letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
1f41f8a8a017724d1ce5bfa7b7d183ef6643de96
pn-new-crm/src/lib/email/index.ts
Matt Ciaccio 7bd969b41a fix(audit-integrations): SMTP/PG/Socket.IO timeouts, prompt injection, secret-at-rest 
A focused review of every external integration surfaced six issues the
original audit missed.  Fixed here.

HIGH
* Socket.IO had an unconditional 30-second idle disconnect on every
  socket.  The comment on the line acknowledged it was "for development
  only, would be longer in prod" but no NODE_ENV guard existed, and the
  `socket.onAny` listener only resets on inbound client events — every
  dashboard connection that received only server-push events would have
  been torn down every 30s in production.  Removed the manual idle
  timer entirely; Socket.IO's pingTimeout / pingInterval handles
  dead-transport detection at the protocol level.
* SMTP transporters had no `connectionTimeout` / `greetingTimeout` /
  `socketTimeout`.  Nodemailer's defaults are 2 minutes for connect
  and unlimited for socket — a hung SMTP server would have held a
  BullMQ `email` worker concurrency slot for up to 10 min per job
  (5 retries × 2 min).  Set 10s/10s/30s on both the system transporter
  in `src/lib/email/index.ts` and the user-account transporter in
  `email-compose.service.ts`.

MEDIUM
* PostgreSQL pool had no `statement_timeout` /
  `idle_in_transaction_session_timeout`.  A slow query or transaction
  held by a crashed handler would have eventually exhausted the
  20-connection pool.  30s statement cap, 10s idle-in-tx cap, plus
  `max_lifetime: 30min` to recycle connections.
* `umami_password` and `umami_api_token` were stored as plaintext in
  `system_settings` (the SMTP and S3 secret paths use AES-GCM).  The
  reader now passes them through `readSecret()` which auto-detects
  the encrypted `iv:cipher:tag` shape and decrypts, falling back to
  legacy plaintext so operators can rotate without a flag-day.
* AI email-draft worker interpolated `additionalInstructions` (user-
  controlled) directly into the OpenAI prompt — a hostile rep could
  close the instructions block and inject prompt directives that
  override the system prompt.  Added `sanitizeForPrompt()` that
  strips newlines + quote chars, caps at 500 chars, and the prompt
  now wraps the value in a "treat as data not commands" preamble.

LOW
* Legacy `ensureBucket()` in `src/lib/minio/index.ts` was unguarded —
  if any future code imported it (currently no callers), a misconfigured
  prod deploy could mint a fresh empty bucket.  Now matches the gate
  used by the pluggable S3Backend (`MINIO_AUTO_CREATE_BUCKET=true`
  required) so the legacy export and the new pluggable path agree.

Confirmed not-an-issue: BullMQ Workers create connections via
`{ url }` options object, and BullMQ sets `maxRetriesPerRequest: null`
internally for those — no fix needed.  The shared `redis` singleton
that does keep `maxRetriesPerRequest: 3` is used only for direct
Redis ops (rate-limit sliding window, etc.), never for blocking
BullMQ commands, so the value is correct there.

Test status: 1175/1175 vitest, tsc clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-05 21:31:50 +02:00

