1// Package webaccount provides a web app for users to view and change their account

2// settings, and to import/export email.

3package webaccount

5import (

6 "bytes"

7 "context"

8 cryptorand "crypto/rand"

9 "encoding/base64"

10 "encoding/json"

11 "encoding/pem"

12 "errors"

13 "fmt"

14 "io"

15 "log/slog"

16 "net/http"

17 "net/url"

18 "os"

19 "path/filepath"

20 "strings"

21 "time"

23 _ "embed"

25 "github.com/mjl-/bstore"

26 "github.com/mjl-/sherpa"

27 "github.com/mjl-/sherpadoc"

28 "github.com/mjl-/sherpaprom"

30 "github.com/mjl-/mox/admin"

31 "github.com/mjl-/mox/config"

32 "github.com/mjl-/mox/mlog"

33 "github.com/mjl-/mox/mox-"

34 "github.com/mjl-/mox/moxvar"

35 "github.com/mjl-/mox/queue"

36 "github.com/mjl-/mox/smtp"

37 "github.com/mjl-/mox/store"

38 "github.com/mjl-/mox/webapi"

39 "github.com/mjl-/mox/webauth"

40 "github.com/mjl-/mox/webhook"

41 "github.com/mjl-/mox/webops"

42)

44var pkglog = mlog.New("webaccount", nil)

46//go:embed api.json

47var accountapiJSON []byte

49//go:embed account.html

50var accountHTML []byte

52//go:embed account.js

53var accountJS []byte

55var webaccountFile = &mox.WebappFile{

56 HTML: accountHTML,

57 JS: accountJS,

58 HTMLPath: filepath.FromSlash("webaccount/account.html"),

59 JSPath: filepath.FromSlash("webaccount/account.js"),

60 CustomStem: "webaccount",

61}

63var accountDoc = mustParseAPI("account", accountapiJSON)

65func mustParseAPI(api string, buf []byte) (doc sherpadoc.Section) {

66 err := json.Unmarshal(buf, &doc)

67 if err != nil {

68 pkglog.Fatalx("parsing webaccount api docs", err, slog.String("api", api))

69 }

70 return doc

71}

73var sherpaHandlerOpts *sherpa.HandlerOpts

75func makeSherpaHandler(cookiePath string, isForwarded bool) (http.Handler, error) {

76 return sherpa.NewHandler("/api/", moxvar.Version, Account{cookiePath, isForwarded}, &accountDoc, sherpaHandlerOpts)

77}

79func init() {

80 collector, err := sherpaprom.NewCollector("moxaccount", nil)

81 if err != nil {

82 pkglog.Fatalx("creating sherpa prometheus collector", err)

83 }

85 sherpaHandlerOpts = &sherpa.HandlerOpts{Collector: collector, AdjustFunctionNames: "none", NoCORS: true}

86 // Just to validate.

87 _, err = makeSherpaHandler("", false)

88 if err != nil {

89 pkglog.Fatalx("sherpa handler", err)

90 }

92 mox.NewWebaccountHandler = func(basePath string, isForwarded bool) http.Handler {

93 return http.HandlerFunc(Handler(basePath, isForwarded))

94 }

95}

97// Handler returns a handler for the webaccount endpoints, customized for the

98// cookiePath.

99func Handler(cookiePath string, isForwarded bool) func(w http.ResponseWriter, r *http.Request) {

100 sh, err := makeSherpaHandler(cookiePath, isForwarded)

101 return func(w http.ResponseWriter, r *http.Request) {

102 if err != nil {

103 http.Error(w, "500 - internal server error - cannot handle requests", http.StatusInternalServerError)

104 return

105 }

106 handle(sh, isForwarded, w, r)

107 }

108}

109

110func xcheckf(ctx context.Context, err error, format string, args ...any) {

111 if err == nil {

112 return

113 }

114 // If caller tried saving a config that is invalid, or because of a bad request, cause a user error.

115 if errors.Is(err, mox.ErrConfig) || errors.Is(err, admin.ErrRequest) {

116 xcheckuserf(ctx, err, format, args...)

