letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions 1 Packages Projects Releases Wiki Activity
Files
c90876abad778d83448b13f35aa442d22bbad8ae
pn-new-crm/src/lib/services/port-config.ts
Matt Ciaccio 63c4073e64 fix(audit-verification): regressions found in post-Tier-6 review 
Two parallel reviews of the Tier 0–6 work surfaced one CRITICAL
regression and a handful of remaining cross-tenant gaps that the
original audit didn't enumerate. All fixed here:

CRITICAL
* document-reminders.processReminderQueue — the new bulk-fetch
  leftJoin to documentTemplates was scoped on `templateType` alone.
  Templates of the same type exist in every port; the cartesian
  explosion would have fired one Documenso reminder PER matching
  template-row per cron tick (a 5-port deploy = 5 reminders to the
  same signer per cycle). Added eq(documentTemplates.portId, portId)
  to the join.
* All five remaining Documenso webhook handlers (RecipientSigned /
  Completed / Opened / Rejected / Cancelled) accept and require an
  optional portId now, with a shared resolveWebhookDocument() helper
  that refuses to mutate when the lookup is ambiguous across tenants
  without a resolved port. Tier 5's port-scoping was applied only to
  Expired; the route now forwards the matched portId to every
  handler. Tightens the WHERE clauses on subsequent UPDATEs to (id,
  portId) for defense-in-depth.

HIGH
* verifyDocumensoSecret rejects when `expected` is empty —
  timingSafeEqual(0-bytes, 0-bytes) was returning true, so a dev env
  with a blank DOCUMENSO_WEBHOOK_SECRET would accept a request whose
  X-Documenso-Secret header was also missing/empty.
  listDocumensoWebhookSecrets skips the env entry when blank.
* /api/public/health — the website-intake-secret comparison was a
  string `===` (not constant-time). Switched to timingSafeEqual via
  Buffer.from().

MEDIUM
* server.ts SIGTERM ordering — Socket.io closes BEFORE the HTTP
  drain so long-poll websockets stop holding the server open past
  the compose stop_grace_period.
* /api/v1/me PATCH preferences merge — allow-list filter on the
  merged JSONB so legacy rows from the old .passthrough() era stop
  silently re-shipping their bloat to disk.

Migration fixes (deploy-blocking)
* 0041 referenced `port_role_overrides.permissions` (column is
  `permission_overrides`) — overrides are partial JSONB and don't
  need backfilling at all (deepMerge resolves edit from the base
  role). Removed the override UPDATEs entirely.
* 0042 switched all FK + CHECK adds to NOT VALID + VALIDATE so the
  brief table-lock phase is decoupled from the row-scan validation,
  giving a cleaner abort-and-restart story if a constraint catches
  dirty production data. Added a pre-cleanup UPDATE for
  invoices.billing_entity_id = '' rows (backfills from clientName,
  falls back to the row id) so the new non-empty CHECK passes on a
  dirty table.

Test status: 1175/1175 vitest, tsc clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-05 21:19:39 +02:00