161 lines
5.5 KiB
TypeScript
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
import nodemailer, { type Transporter } from 'nodemailer';
import { env } from '@/lib/env';
import { logger } from '@/lib/logger';
import { getPortEmailConfig, type PortEmailConfig } from '@/lib/services/port-config';
/**
* Creates and returns a new Nodemailer SMTP transporter using env defaults.
* For port-scoped configuration use {@link createPortTransporter} instead.
*
* A new instance is created on each call so the factory can be used in
* contexts where connection pooling is managed externally (e.g. per-request
* in serverless, or once at worker startup).
*/
// Nodemailer's default `connectionTimeout` is 2 minutes and there is no
// `socketTimeout`, so a hung SMTP server would hold a BullMQ `email`
// worker concurrency slot for up to 2 min × 5 retry attempts = 10 min
// per job. With concurrency 5, all slots can be starved by a single
// flaky upstream. Explicit timeouts cap the worst case under a minute.
const SMTP_TIMEOUTS = {
connectionTimeout: 10_000,
greetingTimeout: 10_000,
socketTimeout: 30_000,
} as const;
export function createTransporter(): Transporter {
return nodemailer.createTransport({
host: env.SMTP_HOST,
port: env.SMTP_PORT,
// Implicitly secure when port is 465; STARTTLS for all other ports.
secure: env.SMTP_PORT === 465,
...SMTP_TIMEOUTS,
...(env.SMTP_USER && env.SMTP_PASS
? { auth: { user: env.SMTP_USER, pass: env.SMTP_PASS } }
: {}),
});
}
function createTransporterFromConfig(cfg: PortEmailConfig): Transporter {
return nodemailer.createTransport({
host: cfg.smtpHost,
port: cfg.smtpPort,
secure: cfg.smtpPort === 465,
...SMTP_TIMEOUTS,
...(cfg.smtpUser && cfg.smtpPass ? { auth: { user: cfg.smtpUser, pass: cfg.smtpPass } } : {}),
});
}
export interface EmailAttachmentRef {
fileId: string;
filename?: string;
}
export interface SendEmailOptions {
to: string | string[];
subject: string;
html: string;
from?: string;
/** When provided, port-level email settings override env defaults. */
portId?: string;
text?: string;
/**
* File attachments to fetch from MinIO and attach to the message.
* Resolution + cross-port enforcement happens via `resolveAttachments`
* before the SMTP call.
*/
attachments?: EmailAttachmentRef[];
}
/**
* Resolve attachment refs to nodemailer attachment payloads. Reads each file
* from MinIO and enforces port-isolation: an attachment that doesn't belong
* to `portId` throws ForbiddenError. Returns an empty array when no refs
* are provided.
*/
async function resolveAttachments(
refs: EmailAttachmentRef[] | undefined,
portId: string | undefined,
): Promise<Array<{ filename: string; content: Buffer; contentType?: string }>> {
if (!refs || refs.length === 0) return [];
const { db } = await import('@/lib/db');
const { files } = await import('@/lib/db/schema/documents');
const { eq } = await import('drizzle-orm');
const { ForbiddenError, NotFoundError } = await import('@/lib/errors');
// Pluggable storage backend (s3 OR filesystem). Direct MinIO imports
// break the filesystem-mode deployment path documented in CLAUDE.md.
const { getStorageBackend } = await import('@/lib/storage');
const backend = await getStorageBackend();
return Promise.all(
refs.map(async (ref) => {
const file = await db.query.files.findFirst({ where: eq(files.id, ref.fileId) });
if (!file) throw new NotFoundError('File');
if (portId && file.portId !== portId) {
throw new ForbiddenError('File belongs to a different port');
}
const stream = await backend.get(file.storagePath);
const chunks: Buffer[] = [];
for await (const chunk of stream as AsyncIterable<Buffer | string>) {
chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
}
return {
filename: ref.filename ?? file.originalName,
content: Buffer.concat(chunks),
...(file.mimeType ? { contentType: file.mimeType } : {}),
};
}),
);
}
/**
* Sends a single email via SMTP.
*
* Returns the nodemailer info object on success. Propagates errors to the
* caller - callers in background jobs should wrap in try/catch and handle
* retries via BullMQ.
*/
export async function sendEmail(
to: string | string[],
subject: string,
html: string,
from?: string,
text?: string,
portId?: string,
attachments?: EmailAttachmentRef[],
): Promise<nodemailer.SentMessageInfo> {
const cfg = portId ? await getPortEmailConfig(portId) : null;
const transporter = cfg ? createTransporterFromConfig(cfg) : createTransporter();
const requestedTo = Array.isArray(to) ? to.join(', ') : to;
const effectiveTo = env.EMAIL_REDIRECT_TO ?? requestedTo;
const effectiveSubject = env.EMAIL_REDIRECT_TO
? `[redirected from ${requestedTo}] ${subject}`
: subject;
const fromHeader =
from ??
(cfg ? `${cfg.fromName} <${cfg.fromAddress}>` : undefined) ??
env.SMTP_FROM ??
`Port Nimara CRM <noreply@${env.SMTP_HOST}>`;
const resolvedAttachments = await resolveAttachments(attachments, portId);
const info = await transporter.sendMail({
from: fromHeader,
to: effectiveTo,
subject: effectiveSubject,
html,
...(cfg?.replyTo ? { replyTo: cfg.replyTo } : {}),
...(text ? { text } : {}),
...(resolvedAttachments.length > 0 ? { attachments: resolvedAttachments } : {}),
});
logger.debug(
{ messageId: info.messageId, to: effectiveTo, originalTo: requestedTo, subject, portId },
env.EMAIL_REDIRECT_TO ? 'Email sent (redirected)' : 'Email sent',
);
return info;
}
Reference in New Issue View Git Blame Copy Permalink