26 "github.com/mjl-/bstore"
27 "github.com/mjl-/sherpa"
29 "github.com/mjl-/mox/config"
30 "github.com/mjl-/mox/dns"
31 "github.com/mjl-/mox/mlog"
32 "github.com/mjl-/mox/mox-"
33 "github.com/mjl-/mox/queue"
34 "github.com/mjl-/mox/store"
35 "github.com/mjl-/mox/webauth"
36 "github.com/mjl-/mox/webhook"
39var ctxbg = context.Background()
43 webauth.BadAuthDelay = 0
46func tcheck(t *testing.T, err error, msg string) {
49 t.Fatalf("%s: %s", msg, err)
53func readBody(r io.Reader) string {
54 buf, err := io.ReadAll(r)
56 return fmt.Sprintf("read error: %s", err)
58 return fmt.Sprintf("data: %q", buf)
61func tneedErrorCode(t *testing.T, code string, fn func()) {
68 t.Fatalf("expected sherpa user error, saw success")
70 if err, ok := x.(*sherpa.Error); !ok {
72 t.Fatalf("expected sherpa error, saw %#v", x)
73 } else if err.Code != code {
75 t.Fatalf("expected sherpa error code %q, saw other sherpa error %#v", code, err)
82func tcompare(t *testing.T, got, expect any) {
84 if !reflect.DeepEqual(got, expect) {
85 t.Fatalf("got:\n%#v\nexpected:\n%#v", got, expect)
89func TestAccount(t *testing.T) {
90 os.RemoveAll("../testdata/httpaccount/data")
91 mox.ConfigStaticPath = filepath.FromSlash("../testdata/httpaccount/mox.conf")
92 mox.ConfigDynamicPath = filepath.Join(filepath.Dir(mox.ConfigStaticPath), "domains.conf")
93 mox.MustLoadConfig(true, false)
94 log := mlog.New("webaccount", nil)
95 acc, err := store.OpenAccount(log, "mjl☺")
96 tcheck(t, err, "open account")
97 err = acc.SetPassword(log, "test1234")
98 tcheck(t, err, "set password")
101 tcheck(t, err, "closing account")
104 defer store.Switchboard()()
106 api := Account{cookiePath: "/account/"}
107 apiHandler, err := makeSherpaHandler(api.cookiePath, false)
108 tcheck(t, err, "sherpa handler")
110 // Record HTTP response to get session cookie for login.
111 respRec := httptest.NewRecorder()
112 reqInfo := requestInfo{"", "", "", respRec, &http.Request{RemoteAddr: "127.0.0.1:1234"}}
113 ctx := context.WithValue(ctxbg, requestInfoCtxKey, reqInfo)
115 // Missing login token.
116 tneedErrorCode(t, "user:error", func() { api.Login(ctx, "", "mjl☺@mox.example", "test1234") })
118 // Login with loginToken.
119 loginCookie := &http.Cookie{Name: "webaccountlogin"}
120 loginCookie.Value = api.LoginPrep(ctx)
121 reqInfo.Request.Header = http.Header{"Cookie": []string{loginCookie.String()}}
123 csrfToken := api.Login(ctx, loginCookie.Value, "mjl☺@mox.example", "test1234")
124 var sessionCookie *http.Cookie
125 for _, c := range respRec.Result().Cookies() {
126 if c.Name == "webaccountsession" {
131 if sessionCookie == nil {
132 t.Fatalf("missing session cookie")
135 // Valid loginToken, but bad credentials.
