strapi-plugin-magic-mail 2.9.0 → 2.9.2

package/dist/server/index.js

@@ -1007,6 +1007,10 @@ const attributes = {
     type: "boolean",
     "default": true,
     configurable: false
+  },
+  trackingFallbackUrl: {
+    type: "string",
+    configurable: false
   }
 };
 const require$$7 = {
@@ -48884,7 +48888,11 @@ const schemas = {
     defaultFromName: headerSafe.optional(),
     defaultFromEmail: emailString.optional().or(z2.literal("")),
     unsubscribeUrl: z2.string().url().optional().or(z2.literal("")),
-    enableUnsubscribeHeader: z2.boolean().optional()
+    enableUnsubscribeHeader: z2.boolean().optional(),
+    // Where to redirect the recipient when a tracking link is no longer
+    // resolvable (e.g. retention cleanup removed the row). If empty the
+    // tracker renders a static HTML fallback page instead.
+    trackingFallbackUrl: z2.string().url().optional().or(z2.literal(""))
   }),
   // ── Content-API send payloads ───────────────────────────────────────────
   // Bounded attachments to prevent OOM from huge base64 payloads.
@@ -49344,7 +49352,7 @@ var oauthState = {
   verifyAndConsumeState: verifyAndConsumeState$1
 };
 const { createState, verifyAndConsumeState } = oauthState;
-function escapeHtml(str2) {
+function escapeHtml$1(str2) {
   return String(str2 || "").replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#039;");
 }
 function escapeJs(str2) {
@@ -49409,7 +49417,7 @@ var oauth$3 = {
           </head>
           <body>
             <div class="error">[ERROR] OAuth Authorization Failed</div>
-            <p>Error: ${escapeHtml(error2)}</p>
+            <p>Error: ${escapeHtml$1(error2)}</p>
             <p>You can close this window and try again.</p>
             <script>
               setTimeout(() => window.close(), 3000);
@@ -49520,7 +49528,7 @@ var oauth$3 = {
           </head>
           <body>
             <div class="error">[ERROR] OAuth Authorization Failed</div>
-            <p>Error: ${escapeHtml(error2)}</p>
+            <p>Error: ${escapeHtml$1(error2)}</p>
             <p>You can close this window and try again.</p>
             <script>
               setTimeout(() => window.close(), 3000);
@@ -49628,7 +49636,7 @@ var oauth$3 = {
           </head>
           <body>
             <div class="error">[ERROR] OAuth Authorization Failed</div>
-            <p>Error: ${escapeHtml(error2)}</p>
+            <p>Error: ${escapeHtml$1(error2)}</p>
             <p>You can close this window and try again.</p>
             <script>
               setTimeout(() => window.close(), 3000);
@@ -50711,6 +50719,52 @@ var emailDesigner$3 = ({ strapi: strapi2 }) => ({
 const EMAIL_LOG_UID$1 = "plugin::magic-mail.email-log";
 const EMAIL_EVENT_UID$1 = "plugin::magic-mail.email-event";
 const EMAIL_ACCOUNT_UID$1 = "plugin::magic-mail.email-account";
+const escapeHtml = (value) => String(value ?? "").replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
+const renderTrackingFallbackHtml = (reason, fallbackUrl) => {
+  const safeReason = escapeHtml(reason);
+  const safeUrl = fallbackUrl ? escapeHtml(fallbackUrl) : "";
+  const refreshMeta = fallbackUrl ? `<meta http-equiv="refresh" content="3;url=${safeUrl}">` : "";
+  const manualLink = fallbackUrl ? `<p style="margin-top:24px;font-size:14px;color:#6b7280;">
+         You will be redirected in a few seconds. If nothing happens,
+         <a href="${safeUrl}" style="color:#4f46e5;">click here</a>.
+       </p>` : `<p style="margin-top:24px;font-size:14px;color:#6b7280;">
+         You can safely close this tab.
