Matt
4b5f85cb7d
Bundles the prior session's 50-task fix sweep (Documenso v2 + EOI/signing-
progress redesign + env-to-admin migration + dev-mode banner) with the
2026-05-18 audit fix wave (3 CRITICAL, 14 HIGH, 28 MEDIUM, 6 LOW).
CRITICAL (3):
- C-01 interest-berths INNER JOIN -> LEFT JOIN so hard-deleted berths
no longer silently drop interest links
- C-02 /setup added to PUBLIC_PATHS; fresh-deploy bootstrap loop fixed
- C-03 generic PATCH /interests/[id] no longer accepts pipelineStage —
callers must go through /stage with the override-guard chain
HIGH (14/15):
- H-01 explicit ON DELETE on previously-implicit NO ACTION FKs across
interests/documents/reservations/reminders/invoices (migration 0070)
- H-02 login page reads ?redirect= param with same-origin guard
- H-03 CRM invite token moves to URL fragment so it never lands in
nginx access logs / Referer headers
- H-04 Retry-After header on sign-in-by-identifier 429 (RFC 6585 §4)
- H-05 toggleAccount writes an audit row
- H-06 upsertSetting masks any value whose key ends with _encrypted
- H-07 archiveClient cascade fires per-interest audit rows
- H-08 createSalesTransporter applies SMTP_TIMEOUTS
- H-09 AppShell stable children — viewport flip across breakpoint no
longer destroys in-progress form drafts
- H-10 portal documents page swaps Unicode glyph status icons for
Lucide CheckCircle2/XCircle/Circle + aria-labels
- H-12 list components swap alert(...) for toast.warning(...)
- H-13 5 icon-only buttons gain aria-label
- H-14 parseBody treats empty bodies as {}
- H-15 admin layout renders a 403 panel instead of silent bounce
- H-11 not applicable — mobile-search-overlay IS a mobile bottom-sheet
MEDIUM (28+):
- M-MT01-05 defense-in-depth port_id/parent-id filters on UPDATE/DELETE
WHEREs across custom-fields, notes (all 6 entity types x update +
delete), client-contacts, yacht ownerClient lookup, webhook reads
- M-D01 documents-hub realtime event-name typo (file:created -> uploaded)
- M-EM01 portal-auth emails thread through portId
- M-EM02 sendEmail accepts cc/bcc params
- M-EM04 notification_digest catalog key
- M-IN01 portal presigned download URLs use 4h TTL
- M-IN02 OpenAI client lazy-instantiated
- M-IN04 stale pdfme refs updated to pdf-lib AcroForm
- M-IN05 umami.testConnection returns tagged union
- M-L01 reservations tenure_type unified with berths
- M-L02 report-generators canonicalize stage values
- M-AU01 audit log placeholder copy fixed
- M-AU04 outcome_set / outcome_cleared distinct audit verbs
- M-NEW-2 activity feed entity name+type separator
- M-R01 portal allowlist narrowed + portal_session backstop in proxy
- M-SC02 companies archived partial index
- M-SC04 audit_logs.searchText documented as DB-managed
- M-S01 storage_s3_access_key_encrypted admin field
- M-U01 audit log empty state uses <EmptyState>
- M-U09 invoice delete dialog -> <AlertDialog>
- M-U10 toast.success on ClientForm + InterestForm create/edit
- M-U11 settings-form-card logo preview alt text
- M-U14 mobile topbar title on clients/yachts/interests/berths
- M-U15 Invoices in mobile More-sheet
LOW (6/8):
- L-AU01 severity defaults for security-relevant verbs
- L-AU02 +13 missing actions in admin audit filter
- L-AU03 +7 missing entity types in admin audit filter
- L-AU04 dead listAuditLogs stubbed
- L-D02 CLAUDE.md Owner-wins chain tightened
Bonus — Document detail polish (#67 partial, 3/6 deliverables):
- state-aware action button per signer
- watcher Add UI with display-name resolution
- cleanSignerName cleanup
Prior session work bundled in:
- Documenso v2 webhook + envelope-ID normalization + sequential signing
- SigningProgress UI redesign (avatars, per-signer state, timestamps)
- env->admin settings registry + RegistryDrivenForm + encrypted creds
- Embedded-signing card + Test connection + setup help
- Dev-mode EMAIL_REDIRECT_TO banner
- Pipeline rules admin page
- Sales email config card
- Audit log details Sheet
- EOI tab: Finalising badge, absolute timestamps, sequential indicator
- Notes pipeline_stage_at_creation (migration 0069)
- Documenso numeric ID dual-key webhook (migration 0068)
- Dimensions criterion copy (migration 0067)
Tests: 1374/1374 vitest pass. tsc clean. lint clean.
