feat(emails): sales send-out flows + brochures + email-from settings
Phase 7 of the berth-recommender refactor (plan §3.3, §4.8, §4.9, §5.7,
§5.8, §5.9, §11.1, §14.7, §14.9). Adds the rep-driven send-out path for
per-berth PDFs and port-wide brochures, the per-port sales SMTP/IMAP
config + body templates, and the supporting admin UI.
Migration: 0031_brochures_and_document_sends.sql
Schema additions:
- brochures (port-wide, with isDefault marker + archive)
- brochure_versions (versioned uploads, storageKey per §4.7a)
- document_sends (audit log of every rep-initiated send; failures
captured with failedAt + errorReason). berthPdfVersionId is a plain
text column (no FK) — loose-coupled to Phase 6b's berth_pdf_versions
so the two phases stay independent.
§14.7 critical mitigations:
- Body XSS: rep-authored markdown goes through renderEmailBody()
(HTML-escape first, then a tight allowlist of bold/italic/code/link
rules). https:// + mailto: only — javascript:/data: URLs stripped.
Tested against script/img/iframe/svg/onerror polyglots.
- Recipient typo: strict email regex + two-step confirm modal that
shows the exact recipient before send.
- Unresolved merge fields: pre-send dry-run /preview endpoint blocks
submission until findUnresolvedTokens() returns empty.
- SMTP failure: every transport rejection writes a document_sends row
with failedAt + errorReason; UI surfaces the message.
- Hourly per-user rate limit: 50 sends/user/hour via existing
checkRateLimit().
- Size threshold fallback (§11.1): files above
email_attach_threshold_mb (default 15) ship as a 24h signed-URL
download link in the body instead of an attachment. Storage stream
flows directly to nodemailer to avoid buffering 20MB+.
§14.10 critical mitigation:
- SMTP/IMAP passwords encrypted at rest via the existing
EMAIL_CREDENTIAL_KEY (AES-256-GCM). The /api/v1/admin/email/
sales-config GET endpoint never returns the decrypted value — only
a *PassIsSet boolean. PATCH treats empty string as "leave unchanged"
and explicit null as "clear", so the masked-placeholder UI round-
trips without forcing re-entry on every save.
system_settings keys (per-port unless noted):
- sales_from_address, sales_smtp_{host,port,secure,user,pass_encrypted}
- sales_imap_{host,port,user,pass_encrypted}
- sales_auth_method (default app_password)
- noreply_from_address
- email_template_send_berth_pdf_body, email_template_send_brochure_body
- brochure_max_upload_mb (default 50)
- email_attach_threshold_mb (default 15)
UI surfaces (per §5.7, §5.8, §5.9):
- <SendDocumentDialog> shared 2-step compose+confirm flow.
- <SendBerthPdfDialog>, <SendDocumentsDialog>, <SendFromInterestButton>
wrappers per detail page.
- /[portSlug]/admin/brochures: list, upload (direct-to-storage
presigned PUT for the 20MB+ files per §11.1), default toggle,
archive.
- /[portSlug]/admin/email extended with <SalesEmailConfigCard>:
SMTP + IMAP creds, body templates, threshold/max settings.
Storage: every upload + download goes through getStorageBackend() —
no direct minio imports, per Phase 6a contract.
Tests: 1145 vitest passing (+ 50 new in
markdown-email-sanitization.test.ts, document-sends-validators.test.ts,
sales-email-config-validators.test.ts).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-05 03:38:47 +02:00
|
|
|
/**
|
|
|
|
|
* Phase 7 §14.7 critical mitigation: body markdown XSS sanitization.
|
|
|
|
|
*
|
|
|
|
|
* Every code path that turns rep-authored markdown into the email's
|
|
|
|
|
* `html` body is required to go through `renderEmailBody()`. These tests
|
|
|
|
|
* are the canary — if any future change to the renderer lets a known XSS
|
|
|
|
|
* payload through, the test breaks before the change ships.