310 lines
12 KiB
TypeScript
Raw Blame History

/**
* Typed accessors for port-level configuration with env-fallback.
*
* Settings are stored in the `system_settings` table keyed by (key, portId).
* The functions in this module resolve a port's effective configuration for
* a given domain (email, Documenso, branding, reminders) by reading the
* port-scoped row first, falling back to the global row, and finally to the
* env var when neither is set.
*/
import { env } from '@/lib/env';
import { getSetting } from '@/lib/services/settings.service';
// ─── Setting key constants ───────────────────────────────────────────────────
export const SETTING_KEYS = {
// Email
emailFromName: 'email_from_name',
emailFromAddress: 'email_from_address',
emailReplyTo: 'email_reply_to',
emailSignatureHtml: 'email_signature_html',
emailFooterHtml: 'email_footer_html',
emailAllowPersonalAccountSends: 'email_allow_personal_account_sends',
smtpHostOverride: 'smtp_host_override',
smtpPortOverride: 'smtp_port_override',
smtpUserOverride: 'smtp_user_override',
smtpPassOverride: 'smtp_pass_override',
// Documenso / EOI
documensoApiUrlOverride: 'documenso_api_url_override',
documensoApiKeyOverride: 'documenso_api_key_override',
documensoApiVersionOverride: 'documenso_api_version_override',
documensoEoiTemplateId: 'documenso_eoi_template_id',
// Documenso template recipient slot IDs are per-Documenso-instance
// numeric values, so they have to follow the per-port template config.
// Falling back to env keeps single-tenant deploys working.
documensoClientRecipientId: 'documenso_client_recipient_id',
documensoDeveloperRecipientId: 'documenso_developer_recipient_id',
documensoApprovalRecipientId: 'documenso_approval_recipient_id',
// Per-port Documenso webhook secret — two ports pointed at different
// Documenso instances cannot share the global env secret. The receiver
// resolves the matching port by trying each enabled secret with a
// timing-safe comparison.
documensoWebhookSecret: 'documenso_webhook_secret',
eoiDefaultPathway: 'eoi_default_pathway',
// Branding
brandingLogoUrl: 'branding_logo_url',
brandingPrimaryColor: 'branding_primary_color',
brandingAppName: 'branding_app_name',
brandingEmailHeaderHtml: 'branding_email_header_html',
brandingEmailFooterHtml: 'branding_email_footer_html',
// Reminders (port-level defaults)
reminderDefaultDays: 'reminder_default_days',
reminderDefaultEnabled: 'reminder_default_enabled',
reminderDigestEnabled: 'reminder_digest_enabled',
reminderDigestTime: 'reminder_digest_time',
reminderDigestTimezone: 'reminder_digest_timezone',
} as const;
// ─── Helper ──────────────────────────────────────────────────────────────────
async function readSetting<T>(key: string, portId: string): Promise<T | null> {
const setting = await getSetting(key, portId);
if (!setting) return null;
return setting.value as T;
}
// ─── Email ──────────────────────────────────────────────────────────────────
export interface PortEmailConfig {
fromName: string;
fromAddress: string;
replyTo: string | null;
signatureHtml: string | null;
footerHtml: string | null;
smtpHost: string;
smtpPort: number;
smtpUser: string | null;
smtpPass: string | null;
/**
* When false, only the system (port-config) sender identity is allowed.
* When true, admins/users may send via their connected personal email
* account. Defaults to false for safety.
*/
allowPersonalAccountSends: boolean;
}
export async function getPortEmailConfig(portId: string): Promise<PortEmailConfig> {
const [
fromName,
fromAddress,
replyTo,
signatureHtml,
footerHtml,
smtpHost,
smtpPort,
smtpUser,
smtpPass,
allowPersonalAccountSends,
] = await Promise.all([
readSetting<string>(SETTING_KEYS.emailFromName, portId),
readSetting<string>(SETTING_KEYS.emailFromAddress, portId),