117 }

118

119 msg := fmt.Sprintf(format, args...)

120 errmsg := fmt.Sprintf("%s: %s", msg, err)

121 pkglog.WithContext(ctx).Errorx(msg, err)

122 code := "server:error"

123 if errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) {

124 code = "user:error"

125 }

126 panic(&sherpa.Error{Code: code, Message: errmsg})

127}

128

129func xcheckuserf(ctx context.Context, err error, format string, args ...any) {

130 if err == nil {

131 return

132 }

133 msg := fmt.Sprintf(format, args...)

134 errmsg := fmt.Sprintf("%s: %s", msg, err)

135 pkglog.WithContext(ctx).Errorx(msg, err)

136 panic(&sherpa.Error{Code: "user:error", Message: errmsg})

137}

138

139// Account exports web API functions for the account web interface. All its

140// methods are exported under api/. Function calls require valid HTTP

141// Authentication credentials of a user.

142type Account struct {

143 cookiePath string // From listener, for setting authentication cookies.

144 isForwarded bool // From listener, whether we look at X-Forwarded-* headers.

145}

146

147func handle(apiHandler http.Handler, isForwarded bool, w http.ResponseWriter, r *http.Request) {

148 ctx := context.WithValue(r.Context(), mlog.CidKey, mox.Cid())

149 log := pkglog.WithContext(ctx).With(slog.String("userauth", ""))

150

151 // Without authentication. The token is unguessable.

152 if r.URL.Path == "/importprogress" {

153 if r.Method != "GET" {

154 http.Error(w, "405 - method not allowed - get required", http.StatusMethodNotAllowed)

155 return

156 }

157

158 q := r.URL.Query()

159 token := q.Get("token")

160 if token == "" {

161 http.Error(w, "400 - bad request - missing token", http.StatusBadRequest)

162 return

163 }

164

165 flusher, ok := w.(http.Flusher)

166 if !ok {

167 log.Error("internal error: ResponseWriter not a http.Flusher")

168 http.Error(w, "500 - internal error - cannot access underlying connection", 500)

169 return

170 }

171

172 l := importListener{token, make(chan importEvent, 100), make(chan bool, 1)}

173 importers.Register <- &l

174 ok = <-l.Register

175 if !ok {

176 http.Error(w, "400 - bad request - unknown token, import may have finished more than a minute ago", http.StatusBadRequest)

177 return

178 }

179 defer func() {

180 importers.Unregister <- &l

181 }()

182

183 h := w.Header()

184 h.Set("Content-Type", "text/event-stream")

185 h.Set("Cache-Control", "no-cache")

186 _, err := w.Write([]byte(": keepalive\n\n"))

187 if err != nil {

188 return

189 }

190 flusher.Flush()

191

192 cctx := r.Context()

193 for {

194 select {

195 case e := <-l.Events:

196 _, err := w.Write(e.SSEMsg)

197 flusher.Flush()

198 if err != nil {

199 return

200 }

201

202 case <-cctx.Done():

203 return

204 }

205 }

206 }

207

208 // HTML/JS can be retrieved without authentication.

209 if r.URL.Path == "/" {

210 switch r.Method {

211 case "GET", "HEAD":

212 webaccountFile.Serve(ctx, log, w, r)

213 default:

214 http.Error(w, "405 - method not allowed - use get", http.StatusMethodNotAllowed)

215 }

216 return

217 } else if r.URL.Path == "/licenses.txt" {

218 switch r.Method {

219 case "GET", "HEAD":

220 mox.LicensesWrite(w)

221 default:

222 http.Error(w, "405 - method not allowed - use get", http.StatusMethodNotAllowed)

223 }

224 return

225 }

226

227 isAPI := strings.HasPrefix(r.URL.Path, "/api/")

228 // Only allow POST for calls, they will not work cross-domain without CORS.

229 if isAPI && r.URL.Path != "/api/" && r.Method != "POST" {

230 http.Error(w, "405 - method not allowed - use post", http.StatusMethodNotAllowed)

231 return

232 }

233

234 var loginAddress, accName string

235 var sessionToken store.SessionToken

236 // All other URLs, except the login endpoint require some authentication.