|
|
|
|
|
*/
|
|
|
|
|
import { describe, expect, it } from 'vitest';
|
|
|
|
|
|
|
|
|
|
import {
|
|
|
|
|
EMAIL_BODY_MAX_BYTES,
|
|
|
|
|
expandMergeTokens,
|
|
|
|
|
extractTokens,
|
|
|
|
|
findUnresolvedTokens,
|
|
|
|
|
renderEmailBody,
|
|
|
|
|
} from '@/lib/utils/markdown-email';
|
|
|
|
|
|
|
|
|
|
describe('renderEmailBody — XSS payload coverage', () => {
|
|
|
|
|
it('escapes <script> tags so they render as text, not active script', () => {
|
|
|
|
|
const html = renderEmailBody('Hi <script>alert(1)</script> there');
|
|
|
|
|
expect(html).not.toContain('<script>');
|
|
|
|
|
expect(html).toContain('<script>');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('escapes onerror handlers in img tags', () => {
|
|
|
|
|
const html = renderEmailBody('<img src=x onerror=alert(1)>');
|
|
|
|
|
expect(html).not.toContain('<img');
|
|
|
|
|
expect(html).toContain('<img');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('strips javascript: URLs from markdown links', () => {
|
|
|
|
|
const html = renderEmailBody('[click](javascript:alert(1))');
|
|
|
|
|
expect(html).not.toContain('javascript:');
|
|
|
|
|
expect(html).not.toContain('<a ');
|
|
|
|
|
// Falls back to rendering the link text as plain.
|
|
|
|
|
expect(html).toContain('click');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('strips data: URLs from markdown links', () => {
|
|
|
|
|
const html = renderEmailBody('[bad](data:text/html,<script>alert(1)</script>)');
|
|
|
|
|
expect(html).not.toContain('<a ');
|
|
|
|
|
expect(html).not.toContain('<script');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('allows https:// URLs in markdown links', () => {
|
|
|
|
|
const html = renderEmailBody('[example](https://example.com)');
|
|
|
|
|
expect(html).toContain('<a href="https://example.com"');
|
|
|
|
|
expect(html).toContain('rel="noopener noreferrer"');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('allows mailto: URLs in markdown links', () => {
|
|
|
|
|
const html = renderEmailBody('[reach me](mailto:hi@example.com)');
|
|
|
|
|
expect(html).toContain('<a href="mailto:hi@example.com"');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('escapes <iframe> tags', () => {
|
|
|
|
|
const html = renderEmailBody('<iframe src="https://evil.com"></iframe>');
|
|
|
|
|
expect(html).not.toContain('<iframe');
|
|
|
|
|
expect(html).toContain('<iframe');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('escapes <style> blocks', () => {
|
|
|
|
|
const html = renderEmailBody('<style>body{background:red}</style>');
|
|
|
|
|
expect(html).not.toContain('<style');
|
|
|
|
|
expect(html).toContain('<style');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('escapes attribute-style XSS attempts (no live <svg> tag survives)', () => {
|
|
|
|
|
const html = renderEmailBody('"><svg onload=alert(1)>');
|
|
|
|
|
// The literal "<svg" must never appear unescaped — the angle bracket is
|
|
|
|
|
// what the browser parses, not the word "onload".
|
|
|
|
|
expect(html).not.toContain('<svg');
|
|
|
|
|
expect(html).toContain('<svg');
|
|
|
|
|
expect(html).toContain('"');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('escapes the polyglot from CWE-79 reference samples', () => {
|
|
|
|
|
const polyglot = `'\`<img src=x onerror=alert(1)>"<svg/onload=alert(1)>"`;
|
|
|
|
|
const html = renderEmailBody(polyglot);
|
|
|
|
|
// Only unescaped tags can fire handlers; we just need to be sure no
|
|
|
|
|
// unescaped `<` survives.
