335945fe2c
- plan-features.ts: globalBlocklist 'curated'|'full' (curated = 30-domain stub,
TODO real ~1-2k HaGeZi subset); maxAppDevices vs maxProtectedDevices split
(legend maxProtectedDevices: 2); mail 1/3/Infinity
- limit-enforcement structured errors on mail/connect, custom-domains/add, devices/enroll
({ error:'plan_limit', resource, current, limit }); approved-own-submissions already
excluded from custom-domain count (slot frees on approval)
- server/utils/downgrade-reconciliation.ts: founding-member exemption; re-upgrade
reactivates paused mail + degraded devices; downgrade pauses newest-N mail accounts
(isActive=false, pausedAt, pausedReason; pre-pause sets nextScanAt=now for a final
sweep — real direct IMAP scan is TODO/stub); degrades excess device profiles
(status='degraded', degradedAt); free → globalBlocklistGraceUntil = now+14d;
custom domains grandfathered
- set-plan.post.ts + stripe/webhook.post.ts: run reconciliation on plan change;
set-plan accepts { foundingMember } for testing
- GET /api/plan/change-preview?to=<plan>: gains/keeps/changes per resource (8 axes),
founding-member → direction 'same'
- me.get.ts: + foundingMember, globalBlocklistGraceUntil, planLimits block
- blocklist + mail-scan honour globalBlocklistGraceUntil (grace → treat as 'full')
- db: countMailConnections/getMailConnections exclude paused; getAllMailConnections;
getDeviceBlocklistMode (active|grace|passthrough|revoked)
- migration 20260511_tier_system_phase2 (profiles.founding_member +
global_blocklist_grace_until; mail_connections.paused_at/paused_reason;
protected_devices.degraded_at). prisma generate + build:backend clean.
TODOs (separate tickets): founding-member auto-counter on signup; real direct IMAP
final-scan (not just nextScanAt nudge); real curated blocklist data + wiring the
stub into the blocklist response for free users.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
201 lines
6.3 KiB
TypeScript
201 lines
6.3 KiB
TypeScript
import { ImapFlow } from "imapflow";
|
|
import {
|
|
getMailConnections,
|
|
deleteOldMailBlocked,
|
|
getAlreadyBlockedUidSet,
|
|
insertMailBlocked,
|
|
updateMailConnectionScanStats,
|
|
} from "../../db/mail";
|
|
import { getBlocklistedDomainsSet } from "../../db/domains";
|
|
import { getProfile } from "../../db/profile";
|
|
import { getPlanLimits } from "../../utils/plan-features";
|
|
// Single-Source-of-Truth (Mo's Finding #4)
|
|
// @ts-expect-error — .mjs ohne types, GAMBLING_KEYWORDS ist string[]
|
|
import { GAMBLING_KEYWORDS } from "../../utils/gambling-keywords.mjs";
|
|
|
|
|
|
/**
|
|
* POST /api/mail/scan
|
|
* Scannt ALLE Ordner (INBOX, Spam, Papierkorb, All Mail …) nach Gambling-Mails.
|
|
* Free-User: nur eigene Domains + Keywords. Pro/Legend: globale Blocklist + eigene.
|
|
*/
|
|
export default defineEventHandler(async (event) => {
|
|
const user = await requireUser(event);
|
|
|
|
const connections = await getMailConnections(user.id);
|
|
if (connections.length === 0) {
|
|
throw createError({
|
|
statusCode: 404,
|
|
message: "Kein Mail-Konto verbunden",
|
|
});
|
|
}
|
|
|
|
// Plan-aware: Free users get only custom domains, Pro/Legend get global blocklist
|
|
const profile = await getProfile(user.id);
|
|
const limits = getPlanLimits(profile?.plan ?? "free");
|
|
// Grace-Period berücksichtigen
|
|
const inGrace =
|
|
profile?.globalBlocklistGraceUntil != null &&
|
|
new Date(profile.globalBlocklistGraceUntil) > new Date();
|
|
const includeGlobal = limits.globalBlocklist === "full" || inGrace;
|
|
|
|
await deleteOldMailBlocked(user.id);
|
|
|
|
let totalScanned = 0;
|
|
let totalBlocked = 0;
|
|
|
|
for (const connection of connections) {
|
|
let password: string;
|
|
try {
|
|
password = decrypt(connection.passwordEncrypted);
|
|
} catch {
|
|
continue;
|
|
}
|
|
|
|
// useStarttls=true → STARTTLS (secure=false + requireTLS=true)
|
|
// rejectUnauthorized=false → self-signed Certs zulassen (nur Custom-IMAP)