136 loginCookie.Value = api.LoginPrep(ctx)
137 reqInfo.Request.Header = http.Header{"Cookie": []string{loginCookie.String()}}
138 tneedErrorCode(t, "user:loginFailed", func() { api.Login(ctx, loginCookie.Value, "mjl☺@mox.example", "badauth") })
139 tneedErrorCode(t, "user:loginFailed", func() { api.Login(ctx, loginCookie.Value, "baduser@mox.example", "badauth") })
140 tneedErrorCode(t, "user:loginFailed", func() { api.Login(ctx, loginCookie.Value, "baduser@baddomain.example", "badauth") })
142 type httpHeaders [][2]string
143 ctJSON := [2]string{"Content-Type", "application/json; charset=utf-8"}
145 cookieOK := &http.Cookie{Name: "webaccountsession", Value: sessionCookie.Value}
146 cookieBad := &http.Cookie{Name: "webaccountsession", Value: "AAAAAAAAAAAAAAAAAAAAAA mjl"}
147 hdrSessionOK := [2]string{"Cookie", cookieOK.String()}
148 hdrSessionBad := [2]string{"Cookie", cookieBad.String()}
149 hdrCSRFOK := [2]string{"x-mox-csrf", string(csrfToken)}
150 hdrCSRFBad := [2]string{"x-mox-csrf", "AAAAAAAAAAAAAAAAAAAAAA"}
152 testHTTP := func(method, path string, headers httpHeaders, expStatusCode int, expHeaders httpHeaders, check func(resp *http.Response)) {
155 req := httptest.NewRequest(method, path, nil)
156 for _, kv := range headers {
157 req.Header.Add(kv[0], kv[1])
159 rr := httptest.NewRecorder()
160 rr.Body = &bytes.Buffer{}
161 handle(apiHandler, false, rr, req)
162 if rr.Code != expStatusCode {
163 t.Fatalf("got status %d, expected %d (%s)", rr.Code, expStatusCode, readBody(rr.Body))
167 for _, h := range expHeaders {
168 if resp.Header.Get(h[0]) != h[1] {
169 t.Fatalf("for header %q got value %q, expected %q", h[0], resp.Header.Get(h[0]), h[1])
177 testHTTPAuthAPI := func(method, path string, expStatusCode int, expHeaders httpHeaders, check func(resp *http.Response)) {
179 testHTTP(method, path, httpHeaders{hdrCSRFOK, hdrSessionOK}, expStatusCode, expHeaders, check)
182 userAuthError := func(resp *http.Response, expCode string) {
185 var response struct {
186 Error *sherpa.Error `json:"error"`
188 err := json.NewDecoder(resp.Body).Decode(&response)
189 tcheck(t, err, "parsing response as json")
190 if response.Error == nil {
191 t.Fatalf("expected sherpa error with code %s, no error", expCode)
193 if response.Error.Code != expCode {
194 t.Fatalf("got sherpa error code %q, expected %s", response.Error.Code, expCode)
197 badAuth := func(resp *http.Response) {
199 userAuthError(resp, "user:badAuth")
201 noAuth := func(resp *http.Response) {
203 userAuthError(resp, "user:noAuth")
206 testHTTP("POST", "/api/Bogus", httpHeaders{}, http.StatusOK, nil, noAuth)
207 testHTTP("POST", "/api/Bogus", httpHeaders{hdrCSRFBad}, http.StatusOK, nil, noAuth)
208 testHTTP("POST", "/api/Bogus", httpHeaders{hdrSessionBad}, http.StatusOK, nil, noAuth)
209 testHTTP("POST", "/api/Bogus", httpHeaders{hdrCSRFBad, hdrSessionBad}, http.StatusOK, nil, badAuth)
210 testHTTP("POST", "/api/Bogus", httpHeaders{hdrCSRFOK}, http.StatusOK, nil, noAuth)
211 testHTTP("POST", "/api/Bogus", httpHeaders{hdrSessionOK}, http.StatusOK, nil, noAuth)
212 testHTTP("POST", "/api/Bogus", httpHeaders{hdrCSRFBad, hdrSessionOK}, http.StatusOK, nil, badAuth)
213 testHTTP("POST", "/api/Bogus", httpHeaders{hdrCSRFOK, hdrSessionBad}, http.StatusOK, nil, badAuth)
214 testHTTPAuthAPI("GET", "/api/Types", http.StatusMethodNotAllowed, nil, nil)
215 testHTTPAuthAPI("POST", "/api/Types", http.StatusOK, httpHeaders{ctJSON}, nil)
217 testHTTP("POST", "/import", httpHeaders{}, http.StatusForbidden, nil, nil)
218 testHTTP("POST", "/import", httpHeaders{hdrSessionBad}, http.StatusForbidden, nil, nil)
219 testHTTP("GET", "/export", httpHeaders{}, http.StatusForbidden, nil, nil)
220 testHTTP("GET", "/export", httpHeaders{hdrSessionBad}, http.StatusForbidden, nil, nil)
221 testHTTP("GET", "/export", httpHeaders{hdrSessionOK}, http.StatusForbidden, nil, nil)
223 // SetPassword needs the token.
224 sessionToken := store.SessionToken(strings.SplitN(sessionCookie.Value, " ", 2)[0])
225 reqInfo = requestInfo{"mjl☺@mox.example", "mjl☺", sessionToken, respRec, &http.Request{RemoteAddr: "127.0.0.1:1234"}}
226 ctx = context.WithValue(ctxbg, requestInfoCtxKey, reqInfo)
228 api.SetPassword(ctx, "test1234")
230 err = queue.Init() // For DB.
231 tcheck(t, err, "queue init")
233 account, _, _, _ := api.Account(ctx)
235 // Check we don't see the alias member list.