|
|
|
|
|
expect(html).not.toContain('<img');
|
|
|
|
|
expect(html).not.toContain('<svg');
|
|
|
|
|
expect(html).toContain('<img');
|
|
|
|
|
expect(html).toContain('<svg');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('rejects bodies above 50KB', () => {
|
|
|
|
|
const huge = 'x'.repeat(EMAIL_BODY_MAX_BYTES + 1);
|
|
|
|
|
expect(() => renderEmailBody(huge)).toThrow(/maximum length/);
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
describe('renderEmailBody — markdown rules', () => {
|
|
|
|
|
it('renders **bold** as <strong>', () => {
|
|
|
|
|
expect(renderEmailBody('this is **bold**')).toContain('<strong>bold</strong>');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('renders *italic* as <em>', () => {
|
|
|
|
|
expect(renderEmailBody('this is *italic*')).toContain('<em>italic</em>');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('renders `code` spans', () => {
|
|
|
|
|
expect(renderEmailBody('use `apiFetch`')).toContain('<code>apiFetch</code>');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('splits paragraphs on blank lines', () => {
|
|
|
|
|
const out = renderEmailBody('para one\n\npara two');
|
|
|
|
|
expect(out).toContain('<p>para one</p>');
|
|
|
|
|
expect(out).toContain('<p>para two</p>');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('converts single newlines to <br>', () => {
|
|
|
|
|
const out = renderEmailBody('line one\nline two');
|
|
|
|
|
expect(out).toContain('line one<br>line two');
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
describe('merge token helpers', () => {
|
|
|
|
|
it('extracts tokens from a body', () => {
|
|
|
|
|
const tokens = extractTokens('Hi {{client.fullName}} re {{berth.mooringNumber}}.');
|
|
|
|
|
expect(tokens).toEqual(['{{client.fullName}}', '{{berth.mooringNumber}}']);
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('expands tokens that have values', () => {
|
|
|
|
|
const out = expandMergeTokens('Hi {{client.fullName}}', {
|
|
|
|
|
'{{client.fullName}}': 'Jane Doe',
|
|
|
|
|
});
|
|
|
|
|
expect(out).toBe('Hi Jane Doe');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('leaves unresolved tokens intact', () => {
|
|
|
|
|
const out = expandMergeTokens('Hi {{client.fullName}} {{missing}}', {
|
|
|
|
|
'{{client.fullName}}': 'Jane',
|
|
|
|
|
});
|
|
|
|
|
expect(out).toBe('Hi Jane {{missing}}');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('reports unresolved tokens', () => {
|
|
|
|
|
const unresolved = findUnresolvedTokens('Hi {{a}} {{b}} {{c}}', {
|
|
|
|
|
'{{a}}': 'value',
|
|
|
|
|
});
|
|
|
|
|
expect(unresolved).toEqual(['{{b}}', '{{c}}']);
|
|
|
|
|
});
|
fix(audit-v2): platform-wide post-merge hardening across 5 domains
Five-domain audit (security, routes, DB, integrations, UI/UX) ran after
the cf37d09 merge. Critical + high-impact items landed here; deferred
medium/low items indexed in docs/audit-final-deferred.md (now organised
into a "Audit-final v2" section).
Security:
- Storage proxy tokens now bind to op (`'get'` vs `'put'`). A long-lived
download URL minted by `presignDownload` for an emailed brochure can no
longer be replayed against the proxy PUT to overwrite the original
storage object. `verifyProxyToken` requires `expectedOp` and rejects
mismatches; legacy tokens missing `op` fail-closed. Regression tests
added.
- Markdown email merge values are now markdown-escaped (`[`, `]`, `(`,
`)`, `*`, `_`, `\`, backticks, braces) before substitution into the
rep-authored body. A malicious value like `[click here](https://evil)`
stored in `client.fullName` no longer survives `escapeHtml` to render
as a real `<a href>` in the outbound email. Phishing-via-merge-field
closed; regression tests added.