+       </p>`;
+  return `<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width,initial-scale=1">
+    ${refreshMeta}
+    <title>Link unavailable</title>
+    <style>
+      body { font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif; background:#f9fafb; margin:0; padding:40px 20px; color:#111827; }
+      .card { max-width: 480px; margin: 60px auto; background:#fff; border-radius: 12px; padding: 32px; box-shadow: 0 1px 3px rgba(0,0,0,0.08); text-align:center; }
+      h1 { font-size: 22px; margin: 0 0 12px; }
+      p  { font-size: 15px; line-height: 1.5; color:#374151; }
+    </style>
+  </head>
+  <body>
+    <main class="card">
+      <h1>This link is no longer available</h1>
+      <p>${safeReason}</p>
+      ${manualLink}
+    </main>
+  </body>
+</html>`;
+};
+const respondWithTrackingFallback = async (ctx, reason) => {
+  let fallbackUrl = null;
+  try {
+    const settings = await strapi.plugin("magic-mail").service("plugin-settings").getSettings();
+    fallbackUrl = settings?.trackingFallbackUrl || null;
+  } catch (err) {
+    strapi.log.debug(`[magic-mail] Could not load tracking fallback setting: ${err.message}`);
+  }
+  ctx.status = 410;
+  ctx.type = "text/html; charset=utf-8";
+  ctx.body = renderTrackingFallbackHtml(reason, fallbackUrl);
+};
 var analytics$3 = ({ strapi: strapi2 }) => ({
   /**
    * Tracking pixel endpoint
@@ -50731,7 +50785,18 @@ var analytics$3 = ({ strapi: strapi2 }) => ({
     ctx.body = pixel;
   },
   /**
-   * Click tracking endpoint with open-redirect protection
+   * Click tracking endpoint with open-redirect protection.
+   *
+   * Resolves the destination URL exclusively from the database — never
+   * from query parameters — so the endpoint cannot be used as an open
+   * redirect. When the URL is no longer resolvable (retention cleanup
+   * deleted the row, the hash is wrong, the stored URL is malformed),
+   * the end-user used to receive a Strapi JSON error envelope, which is
+   * the single biggest UX regression in any tracking setup. Now the
+   * user sees a branded HTML fallback page that either redirects to the
+   * admin-configured `trackingFallbackUrl` or apologises and invites
+   * them to close the tab.
+   *
    * GET /magic-mail/track/click/:emailId/:linkHash/:recipientHash
    */
   async trackClick(ctx) {
@@ -50744,15 +50809,25 @@ var analytics$3 = ({ strapi: strapi2 }) => ({
       strapi2.log.error("[magic-mail] Error getting original URL:", err.message);
     }
     if (!url) {
-      return ctx.badRequest("Invalid or expired tracking link");
+      return respondWithTrackingFallback(
+        ctx,
+        "The page behind this link is no longer tracked. It may have been removed by our retention policy."
+      );
     }
     try {
       const parsed = new URL(url);
       if (!["http:", "https:"].includes(parsed.protocol)) {
-        return ctx.badRequest("Invalid URL protocol");
+        strapi2.log.warn(`[magic-mail] Blocked non-http(s) tracking URL for email ${emailId}`);
+        return respondWithTrackingFallback(
+          ctx,
+          "This link points to an unsupported destination and cannot be opened for your safety."
+        );
       }
     } catch {
-      return ctx.badRequest("Invalid URL format");
+      return respondWithTrackingFallback(
+        ctx,
+        "This link is no longer valid."