236 tcompare(t, len(account.Aliases), 1)
237 tcompare(t, account.Aliases[0], config.AddressAlias{
238 SubscriptionAddress: "mjl☺@mox.example",
240 LocalpartStr: "support",
241 Domain: dns.Domain{ASCII: "mox.example"},
246 api.DestinationSave(ctx, "mjl☺@mox.example", account.Destinations["mjl☺@mox.example"], account.Destinations["mjl☺@mox.example"]) // todo: save modified value and compare it afterwards
248 api.AccountSaveFullName(ctx, account.FullName+" changed") // todo: check if value was changed
249 api.AccountSaveFullName(ctx, account.FullName)
253 // Import mbox/maildir tgz/zip.
254 testImport := func(filename string, expect int) {
257 var reqBody bytes.Buffer
258 mpw := multipart.NewWriter(&reqBody)
259 part, err := mpw.CreateFormFile("file", path.Base(filename))
260 tcheck(t, err, "creating form file")
261 buf, err := os.ReadFile(filename)
262 tcheck(t, err, "reading file")
263 _, err = part.Write(buf)
264 tcheck(t, err, "write part")
266 tcheck(t, err, "close multipart writer")
268 r := httptest.NewRequest("POST", "/import", &reqBody)
269 r.Header.Add("Content-Type", mpw.FormDataContentType())
270 r.Header.Add("x-mox-csrf", string(csrfToken))
271 r.Header.Add("Cookie", cookieOK.String())
272 w := httptest.NewRecorder()
273 handle(apiHandler, false, w, r)
274 if w.Code != http.StatusOK {
275 t.Fatalf("import, got status code %d, expected 200: %s", w.Code, w.Body.Bytes())
278 if err := json.Unmarshal(w.Body.Bytes(), &m); err != nil {
279 t.Fatalf("parsing import response: %v", err)
282 l := importListener{m.Token, make(chan importEvent, 100), make(chan bool)}
283 importers.Register <- &l
285 t.Fatalf("register failed")
288 importers.Unregister <- &l
297 switch x := e.Event.(type) {
301 t.Fatalf("unexpected problem: %q", x.Message)
306 t.Fatalf("unexpected aborted import")
308 panic(fmt.Sprintf("missing case for Event %#v", e))
312 t.Fatalf("imported %d messages, expected %d", count, expect)
315 testImport(filepath.FromSlash("../testdata/importtest.mbox.zip"), 2)
316 testImport(filepath.FromSlash("../testdata/importtest.maildir.tgz"), 2)
318 // Check there are messages, with the right flags.
319 acc.DB.Read(ctxbg, func(tx *bstore.Tx) error {
320 _, err = bstore.QueryTx[store.Message](tx).FilterEqual("Expunged", false).FilterIn("Keywords", "other").FilterIn("Keywords", "test").Get()
321 tcheck(t, err, `fetching message with keywords "other" and "test"`)
323 mb, err := acc.MailboxFind(tx, "importtest")
324 tcheck(t, err, "looking up mailbox importtest")
326 t.Fatalf("missing mailbox importtest")
328 sort.Strings(mb.Keywords)
329 if strings.Join(mb.Keywords, " ") != "other test" {
330 t.Fatalf(`expected mailbox keywords "other" and "test", got %v`, mb.Keywords)
333 n, err := bstore.QueryTx[store.Message](tx).FilterEqual("Expunged", false).FilterIn("Keywords", "custom").Count()
334 tcheck(t, err, `fetching message with keyword "custom"`)
336 t.Fatalf(`got %d messages with keyword "custom", expected 2`, n)
339 mb, err = acc.MailboxFind(tx, "maildir")
340 tcheck(t, err, "looking up mailbox maildir")
342 t.Fatalf("missing mailbox maildir")
344 if strings.Join(mb.Keywords, " ") != "custom" {
345 t.Fatalf(`expected mailbox keywords "custom", got %v`, mb.Keywords)
351 testExport := func(format, archive string, expectFiles int) {
354 fields := url.Values{
355 "csrf": []string{string(csrfToken)},
356 "format": []string{format},
357 "archive": []string{archive},
358 "mailbox": []string{""},
359 "recursive": []string{"on"},
361 r := httptest.NewRequest("POST", "/export", strings.NewReader(fields.Encode()))
362 r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
363 r.Header.Add("Cookie", cookieOK.String())
364 w := httptest.NewRecorder()
365 handle(apiHandler, false, w, r)
366 if w.Code != http.StatusOK {
367 t.Fatalf("export, got status code %d, expected 200: %s", w.Code, w.Body.Bytes())
370 if archive == "zip" {
371 buf := w.Body.Bytes()
372 zr, err := zip.NewReader(bytes.NewReader(buf), int64(len(buf)))
373 tcheck(t, err, "reading zip")
374 for _, f := range zr.File {
375 if !strings.HasSuffix(f.Name, "/") {
380 var src io.Reader = w.Body
381 if archive == "tgz" {
382 gzr, err := gzip.NewReader(src)
383 tcheck(t, err, "gzip reader")
386 tr := tar.NewReader(src)
392 tcheck(t, err, "next file in tar")
393 if !strings.HasSuffix(h.Name, "/") {
396 _, err = io.Copy(io.Discard, tr)
397 tcheck(t, err, "reading from tar")
400 if count != expectFiles {
401 t.Fatalf("export, has %d files, expected %d", count, expectFiles)
405 testExport("maildir", "tgz", 6) // 2 mailboxes, each with 2 messages and a dovecot-keyword file
406 testExport("maildir", "zip", 6)
407 testExport("mbox", "tar", 2+6) // 2 imported plus 6 default mailboxes (Inbox, Draft, etc)
408 testExport("mbox", "zip", 2+6)
410 sl := api.SuppressionList(ctx)
411 tcompare(t, len(sl), 0)
413 api.SuppressionAdd(ctx, "mjl@mox.example", true, "testing")
414 tneedErrorCode(t, "user:error", func() { api.SuppressionAdd(ctx, "mjl@mox.example", true, "testing") }) // Duplicate.
