
   }
 };
 const ROUTING_RULE_UID = "plugin::magic-mail.routing-rule";
+const ALLOWED_RULE_FIELDS = ["name", "conditions", "accountName", "priority", "isActive", "matchType", "matchField", "matchValue", "description"];
+function sanitizeRuleData(body) {
+  const data = {};
+  for (const field of ALLOWED_RULE_FIELDS) {
+    if (body[field] !== void 0) {
+      data[field] = body[field];
+    }
+  }
+  return data;
+}
 var routingRules$1 = {
   /**
    * Get all routing rules
@@ -1590,15 +1632,14 @@ var routingRules$1 = {
   async getAll(ctx) {
     try {
       const rules = await strapi.documents(ROUTING_RULE_UID).findMany({
-        sort: [{ priority: "desc" }]
+        sort: [{ priority: "asc" }]
       });
       ctx.body = {
-        data: rules,
-        meta: { count: rules.length }
+        data: rules
       };
     } catch (err) {
-      strapi.log.error("[magic-mail] Error getting routing rules:", err);
-      ctx.throw(500, "Error fetching routing rules");
+      strapi.log.error("[magic-mail] Error getting routing rules:", err.message);
+      ctx.throw(err.status || 500, err.message || "Error fetching routing rules");
     }
   },
   /**
@@ -1611,18 +1652,18 @@ var routingRules$1 = {
         documentId: ruleId
       });
       if (!rule) {
-        ctx.throw(404, "Routing rule not found");
+        return ctx.notFound("Routing rule not found");
       }
       ctx.body = {
         data: rule
       };
     } catch (err) {
-      strapi.log.error("[magic-mail] Error getting routing rule:", err);
-      ctx.throw(500, "Error fetching routing rule");
+      strapi.log.error("[magic-mail] Error getting routing rule:", err.message);
+      ctx.throw(err.status || 500, err.message || "Error fetching routing rule");
     }
   },
   /**
-   * Create new routing rule
+   * Create new routing rule with input sanitization
    */
   async create(ctx) {
     try {
@@ -1630,31 +1671,34 @@ var routingRules$1 = {
       const currentRules = await strapi.documents(ROUTING_RULE_UID).count();
       const maxRules = await licenseGuard2.getMaxRoutingRules();
       if (maxRules !== -1 && currentRules >= maxRules) {
-        ctx.throw(403, `Routing rule limit reached (${maxRules}). Upgrade to Advanced license for unlimited rules.`);
-        return;
+        return ctx.forbidden(`Routing rule limit reached (${maxRules}). Upgrade to Advanced license for unlimited rules.`);
       }
-      const rule = await strapi.documents(ROUTING_RULE_UID).create({
-        data: ctx.request.body
-      });
+      const data = sanitizeRuleData(ctx.request.body);
+      const rule = await strapi.documents(ROUTING_RULE_UID).create({ data });
       ctx.body = {
         data: rule,
         message: "Routing rule created successfully"
       };
       strapi.log.info(`[magic-mail] [SUCCESS] Routing rule created: ${rule.name}`);
     } catch (err) {
-      strapi.log.error("[magic-mail] Error creating routing rule:", err);
+      strapi.log.error("[magic-mail] Error creating routing rule:", err.message);
       ctx.throw(err.status || 500, err.message || "Error creating routing rule");
     }
   },
   /**
-   * Update routing rule
+   * Update routing rule with existence check and input sanitization
    */
   async update(ctx) {
     try {
       const { ruleId } = ctx.params;
+      const existing = await strapi.documents(ROUTING_RULE_UID).findOne({ documentId: ruleId });
+      if (!existing) {
+        return ctx.notFound("Routing rule not found");
+      }
+      const data = sanitizeRuleData(ctx.request.body);
       const rule = await strapi.documents(ROUTING_RULE_UID).update({
         documentId: ruleId,
-        data: ctx.request.body
+        data
       });
       ctx.body = {
         data: rule,
@@ -1662,16 +1706,20 @@ var routingRules$1 = {
       };
