chahine/rebreak-monorepo
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity
rebreak-monorepo/backend/server/api/mail/scan-internal.post.ts
chahinebrini 8075c8e79c feat(mail): outlook-OAuth scan + daemon initial-sweep + page polish v4 
USP-Confirmed: Outlook-OAuth Casino-Bonus-Mail wurde end-to-end gefiltert
(User-verifiziert). Mit dieser Welle ist der Daemon plus alle Scan-Pfade
OAuth-aware.

Backend — Mail-Stack (mo):

- backend/server/utils/mail-auth.ts NEU: zentraler resolveImapAuth-Helper
  kapselt OAuth-vs-AppPassword-Entscheidung. 5-min-Token-Expiry-Puffer,
  race-condition-sicheres Refresh via refreshAndSaveTokens.
- scan.post.ts + scan-internal.post.ts nutzen jetzt resolveImapAuth statt
  decrypt(passwordEncrypted). Vorher: Outlook-Connections wurden still
  übersprungen weil passwordEncrypted='' → decrypt failed. Cron + manueller
  Scan-Button funktionieren jetzt für OAuth-Connections.
- imap-idle: Initial-Sweep via triggerScan(conn) direkt nach Connect-Success.
  Neue Outlook-Connections kriegen sofort einen Full-Folder-Scan statt bis
  zu 30 Min Cron-Lag zu warten. scan-internal scannt ohnehin schon alle
  Folders via imap.list() (Junk, Spam, Archive, Custom) — Multi-Folder-
  Anforderung ist damit erfüllt.

Frontend — Mail-Page Polish v4 (rebreak-native-ui):

- MailDistributionChart: Donut zurück auf 200px (240 wuchs auch in der
  Breite und quetschte die Legend), "Live"-Pill-Header komplett raus
  (paddingTop von 16 auf 13 reduziert für tighteres Layout)
- mail.tsx Page-Hierarchie: "Mehr Infos"-Collapsible wandert von unter
  der Postfach-Liste direkt unter den Hero-Donut. Sub-Beschreibung
  "Blockiert — letzte 30 Tage" entfernt — Title reicht.
- Account-Card Expanded: adaptive Bar-Chart über Connection-Age
  (too-new <24h zeigt Empty-State, 1-14d Day-Buckets via Backend
  ?connectionId=, 15-90d client-Week-Aggregation, >90d Month)
- Account-Card Expanded: Scan-Button "Jetzt scannen" mit Refresh-Icon
  (Memory: kein Pen-Icon, refresh ok). Spinner während Scan, Feedback
  mit Blocked-Count nach Success.

Eskalations-Hinweis (nicht in dieser Welle):
- POST /api/mail/scan akzeptiert noch keinen connectionId-Filter →
  Scan-Button-Tap scannt aktuell alle Connections statt nur die
  angeklickte. Kleiner Folge-Patch, nicht blocking.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-13 23:55:18 +02:00