See docs/AUDIT-FIX-WAVE-2026-05-18.md for the full progress report and
the user-input items still pending.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
184 lines
6.6 KiB
TypeScript
184 lines
6.6 KiB
TypeScript
import nodemailer, { type Transporter } from 'nodemailer';
|
||
|
||
import { env } from '@/lib/env';
|
||
import { logger } from '@/lib/logger';
|
||
import { getPortEmailConfig, type PortEmailConfig } from '@/lib/services/port-config';
|
||
|
||
/**
|
||
* Creates and returns a new Nodemailer SMTP transporter using env defaults.
|
||
* For port-scoped configuration use {@link createPortTransporter} instead.
|
||
*
|
||
* A new instance is created on each call so the factory can be used in
|
||
* contexts where connection pooling is managed externally (e.g. per-request
|
||
* in serverless, or once at worker startup).
|
||
*/
|
||
// Nodemailer's default `connectionTimeout` is 2 minutes and there is no
|
||
// `socketTimeout`, so a hung SMTP server would hold a BullMQ `email`
|
||
// worker concurrency slot for up to 2 min × 5 retry attempts = 10 min
|
||
// per job. With concurrency 5, all slots can be starved by a single
|
||
// flaky upstream. Explicit timeouts cap the worst case under a minute.
|
||
export const SMTP_TIMEOUTS = {
|
||
connectionTimeout: 10_000,
|
||
greetingTimeout: 10_000,
|
||
socketTimeout: 30_000,
|
||
} as const;
|
||
|
||
export function createTransporter(): Transporter {
|
||
return nodemailer.createTransport({
|
||
host: env.SMTP_HOST,
|
||
port: env.SMTP_PORT,
|
||
// Implicitly secure when port is 465; STARTTLS for all other ports.
|
||
secure: env.SMTP_PORT === 465,
|
||
...SMTP_TIMEOUTS,
|
||
...(env.SMTP_USER && env.SMTP_PASS
|
||
? { auth: { user: env.SMTP_USER, pass: env.SMTP_PASS } }
|
||
: {}),
|
||
});
|
||
}
|
||
|
||
function createTransporterFromConfig(cfg: PortEmailConfig): Transporter {
|
||
return nodemailer.createTransport({
|
||
host: cfg.smtpHost,
|
||
port: cfg.smtpPort,
|
||
secure: cfg.smtpPort === 465,
|
||
...SMTP_TIMEOUTS,
|
||
...(cfg.smtpUser && cfg.smtpPass ? { auth: { user: cfg.smtpUser, pass: cfg.smtpPass } } : {}),
|
||
});
|
||
}
|
||
|
||
export interface EmailAttachmentRef {
|
||
fileId: string;
|
||
filename?: string;
|
||
}
|
||
|
||
export interface SendEmailOptions {
|
||
to: string | string[];
|
||
subject: string;
|
||
html: string;
|
||
from?: string;
|
||
/** When provided, port-level email settings override env defaults. */
|
||
portId?: string;
|
||
text?: string;
|
||
/**
|
||
* File attachments to fetch from MinIO and attach to the message.
|
||
* Resolution + cross-port enforcement happens via `resolveAttachments`
|
||
* before the SMTP call.
|
||
*/
|
||
attachments?: EmailAttachmentRef[];
|
||
}
|
||
|
||
/**
|
||
* Resolve attachment refs to nodemailer attachment payloads. Reads each file
|
||
* from MinIO and enforces port-isolation: an attachment that doesn't belong
|
||
* to `portId` throws ForbiddenError. Returns an empty array when no refs
|
||
* are provided.
|
||
*/
|
||
async function resolveAttachments(
|
||
refs: EmailAttachmentRef[] | undefined,
|
||
portId: string | undefined,
|
||
): Promise<Array<{ filename: string; content: Buffer; contentType?: string }>> {
|
||
if (!refs || refs.length === 0) return [];
|
||
const { db } = await import('@/lib/db');
|
||
const { files } = await import('@/lib/db/schema/documents');
|
||
const { eq } = await import('drizzle-orm');
|
||
const { ForbiddenError, NotFoundError } = await import('@/lib/errors');
|
||
// Pluggable storage backend (s3 OR filesystem). Direct MinIO imports
|
||
// break the filesystem-mode deployment path documented in CLAUDE.md.