       strapi.log.info(`[magic-mail] [SUCCESS] Routing rule updated: ${rule.name}`);
     } catch (err) {
-      strapi.log.error("[magic-mail] Error updating routing rule:", err);
-      ctx.throw(500, err.message || "Error updating routing rule");
+      strapi.log.error("[magic-mail] Error updating routing rule:", err.message);
+      ctx.throw(err.status || 500, err.message || "Error updating routing rule");
     }
   },
   /**
-   * Delete routing rule
+   * Delete routing rule with existence check
    */
   async delete(ctx) {
     try {
       const { ruleId } = ctx.params;
+      const existing = await strapi.documents(ROUTING_RULE_UID).findOne({ documentId: ruleId });
+      if (!existing) {
+        return ctx.notFound("Routing rule not found");
+      }
       await strapi.documents(ROUTING_RULE_UID).delete({
         documentId: ruleId
       });
@@ -1680,8 +1728,8 @@ var routingRules$1 = {
       };
       strapi.log.info(`[magic-mail] Routing rule deleted: ${ruleId}`);
     } catch (err) {
-      strapi.log.error("[magic-mail] Error deleting routing rule:", err);
-      ctx.throw(500, "Error deleting routing rule");
+      strapi.log.error("[magic-mail] Error deleting routing rule:", err.message);
+      ctx.throw(err.status || 500, err.message || "Error deleting routing rule");
     }
   }
 };
@@ -1828,7 +1876,6 @@ function requireFeatures() {
      */
     hasFeature(licenseData, featureName) {
       if (!licenseData) {
-        console.log(`[features.js] [WARNING]  No license data → using FREE tier`);
         return this.free.features.includes(featureName);
       }
       let isEnterprise = false;
@@ -1854,20 +1901,15 @@ function requireFeatures() {
         isPremium = true;
       }
       if (isEnterprise && this.enterprise.features.includes(featureName)) {
-        console.log(`[features.js] [SUCCESS] ENTERPRISE tier has feature "${featureName}"`);
         return true;
       }
       if (isAdvanced && this.advanced.features.includes(featureName)) {
-        console.log(`[features.js] [SUCCESS] ADVANCED tier has feature "${featureName}"`);
         return true;
       }
       if (isPremium && this.premium.features.includes(featureName)) {
-        console.log(`[features.js] [SUCCESS] PREMIUM tier has feature "${featureName}"`);
         return true;
       }
-      const inFree = this.free.features.includes(featureName);
-      console.log(`[features.js] ${inFree ? "[SUCCESS]" : "[ERROR]"} FREE tier check for "${featureName}": ${inFree}`);
-      return inFree;
+      return this.free.features.includes(featureName);
     },
     /**
      * Get max allowed accounts for license tier
@@ -1976,7 +2018,7 @@ var license$1 = ({ strapi: strapi2 }) => ({
         valid: verification.valid,
         demo: false,
         data: {
-          licenseKey,
+          licenseKey: licenseKey ? licenseKey.substring(0, 8) + "..." + licenseKey.substring(licenseKey.length - 4) : null,
           email: license2?.email || null,
           firstName: license2?.firstName || null,
           lastName: license2?.lastName || null,
@@ -2057,7 +2099,6 @@ var license$1 = ({ strapi: strapi2 }) => ({
       const license2 = await licenseGuard2.getCurrentLicense();
       ctx.body = {
         success: true,
-        rawLicense: license2,
         detectedFlags: {
           featurePremium: license2?.featurePremium,
           featureAdvanced: license2?.featureAdvanced,
@@ -2138,7 +2179,7 @@ var emailDesigner$3 = ({ strapi: strapi2 }) => ({
         data: templates
       });
     } catch (error) {
-      ctx.throw(500, error);
+      ctx.throw(500, error.message);
     }
   },
   /**
@@ -2156,7 +2197,7 @@ var emailDesigner$3 = ({ strapi: strapi2 }) => ({
         data: template
       });
     } catch (error) {
-      ctx.throw(500, error);
+      ctx.throw(500, error.message);
