a0091e4ca6
Phase 7 of the berth-recommender refactor (plan §3.3, §4.8, §4.9, §5.7,
§5.8, §5.9, §11.1, §14.7, §14.9). Adds the rep-driven send-out path for
per-berth PDFs and port-wide brochures, the per-port sales SMTP/IMAP
config + body templates, and the supporting admin UI.
Migration: 0031_brochures_and_document_sends.sql
Schema additions:
- brochures (port-wide, with isDefault marker + archive)
- brochure_versions (versioned uploads, storageKey per §4.7a)
- document_sends (audit log of every rep-initiated send; failures
captured with failedAt + errorReason). berthPdfVersionId is a plain
text column (no FK) — loose-coupled to Phase 6b's berth_pdf_versions
so the two phases stay independent.
§14.7 critical mitigations:
- Body XSS: rep-authored markdown goes through renderEmailBody()
(HTML-escape first, then a tight allowlist of bold/italic/code/link
rules). https:// + mailto: only — javascript:/data: URLs stripped.
Tested against script/img/iframe/svg/onerror polyglots.
- Recipient typo: strict email regex + two-step confirm modal that
shows the exact recipient before send.
- Unresolved merge fields: pre-send dry-run /preview endpoint blocks
submission until findUnresolvedTokens() returns empty.
- SMTP failure: every transport rejection writes a document_sends row
with failedAt + errorReason; UI surfaces the message.
- Hourly per-user rate limit: 50 sends/user/hour via existing
checkRateLimit().
- Size threshold fallback (§11.1): files above
email_attach_threshold_mb (default 15) ship as a 24h signed-URL
download link in the body instead of an attachment. Storage stream
flows directly to nodemailer to avoid buffering 20MB+.
§14.10 critical mitigation:
- SMTP/IMAP passwords encrypted at rest via the existing
EMAIL_CREDENTIAL_KEY (AES-256-GCM). The /api/v1/admin/email/
sales-config GET endpoint never returns the decrypted value — only
a *PassIsSet boolean. PATCH treats empty string as "leave unchanged"
and explicit null as "clear", so the masked-placeholder UI round-
trips without forcing re-entry on every save.
system_settings keys (per-port unless noted):
- sales_from_address, sales_smtp_{host,port,secure,user,pass_encrypted}
- sales_imap_{host,port,user,pass_encrypted}
- sales_auth_method (default app_password)
- noreply_from_address
- email_template_send_berth_pdf_body, email_template_send_brochure_body
- brochure_max_upload_mb (default 50)
- email_attach_threshold_mb (default 15)
UI surfaces (per §5.7, §5.8, §5.9):
- <SendDocumentDialog> shared 2-step compose+confirm flow.
- <SendBerthPdfDialog>, <SendDocumentsDialog>, <SendFromInterestButton>
wrappers per detail page.
- /[portSlug]/admin/brochures: list, upload (direct-to-storage
presigned PUT for the 20MB+ files per §11.1), default toggle,
archive.
- /[portSlug]/admin/email extended with <SalesEmailConfigCard>:
SMTP + IMAP creds, body templates, threshold/max settings.
Storage: every upload + download goes through getStorageBackend() —
no direct minio imports, per Phase 6a contract.
Tests: 1145 vitest passing (+ 50 new in
markdown-email-sanitization.test.ts, document-sends-validators.test.ts,
sales-email-config-validators.test.ts).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
143 lines
3.9 KiB
TypeScript
143 lines
3.9 KiB
TypeScript
/**
|
|
* Phase 7 — validator-level guarantees for the send-out flow.
|
|
*
|
|
* §14.7 mitigation: recipient typo (the strict email regex is the first
|
|
* line of defense; the confirmation modal is the second).
