feat(emails): sales send-out flows + brochures + email-from settings

Phase 7 of the berth-recommender refactor (plan §3.3, §4.8, §4.9, §5.7, §5.8, §5.9, §11.1, §14.7, §14.9). Adds the rep-driven send-out path for per-berth PDFs and port-wide brochures, the per-port sales SMTP/IMAP config + body templates, and the supporting admin UI. Migration: 0031_brochures_and_document_sends.sql Schema additions: - brochures (port-wide, with isDefault marker + archive) - brochure_versions (versioned uploads, storageKey per §4.7a) - document_sends (audit log of every rep-initiated send; failures captured with failedAt + errorReason). berthPdfVersionId is a plain text column (no FK) — loose-coupled to Phase 6b's berth_pdf_versions so the two phases stay independent. §14.7 critical mitigations: - Body XSS: rep-authored markdown goes through renderEmailBody() (HTML-escape first, then a tight allowlist of bold/italic/code/link rules). https:// + mailto: only — javascript:/data: URLs stripped. Tested against script/img/iframe/svg/onerror polyglots. - Recipient typo: strict email regex + two-step confirm modal that shows the exact recipient before send. - Unresolved merge fields: pre-send dry-run /preview endpoint blocks submission until findUnresolvedTokens() returns empty. - SMTP failure: every transport rejection writes a document_sends row with failedAt + errorReason; UI surfaces the message. - Hourly per-user rate limit: 50 sends/user/hour via existing checkRateLimit(). - Size threshold fallback (§11.1): files above email_attach_threshold_mb (default 15) ship as a 24h signed-URL download link in the body instead of an attachment. Storage stream flows directly to nodemailer to avoid buffering 20MB+. §14.10 critical mitigation: - SMTP/IMAP passwords encrypted at rest via the existing EMAIL_CREDENTIAL_KEY (AES-256-GCM). The /api/v1/admin/email/ sales-config GET endpoint never returns the decrypted value — only a *PassIsSet boolean. PATCH treats empty string as "leave unchanged" and explicit null as "clear", so the masked-placeholder UI round- trips without forcing re-entry on every save. system_settings keys (per-port unless noted): - sales_from_address, sales_smtp_{host,port,secure,user,pass_encrypted} - sales_imap_{host,port,user,pass_encrypted} - sales_auth_method (default app_password) - noreply_from_address - email_template_send_berth_pdf_body, email_template_send_brochure_body - brochure_max_upload_mb (default 50) - email_attach_threshold_mb (default 15) UI surfaces (per §5.7, §5.8, §5.9): - <SendDocumentDialog> shared 2-step compose+confirm flow. - <SendBerthPdfDialog>, <SendDocumentsDialog>, <SendFromInterestButton> wrappers per detail page. - /[portSlug]/admin/brochures: list, upload (direct-to-storage presigned PUT for the 20MB+ files per §11.1), default toggle, archive. - /[portSlug]/admin/email extended with <SalesEmailConfigCard>: SMTP + IMAP creds, body templates, threshold/max settings. Storage: every upload + download goes through getStorageBackend() — no direct minio imports, per Phase 6a contract. Tests: 1145 vitest passing (+ 50 new in markdown-email-sanitization.test.ts, document-sends-validators.test.ts, sales-email-config-validators.test.ts). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-05 03:38:47 +02:00
parent 249ffe3e4a
commit a0091e4ca6
32 changed files with 15129 additions and 0 deletions
--- a/tests/unit/document-sends-validators.test.ts
+++ b/tests/unit/document-sends-validators.test.ts
@@ -0,0 +1,142 @@
+/**
+ * Phase 7 — validator-level guarantees for the send-out flow.
+ *
+ * §14.7 mitigation: recipient typo (the strict email regex is the first
+ * line of defense; the confirmation modal is the second).