- Middleware now performs an Origin/Referer check on
POST/PUT/PATCH/DELETE to `/api/v1/**`. Defense-in-depth on top of
better-auth's SameSite=Lax cookie. Webhooks/public/auth/portal routes
exempt as they don't carry the session cookie.
Routes:
- Template management routes were calling `withPermission('documents',
'manage', ...)` — but `documents` doesn't have a `manage` action. The
registry has `document_templates.manage`. Every non-superadmin was
getting 403'd on the seven template endpoints. Fixed across the
/admin/templates surface.
- Custom-fields permission resource is hardcoded to `clients` regardless
of which entity (yacht/company/etc.) the values belong to. Documented
as deferred (requires per-entity routes).
DB:
- documentSends: every parent FK (client_id, interest_id, berth_id,
brochure_id, brochure_version_id) now uses ON DELETE SET NULL so the
audit trail outlasts hard-deletes. The denormalized columns
(recipient_email, document_kind, body_markdown, from_address) were
added precisely for this. Migration 0035.
- Polymorphic discriminators on yachts.current_owner_type and
invoices.billing_entity_type now have CHECK constraints — typos like
`'clients'` vs `'client'` were silently inserting unreachable rows
before. Migration 0036.
Integrations:
- Email attachment resolution (`src/lib/email/index.ts`) was importing
MinIO directly instead of `getStorageBackend()`. Filesystem-backend
deployments would have broken every email-with-attachment send. Now
routes through the pluggable abstraction per CLAUDE.md.
- Documenso DOCUMENT_OPENED webhook filter relaxed: v2 may omit
`readStatus` or send lowercase, so an event that was the SIGNAL of an
open was being silently dropped. Now treats any recipient on a
DOCUMENT_OPENED event as opened.
UI/UX:
- Expense detail used to render `receiptFileIds` as opaque UUID badges —
reps couldn't view the receipt they uploaded. Now renders an image
thumbnail (via `/api/v1/files/[id]/preview`) plus a Download link for
PDFs. Closed the "where's my receipt?" loop in the expense flow.
- Expense detail Edit + Archive buttons now `<PermissionGate>` and the
archive mutation surfaces success/error toasts instead of silent 403s.
- Brochures admin: setDefault/archive/create mutations now have onError
toasts (only onSuccess existed before).
- Removed broken bulk-upload link in scan/page (route doesn't exist;
used a raw `<a>` triggering a full reload to a 404).
Test status: 1168/1168 vitest passing. tsc clean.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-05 05:51:39 +02:00
|
|
|
|
|
|
|
|
// Audit-final v2: a malicious merge value (e.g. a client.fullName imported
|
|
|
|
|
// from a low-trust source) must NOT inject a link or emphasis into the
|
|
|
|
|
// rendered email body. escapeMergeValue neutralizes the markdown chars
|
|
|
|
|
// inside the value before substitution.
|
|
|
|
|
it('escapes markdown control chars inside merge values', () => {
|
|
|
|
|
const expanded = expandMergeTokens('Hi {{client.fullName}}, welcome.', {
|
|
|
|
|
'{{client.fullName}}': '[click here](https://attacker.tld)',
|
|
|
|
|
});
|
|
|
|
|
// The brackets/parens are now entity-encoded, so the markdown link
|
|
|
|
|
// rule will not fire.
|
|
|
|
|
expect(expanded).not.toContain('[click here](https://attacker.tld)');
|
|
|
|
|
expect(expanded).toContain('[click here]');
|
|
|
|
|
|
|
|
|
|
const html = renderEmailBody(expanded);
|
|
|
|
|
expect(html).not.toContain('<a href="https://attacker.tld');
|
|
|
|
|
// Plain-text version (visible to recipient) still reads normally.