237 if r.URL.Path != "/api/LoginPrep" && r.URL.Path != "/api/Login" {

238 var ok bool

239 isExport := r.URL.Path == "/export"

240 requireCSRF := isAPI || r.URL.Path == "/import" || isExport

241 accName, sessionToken, loginAddress, ok = webauth.Check(ctx, log, webauth.Accounts, "webaccount", isForwarded, w, r, isAPI, requireCSRF, isExport)

242 if !ok {

243 // Response has been written already.

244 return

245 }

246 }

247

248 if isAPI {

249 reqInfo := requestInfo{loginAddress, accName, sessionToken, w, r}

250 ctx = context.WithValue(ctx, requestInfoCtxKey, reqInfo)

251 apiHandler.ServeHTTP(w, r.WithContext(ctx))

252 return

253 }

254

255 switch r.URL.Path {

256 case "/export":

257 webops.Export(log, accName, w, r)

258

259 case "/import":

260 if r.Method != "POST" {

261 http.Error(w, "405 - method not allowed - post required", http.StatusMethodNotAllowed)

262 return

263 }

264

265 f, _, err := r.FormFile("file")

266 if err != nil {

267 if errors.Is(err, http.ErrMissingFile) {

268 http.Error(w, "400 - bad request - missing file", http.StatusBadRequest)

269 } else {

270 http.Error(w, "500 - internal server error - "+err.Error(), http.StatusInternalServerError)

271 }

272 return

273 }

274 defer func() {

275 err := f.Close()

276 log.Check(err, "closing form file")

277 }()

278 skipMailboxPrefix := r.FormValue("skipMailboxPrefix")

279 tmpf, err := os.CreateTemp("", "mox-import")

280 if err != nil {

281 http.Error(w, "500 - internal server error - "+err.Error(), http.StatusInternalServerError)

282 return

283 }

284 defer func() {

285 if tmpf != nil {

286 store.CloseRemoveTempFile(log, tmpf, "upload")

287 }

288 }()

289 if _, err := io.Copy(tmpf, f); err != nil {

290 log.Errorx("copying import to temporary file", err)

291 http.Error(w, "500 - internal server error - "+err.Error(), http.StatusInternalServerError)

292 return

293 }

294 token, isUserError, err := importStart(log, accName, tmpf, skipMailboxPrefix)

295 if err != nil {

296 log.Errorx("starting import", err, slog.Bool("usererror", isUserError))

297 if isUserError {

298 http.Error(w, "400 - bad request - "+err.Error(), http.StatusBadRequest)

299 } else {

300 http.Error(w, "500 - internal server error - "+err.Error(), http.StatusInternalServerError)

301 }

302 return

303 }

304 tmpf = nil // importStart is now responsible for cleanup.

305

306 w.Header().Set("Content-Type", "application/json")

307 _ = json.NewEncoder(w).Encode(ImportProgress{Token: token})

308

309 default:

310 http.NotFound(w, r)

311 }

312}

313

314// ImportProgress is returned after uploading a file to import.

315type ImportProgress struct {

316 // For fetching progress, or cancelling an import.

317 Token string

318}

319

320type ctxKey string

321

322var requestInfoCtxKey ctxKey = "requestInfo"

323

324type requestInfo struct {

325 LoginAddress string

326 AccountName string

327 SessionToken store.SessionToken

328 Response http.ResponseWriter

329 Request *http.Request // For Proto and TLS connection state during message submit.

330}

331

332// LoginPrep returns a login token, and also sets it as cookie. Both must be

333// present in the call to Login.

334func (w Account) LoginPrep(ctx context.Context) string {

335 log := pkglog.WithContext(ctx)

336 reqInfo := ctx.Value(requestInfoCtxKey).(requestInfo)

337

338 var data [8]byte

339 _, err := cryptorand.Read(data[:])

340 xcheckf(ctx, err, "generate token")

341 loginToken := base64.RawURLEncoding.EncodeToString(data[:])

342

343 webauth.LoginPrep(ctx, log, "webaccount", w.cookiePath, w.isForwarded, reqInfo.Response, reqInfo.Request, loginToken)

344

345 return loginToken

346}

347

348// Login returns a session token for the credentials, or fails with error code

349// "user:badLogin". Call LoginPrep to get a loginToken.