+ */
+import { describe, expect, it } from 'vitest';
+
+import {
+  sendBerthPdfSchema,
+  sendBrochureSchema,
+  previewBodySchema,
+  listSendsQuerySchema,
+} from '@/lib/validators/document-sends';
+import { createBrochureSchema, registerBrochureVersionSchema } from '@/lib/validators/brochures';
+
+describe('sendBerthPdfSchema', () => {
+  it('requires either clientId or email', () => {
+    const r = sendBerthPdfSchema.safeParse({
+      berthId: 'b1',
+      recipient: { interestId: 'i1' },
+    });
+    expect(r.success).toBe(false);
+  });
+
+  it('accepts clientId-only recipient', () => {
+    const r = sendBerthPdfSchema.safeParse({
+      berthId: 'b1',
+      recipient: { clientId: 'c1' },
+    });
+    expect(r.success).toBe(true);
+  });
+
+  it('rejects an obviously bad email', () => {
+    const r = sendBerthPdfSchema.safeParse({
+      berthId: 'b1',
+      recipient: { email: 'not an email' },
+    });
+    expect(r.success).toBe(false);
+  });
+
+  it('caps custom body length at 50KB', () => {
+    const r = sendBerthPdfSchema.safeParse({
+      berthId: 'b1',
+      recipient: { clientId: 'c1' },
+      customBodyMarkdown: 'x'.repeat(60_000),
+    });
+    expect(r.success).toBe(false);
+  });
+});
+
+describe('sendBrochureSchema', () => {
+  it('allows brochureId to be omitted (defaults at service level)', () => {
+    const r = sendBrochureSchema.safeParse({
+      recipient: { clientId: 'c1' },
+    });
+    expect(r.success).toBe(true);
+  });
+});
+
+describe('previewBodySchema', () => {
+  it('requires documentKind', () => {
+    const r = previewBodySchema.safeParse({ recipient: { clientId: 'c1' } });
+    expect(r.success).toBe(false);
+  });
+
+  it('accepts a minimal preview payload', () => {
+    const r = previewBodySchema.safeParse({
+      documentKind: 'berth_pdf',
+      recipient: { clientId: 'c1' },
+      berthId: 'b1',
+    });
+    expect(r.success).toBe(true);
+  });
+});
+
+describe('listSendsQuerySchema', () => {
+  it('coerces limit from string', () => {
+    const r = listSendsQuerySchema.safeParse({ limit: '50' });
+    expect(r.success).toBe(true);
+    if (r.success) expect(r.data.limit).toBe(50);
+  });
+
+  it('rejects out-of-range limit', () => {
+    const r = listSendsQuerySchema.safeParse({ limit: '99999' });
+    expect(r.success).toBe(false);
+  });
+});
+
+describe('createBrochureSchema', () => {
+  it('requires a non-empty label', () => {
+    const r = createBrochureSchema.safeParse({ label: '   ' });
+    expect(r.success).toBe(false);
+  });
+
+  it('caps label at 120 chars', () => {
+    const r = createBrochureSchema.safeParse({ label: 'a'.repeat(200) });
+    expect(r.success).toBe(false);
+  });
+});
+
+describe('registerBrochureVersionSchema', () => {
+  it('rejects path-traversal in storageKey', () => {
+    const r = registerBrochureVersionSchema.safeParse({
+      storageKey: '../etc/passwd',
+      fileName: 'b.pdf',
+      fileSizeBytes: 100,
+      contentSha256: 'a'.repeat(64),
+    });
+    expect(r.success).toBe(false);
+  });
+
+  it('rejects malformed sha256', () => {
+    const r = registerBrochureVersionSchema.safeParse({
+      storageKey: 'port/brochures/abc/x.pdf',
+      fileName: 'b.pdf',
+      fileSizeBytes: 100,
+      contentSha256: 'NOTHEX',
+    });
+    expect(r.success).toBe(false);
+  });
+
+  it('rejects upload over 100MB', () => {
+    const r = registerBrochureVersionSchema.safeParse({
+      storageKey: 'port/brochures/abc/x.pdf',
+      fileName: 'b.pdf',
+      fileSizeBytes: 200 * 1024 * 1024,
+      contentSha256: 'a'.repeat(64),
+    });
+    expect(r.success).toBe(false);
+  });
+
+  it('accepts a valid payload', () => {
+    const r = registerBrochureVersionSchema.safeParse({
+      storageKey: 'port/brochures/abc/x.pdf',
+      fileName: 'b.pdf',
+      fileSizeBytes: 1024,
+      contentSha256: 'a'.repeat(64),
+    });
+    expect(r.success).toBe(true);
+  });
+});
--- a/tests/unit/markdown-email-sanitization.test.ts
+++ b/tests/unit/markdown-email-sanitization.test.ts
@@ -0,0 +1,146 @@
+/**
+ * Phase 7 §14.7 critical mitigation: body markdown XSS sanitization.