+      );
     }
     try {
       await strapi2.plugin("magic-mail").service("analytics").recordClick(emailId, linkHash, recipientHash, url, ctx.request);
@@ -51493,16 +51568,24 @@ var controllers$1 = {
   whatsapp: whatsapp$2,
   pluginSettings: pluginSettings$2
 };
+const PLUGIN_ACCESS_ACTION = "plugin::magic-mail.access";
+const adminPolicy = () => [
+  "admin::isAuthenticatedAdmin",
+  {
+    name: "admin::hasPermissions",
+    config: { actions: [PLUGIN_ACCESS_ACTION] }
+  }
+];
 var admin$1 = {
   type: "admin",
   routes: [
-    // Account Management
+    // ─────────────────────── Account Management ───────────────────────
     {
       method: "GET",
       path: "/accounts",
       handler: "accounts.getAll",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Get all email accounts"
       }
     },
@@ -51511,7 +51594,7 @@ var admin$1 = {
       path: "/accounts/:accountId",
       handler: "accounts.getOne",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Get single email account with decrypted config"
       }
     },
@@ -51520,7 +51603,7 @@ var admin$1 = {
       path: "/accounts",
       handler: "accounts.create",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Create email account"
       }
     },
@@ -51529,7 +51612,7 @@ var admin$1 = {
       path: "/accounts/:accountId",
       handler: "accounts.update",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Update email account"
       }
     },
@@ -51538,7 +51621,7 @@ var admin$1 = {
       path: "/accounts/:accountId/test",
       handler: "accounts.test",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Test email account"
       }
     },
@@ -51547,7 +51630,7 @@ var admin$1 = {
       path: "/test-strapi-service",
       handler: "accounts.testStrapiService",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Test Strapi Email Service integration (MagicMail intercept)"
       }
     },
@@ -51556,17 +51639,17 @@ var admin$1 = {
       path: "/accounts/:accountId",
       handler: "accounts.delete",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Delete email account"
       }
     },
-    // Routing Rules
+    // ─────────────────────── Routing Rules ───────────────────────
     {
       method: "GET",
       path: "/routing-rules",
       handler: "routingRules.getAll",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Get all routing rules"
       }
     },
@@ -51575,7 +51658,7 @@ var admin$1 = {
       path: "/routing-rules/:ruleId",
       handler: "routingRules.getOne",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Get single routing rule"
       }
     },
@@ -51584,7 +51667,7 @@ var admin$1 = {
       path: "/routing-rules",
       handler: "routingRules.create",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Create routing rule"
       }
     },
@@ -51593,7 +51676,7 @@ var admin$1 = {
       path: "/routing-rules/:ruleId",
       handler: "routingRules.update",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Update routing rule"
       }
     },
@@ -51602,23 +51685,21 @@ var admin$1 = {
       path: "/routing-rules/:ruleId",
       handler: "routingRules.delete",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Delete routing rule"
       }
     },
-    // OAuth Routes - Gmail
-    // The /auth endpoints are admin-only (they produce OAuth URLs for the
-    // currently-authenticated admin). The /callback endpoints must stay
-    // public because the upstream OAuth provider (Google/Microsoft/Yahoo)
-    // cannot send a bearer token on the redirect back — security is
-    // enforced by the signed, one-time-use state parameter that callback
-    // + token exchange verify.
+    // ─────────────────────── OAuth – Gmail ───────────────────────
+    // /auth endpoints are admin-only (they generate the OAuth URL for
+    // the currently-authenticated admin). /callback MUST remain public
+    // because Google/Microsoft/Yahoo can't send a bearer token on the
+    // redirect — security is enforced by the signed single-use state.