readSetting<string>(SETTING_KEYS.emailReplyTo, portId),
readSetting<string>(SETTING_KEYS.emailSignatureHtml, portId),
readSetting<string>(SETTING_KEYS.emailFooterHtml, portId),
readSetting<string>(SETTING_KEYS.smtpHostOverride, portId),
readSetting<number>(SETTING_KEYS.smtpPortOverride, portId),
readSetting<string>(SETTING_KEYS.smtpUserOverride, portId),
readSetting<string>(SETTING_KEYS.smtpPassOverride, portId),
readSetting<boolean>(SETTING_KEYS.emailAllowPersonalAccountSends, portId),
]);
// Parse env.SMTP_FROM into name + address if no port override
let envFromName = 'Port Nimara CRM';
let envFromAddress = `noreply@${env.SMTP_HOST}`;
if (env.SMTP_FROM) {
const match = env.SMTP_FROM.match(/^(.+?)\s*<(.+)>$/);
if (match) {
envFromName = match[1]!.trim();
envFromAddress = match[2]!.trim();
} else {
envFromAddress = env.SMTP_FROM;
}
}
return {
fromName: fromName ?? envFromName,
fromAddress: fromAddress ?? envFromAddress,
replyTo: replyTo ?? null,
signatureHtml: signatureHtml ?? null,
footerHtml: footerHtml ?? null,
smtpHost: smtpHost ?? env.SMTP_HOST,
smtpPort: smtpPort ?? env.SMTP_PORT,
smtpUser: smtpUser ?? env.SMTP_USER ?? null,
smtpPass: smtpPass ?? env.SMTP_PASS ?? null,
allowPersonalAccountSends: allowPersonalAccountSends ?? false,
};
}
// ─── Documenso ──────────────────────────────────────────────────────────────
export type EoiPathway = 'documenso-template' | 'inapp';
export type DocumensoApiVersion = 'v1' | 'v2';
export interface PortDocumensoConfig {
apiUrl: string;
apiKey: string;
apiVersion: DocumensoApiVersion;
eoiTemplateId: number;
defaultPathway: EoiPathway;
/** Documenso template recipient slot IDs (per-instance numeric). */
clientRecipientId: number;
developerRecipientId: number;
approvalRecipientId: number;
}
function toIntOrNull(raw: unknown): number | null {
if (typeof raw === 'number' && Number.isFinite(raw)) return raw;
if (typeof raw === 'string' && raw.trim()) {
const n = Number(raw);
return Number.isFinite(n) ? n : null;
}
return null;
}
export async function getPortDocumensoConfig(portId: string): Promise<PortDocumensoConfig> {
const [
apiUrl,
apiKey,
apiVersion,
eoiTemplateId,
clientRecipientId,
developerRecipientId,
approvalRecipientId,
defaultPathway,
] = await Promise.all([
readSetting<string>(SETTING_KEYS.documensoApiUrlOverride, portId),
readSetting<string>(SETTING_KEYS.documensoApiKeyOverride, portId),
readSetting<DocumensoApiVersion>(SETTING_KEYS.documensoApiVersionOverride, portId),
readSetting<string | number>(SETTING_KEYS.documensoEoiTemplateId, portId),
readSetting<string | number>(SETTING_KEYS.documensoClientRecipientId, portId),
readSetting<string | number>(SETTING_KEYS.documensoDeveloperRecipientId, portId),
readSetting<string | number>(SETTING_KEYS.documensoApprovalRecipientId, portId),
readSetting<EoiPathway>(SETTING_KEYS.eoiDefaultPathway, portId),
]);
return {
apiUrl: apiUrl ?? env.DOCUMENSO_API_URL,
apiKey: apiKey ?? env.DOCUMENSO_API_KEY,
apiVersion: apiVersion ?? env.DOCUMENSO_API_VERSION,
eoiTemplateId: toIntOrNull(eoiTemplateId) ?? env.DOCUMENSO_TEMPLATE_ID_EOI,
clientRecipientId: toIntOrNull(clientRecipientId) ?? env.DOCUMENSO_CLIENT_RECIPIENT_ID,
developerRecipientId: toIntOrNull(developerRecipientId) ?? env.DOCUMENSO_DEVELOPER_RECIPIENT_ID,
approvalRecipientId: toIntOrNull(approvalRecipientId) ?? env.DOCUMENSO_APPROVAL_RECIPIENT_ID,
defaultPathway: defaultPathway ?? 'documenso-template',
};
}
/**
* List every (portId, webhookSecret) pair configured across the platform,
* plus a wildcard-port entry for the global env secret. The Documenso
* webhook receiver iterates the list with `timingSafeEqual` until it
* finds a match, then dispatches with the resolved portId.
*
* `null` portId in the returned array means "matches but no port was