     }
   },
   /**
@@ -2173,7 +2214,7 @@ var emailDesigner$3 = ({ strapi: strapi2 }) => ({
       if (error.message.includes("limit reached") || error.message.includes("already exists")) {
         return ctx.badRequest(error.message);
       }
-      ctx.throw(500, error);
+      ctx.throw(500, error.message);
     }
   },
   /**
@@ -2191,7 +2232,7 @@ var emailDesigner$3 = ({ strapi: strapi2 }) => ({
       if (error.message.includes("not found")) {
         return ctx.notFound(error.message);
       }
-      ctx.throw(500, error);
+      ctx.throw(500, error.message);
     }
   },
   /**
@@ -2206,7 +2247,7 @@ var emailDesigner$3 = ({ strapi: strapi2 }) => ({
         message: "Template deleted successfully"
       });
     } catch (error) {
-      ctx.throw(500, error);
+      ctx.throw(500, error.message);
     }
   },
   /**
@@ -2221,7 +2262,7 @@ var emailDesigner$3 = ({ strapi: strapi2 }) => ({
         data: versions
       });
     } catch (error) {
-      ctx.throw(500, error);
+      ctx.throw(500, error.message);
     }
   },
   /**
@@ -2239,7 +2280,7 @@ var emailDesigner$3 = ({ strapi: strapi2 }) => ({
       if (error.message.includes("not found")) {
         return ctx.notFound(error.message);
       }
-      ctx.throw(500, error);
+      ctx.throw(500, error.message);
     }
   },
   /**
@@ -2260,7 +2301,7 @@ var emailDesigner$3 = ({ strapi: strapi2 }) => ({
       if (error.message.includes("does not belong")) {
         return ctx.badRequest(error.message);
       }
-      ctx.throw(500, error);
+      ctx.throw(500, error.message);
     }
   },
   /**
@@ -2278,7 +2319,7 @@ var emailDesigner$3 = ({ strapi: strapi2 }) => ({
       if (error.message.includes("not found")) {
         return ctx.notFound(error.message);
       }
-      ctx.throw(500, error);
+      ctx.throw(500, error.message);
     }
   },
   /**
@@ -2297,7 +2338,7 @@ var emailDesigner$3 = ({ strapi: strapi2 }) => ({
       if (error.message.includes("not found")) {
         return ctx.notFound(error.message);
       }
-      ctx.throw(500, error);
+      ctx.throw(500, error.message);
     }
   },
   /**
@@ -2315,7 +2356,7 @@ var emailDesigner$3 = ({ strapi: strapi2 }) => ({
       if (error.message.includes("requires")) {
         return ctx.forbidden(error.message);
       }
-      ctx.throw(500, error);
+      ctx.throw(500, error.message);
     }
   },
   /**
@@ -2336,7 +2377,7 @@ var emailDesigner$3 = ({ strapi: strapi2 }) => ({
       if (error.message.includes("requires")) {
         return ctx.forbidden(error.message);
       }
-      ctx.throw(500, error);
+      ctx.throw(500, error.message);
     }
   },
   /**
@@ -2350,7 +2391,7 @@ var emailDesigner$3 = ({ strapi: strapi2 }) => ({
         data: stats
       });
     } catch (error) {
-      ctx.throw(500, error);
+      ctx.throw(500, error.message);
     }
   },
   /**
@@ -2365,7 +2406,7 @@ var emailDesigner$3 = ({ strapi: strapi2 }) => ({
         data: template
       });
     } catch (error) {
-      ctx.throw(500, error);
+      ctx.throw(500, error.message);
     }
   },
   /**
@@ -2380,7 +2421,7 @@ var emailDesigner$3 = ({ strapi: strapi2 }) => ({
         data: template
       });
     } catch (error) {
-      ctx.throw(500, error);
+      ctx.throw(500, error.message);
     }
   },
   /**
@@ -2409,8 +2450,8 @@ var emailDesigner$3 = ({ strapi: strapi2 }) => ({
       ctx.set("Content-Disposition", `attachment; filename="${fileName}"`);
       ctx.send(fileContent);
     } catch (error) {
-      strapi2.log.error("[magic-mail] Error downloading template:", error);
-      ctx.throw(500, error);
+      strapi2.log.error("[magic-mail] Error downloading template:", error.message);
+      ctx.throw(500, error.message);
     }
   },
   /**
@@ -2428,7 +2469,7 @@ var emailDesigner$3 = ({ strapi: strapi2 }) => ({
