aa67a09b80
New internal/mailer/ package:
- Sender interface with two impls: SMTPSender (production, reads
smtp_config at send time so admin edits apply without restart;
uses stdlib net/smtp + STARTTLS) and FakeSender (test/concurrent-
safe call recorder).
- Embedded text + HTML templates for the password reset email,
rendered via stdlib text/template + html/template. The HTML
uses the FabledSword forest-teal accent color.
- ErrNotConfigured surfaces when smtp_config.enabled is false or
required fields are empty; callers like the future forgot-password
handler will treat this as "log and pretend success" to avoid
user-enumeration leaks.
Three admin endpoints under RequireAdmin:
- GET /api/admin/smtp-config — returns the singleton; password
field is masked ("***" or "").
- PUT /api/admin/smtp-config — updates settings. Validates
host + from_address are non-empty when enabled=true. Empty
password in the request preserves the stored value (so the
operator doesn't have to re-enter it on every save).
- POST /api/admin/smtp-config/test — sends a real test email to
the calling admin's email. 400 if admin has no email; 500 with
the error message on send failure (so the operator can debug
config without grep-then-trace through logs).
Tests cover the password-mask, password-preservation-on-empty,
enabled-requires-host-and-from validation, and the no-email-on-file
rejection. Mailer unit tests cover the fake recorder and template
rendering. The "real SMTP send" path needs a live server and isn't
covered in CI; the FakeSender covers that role for downstream tests.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
138 lines
3.9 KiB
Go
138 lines
3.9 KiB
Go
package api
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"encoding/json"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"os"
|
|
"testing"
|
|
|
|
"github.com/go-chi/chi/v5"
|
|
|
|
"git.fabledsword.com/bvandeusen/minstrel/internal/auth"
|
|
)
|
|
|
|
func newAdminSMTPRouter(h *handlers) chi.Router {
|
|
r := chi.NewRouter()
|
|
r.Route("/api/admin", func(admin chi.Router) {
|
|
admin.Use(auth.RequireAdmin())
|
|
admin.Get("/smtp-config", h.handleGetSMTPConfig)
|
|
admin.Put("/smtp-config", h.handleUpdateSMTPConfig)
|
|
admin.Post("/smtp-config/test", h.handleTestSMTPConfig)
|
|
})
|
|
return r
|
|
}
|
|
|
|
func TestSMTPConfig_GetMasksPassword(t *testing.T) {
|
|
if os.Getenv("MINSTREL_TEST_DATABASE_URL") == "" {
|
|
t.Skip("MINSTREL_TEST_DATABASE_URL not set")
|
|
}
|
|
h, pool := testHandlers(t)
|
|
admin := seedUser(t, pool, "smtpadmin", "pw", true)
|
|
|
|
// Seed a non-empty password.
|
|
if _, err := pool.Exec(context.Background(),
|
|
"UPDATE smtp_config SET password = 'secret' WHERE id = true"); err != nil {
|
|
t.Fatalf("seed: %v", err)
|
|
}
|
|
|
|
req := httptest.NewRequest(http.MethodGet, "/api/admin/smtp-config", nil)
|
|
req = withUser(req, admin)
|
|
rec := httptest.NewRecorder()
|
|
newAdminSMTPRouter(h).ServeHTTP(rec, req)
|
|
|
|
if rec.Code != http.StatusOK {
|
|
t.Fatalf("status = %d, want 200", rec.Code)
|
|
}
|
|
var resp smtpConfigResp
|
|
if err := json.Unmarshal(rec.Body.Bytes(), &resp); err != nil {
|
|
t.Fatalf("decode: %v", err)
|
|
}
|
|
if resp.Password != "***" {
|
|
t.Errorf("password = %q, want \"***\"", resp.Password)
|
|
}
|
|
}
|
|
|
|
func TestSMTPConfig_UpdatePreservesPasswordWhenEmpty(t *testing.T) {
|
|
if os.Getenv("MINSTREL_TEST_DATABASE_URL") == "" {
|
|
t.Skip("MINSTREL_TEST_DATABASE_URL not set")
|
|
}
|
|
h, pool := testHandlers(t)
|
|
admin := seedUser(t, pool, "smtpupd", "pw", true)
|
|
|
|
// Seed a known password.
|
|
if _, err := pool.Exec(context.Background(),
|
|
"UPDATE smtp_config SET password = 'original' WHERE id = true"); err != nil {
|
|
t.Fatalf("seed: %v", err)
|
|
}
|
|
|
|
body := `{
|
|
"enabled": true,
|
|
"host": "smtp.example.com",
|
|
"port": 587,
|
|
"username": "u",
|
|
"password": "",
|
|
"from_address": "from@example.com",
|
|
"from_name": "T",
|
|
"use_tls": true
|
|
}`
|
|
req := httptest.NewRequest(http.MethodPut, "/api/admin/smtp-config",
|
|
bytes.NewReader([]byte(body)))
|
|
req = withUser(req, admin)
|
|
rec := httptest.NewRecorder()
|
|
newAdminSMTPRouter(h).ServeHTTP(rec, req)
|
|
|
|
if rec.Code != http.StatusNoContent {
|
|
t.Fatalf("status = %d, want 204; body=%s", rec.Code, rec.Body.String())
|
|
}
|
|
|
|
// Password preserved?
|
|
var pass string
|
|
if err := pool.QueryRow(context.Background(),
|
|
"SELECT password FROM smtp_config WHERE id = true").Scan(&pass); err != nil {
|
|
t.Fatalf("verify: %v", err)
|
|
}
|
|
if pass != "original" {
|
|
t.Errorf("password = %q, want \"original\" (preserved when empty in request)", pass)
|
|
}
|
|
}
|
|
|
|
func TestSMTPConfig_UpdateValidatesEnabled(t *testing.T) {
|
|
if os.Getenv("MINSTREL_TEST_DATABASE_URL") == "" {
|
|
t.Skip("MINSTREL_TEST_DATABASE_URL not set")
|
|
}
|
|
h, pool := testHandlers(t)
|
|
admin := seedUser(t, pool, "smtpvalid", "pw", true)
|
|
|
|
body := `{"enabled": true, "host": "", "from_address": "", "port": 587, "use_tls": true}`
|
|
req := httptest.NewRequest(http.MethodPut, "/api/admin/smtp-config",
|
|
bytes.NewReader([]byte(body)))
|
|
req = withUser(req, admin)
|
|
rec := httptest.NewRecorder()
|
|
newAdminSMTPRouter(h).ServeHTTP(rec, req)
|
|
|
|
if rec.Code != http.StatusBadRequest {
|
|
t.Errorf("status = %d, want 400 (missing host + from_address with enabled=true)", rec.Code)
|
|
}
|
|
}
|
|
|
|
func TestSMTPConfig_TestRequiresEmail(t *testing.T) {
|
|
if os.Getenv("MINSTREL_TEST_DATABASE_URL") == "" {
|
|
t.Skip("MINSTREL_TEST_DATABASE_URL not set")
|
|
}
|
|
h, pool := testHandlers(t)
|
|
// Admin without email on file.
|
|
admin := seedUser(t, pool, "noemail", "pw", true)
|
|
|
|
req := httptest.NewRequest(http.MethodPost, "/api/admin/smtp-config/test", nil)
|
|
req = withUser(req, admin)
|
|
rec := httptest.NewRecorder()
|
|
newAdminSMTPRouter(h).ServeHTTP(rec, req)
|
|
|
|
if rec.Code != http.StatusBadRequest {
|
|
t.Errorf("status = %d, want 400 (no email on file)", rec.Code)
|
|
}
|
|
}
|