feat(emails): sales send-out flows + brochures + email-from settings
Phase 7 of the berth-recommender refactor (plan §3.3, §4.8, §4.9, §5.7,
§5.8, §5.9, §11.1, §14.7, §14.9). Adds the rep-driven send-out path for
per-berth PDFs and port-wide brochures, the per-port sales SMTP/IMAP
config + body templates, and the supporting admin UI.
Migration: 0031_brochures_and_document_sends.sql
Schema additions:
- brochures (port-wide, with isDefault marker + archive)
- brochure_versions (versioned uploads, storageKey per §4.7a)
- document_sends (audit log of every rep-initiated send; failures
captured with failedAt + errorReason). berthPdfVersionId is a plain
text column (no FK) — loose-coupled to Phase 6b's berth_pdf_versions
so the two phases stay independent.
§14.7 critical mitigations:
- Body XSS: rep-authored markdown goes through renderEmailBody()
(HTML-escape first, then a tight allowlist of bold/italic/code/link
rules). https:// + mailto: only — javascript:/data: URLs stripped.
Tested against script/img/iframe/svg/onerror polyglots.
- Recipient typo: strict email regex + two-step confirm modal that
shows the exact recipient before send.
- Unresolved merge fields: pre-send dry-run /preview endpoint blocks
submission until findUnresolvedTokens() returns empty.
- SMTP failure: every transport rejection writes a document_sends row
with failedAt + errorReason; UI surfaces the message.
- Hourly per-user rate limit: 50 sends/user/hour via existing
checkRateLimit().
- Size threshold fallback (§11.1): files above
email_attach_threshold_mb (default 15) ship as a 24h signed-URL
download link in the body instead of an attachment. Storage stream
flows directly to nodemailer to avoid buffering 20MB+.
§14.10 critical mitigation:
- SMTP/IMAP passwords encrypted at rest via the existing
EMAIL_CREDENTIAL_KEY (AES-256-GCM). The /api/v1/admin/email/
sales-config GET endpoint never returns the decrypted value — only
a *PassIsSet boolean. PATCH treats empty string as "leave unchanged"
and explicit null as "clear", so the masked-placeholder UI round-
trips without forcing re-entry on every save.
system_settings keys (per-port unless noted):
- sales_from_address, sales_smtp_{host,port,secure,user,pass_encrypted}
- sales_imap_{host,port,user,pass_encrypted}
- sales_auth_method (default app_password)
- noreply_from_address
- email_template_send_berth_pdf_body, email_template_send_brochure_body
- brochure_max_upload_mb (default 50)
- email_attach_threshold_mb (default 15)
UI surfaces (per §5.7, §5.8, §5.9):
- <SendDocumentDialog> shared 2-step compose+confirm flow.
- <SendBerthPdfDialog>, <SendDocumentsDialog>, <SendFromInterestButton>
wrappers per detail page.
- /[portSlug]/admin/brochures: list, upload (direct-to-storage
presigned PUT for the 20MB+ files per §11.1), default toggle,
archive.
- /[portSlug]/admin/email extended with <SalesEmailConfigCard>:
SMTP + IMAP creds, body templates, threshold/max settings.
Storage: every upload + download goes through getStorageBackend() —
no direct minio imports, per Phase 6a contract.
Tests: 1145 vitest passing (+ 50 new in
markdown-email-sanitization.test.ts, document-sends-validators.test.ts,
sales-email-config-validators.test.ts).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-05 03:38:47 +02:00
|
|
|
import { NextResponse } from 'next/server';
|
|
|
|
|
|
|
|
|
|
import { withAuth, withPermission } from '@/lib/api/helpers';
|
|
|
|
|
import { parseBody } from '@/lib/api/route-helpers';
|
|
|
|
|
import { errorResponse } from '@/lib/errors';
|
|
|
|
|
import {
|
|
|
|
|
getSalesEmailConfig,
|
|
|
|
|
getSalesImapConfig,
|
|
|
|
|
getSalesContentConfig,
|
|
|
|
|
redactSalesConfigForResponse,
|
|
|
|
|
updateSalesEmailConfig,
|
|
|
|
|
} from '@/lib/services/sales-email-config.service';
|
|
|
|
|
import { updateSalesEmailConfigSchema } from '@/lib/validators/sales-email-config';
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* GET /api/v1/admin/email/sales-config
|
|
|
|
|
*
|
|
|
|
|
* Returns the redacted view of the sales-email config. Per §14.10
|
2026-05-05 04:07:03 +02:00
|
|
|
* reps can't see the decrypted password — the response only carries
|
|
|
|
|
* `*PassIsSet` boolean markers via `redactSalesConfigForResponse`.
|
|
|
|
|
*
|
|
|
|
|
* Today this endpoint is admin-only because it's consumed only by the
|
|
|
|
|
* admin UI panel (`src/components/admin/sales-email-config-card.tsx`).
|
|
|
|
|
* A future rep-facing surface that needs the from-address or body
|
|
|
|
|
* templates can split into a separate `/email/sales-config/preview`
|
|
|
|
|
* endpoint scoped to `email.view` — keeping the admin endpoint locked
|
|
|
|
|
* to `manage_settings` avoids accidentally widening secret-adjacent
|
|
|
|
|
* surfaces (e.g. the SMTP host name itself can be a leak vector).
|
feat(emails): sales send-out flows + brochures + email-from settings
Phase 7 of the berth-recommender refactor (plan §3.3, §4.8, §4.9, §5.7,
§5.8, §5.9, §11.1, §14.7, §14.9). Adds the rep-driven send-out path for
per-berth PDFs and port-wide brochures, the per-port sales SMTP/IMAP
config + body templates, and the supporting admin UI.