|
||
const { getStorageBackend } = await import('@/lib/storage');
|
||
const backend = await getStorageBackend();
|
||
|
||
return Promise.all(
|
||
refs.map(async (ref) => {
|
||
const file = await db.query.files.findFirst({ where: eq(files.id, ref.fileId) });
|
||
if (!file) throw new NotFoundError('File');
|
||
if (portId && file.portId !== portId) {
|
||
throw new ForbiddenError('File belongs to a different port');
|
||
}
|
||
const stream = await backend.get(file.storagePath);
|
||
const chunks: Buffer[] = [];
|
||
for await (const chunk of stream as AsyncIterable<Buffer | string>) {
|
||
chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
|
||
}
|
||
return {
|
||
filename: ref.filename ?? file.originalName,
|
||
content: Buffer.concat(chunks),
|
||
...(file.mimeType ? { contentType: file.mimeType } : {}),
|
||
};
|
||
}),
|
||
);
|
||
}
|
||
|
||
/**
|
||
* Sends a single email via SMTP.
|
||
*
|
||
* Returns the nodemailer info object on success. Propagates errors to the
|
||
* caller - callers in background jobs should wrap in try/catch and handle
|
||
* retries via BullMQ.
|
||
*/
|
||
export async function sendEmail(
|
||
to: string | string[],
|
||
subject: string,
|
||
html: string,
|
||
from?: string,
|
||
text?: string,
|
||
portId?: string,
|
||
attachments?: EmailAttachmentRef[],
|
||
// M-EM02: optional CC / BCC. Mirror the same EMAIL_REDIRECT_TO scrub
|
||
// as `to` so dev-mode redirects don't accidentally leak a CC outside
|
||
// the safety net.
|
||
cc?: string | string[],
|
||
bcc?: string | string[],
|
||
): Promise<nodemailer.SentMessageInfo> {
|
||
const cfg = portId ? await getPortEmailConfig(portId) : null;
|
||
const transporter = cfg ? createTransporterFromConfig(cfg) : createTransporter();
|
||
|
||
const requestedTo = Array.isArray(to) ? to.join(', ') : to;
|
||
const effectiveTo = env.EMAIL_REDIRECT_TO ?? requestedTo;
|
||
const effectiveSubject = env.EMAIL_REDIRECT_TO
|
||
? `[redirected from ${requestedTo}] ${subject}`
|
||
: subject;
|
||
// CC/BCC dropped entirely under EMAIL_REDIRECT_TO — the redirect target
|
||
// already gets the message; CCing additional recipients would defeat
|
||
// the dev safety net.
|
||
const effectiveCc = env.EMAIL_REDIRECT_TO ? undefined : cc;
|
||
const effectiveBcc = env.EMAIL_REDIRECT_TO ? undefined : bcc;
|
||
|
||
const fromHeader =
|
||
from ??
|
||
(cfg ? `${cfg.fromName} <${cfg.fromAddress}>` : undefined) ??
|
||
env.SMTP_FROM ??
|
||
`Port Nimara CRM <noreply@${env.SMTP_HOST}>`;
|
||
|
||
const resolvedAttachments = await resolveAttachments(attachments, portId);
|
||
|
||
const info = await transporter.sendMail({
|
||
from: fromHeader,
|
||
to: effectiveTo,
|
||
subject: effectiveSubject,
|
||
html,
|
||
...(cfg?.replyTo ? { replyTo: cfg.replyTo } : {}),
|
||
...(text ? { text } : {}),
|
||
...(effectiveCc ? { cc: effectiveCc } : {}),
|
||
...(effectiveBcc ? { bcc: effectiveBcc } : {}),
|
||
...(resolvedAttachments.length > 0 ? { attachments: resolvedAttachments } : {}),
|
||
});
|
||
|
||
// When EMAIL_REDIRECT_TO is set we elevate to `warn` so the dev-only
|
||
// safety net is visible in any logger config. Prod boot already refuses
|
||
// when both are set (see env.ts superRefine) — this catches the dev /
|
||
// staging window where someone left it in a .env by mistake.
|
||
if (env.EMAIL_REDIRECT_TO) {
|
||
logger.warn(
|
||
{ messageId: info.messageId, to: effectiveTo, originalTo: requestedTo, subject, portId },
|
||
'Email sent (REDIRECTED via EMAIL_REDIRECT_TO — recipient overridden)',
|
||
);
|
||
} else {
|
||
logger.debug(
|
||
{ messageId: info.messageId, to: effectiveTo, originalTo: requestedTo, subject, portId },
|
||
'Email sent',
|
||
);
|
||
}
|
||
|
||
return info;
|
||
}
|