letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
b7e010ff802095b6822f7c53e473f1cd8b5c52fc
pn-new-crm/src/lib/services/document-signing-emails.service.ts
Matt a65aadc530 feat(deps): adopt p-limit for unbounded mass-op fan-outs 
Cap concurrency on two services that were fanning out unbounded
requests to external systems:

1. email-compose.service.ts — attachment resolution. User attaches
   20 files → 20 simultaneous S3/MinIO GETs + 20 buffers in heap.
   Now capped at 4 concurrent reads; peak memory bounded by
   4 × max-attachment-size regardless of attachment count.

2. document-signing-emails.service.ts — sendSigningCompleted fanned
   out one SMTP send per recipient simultaneously. A Sales Contract
   with 10 recipients (client + 5 sellers + 4 witnesses) hit SMTP
   provider connection limits (Mailgun/SES/Postmark all cap concurrent
   connections in the single digits) and dropped overflow silently.
   Now capped at 3 concurrent sends.

Both use `pLimit(N)` from the Sindre Sorhus suite — well-tested at
scale, ~1kb gzip per service. Pattern is established for the
remaining audit-flagged mass-op services (brochures, backup, GDPR
export) to adopt as those files are touched.

Verified: tsc clean, vitest 1293/1293 pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-12 18:35:56 +02:00