251 lines
8.9 KiB
TypeScript
Raw Blame History

import { ImapFlow } from "imapflow";
import {
getMailConnections,
deleteOldMailBlocked,
getAlreadyBlockedUidSet,
insertMailBlocked,
upsertMailBlockedStat,
updateMailConnectionScanStats,
} from "../../db/mail";
import { getBlocklistedDomainsSet } from "../../db/domains";
import { getProfile } from "../../db/profile";
import { getPlanLimits } from "../../utils/plan-features";
import { resolveProviderMeta } from "../../utils/imap-providers";
import { resolveImapAuth } from "../../utils/mail-auth";
// Single-Source-of-Truth (Mo's Finding #4)
// @ts-expect-error — .mjs ohne types, GAMBLING_KEYWORDS ist string[]
import { GAMBLING_KEYWORDS } from "../../utils/gambling-keywords.mjs";
/**
* POST /api/mail/scan-internal
* Called by cron or IMAP proxy. Scans ALL mailbox folders.
* Free: only custom domains + keywords. Pro/Legend: global blocklist + custom.
*/
export default defineEventHandler(async (event) => {
const secret = getHeader(event, "x-admin-secret");
const adminSecret = process.env.NUXT_ADMIN_SECRET || process.env.ADMIN_SECRET;
if (!secret || !adminSecret || secret !== adminSecret) {
throw createError({ statusCode: 401, message: "Unauthorized" });
}
const body = (await readBody(event)) as { userId?: string };
const userId = body?.userId;
if (!userId)
throw createError({ statusCode: 400, message: "userId missing" });
const connections = await getMailConnections(userId);
if (connections.length === 0) return { ok: true, scanned: 0, blocked: 0, skippedNoConsent: 0 };
// Consent-Gate (DSGVO Art. 9): Cron ist NICHT user-initiiert — Art. 9-Daten dürfen
// ohne explizite Einwilligung nicht verarbeitet werden. Connections ohne consent_at überspringen.
const skippedNoConsent = connections.filter((c) => !c.consentAt).length;
const eligibleConnections = connections.filter((c) => c.consentAt);
if (skippedNoConsent > 0) {
console.log(
`[scan-internal] skipping ${skippedNoConsent} connections for userId=${userId} — no consent_at (pending re-consent)`,
);
}
if (eligibleConnections.length === 0) {
return { ok: true, scanned: 0, blocked: 0, skippedNoConsent };
}
// Plan-aware blocklist
// Grace-Period: wenn globalBlocklistGraceUntil noch in der Zukunft liegt,
// behandeln wir den User als 'full' auch wenn sein Plan 'curated' sagt.
const profile = await getProfile(userId);
const limits = getPlanLimits(profile?.plan ?? "free");
const inGrace =
profile?.globalBlocklistGraceUntil != null &&
new Date(profile.globalBlocklistGraceUntil) > new Date();
const includeGlobal = limits.globalBlocklist === "full" || inGrace;
await deleteOldMailBlocked(userId);
let totalScanned = 0;
let totalBlocked = 0;
// scan-internal läuft im Cron-Context (kein User-Event). useRuntimeConfig(event)
// funktioniert hier weil event die Admin-Auth-Request-Referenz ist. Falls der
// Daemon triggerScan() direkt ohne echten HTTP-Request aufruft, fällt der
// process.env-Fallback ein — beide Quellen zeigen auf dieselbe Azure Client-ID.
const config = useRuntimeConfig(event);
const msClientId: string = config.msOauthClientId as string || process.env.MS_OAUTH_CLIENT_ID || "";
for (const connection of eligibleConnections) {
// resolveImapAuth() wählt automatisch den richtigen Auth-Pfad:
// oauth2_microsoft → Access-Token (mit proaktivem Refresh falls abgelaufen)
// alle anderen → App-Password decrypt
let imapAuth: { user: string; accessToken: string } | { user: string; pass: string };
try {
imapAuth = await resolveImapAuth(connection, msClientId);
} catch {
continue;
}
// useStarttls=true → STARTTLS (secure=false + requireTLS=true)
// rejectUnauthorized=false → self-signed Certs zulassen (nur Custom-IMAP)
const useImplicitTls = !connection.useStarttls;
const imap = new ImapFlow({