     {
       method: "GET",
       path: "/oauth/gmail/auth",
       handler: "oauth.gmailAuth",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Initiate Gmail OAuth flow"
       }
     },
@@ -51632,13 +51713,13 @@ var admin$1 = {
         description: "Gmail OAuth callback"
       }
     },
-    // OAuth Routes - Microsoft
+    // ─────────────────────── OAuth – Microsoft ───────────────────────
     {
       method: "GET",
       path: "/oauth/microsoft/auth",
       handler: "oauth.microsoftAuth",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Initiate Microsoft OAuth flow"
       }
     },
@@ -51652,13 +51733,13 @@ var admin$1 = {
         description: "Microsoft OAuth callback"
       }
     },
-    // OAuth Routes - Yahoo
+    // ─────────────────────── OAuth – Yahoo ───────────────────────
     {
       method: "GET",
       path: "/oauth/yahoo/auth",
       handler: "oauth.yahooAuth",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Initiate Yahoo OAuth flow"
       }
     },
@@ -51672,23 +51753,23 @@ var admin$1 = {
         description: "Yahoo OAuth callback"
       }
     },
-    // OAuth Routes - Generic
+    // ─────────────────────── OAuth – Generic ───────────────────────
     {
       method: "POST",
       path: "/oauth/create-account",
       handler: "oauth.createOAuthAccount",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Create account from OAuth"
       }
     },
-    // License Routes
+    // ─────────────────────── License ───────────────────────
     {
       method: "GET",
       path: "/license/status",
       handler: "license.getStatus",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Get license status"
       }
     },
@@ -51697,7 +51778,7 @@ var admin$1 = {
       path: "/license/auto-create",
       handler: "license.autoCreate",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Auto-create license with admin user data"
       }
     },
@@ -51706,7 +51787,7 @@ var admin$1 = {
       path: "/license/store-key",
       handler: "license.storeKey",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Store and validate existing license key"
       }
     },
@@ -51715,7 +51796,7 @@ var admin$1 = {
       path: "/license/limits",
       handler: "license.getLimits",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Get license limits and available features"
       }
     },
@@ -51724,17 +51805,17 @@ var admin$1 = {
       path: "/license/debug",
       handler: "license.debugLicense",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Debug license data"
       }
     },
-    // Email Designer Routes
+    // ─────────────────────── Email Designer ───────────────────────
     {
       method: "GET",
       path: "/designer/templates",
       handler: "emailDesigner.findAll",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Get all email templates"
       }
     },
@@ -51743,7 +51824,7 @@ var admin$1 = {
       path: "/designer/templates/:id",
       handler: "emailDesigner.findOne",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Get email template by ID"
       }
     },
@@ -51752,7 +51833,7 @@ var admin$1 = {
       path: "/designer/templates",
       handler: "emailDesigner.create",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Create email template"
       }
     },
@@ -51761,7 +51842,7 @@ var admin$1 = {
       path: "/designer/templates/:id",
       handler: "emailDesigner.update",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Update email template"
       }
     },
@@ -51770,7 +51851,7 @@ var admin$1 = {
       path: "/designer/templates/:id",
       handler: "emailDesigner.delete",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Delete email template"
       }
     },
@@ -51779,7 +51860,7 @@ var admin$1 = {
       path: "/designer/templates/:id/versions",
       handler: "emailDesigner.getVersions",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Get template versions"
       }
     },
@@ -51788,7 +51869,7 @@ var admin$1 = {
       path: "/designer/templates/:id/versions/:versionId/restore",
       handler: "emailDesigner.restoreVersion",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Restore template from version"
       }
     },
@@ -51797,7 +51878,7 @@ var admin$1 = {
       path: "/designer/templates/:id/versions/:versionId/delete",
       handler: "emailDesigner.deleteVersion",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Delete a single version"
       }
     },
@@ -51806,7 +51887,7 @@ var admin$1 = {
       path: "/designer/templates/:id/versions/delete-all",