274 lines
9.9 KiB
TypeScript
Raw Blame History

/**
* Sends Documenso-related signing emails:
*
* - `sendSigningInvitation` — initial "your turn to sign" email
* (one signer at a time). Used both for the first client
* invitation after generation AND for the cascading "your turn"
* emails when an upstream signer completes.
*
* - `sendSigningReminder` — follow-up nudge for an unsigned signer.
* Rate-limited at the call site (existing
* `sendReminderIfAllowed`); this just dispatches the email.
*
* - `sendSigningCompleted` — sent to all signers (with the signed
* PDF attached) when the document reaches fully-signed.
*
* The service handles two transformations the templates can't:
* 1. **Embedded URL wrapping** — raw Documenso signing URLs get
* rewrapped to `{embeddedSigningHost}/sign/<type>/<token>` so
* clients sign on a branded page rather than Documenso's domain.
* 2. **Per-port branding lookup** — fetches the port's branding
* config (logo, primary color, header/footer HTML) and threads
* it into the email shell.
*
* URL transformation matches the legacy client portal's
* `createEmbeddedSigningUrl` (extract token from path, prepend
* configured host + signer-role segment). Falls back to the raw
* Documenso URL when no `embeddedSigningHost` is configured for the
* port (single-tenant deploys can keep using Documenso's hosted UI).
*/
import pLimit from 'p-limit';
import { sendEmail } from '@/lib/email';
import { getBrandingShell } from '@/lib/email/branding-resolver';
import {
signingCompletedEmail,
signingInvitationEmail,
signingReminderEmail,
} from '@/lib/email/templates/document-signing';
import { getPortDocumensoConfig } from '@/lib/services/port-config';
import { logger } from '@/lib/logger';
// ─── Types ───────────────────────────────────────────────────────────────────
export type DocumentLabel = 'Expression of Interest' | 'Sales Contract' | 'Reservation Agreement';
export type SignerRole = 'client' | 'developer' | 'approver' | 'witness' | 'other';
export interface SigningInvitationArgs {
portId: string;
portName: string;
/** Recipient who's being asked to sign right now. */
recipient: { name: string; email: string };
/** Documenso's raw signing URL (e.g. https://signatures.portnimara.dev/sign/<token>). */
documensoSigningUrl: string;
/** Document type — drives subject line and body copy. */
documentLabel: DocumentLabel;
/** Signer role — drives copy variant + the embedded URL's role segment. */
signerRole: SignerRole;
/** Optional rep-authored note inserted above the CTA. */
customMessage?: string | null;
/** Display name for the closing salutation (defaults to "The {portName} team"). */
senderName?: string | null;
/** Subject override with template tokens. */
subjectOverride?: string | null;
}
export interface SigningReminderArgs extends Omit<SigningInvitationArgs, 'signerRole'> {
signerRole: SignerRole;
/** Human-readable invitation age, e.g. "3 days ago". */
invitedAgo: string;
}
export interface SigningCompletedArgs {
portId: string;
portName: string;
/** All signers — each gets the same email + attached signed PDF. */
recipients: Array<{ name: string; email: string }>;
/** Display name of the linked client (the deal's primary subject). */
clientName: string;
documentLabel: DocumentLabel;
/** Date all parties had signed. */
completedAt: Date;
/**
* MinIO file ref for the fully-signed PDF (already stored by the
* webhook handler before this service is called). The send pipeline
* resolves the ref and attaches the bytes via the existing
* `resolveAttachments` flow, which also enforces port-isolation.
*/
signedPdfFileId: string;
signedPdfFilename: string;
}
// ─── URL transformation ──────────────────────────────────────────────────────
/**
* Wrap a raw Documenso signing URL into our branded embedded format
* `{host}/sign/<role>/<token>`. Returns the raw URL unchanged when
* the port has no `embeddedSigningHost` configured (single-tenant /
* staging deploys skip the wrap).
*
* Example:
* transformSigningUrl(
* 'https://signatures.portnimara.dev/sign/abc123',
* 'https://portnimara.com',
* 'client',
* ) → 'https://portnimara.com/sign/client/abc123'
*/
/**
* Map our internal SignerRole to the URL segment expected by the
* marketing-website signing page (`/sign/<segment>/<token>`). The
* legacy website only routes `client | cc | developer`; approver +
* witness + other all funnel through the `cc` page (which renders the
* same Documenso embed but with passive-recipient copy). See plan
* Risk #5 — fixing this mapping prevents an `approver` invite from
* landing on `/sign/error`.
*/
const ROLE_TO_URL_SEGMENT: Record<SignerRole, 'client' | 'cc' | 'developer' | 'witness'> = {
client: 'client',
developer: 'developer',
approver: 'cc',
witness: 'witness',
other: 'cc',
};
export function transformSigningUrl(
documensoUrl: string,
embeddedSigningHost: string | null,
signerRole: SignerRole,
): string {
if (!embeddedSigningHost || !documensoUrl) return documensoUrl;
const token = documensoUrl.split('/').filter(Boolean).pop();
if (!token) return documensoUrl;
// Trim trailing slashes off the host so we always produce a clean
// single `/` between segments.
const host = embeddedSigningHost.replace(/\/+$/, '');
const urlRole = ROLE_TO_URL_SEGMENT[signerRole];
return `${host}/sign/${urlRole}/${token}`;
}
// ─── Senders ─────────────────────────────────────────────────────────────────
export async function sendSigningInvitation(args: SigningInvitationArgs): Promise<void> {
const [docCfg, branding] = await Promise.all([
getPortDocumensoConfig(args.portId),
getBrandingShell(args.portId),
]);
const signingUrl = transformSigningUrl(
args.documensoSigningUrl,
docCfg.embeddedSigningHost,
args.signerRole,
);
const { subject, html, text } = signingInvitationEmail(
{
recipientName: args.recipient.name,
documentLabel: args.documentLabel,
signerRole: args.signerRole,
signingUrl,
portName: args.portName,
senderName: args.senderName ?? null,
customMessage: args.customMessage ?? null,
},
{
subject: args.subjectOverride ?? null,
branding,
},
);
try {
await sendEmail(args.recipient.email, subject, html, undefined, text, args.portId);
logger.info(
{ portId: args.portId, recipient: args.recipient.email, documentLabel: args.documentLabel },
'Signing invitation sent',
);
} catch (err) {
logger.error(
{ err, portId: args.portId, recipient: args.recipient.email },
'Signing invitation send failed',
);
throw err;
}
}
export async function sendSigningReminder(args: SigningReminderArgs): Promise<void> {
const [docCfg, branding] = await Promise.all([
getPortDocumensoConfig(args.portId),
getBrandingShell(args.portId),
]);
const signingUrl = transformSigningUrl(
args.documensoSigningUrl,
docCfg.embeddedSigningHost,
args.signerRole,
);
const { subject, html, text } = signingReminderEmail(
{
recipientName: args.recipient.name,
documentLabel: args.documentLabel,
signingUrl,
portName: args.portName,
invitedAgo: args.invitedAgo,
customMessage: args.customMessage ?? null,
},
{
subject: args.subjectOverride ?? null,
branding,
},
);
try {
await sendEmail(args.recipient.email, subject, html, undefined, text, args.portId);
logger.info(
{ portId: args.portId, recipient: args.recipient.email, documentLabel: args.documentLabel },
'Signing reminder sent',
);
} catch (err) {
logger.error(
{ err, portId: args.portId, recipient: args.recipient.email },
'Signing reminder send failed',
);
throw err;
}
}
/**
* Send the "all signed" completion email with the finalized PDF
* attached. Sends one email per recipient (rather than a single
* to-list) so the EMAIL_REDIRECT_TO redirect stays cleanly per-message
* and so per-recipient personalization in the body works.
*/
export async function sendSigningCompleted(args: SigningCompletedArgs): Promise<void> {
const branding = await getBrandingShell(args.portId);
// Cap concurrency at 3: a Sales Contract with 10 recipients (client +
// 5 sellers + 4 witnesses) shouldn't fan out 10 simultaneous SMTP
// sends. Most SMTP providers (Mailgun, SES, Postmark) cap concurrent
// connections in the single digits and silently drop the overflow.
const sendLimit = pLimit(3);
await Promise.all(
args.recipients.map((recipient) =>
sendLimit(async () => {
const { subject, html, text } = signingCompletedEmail(
{
recipientName: recipient.name,
documentLabel: args.documentLabel,
clientName: args.clientName,
portName: args.portName,
completedAt: args.completedAt,
},
{ branding },
);
try {
await sendEmail(recipient.email, subject, html, undefined, text, args.portId, [
{ fileId: args.signedPdfFileId, filename: args.signedPdfFilename },
]);
logger.info(
{ portId: args.portId, recipient: recipient.email, documentLabel: args.documentLabel },
'Signing-completed email sent',
);
} catch (err) {
logger.error(
{ err, portId: args.portId, recipient: recipient.email },
'Signing-completed email send failed',
);
// Don't throw — sending to one recipient shouldn't block the others.
}
}),
),
);
}
Reference in New Issue View Git Blame Copy Permalink