* resolved" — the caller falls back to the legacy global path.
*/
export interface DocumensoSecretEntry {
portId: string | null;
secret: string;
}
export async function listDocumensoWebhookSecrets(): Promise<DocumensoSecretEntry[]> {
const { db } = await import('@/lib/db');
const { systemSettings } = await import('@/lib/db/schema/system');
const { eq, isNotNull } = await import('drizzle-orm');
const rows = await db
.select({ portId: systemSettings.portId, value: systemSettings.value })
.from(systemSettings)
.where(eq(systemSettings.key, SETTING_KEYS.documensoWebhookSecret));
void isNotNull; // imported for future filters
const out: DocumensoSecretEntry[] = [];
for (const row of rows) {
if (typeof row.value !== 'string' || !row.value || !row.portId) continue;
out.push({ portId: row.portId, secret: row.value });
}
// Append the global env secret as a fallback ONLY when it's a real,
// non-empty value. An empty env secret would otherwise match an empty
// X-Documenso-Secret header (verifyDocumensoSecret guards this too,
// but skipping the entry here keeps the matched-secret loop honest).
if (env.DOCUMENSO_WEBHOOK_SECRET) {
out.push({ portId: null, secret: env.DOCUMENSO_WEBHOOK_SECRET });
}
return out;
}
// ─── Branding ───────────────────────────────────────────────────────────────
export interface PortBrandingConfig {
logoUrl: string | null;
primaryColor: string;
appName: string;
emailHeaderHtml: string | null;
emailFooterHtml: string | null;
}
const DEFAULT_BRANDING: PortBrandingConfig = {
logoUrl: null,
primaryColor: '#1e293b',
appName: 'Port Nimara CRM',
emailHeaderHtml: null,
emailFooterHtml: null,
};
export async function getPortBrandingConfig(portId: string): Promise<PortBrandingConfig> {
const [logoUrl, primaryColor, appName, emailHeaderHtml, emailFooterHtml] = await Promise.all([
readSetting<string>(SETTING_KEYS.brandingLogoUrl, portId),
readSetting<string>(SETTING_KEYS.brandingPrimaryColor, portId),
readSetting<string>(SETTING_KEYS.brandingAppName, portId),
readSetting<string>(SETTING_KEYS.brandingEmailHeaderHtml, portId),
readSetting<string>(SETTING_KEYS.brandingEmailFooterHtml, portId),
]);
return {
logoUrl: logoUrl ?? DEFAULT_BRANDING.logoUrl,
primaryColor: primaryColor ?? DEFAULT_BRANDING.primaryColor,
appName: appName ?? DEFAULT_BRANDING.appName,
emailHeaderHtml: emailHeaderHtml ?? DEFAULT_BRANDING.emailHeaderHtml,
emailFooterHtml: emailFooterHtml ?? DEFAULT_BRANDING.emailFooterHtml,
};
}
// ─── Reminders ──────────────────────────────────────────────────────────────
export interface PortReminderConfig {
defaultDays: number;
defaultEnabled: boolean;
digestEnabled: boolean;
digestTime: string; // 'HH:MM'
digestTimezone: string;
}
const DEFAULT_REMINDER: PortReminderConfig = {
defaultDays: 7,
defaultEnabled: false,
digestEnabled: false,
digestTime: '09:00',
digestTimezone: 'Europe/Warsaw',
};
export async function getPortReminderConfig(portId: string): Promise<PortReminderConfig> {
const [defaultDays, defaultEnabled, digestEnabled, digestTime, digestTimezone] =
await Promise.all([
readSetting<number>(SETTING_KEYS.reminderDefaultDays, portId),
readSetting<boolean>(SETTING_KEYS.reminderDefaultEnabled, portId),
readSetting<boolean>(SETTING_KEYS.reminderDigestEnabled, portId),
readSetting<string>(SETTING_KEYS.reminderDigestTime, portId),
readSetting<string>(SETTING_KEYS.reminderDigestTimezone, portId),
]);
return {
defaultDays: defaultDays ?? DEFAULT_REMINDER.defaultDays,
defaultEnabled: defaultEnabled ?? DEFAULT_REMINDER.defaultEnabled,
digestEnabled: digestEnabled ?? DEFAULT_REMINDER.digestEnabled,
digestTime: digestTime ?? DEFAULT_REMINDER.digestTime,
digestTimezone: digestTimezone ?? DEFAULT_REMINDER.digestTimezone,
};
}
Reference in New Issue View Git Blame Copy Permalink