|
|
|
|
|
expect(html).toContain('click here');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('escapes nested {{token}} forms in merge values to prevent re-expansion shenanigans', () => {
|
|
|
|
|
const expanded = expandMergeTokens('Hi {{a}}', { '{{a}}': '{{secret_token}}' });
|
|
|
|
|
// Both braces and the underscore are entity-encoded.
|
|
|
|
|
expect(expanded).toContain('{{secret_token}}');
|
|
|
|
|
expect(expanded).not.toContain('{{secret_token}}');
|
|
|
|
|
});
|
feat(emails): sales send-out flows + brochures + email-from settings
Phase 7 of the berth-recommender refactor (plan §3.3, §4.8, §4.9, §5.7,
§5.8, §5.9, §11.1, §14.7, §14.9). Adds the rep-driven send-out path for
per-berth PDFs and port-wide brochures, the per-port sales SMTP/IMAP
config + body templates, and the supporting admin UI.
Migration: 0031_brochures_and_document_sends.sql
Schema additions:
- brochures (port-wide, with isDefault marker + archive)
- brochure_versions (versioned uploads, storageKey per §4.7a)
- document_sends (audit log of every rep-initiated send; failures
captured with failedAt + errorReason). berthPdfVersionId is a plain
text column (no FK) — loose-coupled to Phase 6b's berth_pdf_versions
so the two phases stay independent.
§14.7 critical mitigations:
- Body XSS: rep-authored markdown goes through renderEmailBody()
(HTML-escape first, then a tight allowlist of bold/italic/code/link
rules). https:// + mailto: only — javascript:/data: URLs stripped.
Tested against script/img/iframe/svg/onerror polyglots.
- Recipient typo: strict email regex + two-step confirm modal that
shows the exact recipient before send.
- Unresolved merge fields: pre-send dry-run /preview endpoint blocks
submission until findUnresolvedTokens() returns empty.
- SMTP failure: every transport rejection writes a document_sends row
with failedAt + errorReason; UI surfaces the message.
- Hourly per-user rate limit: 50 sends/user/hour via existing
checkRateLimit().
- Size threshold fallback (§11.1): files above
email_attach_threshold_mb (default 15) ship as a 24h signed-URL
download link in the body instead of an attachment. Storage stream
flows directly to nodemailer to avoid buffering 20MB+.
§14.10 critical mitigation:
- SMTP/IMAP passwords encrypted at rest via the existing
EMAIL_CREDENTIAL_KEY (AES-256-GCM). The /api/v1/admin/email/
sales-config GET endpoint never returns the decrypted value — only
a *PassIsSet boolean. PATCH treats empty string as "leave unchanged"
and explicit null as "clear", so the masked-placeholder UI round-
trips without forcing re-entry on every save.
system_settings keys (per-port unless noted):
- sales_from_address, sales_smtp_{host,port,secure,user,pass_encrypted}
- sales_imap_{host,port,user,pass_encrypted}
- sales_auth_method (default app_password)
- noreply_from_address
- email_template_send_berth_pdf_body, email_template_send_brochure_body
- brochure_max_upload_mb (default 50)
- email_attach_threshold_mb (default 15)
UI surfaces (per §5.7, §5.8, §5.9):
- <SendDocumentDialog> shared 2-step compose+confirm flow.
- <SendBerthPdfDialog>, <SendDocumentsDialog>, <SendFromInterestButton>
wrappers per detail page.
- /[portSlug]/admin/brochures: list, upload (direct-to-storage
presigned PUT for the 20MB+ files per §11.1), default toggle,
archive.
- /[portSlug]/admin/email extended with <SalesEmailConfigCard>:
SMTP + IMAP creds, body templates, threshold/max settings.
Storage: every upload + download goes through getStorageBackend() —
no direct minio imports, per Phase 6a contract.
Tests: 1145 vitest passing (+ 50 new in
markdown-email-sanitization.test.ts, document-sends-validators.test.ts,
sales-email-config-validators.test.ts).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-05 03:38:47 +02:00
|
|
|
});
|