       handler: "emailDesigner.deleteAllVersions",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Delete all versions for a template"
       }
     },
@@ -51815,7 +51896,7 @@ var admin$1 = {
       path: "/designer/render/:templateReferenceId",
       handler: "emailDesigner.renderTemplate",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Render template with data"
       }
     },
@@ -51824,7 +51905,7 @@ var admin$1 = {
       path: "/designer/export",
       handler: "emailDesigner.exportTemplates",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Export templates (ADVANCED+)"
       }
     },
@@ -51833,7 +51914,7 @@ var admin$1 = {
       path: "/designer/import",
       handler: "emailDesigner.importTemplates",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Import templates (ADVANCED+)"
       }
     },
@@ -51842,7 +51923,7 @@ var admin$1 = {
       path: "/designer/stats",
       handler: "emailDesigner.getStats",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Get template statistics"
       }
     },
@@ -51851,7 +51932,7 @@ var admin$1 = {
       path: "/designer/core/:coreEmailType",
       handler: "emailDesigner.getCoreTemplate",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Get core email template"
       }
     },
@@ -51860,7 +51941,7 @@ var admin$1 = {
       path: "/designer/core/:coreEmailType",
       handler: "emailDesigner.updateCoreTemplate",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Update core email template"
       }
     },
@@ -51869,7 +51950,7 @@ var admin$1 = {
       path: "/designer/templates/:id/download",
       handler: "emailDesigner.download",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Download template as HTML or JSON"
       }
     },
@@ -51878,7 +51959,7 @@ var admin$1 = {
       path: "/designer/templates/:id/duplicate",
       handler: "emailDesigner.duplicate",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Duplicate template"
       }
     },
@@ -51887,17 +51968,17 @@ var admin$1 = {
       path: "/designer/templates/:id/test-send",
       handler: "emailDesigner.testSend",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Send test email for template"
       }
     },
-    // Analytics & Tracking
+    // ─────────────────────── Analytics & Tracking ───────────────────────
     {
       method: "GET",
       path: "/analytics/stats",
       handler: "analytics.getStats",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Get analytics statistics"
       }
     },
@@ -51906,7 +51987,7 @@ var admin$1 = {
       path: "/analytics/emails",
       handler: "analytics.getEmailLogs",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Get email logs"
       }
     },
@@ -51915,7 +51996,7 @@ var admin$1 = {
       path: "/analytics/emails/:emailId",
       handler: "analytics.getEmailDetails",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Get email details"
       }
     },
@@ -51924,7 +52005,7 @@ var admin$1 = {
       path: "/analytics/users/:userId",
       handler: "analytics.getUserActivity",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Get user email activity"
       }
     },
@@ -51933,7 +52014,7 @@ var admin$1 = {
       path: "/analytics/debug",
       handler: "analytics.debug",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Debug analytics state"
       }
     },
@@ -51942,7 +52023,7 @@ var admin$1 = {
       path: "/analytics/emails/:emailId",
       handler: "analytics.deleteEmailLog",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Delete single email log"
       }
     },
@@ -51951,27 +52032,27 @@ var admin$1 = {
       path: "/analytics/emails",
       handler: "analytics.clearAllEmailLogs",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Clear all email logs"
       }
     },
-    // Test Routes (Development)
+    // ─────────────────────── Test (Dev) ───────────────────────
     {
       method: "POST",
       path: "/test/relations",
       handler: "test.testRelations",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Test template-version relations"
       }
     },
-    // WhatsApp Routes
+    // ─────────────────────── WhatsApp ───────────────────────
     {
       method: "GET",
       path: "/whatsapp/available",
       handler: "whatsapp.checkAvailable",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Check if WhatsApp/Baileys is available"
       }
     },
@@ -51980,7 +52061,7 @@ var admin$1 = {
       path: "/whatsapp/status",
       handler: "whatsapp.getStatus",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Get WhatsApp connection status"
       }
     },
@@ -51989,7 +52070,7 @@ var admin$1 = {
       path: "/whatsapp/connect",