       if (error.message.includes("not found")) {
         return ctx.notFound(error.message);
       }
-      ctx.throw(500, error);
+      ctx.throw(500, error.message);
     }
   },
   /**
@@ -2489,7 +2530,11 @@ var analytics$3 = ({ strapi: strapi2 }) => ({
    */
   async trackOpen(ctx) {
     const { emailId, recipientHash } = ctx.params;
-    await strapi2.plugin("magic-mail").service("analytics").recordOpen(emailId, recipientHash, ctx.request);
+    try {
+      await strapi2.plugin("magic-mail").service("analytics").recordOpen(emailId, recipientHash, ctx.request);
+    } catch (err) {
+      strapi2.log.error("[magic-mail] Error recording open event:", err.message);
+    }
     const pixel = Buffer.from(
       "R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7",
       "base64"
@@ -2498,20 +2543,34 @@ var analytics$3 = ({ strapi: strapi2 }) => ({
     ctx.body = pixel;
   },
   /**
-   * Click tracking endpoint
+   * Click tracking endpoint with open-redirect protection
    * GET /magic-mail/track/click/:emailId/:linkHash/:recipientHash
    */
   async trackClick(ctx) {
     const { emailId, linkHash, recipientHash } = ctx.params;
-    let { url } = ctx.query;
-    if (!url) {
+    let url;
+    try {
       const analyticsService = strapi2.plugin("magic-mail").service("analytics");
       url = await analyticsService.getOriginalUrlFromHash(emailId, linkHash);
+    } catch (err) {
+      strapi2.log.error("[magic-mail] Error getting original URL:", err.message);
     }
     if (!url) {
-      return ctx.badRequest("Missing target URL");
+      return ctx.badRequest("Invalid or expired tracking link");
+    }
+    try {
+      const parsed = new URL(url);
+      if (!["http:", "https:"].includes(parsed.protocol)) {
+        return ctx.badRequest("Invalid URL protocol");
+      }
+    } catch {
+      return ctx.badRequest("Invalid URL format");
+    }
+    try {
+      await strapi2.plugin("magic-mail").service("analytics").recordClick(emailId, linkHash, recipientHash, url, ctx.request);
+    } catch (err) {
+      strapi2.log.error("[magic-mail] Error recording click event:", err.message);
     }
-    await strapi2.plugin("magic-mail").service("analytics").recordClick(emailId, linkHash, recipientHash, url, ctx.request);
     ctx.redirect(url);
   },
   /**
@@ -2535,7 +2594,7 @@ var analytics$3 = ({ strapi: strapi2 }) => ({
         data: stats
       });
     } catch (error) {
-      ctx.throw(500, error);
+      ctx.throw(500, error.message);
     }
   },
   /**
@@ -2561,7 +2620,7 @@ var analytics$3 = ({ strapi: strapi2 }) => ({
         ...result
       });
     } catch (error) {
-      ctx.throw(500, error);
+      ctx.throw(500, error.message);
     }
   },
   /**
@@ -2580,7 +2639,7 @@ var analytics$3 = ({ strapi: strapi2 }) => ({
         data: emailLog2
       });
     } catch (error) {
-      ctx.throw(500, error);
+      ctx.throw(500, error.message);
     }
   },
   /**
@@ -2597,7 +2656,7 @@ var analytics$3 = ({ strapi: strapi2 }) => ({
         data: activity
       });
     } catch (error) {
-      ctx.throw(500, error);
+      ctx.throw(500, error.message);
     }
   },
   /**
@@ -2671,8 +2730,8 @@ var analytics$3 = ({ strapi: strapi2 }) => ({
         }
       });
     } catch (error) {
-      strapi2.log.error("[magic-mail] Debug error:", error);
-      ctx.throw(500, error);
+      strapi2.log.error("[magic-mail] Debug error:", error.message);
+      ctx.throw(500, error.message);
     }
   },
   /**
@@ -2701,8 +2760,8 @@ var analytics$3 = ({ strapi: strapi2 }) => ({
         message: "Email log deleted successfully"
       });
     } catch (error) {
-      strapi2.log.error("[magic-mail] Error deleting email log:", error);
-      ctx.throw(500, error);
+      strapi2.log.error("[magic-mail] Error deleting email log:", error.message);
