22 "github.com/mjl-/mox/message"
23 "github.com/mjl-/mox/mlog"
24 "github.com/mjl-/mox/mox-"
25 "github.com/mjl-/mox/queue"
26 "github.com/mjl-/mox/store"
27 "github.com/mjl-/mox/webapi"
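// ctxbg is the background context handed to the store and webapi client calls
// in this test file. It is never cancelled and carries no deadline.
var ctxbg = context.Background()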
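// tcheckf aborts the test when err is non-nil. The failure message is the
// formatted step description (format, args) followed by the error itself.
// A nil err is a no-op, so it can follow every fallible call unconditionally.
func tcheckf(t *testing.T, err error, format string, args ...any) {
	// Attribute the failure to the calling line rather than to this helper.
	t.Helper()
	if err != nil {
		t.Fatalf("%s: %s", fmt.Sprintf(format, args...), err)
	}
}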
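// tcompare aborts the test when got and expect are not deeply equal, printing
// both values in Go syntax (%#v) so differences in type or nil-ness are visible.
func tcompare(t *testing.T, got, expect any) {
	// Attribute the failure to the calling line rather than to this helper.
	t.Helper()
	// DeepEqual is type-sensitive: an int never equals an int64 of the same value.
	if !reflect.DeepEqual(got, expect) {
		t.Fatalf("got:\n%#v\nexpected:\n%#v", got, expect)
	}
}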
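// terrcode aborts the test unless err is a webapi.Error whose Code equals code.
// A nil err, an error of another type, and a webapi.Error with a different
// code each produce their own failure message.
func terrcode(t *testing.T, err error, code string) {
	// Attribute the failure to the calling line rather than to this helper.
	t.Helper()
	if err == nil {
		t.Fatalf("no error, expected error with code %q", code)
	}
	// Direct type assertion: a webapi.Error wrapped inside another error would
	// not match here and is reported as the wrong kind of error.
	if xerr, ok := err.(webapi.Error); !ok {
		t.Fatalf("got %v, expected webapi error with code %q", err, code)
	} else if xerr.Code != code {
		t.Fatalf("got error code %q, expected %q", xerr.Code, code)
	}
}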
// TestServer drives the webapi server end to end: it loads the test
// configuration, sets up store and queue, and then exercises HTTP routing,
// authentication failures, request-body validation, Send, the suppression
// list calls and the Message* calls, both through webapi.Client and through
// hand-built HTTP requests.
//
// NOTE(review): this listing carries fused gutter numbers and skips source
// lines (the numbering has gaps), so some guards, loop headers, assignments
// and closing braces are not visible. The comments below describe only what
// the visible lines show; anything inferred is marked as such.
58func TestServer(t *testing.T) {
// Start from an empty data directory. The RemoveAll result is not checked.
60 os.RemoveAll("../testdata/webapisrv/data")
62 mox.ConfigStaticPath = filepath.FromSlash("../testdata/webapisrv/mox.conf")
63 mox.MustLoadConfig(true, false)
64 err := store.Init(ctxbg)
65 tcheckf(t, err, "store init")
68 tcheckf(t, err, "store close")
70 defer store.Switchboard()()
72 tcheckf(t, err, "queue init")
73 defer queue.Shutdown()
75 log := mlog.New("webapisrv", nil)
76 acc, err := store.OpenAccount(log, "mjl", false)
77 tcheckf(t, err, "open account")
// The password is stored in its decomposed spelling with unusual spaces (pw0);
// pw1 is the normalized spelling of the same password. Both are used as
// credentials further down (pw0 by client, pw1 in the Basic auth headers) and
// both are expected to authenticate, so the test pins that the password
// check is insensitive to these Unicode representation differences.
78 const pw0 = "te\u0301st \u00a0\u2002\u200a" // NFD and various unicode spaces.
79 const pw1 = "tést " // PRECIS normalized, with NFC.
80 err = acc.SetPassword(log, pw0)
81 tcheckf(t, err, "set password")
84 log.Check(err, "closing account")
// NOTE(review): the meaning of the three NewServer arguments is not shown
// here. The first looks like a size limit and the boolean like the
// "forwarded" switch that is set to true for sfwd below; confirm against
// NewServer.
88 s := NewServer(100*1024, "/webapi/", false).(server)
89 hs := httptest.NewServer(s)
92 // server expects the mount path to be stripped already.
93 client := webapi.Client{BaseURL: hs.URL + "/v0/", Username: "mjl@mox.example", Password: pw0}
// testHTTPHdrsBody builds a request with the given method, path, headers and
// body, records the response, and checks status code, Content-Type and, when
// expErrCode is non-empty, the Code of the JSON error body.
// NOTE(review): the call that hands the request to s is on a line missing
// from this listing.
95 testHTTPHdrsBody := func(s server, method, path string, headers map[string]string, body string, expCode int, expTooMany bool, expCT, expErrCode string) {
98 r := httptest.NewRequest(method, path, strings.NewReader(body))
99 for k, v := range headers {
102 w := httptest.NewRecorder()
// The status is compared with expCode unless the response is a 429 and the
// caller declared a rate-limited answer acceptable (expTooMany).
105 if res.StatusCode != http.StatusTooManyRequests || !expTooMany {
106 tcompare(t, res.StatusCode, expCode)
109 tcompare(t, res.Header.Get("Content-Type"), expCT)
111 if expErrCode != "" {
112 dec := json.NewDecoder(res.Body)
// Strict decoding: a field in the error body that webapi.Error does not
// declare fails the test.
113 dec.DisallowUnknownFields()
114 var apierr webapi.Error
115 err := dec.Decode(&apierr)
116 tcheckf(t, err, "decoding json error")
117 tcompare(t, apierr.Code, expErrCode)
// testHTTP is the shorthand for a request without headers or body against s.
120 testHTTP := func(method, path string, expCode int, expCT string) {
122 testHTTPHdrsBody(s, method, path, nil, "", expCode, false, expCT, "")
// Routing and method checks. None of these requests carries credentials.
125 testHTTP("GET", "/", http.StatusSeeOther, "")
126 testHTTP("POST", "/", http.StatusMethodNotAllowed, "")
127 testHTTP("GET", "/v0/", http.StatusOK, "text/html; charset=utf-8")
128 testHTTP("GET", "/other/", http.StatusNotFound, "")
129 testHTTP("GET", "/v0/Send", http.StatusOK, "text/html; charset=utf-8")
130 testHTTP("GET", "/v0/MessageRawGet", http.StatusOK, "text/html; charset=utf-8")
131 testHTTP("GET", "/v0/Bogus", http.StatusNotFound, "")
132 testHTTP("PUT", "/v0/Send", http.StatusMethodNotAllowed, "")
// A POST to an API method without an Authorization header is answered 401.
133 testHTTP("POST", "/v0/Send", http.StatusUnauthorized, "")
136 // Missing auth doesn't trigger auth rate limiter.
137 testHTTP("POST", "/v0/Send", http.StatusUnauthorized, "")
// Bad-password attempts: the expected status starts as 401 and is switched to
// 429. NOTE(review): the loop around these lines and the assignment of
// tooMany are on lines missing from this listing.
141 expCode := http.StatusUnauthorized
144 expCode = http.StatusTooManyRequests
146 testHTTPHdrsBody(s, "POST", "/v0/Send", map[string]string{"Authorization": "Basic " + base64.StdEncoding.EncodeToString([]byte("mjl@mox.example:badpassword"))}, "", expCode, tooMany, "", "")
150 // Cannot login to disabled account.
151 acc2, err := store.OpenAccount(log, "disabled", false)
152 tcheckf(t, err, "open account")
153 err = acc2.SetPassword(log, "test1234")
154 tcheckf(t, err, "set password")
156 tcheckf(t, err, "close account")
// The correct password and a wrong one get the same 401 for the disabled
// account, so the status code does not reveal whether the password matched.
157 testHTTPHdrsBody(s, "POST", "/v0/Send", map[string]string{"Authorization": "Basic " + base64.StdEncoding.EncodeToString([]byte("disabled@mox.example:test1234"))}, "", http.StatusUnauthorized, false, "", "")
158 testHTTPHdrsBody(s, "POST", "/v0/Send", map[string]string{"Authorization": "Basic " + base64.StdEncoding.EncodeToString([]byte("disabled@mox.example:bogus"))}, "", http.StatusUnauthorized, false, "", "")
160 // Request with missing X-Forwarded-For.
// sfwd is built with the boolean set to true. A request without an
// X-Forwarded-For header is expected to end in a 500, not in the 401 the
// same bad password gets from s above.
161 sfwd := NewServer(100*1024, "/webapi/", true).(server)
162 testHTTPHdrsBody(sfwd, "POST", "/v0/Send", map[string]string{"Authorization": "Basic " + base64.StdEncoding.EncodeToString([]byte("mjl@mox.example:badpassword"))}, "", http.StatusInternalServerError, false, "", "")
164 // Body must be form, not JSON.
// From here on the requests authenticate with the normalized spelling pw1.
// Each malformed body is expected to be answered with 400 and error code
// "protocol".
165 authz := "Basic " + base64.StdEncoding.EncodeToString([]byte("mjl@mox.example:"+pw1))
166 testHTTPHdrsBody(s, "POST", "/v0/Send", map[string]string{"Content-Type": "application/json", "Authorization": authz}, "{}", http.StatusBadRequest, false, "application/json; charset=utf-8", "protocol")
167 testHTTPHdrsBody(s, "POST", "/v0/Send", map[string]string{"Content-Type": "multipart/form-data", "Authorization": authz}, "not formdata", http.StatusBadRequest, false, "application/json; charset=utf-8", "protocol")
168 formAuth := map[string]string{
169 "Content-Type": "application/x-www-form-urlencoded",
170 "Authorization": authz,
172 testHTTPHdrsBody(s, "POST", "/v0/Send", formAuth, "not encoded\n\n", http.StatusBadRequest, false, "application/json; charset=utf-8", "protocol")
173 // Missing "request".
174 testHTTPHdrsBody(s, "POST", "/v0/Send", formAuth, "", http.StatusBadRequest, false, "application/json; charset=utf-8", "protocol")
175 // "request" must be JSON.
176 testHTTPHdrsBody(s, "POST", "/v0/Send", formAuth, "request=notjson", http.StatusBadRequest, false, "application/json; charset=utf-8", "protocol")
177 // "request" must be JSON object.
178 testHTTPHdrsBody(s, "POST", "/v0/Send", formAuth, "request=[]", http.StatusBadRequest, false, "application/json; charset=utf-8", "protocol")
180 // Send message. Look for the message in the queue.
183 sendReq := webapi.SendRequest{
184 Message: webapi.Message{
185 From: []webapi.NameAddress{{Name: "møx", Address: "mjl@mox.example"}},
186 To: []webapi.NameAddress{{Name: "móx", Address: "mjl+to@mox.example"}, {Address: "mjl+to2@mox.example"}},
187 CC: []webapi.NameAddress{{Name: "möx", Address: "mjl+cc@mox.example"}},
188 BCC: []webapi.NameAddress{{Name: "møx", Address: "mjl+bcc@mox.example"}},
189 ReplyTo: []webapi.NameAddress{{Name: "reply1", Address: "mox+reply1@mox.example"}, {Name: "reply2", Address: "mox+reply2@mox.example"}},
190 MessageID: "<random@localhost>",
191 References: []string{"<messageid0@localhost>", "<messageid1@localhost>"},
193 Subject: "¡hello world!",
195 HTML: `<html><img src="cid:x" /></html>`, // Newline will be added.
197 Extra: map[string]string{"a": "123"},
198 Headers: [][2]string{{"x-custom", "header"}},
199 AlternativeFiles: []webapi.File{
202 ContentType: "text/calendar",
203 Data: base64.StdEncoding.EncodeToString([]byte("ics data...")),
206 InlineFiles: []webapi.File{
209 ContentType: "image/png",
211 Data: base64.StdEncoding.EncodeToString([]byte("png data")),
214 AttachedFiles: []webapi.File{
216 Data: base64.StdEncoding.EncodeToString([]byte("%PDF-")), // Should be detected as PDF.
223 sendResp, err := client.Send(ctxbg, sendReq)
224 tcheckf(t, err, "send message")
// The caller-supplied Message-ID is echoed back, and there is one submission
// per recipient in the order To, CC, BCC.
225 tcompare(t, sendResp.MessageID, sendReq.Message.MessageID)
226 tcompare(t, len(sendResp.Submissions), 2+1+1) // 2 to, 1 cc, 1 bcc
227 subs := sendResp.Submissions
228 tcompare(t, subs[0].Address, "mjl+to@mox.example")
229 tcompare(t, subs[1].Address, "mjl+to2@mox.example")
230 tcompare(t, subs[2].Address, "mjl+cc@mox.example")
231 tcompare(t, subs[3].Address, "mjl+bcc@mox.example")
// The last submission's queue message ID is the first one's plus three.
232 tcompare(t, subs[3].QueueMsgID, subs[0].QueueMsgID+3)
// No FromID when logging in as plain mjl@mox.example; compare the
// mjl+fromid@ login in the multipart request below.
233 tcompare(t, subs[0].FromID, "")
234 // todo: look in queue for parameters. parse the message.
236 // Send a custom multipart/form-data POST, with different request parameters, and
238 var sb strings.Builder
239 mp := multipart.NewWriter(&sb)
240 fdSendReq := webapi.SendRequest{
241 Message: webapi.Message{
242 To: []webapi.NameAddress{{Address: "møx@mox.example"}},
243 // Let server assign date, message-id.
247 // Don't let server add its own user-agent.
248 Headers: [][2]string{{"User-Agent", "test"}},
250 sendReqBuf, err := json.Marshal(fdSendReq)
251 tcheckf(t, err, "send request")
// NOTE(review): the error returned by WriteField is not checked, unlike the
// other multipart writes below.
252 mp.WriteField("request", string(sendReqBuf))
254 // One alternative file.
255 pw, err := mp.CreateFormFile("alternativefile", "test.ics")
256 tcheckf(t, err, "create alternative ics file")
257 _, err = fmt.Fprint(pw, "ICS...")
258 tcheckf(t, err, "write ics")
// Two inline parts with the same field name and the same file name.
261 pw, err = mp.CreateFormFile("inlinefile", "test.pdf")
262 tcheckf(t, err, "create inline pdf file")
263 _, err = fmt.Fprint(pw, "%PDF-")
264 tcheckf(t, err, "write pdf")
265 pw, err = mp.CreateFormFile("inlinefile", "test.pdf")
266 tcheckf(t, err, "create second inline pdf file")
267 _, err = fmt.Fprint(pw, "%PDF-")
268 tcheckf(t, err, "write second pdf")
// The attached file is written with a hand-built part header so that it can
// carry a Content-ID, which CreateFormFile does not set.
271 fh := textproto.MIMEHeader{}
272 fh.Set("Content-Disposition", `form-data; name="attachedfile"; filename="test.pdf"`)
273 fh.Set("Content-ID", "<testpdf>")
274 pw, err = mp.CreatePart(fh)
275 tcheckf(t, err, "create attached pdf file")
276 _, err = fmt.Fprint(pw, "%PDF-")
277 tcheckf(t, err, "write attached pdf")
278 fdct := mp.FormDataContentType()
280 tcheckf(t, err, "close multipart")
282 // Perform custom POST.
283 req, err := http.NewRequest("POST", hs.URL+"/v0/Send", strings.NewReader(sb.String()))
284 tcheckf(t, err, "new request")
285 req.Header.Set("Content-Type", fdct)
286 // Use a unique MAIL FROM id when delivering.
287 req.Header.Set("Authorization", "Basic "+base64.StdEncoding.EncodeToString([]byte("mjl+fromid@mox.example:"+pw1)))
// NOTE(review): no resp.Body.Close() is visible for this response in the
// listing; confirm in the full file.
288 resp, err := http.DefaultClient.Do(req)
289 tcheckf(t, err, "request multipart/form-data")
290 tcompare(t, resp.StatusCode, http.StatusOK)
291 var sendRes webapi.SendResult
292 err = json.NewDecoder(resp.Body).Decode(&sendRes)
293 tcheckf(t, err, "parse send response")
// The server assigned a Message-ID, and the mjl+fromid@ login produced a
// non-empty FromID for the single submission.
294 tcompare(t, sendRes.MessageID != "", true)
295 tcompare(t, len(sendRes.Submissions), 1)
296 tcompare(t, sendRes.Submissions[0].FromID != "", true)
298 // Trigger various error conditions.
// Only part of each request literal below is visible in this listing.
299 _, err = client.Send(ctxbg, webapi.SendRequest{
300 Message: webapi.Message{
301 To: []webapi.NameAddress{{Address: "mjl@mox.example"}},
305 terrcode(t, err, "missingBody")
// The From address differs from the authenticated mjl@mox.example login.
// NOTE(review): presumably rejected because it is not an address of the
// account; confirm against the server.
307 _, err = client.Send(ctxbg, webapi.SendRequest{
308 Message: webapi.Message{
309 From: []webapi.NameAddress{{Address: "other@mox.example"}},
310 To: []webapi.NameAddress{{Address: "mjl@mox.example"}},
315 terrcode(t, err, "badFrom")
317 _, err = client.Send(ctxbg, webapi.SendRequest{
318 Message: webapi.Message{
319 From: []webapi.NameAddress{{Address: "mox@mox.example"}, {Address: "mox@mox.example"}},
320 To: []webapi.NameAddress{{Address: "mjl@mox.example"}},
325 terrcode(t, err, "multipleFrom")
327 _, err = client.Send(ctxbg, webapi.SendRequest{Message: webapi.Message{Subject: "test", Text: "hi"}})
328 terrcode(t, err, "noRecipients")
// A Message-ID without angle brackets is rejected.
330 _, err = client.Send(ctxbg, webapi.SendRequest{
331 Message: webapi.Message{
332 MessageID: "missingltgt@localhost",
333 To: []webapi.NameAddress{{Address: "møx@mox.example"}},
338 terrcode(t, err, "malformedMessageID")
// NOTE(review): the visible lines of this case are identical to the previous
// one; unless the lines missing from the listing differ, it is redundant.
340 _, err = client.Send(ctxbg, webapi.SendRequest{
341 Message: webapi.Message{
342 MessageID: "missingltgt@localhost",
343 To: []webapi.NameAddress{{Address: "møx@mox.example"}},
348 terrcode(t, err, "malformedMessageID")
// From address in the domain disabled.example.
350 _, err = client.Send(ctxbg, webapi.SendRequest{
351 Message: webapi.Message{
352 From: []webapi.NameAddress{{Address: "mjl@disabled.example"}},
353 To: []webapi.NameAddress{{Address: "mjl@mox.example"}},
358 terrcode(t, err, "domainDisabled")
360 // todo: messageLimitReached, recipientLimitReached
363 supListRes, err := client.SuppressionList(ctxbg, webapi.SuppressionListRequest{})
364 tcheckf(t, err, "listing suppressions")
365 tcompare(t, len(supListRes.Suppressions), 0)
// The suppression calls below use xn--74h.localhost and ☺.localhost, and
// "Remote.Last-catchall" and "remotelast", interchangeably: the expected
// results treat them as the same domain and the same base address.
368 supAddReq := webapi.SuppressionAddRequest{EmailAddress: "Remote.Last-catchall@xn--74h.localhost", Manual: true, Reason: "tests"}
369 _, err = client.SuppressionAdd(ctxbg, supAddReq)
370 tcheckf(t, err, "add address to suppression list")
371 _, err = client.SuppressionAdd(ctxbg, supAddReq)
372 terrcode(t, err, "error") // Already present.
373 supAddReq2 := webapi.SuppressionAddRequest{EmailAddress: "remotelast@☺.localhost", Manual: false, Reason: "tests"}
374 _, err = client.SuppressionAdd(ctxbg, supAddReq2)
375 terrcode(t, err, "error") // Already present, same base address.
376 supAddReq3 := webapi.SuppressionAddRequest{EmailAddress: "not an address"}
377 _, err = client.SuppressionAdd(ctxbg, supAddReq3)
378 terrcode(t, err, "badAddress")
380 supListRes, err = client.SuppressionList(ctxbg, webapi.SuppressionListRequest{})
381 tcheckf(t, err, "listing suppressions")
382 tcompare(t, len(supListRes.Suppressions), 1)
// Created is overwritten before the comparison so the check does not depend
// on the clock; now is assigned on a line missing from this listing.
383 supListRes.Suppressions[0].Created = now
384 tcompare(t, supListRes.Suppressions, []webapi.Suppression{
389 BaseAddress: "remotelast@☺.localhost",
390 OriginalAddress: "Remote.Last-catchall@☺.localhost",
396 // SuppressionPresent
397 supPresRes, err := client.SuppressionPresent(ctxbg, webapi.SuppressionPresentRequest{EmailAddress: "not@localhost"})
398 tcheckf(t, err, "address present")
399 tcompare(t, supPresRes.Present, false)
400 supPresRes, err = client.SuppressionPresent(ctxbg, webapi.SuppressionPresentRequest{EmailAddress: "remotelast@xn--74h.localhost"})
401 tcheckf(t, err, "address present")
402 tcompare(t, supPresRes.Present, true)
403 supPresRes, err = client.SuppressionPresent(ctxbg, webapi.SuppressionPresentRequest{EmailAddress: "Remote.Last-catchall@☺.localhost"})
404 tcheckf(t, err, "address present")
405 tcompare(t, supPresRes.Present, true)
406 supPresRes, err = client.SuppressionPresent(ctxbg, webapi.SuppressionPresentRequest{EmailAddress: "not an address"})
407 terrcode(t, err, "badAddress")
// Removal succeeds for a spelling that differs in case and carries a "+more"
// suffix; the second removal fails because the entry is gone.
410 _, err = client.SuppressionRemove(ctxbg, webapi.SuppressionRemoveRequest{EmailAddress: "remote.LAST+more@☺.LocalHost"})
411 tcheckf(t, err, "remove suppressed address")
412 _, err = client.SuppressionRemove(ctxbg, webapi.SuppressionRemoveRequest{EmailAddress: "remote.LAST+more@☺.LocalHost"})
413 terrcode(t, err, "error") // Absent.
414 _, err = client.SuppressionRemove(ctxbg, webapi.SuppressionRemoveRequest{EmailAddress: "not an address"})
415 terrcode(t, err, "badAddress")
417 supListRes, err = client.SuppressionList(ctxbg, webapi.SuppressionListRequest{})
418 tcheckf(t, err, "listing suppressions")
419 tcompare(t, len(supListRes.Suppressions), 0)
421 // MessageGet, we retrieve the message we sent first.
422 msgRes, err := client.MessageGet(ctxbg, webapi.MessageGetRequest{MsgID: 1})
// NOTE(review): the step label below says "remove suppressed address" but the
// call being checked is MessageGet; the label looks copied from the
// suppression section.
423 tcheckf(t, err, "remove suppressed address")
// The Date of the returned message is copied into the expected value before
// the comparison.
424 sentMsg := sendReq.Message
425 sentMsg.Date = msgRes.Message.Date
427 tcompare(t, msgRes.Message, sentMsg)
428 // The structure is: mixed (related (alternative text html) inline-png) attached-pdf).
// The attached file was sent as the bytes "%PDF-"; the stored part is
// expected to be labelled application/pdf.
429 pdfpart := msgRes.Structure.Parts[1]
430 tcompare(t, pdfpart.ContentType, "application/pdf")
431 // structure compared below, parsed again from raw message.
432 // todo: compare Meta
// MsgID 1+999 stands for a message that does not exist, here and below.
434 _, err = client.MessageGet(ctxbg, webapi.MessageGetRequest{MsgID: 1 + 999})
435 terrcode(t, err, "messageNotFound")
438 r, err := client.MessageRawGet(ctxbg, webapi.MessageRawGetRequest{MsgID: 1})
439 tcheckf(t, err, "get raw message")
// b is declared on a line missing from this listing. The raw message is
// parsed again locally and its structure must equal the one MessageGet
// returned.
441 _, err = io.Copy(&b, r)
443 tcheckf(t, err, "reading raw message")
444 part, err := message.EnsurePart(log.Logger, true, bytes.NewReader(b.Bytes()), int64(b.Len()))
445 tcheckf(t, err, "parsing raw message")
446 structure, err := queue.PartStructure(log, &part)
447 tcheckf(t, err, "part structure")
448 tcompare(t, structure, msgRes.Structure)
450 _, err = client.MessageRawGet(ctxbg, webapi.MessageRawGetRequest{MsgID: 1 + 999})
451 terrcode(t, err, "messageNotFound")
454 // The structure is: mixed (related (alternative text html) inline-png) attached-pdf).
455 r, err = client.MessagePartGet(ctxbg, webapi.MessagePartGetRequest{MsgID: 1, PartPath: []int{0, 0, 1}})
456 tcheckf(t, err, "get message part")
457 tdata(t, r, sendReq.HTML+"\r\n") // Part returns the raw data with \r\n line endings.
// An empty PartPath is accepted; an index past the last top-level part is not.
460 r, err = client.MessagePartGet(ctxbg, webapi.MessagePartGetRequest{MsgID: 1, PartPath: []int{}})
461 tcheckf(t, err, "get message part")
464 _, err = client.MessagePartGet(ctxbg, webapi.MessagePartGetRequest{MsgID: 1, PartPath: []int{2}})
465 terrcode(t, err, "partNotFound")
467 _, err = client.MessagePartGet(ctxbg, webapi.MessagePartGetRequest{MsgID: 1 + 999, PartPath: []int{}})
468 terrcode(t, err, "messageNotFound")
// Flags are added as "$Forwarded" and read back as "$forwarded": the checks
// below expect the lower-case spelling in Meta.Flags.
470 _, err = client.MessageFlagsAdd(ctxbg, webapi.MessageFlagsAddRequest{MsgID: 1, Flags: []string{`\answered`, "$Forwarded", "custom"}})
471 tcheckf(t, err, "add flags")
473 msgRes, err = client.MessageGet(ctxbg, webapi.MessageGetRequest{MsgID: 1})
474 tcheckf(t, err, "get message")
475 tcompare(t, slices.Contains(msgRes.Meta.Flags, `\answered`), true)
476 tcompare(t, slices.Contains(msgRes.Meta.Flags, "$forwarded"), true)
477 tcompare(t, slices.Contains(msgRes.Meta.Flags, "custom"), true)
479 // Setting duplicate flags doesn't make a change.
480 _, err = client.MessageFlagsAdd(ctxbg, webapi.MessageFlagsAddRequest{MsgID: 1, Flags: []string{`\Answered`, "$forwarded", "custom"}})
481 tcheckf(t, err, "add flags")
482 msgRes2, err := client.MessageGet(ctxbg, webapi.MessageGetRequest{MsgID: 1})
483 tcheckf(t, err, "get message")
484 tcompare(t, msgRes.Meta.Flags, msgRes2.Meta.Flags)
// NOTE(review): the comment below says "generic user error", but the
// assertion expects the specific code "messageNotFound".
486 // Non-existing message gives generic user error.
487 _, err = client.MessageFlagsAdd(ctxbg, webapi.MessageFlagsAddRequest{MsgID: 1 + 999, Flags: []string{`\answered`, "$Forwarded", "custom"}})
488 terrcode(t, err, "messageNotFound")
490 // MessageFlagsRemove
491 _, err = client.MessageFlagsRemove(ctxbg, webapi.MessageFlagsRemoveRequest{MsgID: 1, Flags: []string{`\Answered`, "$forwarded", "custom"}})
492 tcheckf(t, err, "remove")
493 msgRes, err = client.MessageGet(ctxbg, webapi.MessageGetRequest{MsgID: 1})
494 tcheckf(t, err, "get message")
495 tcompare(t, slices.Contains(msgRes.Meta.Flags, `\answered`), false)
496 tcompare(t, slices.Contains(msgRes.Meta.Flags, "$forwarded"), false)
497 tcompare(t, slices.Contains(msgRes.Meta.Flags, "custom"), false)
498 // Can try removing again, no change.
499 _, err = client.MessageFlagsRemove(ctxbg, webapi.MessageFlagsRemoveRequest{MsgID: 1, Flags: []string{`\Answered`, "$forwarded", "custom"}})
500 tcheckf(t, err, "remove")
502 _, err = client.MessageFlagsRemove(ctxbg, webapi.MessageFlagsRemoveRequest{MsgID: 1 + 999, Flags: []string{`\Answered`, "$forwarded", "custom"}})
503 terrcode(t, err, "messageNotFound")
// The sent message starts out in "Sent". A move to an unknown mailbox yields
// the generic "user" code, a move of an unknown message "messageNotFound".
506 tcompare(t, msgRes.Meta.MailboxName, "Sent")
507 _, err = client.MessageMove(ctxbg, webapi.MessageMoveRequest{MsgID: 1, DestMailboxName: "Inbox"})
508 tcheckf(t, err, "move to inbox")
509 msgRes, err = client.MessageGet(ctxbg, webapi.MessageGetRequest{MsgID: 1})
510 tcheckf(t, err, "get message")
511 tcompare(t, msgRes.Meta.MailboxName, "Inbox")
512 _, err = client.MessageMove(ctxbg, webapi.MessageMoveRequest{MsgID: 1, DestMailboxName: "Bogus"})
513 terrcode(t, err, "user")
514 _, err = client.MessageMove(ctxbg, webapi.MessageMoveRequest{MsgID: 1 + 999, DestMailboxName: "Inbox"})
515 terrcode(t, err, "messageNotFound")
// After the delete, a second delete of the same ID yields "user" while
// MessageGet for it and a delete of a never-existing ID yield
// "messageNotFound".
518 _, err = client.MessageDelete(ctxbg, webapi.MessageDeleteRequest{MsgID: 1})
519 tcheckf(t, err, "delete message")
520 _, err = client.MessageDelete(ctxbg, webapi.MessageDeleteRequest{MsgID: 1})
521 terrcode(t, err, "user") // No longer.
522 _, err = client.MessageGet(ctxbg, webapi.MessageGetRequest{MsgID: 1})
523 terrcode(t, err, "messageNotFound") // No longer.
524 _, err = client.MessageDelete(ctxbg, webapi.MessageDeleteRequest{MsgID: 1 + 999})
525 terrcode(t, err, "messageNotFound")
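// tdata reads r to the end and aborts the test unless the bytes read, taken
// as a string, equal exp. A read error also aborts the test.
func tdata(t *testing.T, r io.Reader, exp string) {
	// Attribute the failure to the calling line rather than to this helper.
	t.Helper()
	buf, err := io.ReadAll(r)
	tcheckf(t, err, "reading body")
	tcompare(t, string(buf), exp)
}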