host: connection.imapHost,
port: connection.imapPort,
secure: useImplicitTls,
...(connection.useStarttls ? { requireTLS: true } : {}),
auth: imapAuth,
logger: false,
tls: { rejectUnauthorized: connection.rejectUnauthorized ?? true },
});
let scanned = 0;
let newlyBlocked = 0;
try {
await imap.connect();
// Scan ALL mailbox folders (not just hardcoded list)
const mailboxes = await imap.list();
const scannable = mailboxes.filter(
(mb: any) => !mb.flags?.has("\\Noselect"),
);
console.log(
`[scan-internal] ${connection.email} scanning ${scannable.length} folders`,
);
for (const mb of scannable) {
let lock: any;
try {
lock = await imap.getMailboxLock(mb.path);
} catch {
continue;
}
try {
const SCAN_LIMIT = 200;
const status = await imap.status(mb.path, { messages: true });
const msgCount = (status as any).messages ?? 0;
if (msgCount === 0) continue;
const fetchRange =
msgCount > SCAN_LIMIT ? `${msgCount - SCAN_LIMIT + 1}:*` : "1:*";
const allMessages = await imap.fetchAll(fetchRange, {
envelope: true,
});
scanned += allMessages.length;
totalScanned += allMessages.length;
const allUids = allMessages.map(
(m: any) => `${mb.path}:${String(m.uid ?? m.seq)}`,
);
const [blockedDomainSet, alreadyBlockedSet] = await Promise.all([
getBlocklistedDomainsSet(
allMessages
.map(
(m: any) =>
(m.envelope?.from?.[0]?.address ?? "")
.toLowerCase()
.split("@")[1] ?? "",
)
.filter(Boolean),
userId,
includeGlobal,
),
getAlreadyBlockedUidSet(allUids, userId),
]);
const toInsert: Parameters<typeof insertMailBlocked>[0] = [];
const uidsToDelete: string[] = [];
for (const msg of allMessages) {
const from = msg.envelope?.from?.[0];
const senderEmail = (from?.address ?? "").toLowerCase();
const senderName = from?.name ?? null;
const subject = (msg.envelope?.subject ?? "").trim();
const msgDate = msg.envelope?.date ?? new Date();
const uid = `${mb.path}:${String(msg.uid ?? msg.seq)}`;
const haystack = `${senderEmail} ${subject}`.toLowerCase();
const isGamblingKeyword = GAMBLING_KEYWORDS.some((kw) =>
haystack.includes(kw),
);
const senderDomain = senderEmail.split("@")[1] ?? "";
const isBlocklisted = senderDomain
? blockedDomainSet.has(senderDomain)
: false;
if (!isGamblingKeyword && !isBlocklisted) continue;
if (alreadyBlockedSet.has(uid)) continue;
uidsToDelete.push(String(msg.uid));
toInsert.push({
userId,
connectionId: connection.id,
gmailMessageId: uid,
senderEmail: senderEmail || "unbekannt",
senderName,
subject: subject.slice(0, 200) || "(kein Betreff)",
receivedAt: msgDate,
action: "deleted",
});
newlyBlocked++;
}
if (uidsToDelete.length > 0) {
try {
await imap.messageDelete(uidsToDelete.join(","), { uid: true });
} catch {
try {
for (const uid of uidsToDelete) {
await imap
.messageFlagsAdd(uid, ["\\Deleted"], { uid: true })
.catch(() => {});
}
await (imap as any).expunge().catch(() => {});
} catch {
/* ignore */
}
}
console.log(
`[scan-internal] ${connection.email} | ${mb.path} | deleted ${uidsToDelete.length} gambling mails`,
);
}
await insertMailBlocked(toInsert);
// Aggregat-Stats aktualisieren (vor 24h-Cleanup resistent)
if (toInsert.length > 0) {
const providerMeta = resolveProviderMeta(connection.imapHost);
await upsertMailBlockedStat({
userId,
mailConnectionId: connection.id,
provider: providerMeta.provider,
providerLabel: providerMeta.providerLabel,
count: toInsert.length,
});
}
} finally {
lock.release();
}
}
await imap.logout();
} catch {
try {
await imap.logout();
} catch {}
}
totalBlocked += newlyBlocked;
await updateMailConnectionScanStats(
connection.id,
scanned,
newlyBlocked,
connection.emailsBlocked,
connection.emailsScanned,
connection.scanInterval,
);
}
return { ok: true, scanned: totalScanned, blocked: totalBlocked, skippedNoConsent };
});
Reference in New Issue View Git Blame Copy Permalink