+      ctx.throw(500, error.message);
     }
   },
   /**
@@ -2744,8 +2803,8 @@ var analytics$3 = ({ strapi: strapi2 }) => ({
         deletedCount: emailLogs.length
       });
     } catch (error) {
-      strapi2.log.error("[magic-mail] Error clearing email logs:", error);
-      ctx.throw(500, error);
+      strapi2.log.error("[magic-mail] Error clearing email logs:", error.message);
+      ctx.throw(500, error.message);
     }
   }
 });
@@ -2968,7 +3027,7 @@ var test$1 = {
     } catch (error) {
       console.error("\n[ERROR] FEHLER:", error.message);
       console.error(error.stack);
-      ctx.throw(500, error);
+      ctx.throw(500, error.message);
     }
   }
 };
@@ -3276,8 +3335,7 @@ var admin$1 = {
       path: "/accounts",
       handler: "accounts.create",
       config: {
-        policies: [],
-        auth: false,
+        policies: ["admin::isAuthenticatedAdmin"],
         description: "Create email account"
       }
     },
@@ -3466,7 +3524,7 @@ var admin$1 = {
       path: "/license/limits",
       handler: "license.getLimits",
       config: {
-        policies: [],
+        policies: ["admin::isAuthenticatedAdmin"],
         description: "Get license limits and available features"
       }
     },
@@ -3475,7 +3533,7 @@ var admin$1 = {
       path: "/license/debug",
       handler: "license.debugLicense",
       config: {
-        policies: [],
+        policies: ["admin::isAuthenticatedAdmin"],
         description: "Debug license data"
       }
     },
@@ -3846,9 +3904,7 @@ var contentApi$1 = {
       path: "/send",
       handler: "controller.send",
       config: {
-        auth: false,
-        // Can be called from anywhere
-        description: "Send email via MagicMail router"
+        description: "Send email via MagicMail router (requires API token)"
       }
     },
     // ============= UNIFIED MESSAGE ROUTE =============
@@ -3857,8 +3913,7 @@ var contentApi$1 = {
       path: "/send-message",
       handler: "controller.sendMessage",
       config: {
-        auth: false,
-        description: "Send message via Email or WhatsApp (unified API)"
+        description: "Send message via Email or WhatsApp (requires API token)"
       }
     },
     // ============= WHATSAPP ROUTES =============
@@ -3867,8 +3922,7 @@ var contentApi$1 = {
       path: "/send-whatsapp",
       handler: "controller.sendWhatsApp",
       config: {
-        auth: false,
-        description: "Send WhatsApp message"
+        description: "Send WhatsApp message (requires API token)"
       }
     },
     {
@@ -3876,8 +3930,7 @@ var contentApi$1 = {
       path: "/whatsapp/status",
       handler: "controller.getWhatsAppStatus",
       config: {
-        auth: false,
-        description: "Get WhatsApp connection status"
+        description: "Get WhatsApp connection status (requires API token)"
       }
     },
     {
@@ -3885,8 +3938,7 @@ var contentApi$1 = {
       path: "/whatsapp/check/:phoneNumber",
       handler: "controller.checkWhatsAppNumber",
       config: {
-        auth: false,
-        description: "Check if phone number is on WhatsApp"
+        description: "Check if phone number is on WhatsApp (requires API token)"
       }
     },
     // ============= TRACKING ROUTES =============
@@ -3925,11 +3977,12 @@ const ALGORITHM = "aes-256-gcm";
 const IV_LENGTH = 16;
 function getEncryptionKey() {
   const envKey = process.env.MAGIC_MAIL_ENCRYPTION_KEY || process.env.APP_KEYS;
-  if (envKey) {
-    return crypto$2.createHash("sha256").update(envKey).digest();
+  if (!envKey) {
+    throw new Error(
+      "[magic-mail] FATAL: No encryption key configured. Set MAGIC_MAIL_ENCRYPTION_KEY or APP_KEYS in your environment variables. Email account credentials cannot be stored securely without a proper key."