+ *
+ * Every code path that turns rep-authored markdown into the email's
+ * `html` body is required to go through `renderEmailBody()`. These tests
+ * are the canary — if any future change to the renderer lets a known XSS
+ * payload through, the test breaks before the change ships.
+ */
+import { describe, expect, it } from 'vitest';
+
+import {
+  EMAIL_BODY_MAX_BYTES,
+  expandMergeTokens,
+  extractTokens,
+  findUnresolvedTokens,
+  renderEmailBody,
+} from '@/lib/utils/markdown-email';
+
+describe('renderEmailBody — XSS payload coverage', () => {
+  it('escapes <script> tags so they render as text, not active script', () => {
+    const html = renderEmailBody('Hi <script>alert(1)</script> there');
+    expect(html).not.toContain('<script>');
+    expect(html).toContain('&lt;script&gt;');
+  });
+
+  it('escapes onerror handlers in img tags', () => {
+    const html = renderEmailBody('<img src=x onerror=alert(1)>');
+    expect(html).not.toContain('<img');
+    expect(html).toContain('&lt;img');
+  });
+
+  it('strips javascript: URLs from markdown links', () => {
+    const html = renderEmailBody('[click](javascript:alert(1))');
+    expect(html).not.toContain('javascript:');
+    expect(html).not.toContain('<a ');
+    // Falls back to rendering the link text as plain.
+    expect(html).toContain('click');
+  });
+
+  it('strips data: URLs from markdown links', () => {
+    const html = renderEmailBody('[bad](data:text/html,<script>alert(1)</script>)');
+    expect(html).not.toContain('<a ');
+    expect(html).not.toContain('<script');
+  });
+
+  it('allows https:// URLs in markdown links', () => {
+    const html = renderEmailBody('[example](https://example.com)');
+    expect(html).toContain('<a href="https://example.com"');
+    expect(html).toContain('rel="noopener noreferrer"');
+  });
+
+  it('allows mailto: URLs in markdown links', () => {
+    const html = renderEmailBody('[reach me](mailto:hi@example.com)');
+    expect(html).toContain('<a href="mailto:hi@example.com"');
+  });
+
+  it('escapes <iframe> tags', () => {
+    const html = renderEmailBody('<iframe src="https://evil.com"></iframe>');
+    expect(html).not.toContain('<iframe');
+    expect(html).toContain('&lt;iframe');
+  });
+
+  it('escapes <style> blocks', () => {
+    const html = renderEmailBody('<style>body{background:red}</style>');
+    expect(html).not.toContain('<style');
+    expect(html).toContain('&lt;style');
+  });
+
+  it('escapes attribute-style XSS attempts (no live <svg> tag survives)', () => {
+    const html = renderEmailBody('"><svg onload=alert(1)>');
+    // The literal "<svg" must never appear unescaped — the angle bracket is
+    // what the browser parses, not the word "onload".
+    expect(html).not.toContain('<svg');
+    expect(html).toContain('&lt;svg');
+    expect(html).toContain('&quot;');
+  });
+
+  it('escapes the polyglot from CWE-79 reference samples', () => {
+    const polyglot = `'\`<img src=x onerror=alert(1)>"<svg/onload=alert(1)>"`;
+    const html = renderEmailBody(polyglot);
+    // Only unescaped tags can fire handlers; we just need to be sure no
+    // unescaped `<` survives.