350func (w Account) Login(ctx context.Context, loginToken, username, password string) store.CSRFToken {

351 log := pkglog.WithContext(ctx)

352 reqInfo := ctx.Value(requestInfoCtxKey).(requestInfo)

353

354 csrfToken, err := webauth.Login(ctx, log, webauth.Accounts, "webaccount", w.cookiePath, w.isForwarded, reqInfo.Response, reqInfo.Request, loginToken, username, password)

355 if _, ok := err.(*sherpa.Error); ok {

356 panic(err)

357 }

358 xcheckf(ctx, err, "login")

359 return csrfToken

360}

361

362// Logout invalidates the session token.

363func (w Account) Logout(ctx context.Context) {

364 log := pkglog.WithContext(ctx)

365 reqInfo := ctx.Value(requestInfoCtxKey).(requestInfo)

366

367 err := webauth.Logout(ctx, log, webauth.Accounts, "webaccount", w.cookiePath, w.isForwarded, reqInfo.Response, reqInfo.Request, reqInfo.AccountName, reqInfo.SessionToken)

368 xcheckf(ctx, err, "logout")

369}

370

371// SetPassword saves a new password for the account, invalidating the previous password.

372// Sessions are not interrupted, and will keep working. New login attempts must use the new password.

373// Password must be at least 8 characters.

374func (Account) SetPassword(ctx context.Context, password string) {

375 log := pkglog.WithContext(ctx)

376 if len(password) < 8 {

377 panic(&sherpa.Error{Code: "user:error", Message: "password must be at least 8 characters"})

378 }

379

380 reqInfo := ctx.Value(requestInfoCtxKey).(requestInfo)

381 acc, err := store.OpenAccount(log, reqInfo.AccountName)

382 xcheckf(ctx, err, "open account")

383 defer func() {

384 err := acc.Close()

385 log.Check(err, "closing account")

386 }()

387

388 // Retrieve session, resetting password invalidates it.

389 ls, err := store.SessionUse(ctx, log, reqInfo.AccountName, reqInfo.SessionToken, "")

390 xcheckf(ctx, err, "get session")

391

392 err = acc.SetPassword(log, password)

393 xcheckf(ctx, err, "setting password")

394

395 // Session has been invalidated. Add it again.

396 err = store.SessionAddToken(ctx, log, &ls)

397 xcheckf(ctx, err, "restoring session after password reset")

398}

399

400// Account returns information about the account.

401// StorageUsed is the sum of the sizes of all messages, in bytes.

402// StorageLimit is the maximum storage that can be used, or 0 if there is no limit.

403func (Account) Account(ctx context.Context) (account config.Account, storageUsed, storageLimit int64, suppressions []webapi.Suppression) {

404 log := pkglog.WithContext(ctx)

405 reqInfo := ctx.Value(requestInfoCtxKey).(requestInfo)

406

407 acc, err := store.OpenAccount(log, reqInfo.AccountName)

408 xcheckf(ctx, err, "open account")

409 defer func() {

410 err := acc.Close()

411 log.Check(err, "closing account")

412 }()

413

414 var accConf config.Account

415 acc.WithRLock(func() {

416 accConf, _ = acc.Conf()

417

418 storageLimit = acc.QuotaMessageSize()

419 err := acc.DB.Read(ctx, func(tx *bstore.Tx) error {

420 du := store.DiskUsage{ID: 1}

421 err := tx.Get(&du)

422 storageUsed = du.MessageSize

423 return err

424 })

425 xcheckf(ctx, err, "get disk usage")

426 })

427

428 suppressions, err = queue.SuppressionList(ctx, reqInfo.AccountName)

429 xcheckf(ctx, err, "list suppressions")

430

431 return accConf, storageUsed, storageLimit, suppressions

432}

433

434// AccountSaveFullName saves the full name (used as display name in email messages)

435// for the account.