Migration: 0031_brochures_and_document_sends.sql
Schema additions:
- brochures (port-wide, with isDefault marker + archive)
- brochure_versions (versioned uploads, storageKey per §4.7a)
- document_sends (audit log of every rep-initiated send; failures
captured with failedAt + errorReason). berthPdfVersionId is a plain
text column (no FK) — loose-coupled to Phase 6b's berth_pdf_versions
so the two phases stay independent.
§14.7 critical mitigations:
- Body XSS: rep-authored markdown goes through renderEmailBody()
(HTML-escape first, then a tight allowlist of bold/italic/code/link
rules). https:// + mailto: only — javascript:/data: URLs stripped.
Tested against script/img/iframe/svg/onerror polyglots.
- Recipient typo: strict email regex + two-step confirm modal that
shows the exact recipient before send.
- Unresolved merge fields: pre-send dry-run /preview endpoint blocks
submission until findUnresolvedTokens() returns empty.
- SMTP failure: every transport rejection writes a document_sends row
with failedAt + errorReason; UI surfaces the message.
- Hourly per-user rate limit: 50 sends/user/hour via existing
checkRateLimit().
- Size threshold fallback (§11.1): files above
email_attach_threshold_mb (default 15) ship as a 24h signed-URL
download link in the body instead of an attachment. Storage stream
flows directly to nodemailer to avoid buffering 20MB+.
§14.10 critical mitigation:
- SMTP/IMAP passwords encrypted at rest via the existing
EMAIL_CREDENTIAL_KEY (AES-256-GCM). The /api/v1/admin/email/
sales-config GET endpoint never returns the decrypted value — only
a *PassIsSet boolean. PATCH treats empty string as "leave unchanged"
and explicit null as "clear", so the masked-placeholder UI round-
trips without forcing re-entry on every save.
system_settings keys (per-port unless noted):
- sales_from_address, sales_smtp_{host,port,secure,user,pass_encrypted}
- sales_imap_{host,port,user,pass_encrypted}
- sales_auth_method (default app_password)
- noreply_from_address
- email_template_send_berth_pdf_body, email_template_send_brochure_body
- brochure_max_upload_mb (default 50)
- email_attach_threshold_mb (default 15)
UI surfaces (per §5.7, §5.8, §5.9):
- <SendDocumentDialog> shared 2-step compose+confirm flow.
- <SendBerthPdfDialog>, <SendDocumentsDialog>, <SendFromInterestButton>
wrappers per detail page.
- /[portSlug]/admin/brochures: list, upload (direct-to-storage
presigned PUT for the 20MB+ files per §11.1), default toggle,
archive.
- /[portSlug]/admin/email extended with <SalesEmailConfigCard>:
SMTP + IMAP creds, body templates, threshold/max settings.
Storage: every upload + download goes through getStorageBackend() —
no direct minio imports, per Phase 6a contract.
Tests: 1145 vitest passing (+ 50 new in
markdown-email-sanitization.test.ts, document-sends-validators.test.ts,
sales-email-config-validators.test.ts).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-05 03:38:47 +02:00
|
|
|
*/
|
|
|
|
|
export const GET = withAuth(
|
|
|
|
|
withPermission('admin', 'manage_settings', async (_req, ctx) => {
|
|
|
|
|
try {
|
|
|
|
|
const [email, imap, content] = await Promise.all([
|
|
|
|
|
getSalesEmailConfig(ctx.portId),
|
|
|
|
|
getSalesImapConfig(ctx.portId),
|
|
|
|
|
getSalesContentConfig(ctx.portId),
|
|
|
|
|
]);
|
|
|
|
|
const redacted = redactSalesConfigForResponse(email, imap, content);
|
|
|
|
|
return NextResponse.json({ data: redacted });
|
|
|
|
|
} catch (error) {
|
|
|
|
|
return errorResponse(error);
|
|
|
|
|
}
|
|
|
|
|
}),
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* PATCH /api/v1/admin/email/sales-config
|
|
|
|
|
*
|
|
|
|
|
* Per-port admin only. Encrypts SMTP/IMAP passwords via AES-256-GCM before
|
|
|
|
|
* storage; the API never returns decrypted secrets (mirror enforcement on
|
|
|
|
|
* the GET handler).
|
|
|
|
|
*/
|
|
|
|
|
export const PATCH = withAuth(
|
|
|
|
|
withPermission('admin', 'manage_settings', async (req, ctx) => {
|
|
|
|
|
try {
|
|
|
|
|
const input = await parseBody(req, updateSalesEmailConfigSchema);
|
|
|
|
|
await updateSalesEmailConfig(ctx.portId, input, {
|
|
|
|
|
userId: ctx.userId,
|
|
|
|
|
portId: ctx.portId,
|
|
|
|
|
ipAddress: ctx.ipAddress,
|
|
|
|
|
userAgent: ctx.userAgent,
|
|
|
|
|
});
|
|
|
|
|
// Return the freshly-redacted view so the UI can re-render.
|
|
|
|
|
const [email, imap, content] = await Promise.all([
|
|
|
|
|
getSalesEmailConfig(ctx.portId),
|
|
|
|
|
getSalesImapConfig(ctx.portId),
|
|
|
|
|
getSalesContentConfig(ctx.portId),
|
|
|
|
|
]);
|
|
|
|
|
return NextResponse.json({ data: redactSalesConfigForResponse(email, imap, content) });
|
|
|
|
|
} catch (error) {
|
|
|
|
|
return errorResponse(error);
|
|
|
|
|
}
|
|
|
|
|
}),
|
|
|
|
|
);
|