415 tneedErrorCode(t, "user:error", func() { api.SuppressionAdd(ctx, "bogus", true, "testing") }) // Bad address.
417 sl = api.SuppressionList(ctx)
418 tcompare(t, len(sl), 1)
420 api.SuppressionRemove(ctx, "mjl@mox.example")
421 tneedErrorCode(t, "user:error", func() { api.SuppressionRemove(ctx, "mjl@mox.example") }) // Absent.
422 tneedErrorCode(t, "user:error", func() { api.SuppressionRemove(ctx, "bogus") }) // Not an address.
425 hookServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
426 fmt.Fprintln(w, "ok")
429 defer hookServer.Close()
431 api.OutgoingWebhookSave(ctx, "http://localhost:1234", "Basic base64", []string{"delivered"})
432 api.OutgoingWebhookSave(ctx, "http://localhost:1234", "Basic base64", []string{})
433 tneedErrorCode(t, "user:error", func() {
434 api.OutgoingWebhookSave(ctx, "http://localhost:1234/outgoing", "Basic base64", []string{"bogus"})
436 tneedErrorCode(t, "user:error", func() { api.OutgoingWebhookSave(ctx, "invalid", "Basic base64", nil) })
437 api.OutgoingWebhookSave(ctx, "", "", nil) // Restore.
439 code, response, errmsg := api.OutgoingWebhookTest(ctx, hookServer.URL, "", webhook.Outgoing{})
440 tcompare(t, code, 200)
441 tcompare(t, response, "ok\n")
442 tcompare(t, errmsg, "")
443 tneedErrorCode(t, "user:error", func() { api.OutgoingWebhookTest(ctx, "bogus", "", webhook.Outgoing{}) })
445 api.IncomingWebhookSave(ctx, "http://localhost:1234", "Basic base64")
446 tneedErrorCode(t, "user:error", func() { api.IncomingWebhookSave(ctx, "invalid", "Basic base64") })
447 api.IncomingWebhookSave(ctx, "", "") // Restore.
449 code, response, errmsg = api.IncomingWebhookTest(ctx, hookServer.URL, "", webhook.Incoming{})
450 tcompare(t, code, 200)
451 tcompare(t, response, "ok\n")
452 tcompare(t, errmsg, "")
453 tneedErrorCode(t, "user:error", func() { api.IncomingWebhookTest(ctx, "bogus", "", webhook.Incoming{}) })
455 api.FromIDLoginAddressesSave(ctx, []string{"mjl☺@mox.example"})
456 api.FromIDLoginAddressesSave(ctx, []string{"mjl☺@mox.example", "mjl☺+fromid@mox.example"})
457 api.FromIDLoginAddressesSave(ctx, []string{})
458 tneedErrorCode(t, "user:error", func() { api.FromIDLoginAddressesSave(ctx, []string{"bogus@other.example"}) })
460 api.KeepRetiredPeriodsSave(ctx, time.Minute, time.Minute)
461 api.KeepRetiredPeriodsSave(ctx, 0, 0) // Restore.
463 api.AutomaticJunkFlagsSave(ctx, true, "^(junk|spam)", "^(inbox|neutral|postmaster|dmarc|tlsrpt|rejects)", "")
464 api.AutomaticJunkFlagsSave(ctx, false, "", "", "")
466 api.RejectsSave(ctx, "Rejects", true)
467 api.RejectsSave(ctx, "Rejects", false)
468 api.RejectsSave(ctx, "", false) // Restore.
471 tneedErrorCode(t, "server:error", func() { api.Logout(ctx) })