436func (Account) AccountSaveFullName(ctx context.Context, fullName string) {

437 reqInfo := ctx.Value(requestInfoCtxKey).(requestInfo)

438 err := admin.AccountSave(ctx, reqInfo.AccountName, func(acc *config.Account) {

439 acc.FullName = fullName

440 })

441 xcheckf(ctx, err, "saving account full name")

442}

443

444// DestinationSave updates a destination.

445// OldDest is compared against the current destination. If it does not match, an

446// error is returned. Otherwise newDest is saved and the configuration reloaded.

447func (Account) DestinationSave(ctx context.Context, destName string, oldDest, newDest config.Destination) {

448 reqInfo := ctx.Value(requestInfoCtxKey).(requestInfo)

449

450 err := admin.AccountSave(ctx, reqInfo.AccountName, func(conf *config.Account) {

451 curDest, ok := conf.Destinations[destName]

452 if !ok {

453 xcheckuserf(ctx, errors.New("not found"), "looking up destination")

454 }

455 if !curDest.Equal(oldDest) {

456 xcheckuserf(ctx, errors.New("modified"), "checking stored destination")

457 }

458

459 // Keep fields we manage.

460 newDest.DMARCReports = curDest.DMARCReports

461 newDest.HostTLSReports = curDest.HostTLSReports

462 newDest.DomainTLSReports = curDest.DomainTLSReports

463

464 // Make copy of reference values.

465 nd := map[string]config.Destination{}

466 for dn, d := range conf.Destinations {

467 nd[dn] = d

468 }

469 nd[destName] = newDest

470 conf.Destinations = nd

471 })

472 xcheckf(ctx, err, "saving destination")

473}

474

475// ImportAbort aborts an import that is in progress. If the import exists and isn't

476// finished, no changes will have been made by the import.

477func (Account) ImportAbort(ctx context.Context, importToken string) error {

478 req := importAbortRequest{importToken, make(chan error)}

479 importers.Abort <- req

480 return <-req.Response

481}

482

483// Types exposes types not used in API method signatures, such as the import form upload.

484func (Account) Types() (importProgress ImportProgress) {

485 return

486}

487

488// SuppressionList lists the addresses on the suppression list of this account.

489func (Account) SuppressionList(ctx context.Context) (suppressions []webapi.Suppression) {

490 reqInfo := ctx.Value(requestInfoCtxKey).(requestInfo)

491 l, err := queue.SuppressionList(ctx, reqInfo.AccountName)

492 xcheckf(ctx, err, "list suppressions")

493 return l

494}

495

496// SuppressionAdd adds an email address to the suppression list.

497func (Account) SuppressionAdd(ctx context.Context, address string, manual bool, reason string) (suppression webapi.Suppression) {

498 reqInfo := ctx.Value(requestInfoCtxKey).(requestInfo)

499 addr, err := smtp.ParseAddress(address)

500 xcheckuserf(ctx, err, "parsing address")

501 sup := webapi.Suppression{

502 Account: reqInfo.AccountName,

503 Manual: manual,

504 Reason: reason,

505 }

506 err = queue.SuppressionAdd(ctx, addr.Path(), &sup)

507 if err != nil && errors.Is(err, bstore.ErrUnique) {

508 xcheckuserf(ctx, err, "add suppression")

509 }

510 xcheckf(ctx, err, "add suppression")

511 return sup

512}

513

514// SuppressionRemove removes the email address from the suppression list.

515func (Account) SuppressionRemove(ctx context.Context, address string) {

516 reqInfo := ctx.Value(requestInfoCtxKey).(requestInfo)

517 addr, err := smtp.ParseAddress(address)

518 xcheckuserf(ctx, err, "parsing address")

519 err = queue.SuppressionRemove(ctx, reqInfo.AccountName, addr.Path())

520 if err != nil && err == bstore.ErrAbsent {

521 xcheckuserf(ctx, err, "remove suppression")

522 }

523 xcheckf(ctx, err, "remove suppression")

524}

525

526// OutgoingWebhookSave saves a new webhook url for outgoing deliveries. If url

527// is empty, the webhook is disabled. If authorization is non-empty it is used for

528// the Authorization header in HTTP requests. Events specifies the outgoing events

529// to be delivered, or all if empty/nil.