+    expect(html).not.toContain('<img');
+    expect(html).not.toContain('<svg');
+    expect(html).toContain('&lt;img');
+    expect(html).toContain('&lt;svg');
+  });
+
+  it('rejects bodies above 50KB', () => {
+    const huge = 'x'.repeat(EMAIL_BODY_MAX_BYTES + 1);
+    expect(() => renderEmailBody(huge)).toThrow(/maximum length/);
+  });
+});
+
+describe('renderEmailBody — markdown rules', () => {
+  it('renders **bold** as <strong>', () => {
+    expect(renderEmailBody('this is **bold**')).toContain('<strong>bold</strong>');
+  });
+
+  it('renders *italic* as <em>', () => {
+    expect(renderEmailBody('this is *italic*')).toContain('<em>italic</em>');
+  });
+
+  it('renders `code` spans', () => {
+    expect(renderEmailBody('use `apiFetch`')).toContain('<code>apiFetch</code>');
+  });
+
+  it('splits paragraphs on blank lines', () => {
+    const out = renderEmailBody('para one\n\npara two');
+    expect(out).toContain('<p>para one</p>');
+    expect(out).toContain('<p>para two</p>');
+  });
+
+  it('converts single newlines to <br>', () => {
+    const out = renderEmailBody('line one\nline two');
+    expect(out).toContain('line one<br>line two');
+  });
+});
+
+describe('merge token helpers', () => {
+  it('extracts tokens from a body', () => {
+    const tokens = extractTokens('Hi {{client.fullName}} re {{berth.mooringNumber}}.');
+    expect(tokens).toEqual(['{{client.fullName}}', '{{berth.mooringNumber}}']);
+  });
+
+  it('expands tokens that have values', () => {
+    const out = expandMergeTokens('Hi {{client.fullName}}', {
+      '{{client.fullName}}': 'Jane Doe',
+    });
+    expect(out).toBe('Hi Jane Doe');
+  });
+
+  it('leaves unresolved tokens intact', () => {
+    const out = expandMergeTokens('Hi {{client.fullName}} {{missing}}', {
+      '{{client.fullName}}': 'Jane',
+    });
+    expect(out).toBe('Hi Jane {{missing}}');
+  });
+
+  it('reports unresolved tokens', () => {
+    const unresolved = findUnresolvedTokens('Hi {{a}} {{b}} {{c}}', {
+      '{{a}}': 'value',
+    });
+    expect(unresolved).toEqual(['{{b}}', '{{c}}']);
+  });
+});
--- a/tests/unit/sales-email-config-validators.test.ts
+++ b/tests/unit/sales-email-config-validators.test.ts
@@ -0,0 +1,62 @@
+/**
+ * Phase 7 §14.10 critical mitigation: SMTP/IMAP credential validators.
+ *
+ * Validates the API surface of the sales-config update payload: that
+ * malformed addresses are rejected, that sensible bounds are enforced,
+ * and that the empty-string-means-unchanged convention is preserved by the
+ * validator (the service-layer assumption).
+ */
+import { describe, expect, it } from 'vitest';
+
+import { updateSalesEmailConfigSchema } from '@/lib/validators/sales-email-config';
+
+describe('updateSalesEmailConfigSchema', () => {
+  it('accepts a fully populated payload', () => {
+    const r = updateSalesEmailConfigSchema.safeParse({
+      fromAddress: 'sales@example.com',
+      smtpHost: 'smtp.example.com',
+      smtpPort: 587,
+      smtpSecure: false,
+      smtpUser: 'sales',
+      smtpPass: 'secret',
+      noreplyFromAddress: 'noreply@example.com',
+      templateBerthPdfBody: 'Hi {{client.fullName}}',
+      templateBrochureBody: 'Hi {{client.fullName}}',
+      brochureMaxUploadMb: 50,
+      emailAttachThresholdMb: 15,
+    });
+    expect(r.success).toBe(true);
+  });
+
+  it('accepts empty-string smtpPass (means "leave unchanged")', () => {
+    const r = updateSalesEmailConfigSchema.safeParse({ smtpPass: '' });
+    expect(r.success).toBe(true);
+  });
+
+  it('accepts explicit null smtpPass (means "clear")', () => {
+    const r = updateSalesEmailConfigSchema.safeParse({ smtpPass: null });
+    expect(r.success).toBe(true);
+  });
+
+  it('rejects malformed from address', () => {
+    const r = updateSalesEmailConfigSchema.safeParse({ fromAddress: 'not-an-email' });
+    expect(r.success).toBe(false);
+  });
+
+  it('rejects out-of-range smtp port', () => {
+    const r = updateSalesEmailConfigSchema.safeParse({ smtpPort: 99999 });
+    expect(r.success).toBe(false);
+  });
+
+  it('rejects unknown auth method', () => {
+    const r = updateSalesEmailConfigSchema.safeParse({ authMethod: 'oauth_apple' });
+    expect(r.success).toBe(false);
+  });
+
+  it('caps body templates at 50KB', () => {
+    const r = updateSalesEmailConfigSchema.safeParse({
+      templateBrochureBody: 'x'.repeat(60_000),
+    });
+    expect(r.success).toBe(false);
+  });
+});