|
|
const useImplicitTls = !connection.useStarttls;
|
|
const imap = new ImapFlow({
|
|
host: connection.imapHost,
|
|
port: connection.imapPort,
|
|
secure: useImplicitTls,
|
|
...(connection.useStarttls ? { requireTLS: true } : {}),
|
|
auth: { user: connection.email, pass: password },
|
|
logger: false,
|
|
tls: { rejectUnauthorized: connection.rejectUnauthorized ?? true },
|
|
});
|
|
|
|
let scanned = 0;
|
|
let newlyBlocked = 0;
|
|
|
|
try {
|
|
await imap.connect();
|
|
|
|
// Scan ALL mailbox folders (not just hardcoded list)
|
|
const mailboxes = await imap.list();
|
|
const scannable = mailboxes.filter(
|
|
(mb: any) => !mb.flags?.has("\\Noselect"),
|
|
);
|
|
|
|
for (const mb of scannable) {
|
|
let lock: any;
|
|
try {
|
|
lock = await imap.getMailboxLock(mb.path);
|
|
} catch {
|
|
continue;
|
|
}
|
|
try {
|
|
const SCAN_LIMIT = 200;
|
|
const status = await imap.status(mb.path, { messages: true });
|
|
const msgCount = (status as any).messages ?? 0;
|
|
if (msgCount === 0) continue;
|
|
|
|
const fetchRange =
|
|
msgCount > SCAN_LIMIT ? `${msgCount - SCAN_LIMIT + 1}:*` : "1:*";
|
|
const allMessages = await imap.fetchAll(fetchRange, {
|
|
envelope: true,
|
|
});
|
|
scanned += allMessages.length;
|
|
totalScanned += allMessages.length;
|
|
|
|
const allUids = allMessages.map(
|
|
(m: any) => `${mb.path}:${String(m.uid ?? m.seq)}`,
|
|
);
|
|
const [blockedDomainSet, alreadyBlockedSet] = await Promise.all([
|
|
getBlocklistedDomainsSet(
|
|
allMessages
|
|
.map(
|
|
(m: any) =>
|
|
(m.envelope?.from?.[0]?.address ?? "")
|
|
.toLowerCase()
|
|
.split("@")[1] ?? "",
|
|
)
|
|
.filter(Boolean),
|
|
user.id,
|
|
includeGlobal,
|
|
),
|
|
getAlreadyBlockedUidSet(allUids, user.id),
|
|
]);
|
|
|
|
const toInsert: Parameters<typeof insertMailBlocked>[0] = [];
|
|
const uidsToDelete: string[] = [];
|
|
|
|
for (const msg of allMessages) {
|
|
const from = msg.envelope?.from?.[0];
|
|
const senderEmail = (from?.address ?? "").toLowerCase();
|
|
const senderName = from?.name ?? null;
|
|
const subject = (msg.envelope?.subject ?? "").trim();
|
|
const msgDate = msg.envelope?.date ?? new Date();
|
|
const uid = `${mb.path}:${String(msg.uid ?? msg.seq)}`;
|
|
|
|
const haystack = `${senderEmail} ${subject}`.toLowerCase();
|
|
const isGamblingKeyword = GAMBLING_KEYWORDS.some((kw) =>
|
|
haystack.includes(kw),
|
|
);
|
|
const senderDomain = senderEmail.split("@")[1] ?? "";
|
|
const isBlocklisted = senderDomain
|
|
? blockedDomainSet.has(senderDomain)
|
|
: false;
|
|
|
|
if (!isGamblingKeyword && !isBlocklisted) continue;
|
|
if (alreadyBlockedSet.has(uid)) continue;
|
|
|
|
uidsToDelete.push(String(msg.uid));
|
|
toInsert.push({
|
|
userId: user.id,
|
|
connectionId: connection.id,
|
|
gmailMessageId: uid,
|
|
senderEmail: senderEmail || "unbekannt",
|
|
senderName,
|
|
subject: subject.slice(0, 200) || "(kein Betreff)",
|
|
receivedAt: msgDate,
|
|
action: "deleted",
|
|
});
|
|
newlyBlocked++;
|
|
}
|
|
|
|
// Permanently delete gambling mails from this folder
|
|
if (uidsToDelete.length > 0) {
|
|
try {
|
|
await imap.messageDelete(uidsToDelete.join(","), { uid: true });
|
|
} catch {
|
|
try {
|
|
for (const uid of uidsToDelete) {
|
|
await imap
|
|
.messageFlagsAdd(uid, ["\\Deleted"], { uid: true })
|
|
.catch(() => {});
|
|
}
|
|
await imap.expunge();
|
|
} catch {
|
|
/* ignore */
|
|
}
|
|
}
|
|
}
|
|
|
|
await insertMailBlocked(toInsert);
|
|
} finally {
|
|
lock.release();
|
|
}
|
|
}
|
|
|
|
await imap.logout();
|
|
} catch {
|
|
try {
|
|
await imap.logout();
|
|
} catch {}
|
|
}
|
|
|
|
totalBlocked += newlyBlocked;
|
|
await updateMailConnectionScanStats(
|
|
connection.id,
|
|
scanned,
|
|
newlyBlocked,
|
|
connection.emailsBlocked,
|
|
connection.emailsScanned,
|
|
connection.scanInterval,
|
|
);
|
|
}
|
|
|
|
return { scanned: totalScanned, blocked: totalBlocked };
|
|
});
|