530func (Account) OutgoingWebhookSave(ctx context.Context, url, authorization string, events []string) {

531 reqInfo := ctx.Value(requestInfoCtxKey).(requestInfo)

532 err := admin.AccountSave(ctx, reqInfo.AccountName, func(acc *config.Account) {

533 if url == "" {

534 acc.OutgoingWebhook = nil

535 } else {

536 acc.OutgoingWebhook = &config.OutgoingWebhook{URL: url, Authorization: authorization, Events: events}

537 }

538 })

539 xcheckf(ctx, err, "saving account outgoing webhook")

540}

541

542// OutgoingWebhookTest makes a test webhook call to urlStr, with optional

543// authorization. If the HTTP request is made this call will succeed also for

544// non-2xx HTTP status codes.

545func (Account) OutgoingWebhookTest(ctx context.Context, urlStr, authorization string, data webhook.Outgoing) (code int, response string, errmsg string) {

546 log := pkglog.WithContext(ctx)

547

548 xvalidURL(ctx, urlStr)

549 log.Debug("making webhook test call for outgoing message", slog.String("url", urlStr))

550

551 var b bytes.Buffer

552 enc := json.NewEncoder(&b)

553 enc.SetIndent("", "\t")

554 enc.SetEscapeHTML(false)

555 err := enc.Encode(data)

556 xcheckf(ctx, err, "encoding outgoing webhook data")

557

558 code, response, err = queue.HookPost(ctx, log, 1, 1, urlStr, authorization, b.String())

559 if err != nil {

560 errmsg = err.Error()

561 }

562 log.Debugx("result for webhook test call for outgoing message", err, slog.Int("code", code), slog.String("response", response))

563 return code, response, errmsg

564}

565

566// IncomingWebhookSave saves a new webhook url for incoming deliveries. If url is

567// empty, the webhook is disabled. If authorization is not empty, it is used in

568// the Authorization header in requests.

569func (Account) IncomingWebhookSave(ctx context.Context, url, authorization string) {

570 reqInfo := ctx.Value(requestInfoCtxKey).(requestInfo)

571 err := admin.AccountSave(ctx, reqInfo.AccountName, func(acc *config.Account) {

572 if url == "" {

573 acc.IncomingWebhook = nil

574 } else {

575 acc.IncomingWebhook = &config.IncomingWebhook{URL: url, Authorization: authorization}

576 }

577 })

578 xcheckf(ctx, err, "saving account incoming webhook")

579}

580

581func xvalidURL(ctx context.Context, s string) {

582 u, err := url.Parse(s)

583 xcheckuserf(ctx, err, "parsing url")

584 if u.Scheme != "http" && u.Scheme != "https" {

585 xcheckuserf(ctx, errors.New("scheme must be http or https"), "parsing url")

586 }

587}

588

589// IncomingWebhookTest makes a test webhook HTTP delivery request to urlStr,

590// with optional authorization header. If the HTTP call is made, this function

591// returns non-error regardless of HTTP status code.

592func (Account) IncomingWebhookTest(ctx context.Context, urlStr, authorization string, data webhook.Incoming) (code int, response string, errmsg string) {

593 log := pkglog.WithContext(ctx)

594

595 xvalidURL(ctx, urlStr)

596 log.Debug("making webhook test call for incoming message", slog.String("url", urlStr))

597

598 var b bytes.Buffer

599 enc := json.NewEncoder(&b)

600 enc.SetEscapeHTML(false)

601 enc.SetIndent("", "\t")

602 err := enc.Encode(data)

603 xcheckf(ctx, err, "encoding incoming webhook data")

604 code, response, err = queue.HookPost(ctx, log, 1, 1, urlStr, authorization, b.String())