+    );
   }
-  console.warn("[magic-mail] [WARNING]  No MAGIC_MAIL_ENCRYPTION_KEY found. Using fallback.");
-  return crypto$2.createHash("sha256").update("magic-mail-default-key").digest();
+  return crypto$2.createHash("sha256").update(envKey).digest();
 }
 function encryptCredentials$2(data) {
   if (!data) return null;
@@ -3943,8 +3996,7 @@ function encryptCredentials$2(data) {
     const authTag = cipher.getAuthTag();
     return { encrypted: `${iv.toString("hex")}:${authTag.toString("hex")}:${encrypted}` };
   } catch (err) {
-    console.error("[magic-mail] Encryption failed:", err);
-    throw new Error("Failed to encrypt credentials");
+    throw new Error(`Failed to encrypt credentials: ${err.message}`);
   }
 }
 function decryptCredentials$2(encryptedData) {
@@ -3965,7 +4017,9 @@ function decryptCredentials$2(encryptedData) {
     decrypted += decipher.final("utf8");
     return JSON.parse(decrypted);
   } catch (err) {
-    console.error("[magic-mail] Decryption failed:", err);
+    if (typeof strapi !== "undefined" && strapi.log) {
+      strapi.log.error("[magic-mail] Decryption failed:", err.message);
+    }
     return null;
   }
 }
@@ -5390,8 +5444,8 @@ var accountManager$1 = ({ strapi: strapi2 }) => ({
       dailyLimit = 0,
       hourlyLimit = 0
     } = accountData;
-    console.log("create account", accountData);
-    const encryptedConfig = encryptCredentials$1(config2);
+    strapi2.log.info(`[magic-mail] Creating account: ${name} (${provider})`);
+    const encryptedConfig = config2 ? encryptCredentials$1(config2) : null;
     if (isPrimary) {
       await this.unsetAllPrimary();
     }
@@ -5444,7 +5498,7 @@ var accountManager$1 = ({ strapi: strapi2 }) => ({
       dailyLimit,
       hourlyLimit
     } = accountData;
-    const encryptedConfig = encryptCredentials$1(config2);
+    const encryptedConfig = config2 ? encryptCredentials$1(config2) : existingAccount.config;
     if (isPrimary && !existingAccount.isPrimary) {
       await this.unsetAllPrimary();
     }
@@ -5647,7 +5701,7 @@ var oauth$1 = ({ strapi: strapi2 }) => ({
       "https://www.googleapis.com/auth/userinfo.email",
       "openid"
     ].join(" ");
-    const authUrl = `https://accounts.google.com/o/oauth2/v2/auth?client_id=${encodeURIComponent(clientId)}&redirect_uri=${encodeURIComponent(redirectUri)}&response_type=code&scope=${encodeURIComponent(scopes)}&access_type=offline&prompt=consent&state=${state}`;
+    const authUrl = `https://accounts.google.com/o/oauth2/v2/auth?client_id=${encodeURIComponent(clientId)}&redirect_uri=${encodeURIComponent(redirectUri)}&response_type=code&scope=${encodeURIComponent(scopes)}&access_type=offline&prompt=consent&state=${encodeURIComponent(state)}`;
     return authUrl;
   },
   /**
@@ -5727,7 +5781,7 @@ var oauth$1 = ({ strapi: strapi2 }) => ({
     const tokens = await response.json();
     return {
       accessToken: tokens.access_token,
-      expiresAt: new Date(Date.now() + tokens.expires_in * 1e3)
+      expiresAt: new Date(Date.now() + (tokens.expires_in || 3600) * 1e3)
     };
   },
   /**
@@ -5756,7 +5810,7 @@ var oauth$1 = ({ strapi: strapi2 }) => ({
       "email"
       // Email address
     ].join(" ");
-    const authUrl = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/authorize?client_id=${encodeURIComponent(clientId)}&redirect_uri=${encodeURIComponent(redirectUri)}&response_type=code&scope=${encodeURIComponent(scopes)}&response_mode=query&prompt=consent&state=${state}`;