       handler: "whatsapp.connect",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Connect to WhatsApp (generates QR if needed)"
       }
     },
@@ -51998,7 +52079,7 @@ var admin$1 = {
       path: "/whatsapp/disconnect",
       handler: "whatsapp.disconnect",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Disconnect from WhatsApp"
       }
     },
@@ -52007,7 +52088,7 @@ var admin$1 = {
       path: "/whatsapp/send-test",
       handler: "whatsapp.sendTest",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Send a test WhatsApp message"
       }
     },
@@ -52016,7 +52097,7 @@ var admin$1 = {
       path: "/whatsapp/send-template",
       handler: "whatsapp.sendTemplateMessage",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Send WhatsApp message using template"
       }
     },
@@ -52025,7 +52106,7 @@ var admin$1 = {
       path: "/whatsapp/check-number",
       handler: "whatsapp.checkNumber",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Check if phone number is on WhatsApp"
       }
     },
@@ -52034,7 +52115,7 @@ var admin$1 = {
       path: "/whatsapp/templates",
       handler: "whatsapp.getTemplates",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Get all WhatsApp message templates"
       }
     },
@@ -52043,7 +52124,7 @@ var admin$1 = {
       path: "/whatsapp/templates",
       handler: "whatsapp.saveTemplate",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Save a WhatsApp message template"
       }
     },
@@ -52052,7 +52133,7 @@ var admin$1 = {
       path: "/whatsapp/templates/:templateName",
       handler: "whatsapp.deleteTemplate",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Delete a WhatsApp message template"
       }
     },
@@ -52061,17 +52142,17 @@ var admin$1 = {
       path: "/whatsapp/session",
       handler: "whatsapp.getSession",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Get WhatsApp session info"
       }
     },
-    // Plugin Settings Routes
+    // ─────────────────────── Plugin Settings ───────────────────────
     {
       method: "GET",
       path: "/settings",
       handler: "pluginSettings.getSettings",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Get plugin settings"
       }
     },
@@ -52080,7 +52161,7 @@ var admin$1 = {
       path: "/settings",
       handler: "pluginSettings.updateSettings",
       config: {
-        policies: ["admin::isAuthenticatedAdmin"],
+        policies: adminPolicy(),
         description: "Update plugin settings"
       }
     }
@@ -63348,7 +63429,7 @@ var oauth$1 = ({ strapi: strapi2 }) => ({
     return account;
   }
 });
-const version = "2.8.4";
+const version = "2.9.1";
 const require$$2 = {
   version
 };
@@ -65232,7 +65313,8 @@ var pluginSettings$1 = ({ strapi: strapi2 }) => ({
             defaultFromName: null,
             defaultFromEmail: null,
             unsubscribeUrl: null,
-            enableUnsubscribeHeader: true
+            enableUnsubscribeHeader: true,
+            trackingFallbackUrl: null
           }
         });
         strapi2.log.info("[magic-mail] [SETTINGS] Created default plugin settings");
@@ -65247,7 +65329,8 @@ var pluginSettings$1 = ({ strapi: strapi2 }) => ({
         defaultFromName: null,
         defaultFromEmail: null,
         unsubscribeUrl: null,
-        enableUnsubscribeHeader: true
+        enableUnsubscribeHeader: true,
+        trackingFallbackUrl: null
       };
     }
   },
@@ -65263,7 +65346,8 @@ var pluginSettings$1 = ({ strapi: strapi2 }) => ({
         trackingBaseUrl: data.trackingBaseUrl?.trim() || null,
         defaultFromName: data.defaultFromName?.trim() || null,
         defaultFromEmail: data.defaultFromEmail?.trim()?.toLowerCase() || null,
-        unsubscribeUrl: data.unsubscribeUrl?.trim() || null
+        unsubscribeUrl: data.unsubscribeUrl?.trim() || null,
+        trackingFallbackUrl: data.trackingFallbackUrl?.trim() || null
       };
       let settings = await strapi2.documents(SETTINGS_UID).findFirst({});
       if (settings) {
@@ -65281,7 +65365,8 @@ var pluginSettings$1 = ({ strapi: strapi2 }) => ({
             defaultFromName: sanitizedData.defaultFromName,
             defaultFromEmail: sanitizedData.defaultFromEmail,
             unsubscribeUrl: sanitizedData.unsubscribeUrl,
-            enableUnsubscribeHeader: sanitizedData.enableUnsubscribeHeader ?? true
+            enableUnsubscribeHeader: sanitizedData.enableUnsubscribeHeader ?? true,
+            trackingFallbackUrl: sanitizedData.trackingFallbackUrl
           }
         });
         strapi2.log.info("[magic-mail] [SETTINGS] Created plugin settings");