|
|
*/
|
|
import { describe, expect, it } from 'vitest';
|
|
|
|
import {
|
|
sendBerthPdfSchema,
|
|
sendBrochureSchema,
|
|
previewBodySchema,
|
|
listSendsQuerySchema,
|
|
} from '@/lib/validators/document-sends';
|
|
import { createBrochureSchema, registerBrochureVersionSchema } from '@/lib/validators/brochures';
|
|
|
|
describe('sendBerthPdfSchema', () => {
|
|
it('requires either clientId or email', () => {
|
|
const r = sendBerthPdfSchema.safeParse({
|
|
berthId: 'b1',
|
|
recipient: { interestId: 'i1' },
|
|
});
|
|
expect(r.success).toBe(false);
|
|
});
|
|
|
|
it('accepts clientId-only recipient', () => {
|
|
const r = sendBerthPdfSchema.safeParse({
|
|
berthId: 'b1',
|
|
recipient: { clientId: 'c1' },
|
|
});
|
|
expect(r.success).toBe(true);
|
|
});
|
|
|
|
it('rejects an obviously bad email', () => {
|
|
const r = sendBerthPdfSchema.safeParse({
|
|
berthId: 'b1',
|
|
recipient: { email: 'not an email' },
|
|
});
|
|
expect(r.success).toBe(false);
|
|
});
|
|
|
|
it('caps custom body length at 50KB', () => {
|
|
const r = sendBerthPdfSchema.safeParse({
|
|
berthId: 'b1',
|
|
recipient: { clientId: 'c1' },
|
|
customBodyMarkdown: 'x'.repeat(60_000),
|
|
});
|
|
expect(r.success).toBe(false);
|
|
});
|
|
});
|
|
|
|
describe('sendBrochureSchema', () => {
|
|
it('allows brochureId to be omitted (defaults at service level)', () => {
|
|
const r = sendBrochureSchema.safeParse({
|
|
recipient: { clientId: 'c1' },
|
|
});
|
|
expect(r.success).toBe(true);
|
|
});
|
|
});
|
|
|
|
describe('previewBodySchema', () => {
|
|
it('requires documentKind', () => {
|
|
const r = previewBodySchema.safeParse({ recipient: { clientId: 'c1' } });
|
|
expect(r.success).toBe(false);
|
|
});
|
|
|
|
it('accepts a minimal preview payload', () => {
|
|
const r = previewBodySchema.safeParse({
|
|
documentKind: 'berth_pdf',
|
|
recipient: { clientId: 'c1' },
|
|
berthId: 'b1',
|
|
});
|
|
expect(r.success).toBe(true);
|
|
});
|
|
});
|
|
|
|
describe('listSendsQuerySchema', () => {
|
|
it('coerces limit from string', () => {
|
|
const r = listSendsQuerySchema.safeParse({ limit: '50' });
|
|
expect(r.success).toBe(true);
|
|
if (r.success) expect(r.data.limit).toBe(50);
|
|
});
|
|
|
|
it('rejects out-of-range limit', () => {
|
|
const r = listSendsQuerySchema.safeParse({ limit: '99999' });
|
|
expect(r.success).toBe(false);
|
|
});
|
|
});
|
|
|
|
describe('createBrochureSchema', () => {
|
|
it('requires a non-empty label', () => {
|
|
const r = createBrochureSchema.safeParse({ label: ' ' });
|
|
expect(r.success).toBe(false);
|
|
});
|
|
|
|
it('caps label at 120 chars', () => {
|
|
const r = createBrochureSchema.safeParse({ label: 'a'.repeat(200) });
|
|
expect(r.success).toBe(false);
|
|
});
|
|
});
|
|
|
|
describe('registerBrochureVersionSchema', () => {
|
|
it('rejects path-traversal in storageKey', () => {
|
|
const r = registerBrochureVersionSchema.safeParse({
|
|
storageKey: '../etc/passwd',
|
|
fileName: 'b.pdf',
|
|
fileSizeBytes: 100,
|
|
contentSha256: 'a'.repeat(64),
|
|
});
|
|
expect(r.success).toBe(false);
|
|
});
|
|
|
|
it('rejects malformed sha256', () => {
|
|
const r = registerBrochureVersionSchema.safeParse({
|
|
storageKey: 'port/brochures/abc/x.pdf',
|
|
fileName: 'b.pdf',
|
|
fileSizeBytes: 100,
|
|
contentSha256: 'NOTHEX',
|
|
});
|
|
expect(r.success).toBe(false);
|
|
});
|
|
|
|
it('rejects upload over 100MB', () => {
|
|
const r = registerBrochureVersionSchema.safeParse({
|
|
storageKey: 'port/brochures/abc/x.pdf',
|
|
fileName: 'b.pdf',
|
|
fileSizeBytes: 200 * 1024 * 1024,
|
|
contentSha256: 'a'.repeat(64),
|
|
});
|
|
expect(r.success).toBe(false);
|
|
});
|
|
|
|
it('accepts a valid payload', () => {
|
|
const r = registerBrochureVersionSchema.safeParse({
|
|
storageKey: 'port/brochures/abc/x.pdf',
|
|
fileName: 'b.pdf',
|
|
fileSizeBytes: 1024,
|
|
contentSha256: 'a'.repeat(64),
|
|
});
|
|
expect(r.success).toBe(true);
|
|
});
|
|
});
|