+    const authUrl = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/authorize?client_id=${encodeURIComponent(clientId)}&redirect_uri=${encodeURIComponent(redirectUri)}&response_type=code&scope=${encodeURIComponent(scopes)}&response_mode=query&prompt=consent&state=${encodeURIComponent(state)}`;
     strapi2.log.info(`[magic-mail] Microsoft OAuth URL: Using tenant ${tenantId}`);
     return authUrl;
   },
@@ -5897,7 +5951,7 @@ var oauth$1 = ({ strapi: strapi2 }) => ({
       "sdps-r"
       // Read profile
     ].join(" ");
-    const authUrl = `https://api.login.yahoo.com/oauth2/request_auth?client_id=${encodeURIComponent(clientId)}&redirect_uri=${encodeURIComponent(redirectUri)}&response_type=code&scope=${encodeURIComponent(scopes)}&state=${state}`;
+    const authUrl = `https://api.login.yahoo.com/oauth2/request_auth?client_id=${encodeURIComponent(clientId)}&redirect_uri=${encodeURIComponent(redirectUri)}&response_type=code&scope=${encodeURIComponent(scopes)}&state=${encodeURIComponent(state)}`;
     return authUrl;
   },
   /**
@@ -5981,7 +6035,7 @@ var oauth$1 = ({ strapi: strapi2 }) => ({
     const tokens = await response.json();
     return {
       accessToken: tokens.access_token,
-      expiresAt: new Date(Date.now() + tokens.expires_in * 1e3)
+      expiresAt: new Date(Date.now() + (tokens.expires_in || 3600) * 1e3)
     };
   },
   /**
@@ -6032,7 +6086,7 @@ var oauth$1 = ({ strapi: strapi2 }) => ({
     return account;
   }
 });
-const version = "2.6.6";
+const version = "2.6.8";
 const require$$2 = {
   version
 };
@@ -6312,8 +6366,8 @@ var licenseGuard$1 = ({ strapi: strapi2 }) => {
         log.info("──────────────────────────────────────────────────────────");
         log.info(`📦 Plugin Store Check:`);
         if (licenseKey) {
-          log.info(`   [SUCCESS] License Key found: ${licenseKey}`);
-          log.info(`   [LICENSE] Key (short): ${licenseKey.substring(0, 10)}...`);
+          const maskedKey = licenseKey.substring(0, 8) + "..." + licenseKey.substring(licenseKey.length - 4);
+          log.info(`   [SUCCESS] License Key found: ${maskedKey}`);
           if (lastValidated) {
             const lastValidatedDate = new Date(lastValidated);
             const hoursAgo = Math.floor((now.getTime() - lastValidatedDate.getTime()) / (1e3 * 60 * 60));
@@ -6419,7 +6473,7 @@ const convertHtmlToText = (html, options2 = { wordwrap: 130 }) => {
     }
     return html.replace(/<[^>]*>/g, "");
   } catch (error) {
-    strapi.log.error("[magic-mail] Error converting HTML to text:", error);
+    console.error("[magic-mail] Error converting HTML to text:", error.message);
     return (html || "").replace(/<[^>]*>/g, "");
   }
 };
@@ -7042,8 +7096,14 @@ var analytics$1 = ({ strapi: strapi2 }) => ({
    * Generate secure hash for recipient (for tracking URLs)
    */
   generateRecipientHash(emailId, recipient) {
+    const secret = process.env.APP_KEYS || process.env.MAGIC_MAIL_ENCRYPTION_KEY;
+    if (!secret) {
+      throw new Error(
+        "[magic-mail] FATAL: No HMAC secret configured. Set APP_KEYS or MAGIC_MAIL_ENCRYPTION_KEY in your environment variables. Tracking hashes cannot be generated securely without a proper key."
+      );
+    }
     const normalized = (recipient || "").trim().toLowerCase();
-    return crypto.createHash("sha256").update(`${emailId}-${normalized}-${process.env.APP_KEYS || "secret"}`).digest("hex").substring(0, 16);
+    return crypto.createHmac("sha256", secret).update(`${emailId}-${normalized}`).digest("hex").substring(0, 32);
   },
   /**
    * Create email log entry