Adding upstream version 0.28.1.

Signed-off-by: Daniel Baumann <daniel@debian.org>

mails/base.go

@@ -0,0 +1,33 @@
+// Package mails implements various helper methods for sending common
+// emails like forgotten password, verification, etc.
+package mails
+
+import (
+	"bytes"
+	"text/template"
+)
+
+// resolveTemplateContent resolves inline html template strings.
+func resolveTemplateContent(data any, content ...string) (string, error) {
+	if len(content) == 0 {
+		return "", nil
+	}
+
+	t := template.New("inline_template")
+
+	var parseErr error
+	for _, v := range content {
+		t, parseErr = t.Parse(v)
+		if parseErr != nil {
+			return "", parseErr
+		}
+	}
+
+	var wr bytes.Buffer
+
+	if executeErr := t.Execute(&wr, data); executeErr != nil {
+		return "", executeErr
+	}
+
+	return wr.String(), nil
+}

mails/record.go

@@ -0,0 +1,296 @@
+package mails
+
+import (
+	"html"
+	"html/template"
+	"net/mail"
+	"slices"
+
+	"github.com/pocketbase/pocketbase/core"
+	"github.com/pocketbase/pocketbase/mails/templates"
+	"github.com/pocketbase/pocketbase/tools/mailer"
+)
+
+// SendRecordAuthAlert sends a new device login alert to the specified auth record.
+func SendRecordAuthAlert(app core.App, authRecord *core.Record) error {
+	mailClient := app.NewMailClient()
+
+	subject, body, err := resolveEmailTemplate(app, authRecord, authRecord.Collection().AuthAlert.EmailTemplate, nil)
+	if err != nil {
+		return err
+	}
+
+	message := &mailer.Message{
+		From: mail.Address{
+			Name:    app.Settings().Meta.SenderName,
+			Address: app.Settings().Meta.SenderAddress,
+		},
+		To:      []mail.Address{{Address: authRecord.Email()}},
+		Subject: subject,
+		HTML:    body,
+	}
+
+	event := new(core.MailerRecordEvent)
+	event.App = app
+	event.Mailer = mailClient
+	event.Message = message
+	event.Record = authRecord
+
+	return app.OnMailerRecordAuthAlertSend().Trigger(event, func(e *core.MailerRecordEvent) error {
+		return e.Mailer.Send(e.Message)
+	})
+}
+
+// SendRecordOTP sends OTP email to the specified auth record.
+//
+// This method will also update the "sentTo" field of the related OTP record to the mail sent To address (if the OTP exists and not already assigned).
+func SendRecordOTP(app core.App, authRecord *core.Record, otpId string, pass string) error {
+	mailClient := app.NewMailClient()
+
+	subject, body, err := resolveEmailTemplate(app, authRecord, authRecord.Collection().OTP.EmailTemplate, map[string]any{
+		core.EmailPlaceholderOTPId: otpId,
+		core.EmailPlaceholderOTP:   pass,
+	})
+	if err != nil {
+		return err
+	}
+
+	message := &mailer.Message{
+		From: mail.Address{
+			Name:    app.Settings().Meta.SenderName,
+			Address: app.Settings().Meta.SenderAddress,
+		},
+		To:      []mail.Address{{Address: authRecord.Email()}},
+		Subject: subject,
+		HTML:    body,
+	}
+
+	event := new(core.MailerRecordEvent)
+	event.App = app
+	event.Mailer = mailClient
+	event.Message = message
+	event.Record = authRecord
+	event.Meta = map[string]any{
+		"otpId":    otpId,
+		"password": pass,
+	}
+
+	return app.OnMailerRecordOTPSend().Trigger(event, func(e *core.MailerRecordEvent) error {
+		err := e.Mailer.Send(e.Message)
+		if err != nil {
+			return err
+		}
+
+		var toAddress string
+		if len(e.Message.To) > 0 {
+			toAddress = e.Message.To[0].Address
+		}
+		if toAddress == "" {
+			return nil
+		}
+
+		otp, err := e.App.FindOTPById(otpId)
+		if err != nil {
+			e.App.Logger().Warn(
+				"Unable to find OTP to update its sentTo field (either it was already deleted or the id is nonexisting)",
+				"error", err,
+				"otpId", otpId,
+			)
+			return nil
+		}
+
+		if otp.SentTo() != "" {
+			return nil // was already sent to another target
+		}
+
+		otp.SetSentTo(toAddress)
+		if err = e.App.Save(otp); err != nil {
+			e.App.Logger().Error(
+				"Failed to update OTP sentTo field",
+				"error", err,
+				"otpId", otpId,
+				"to", toAddress,
+			)
+		}
+
+		return nil
+	})
+}
+
+// SendRecordPasswordReset sends a password reset request email to the specified auth record.
+func SendRecordPasswordReset(app core.App, authRecord *core.Record) error {
+	token, tokenErr := authRecord.NewPasswordResetToken()
+	if tokenErr != nil {
+		return tokenErr
+	}
+
+	mailClient := app.NewMailClient()
+
+	subject, body, err := resolveEmailTemplate(app, authRecord, authRecord.Collection().ResetPasswordTemplate, map[string]any{
+		core.EmailPlaceholderToken: token,
+	})
+	if err != nil {
+		return err
+	}
+
+	message := &mailer.Message{
+		From: mail.Address{
+			Name:    app.Settings().Meta.SenderName,
+			Address: app.Settings().Meta.SenderAddress,
+		},
+		To:      []mail.Address{{Address: authRecord.Email()}},
+		Subject: subject,
+		HTML:    body,
+	}
+
+	event := new(core.MailerRecordEvent)
+	event.App = app
+	event.Mailer = mailClient
+	event.Message = message
+	event.Record = authRecord
+	event.Meta = map[string]any{"token": token}
+
+	return app.OnMailerRecordPasswordResetSend().Trigger(event, func(e *core.MailerRecordEvent) error {
+		return e.Mailer.Send(e.Message)
+	})
+}
+
+// SendRecordVerification sends a verification request email to the specified auth record.
+func SendRecordVerification(app core.App, authRecord *core.Record) error {
+	token, tokenErr := authRecord.NewVerificationToken()
+	if tokenErr != nil {
+		return tokenErr
+	}
+
+	mailClient := app.NewMailClient()
+
+	subject, body, err := resolveEmailTemplate(app, authRecord, authRecord.Collection().VerificationTemplate, map[string]any{
+		core.EmailPlaceholderToken: token,
+	})
+	if err != nil {
+		return err
+	}
+
+	message := &mailer.Message{
+		From: mail.Address{
+			Name:    app.Settings().Meta.SenderName,
+			Address: app.Settings().Meta.SenderAddress,
+		},
+		To:      []mail.Address{{Address: authRecord.Email()}},
+		Subject: subject,
+		HTML:    body,
+	}
+
+	event := new(core.MailerRecordEvent)
+	event.App = app
+	event.Mailer = mailClient
+	event.Message = message
+	event.Record = authRecord
+	event.Meta = map[string]any{"token": token}
+
+	return app.OnMailerRecordVerificationSend().Trigger(event, func(e *core.MailerRecordEvent) error {
+		return e.Mailer.Send(e.Message)
+	})
+}
+
+// SendRecordChangeEmail sends a change email confirmation email to the specified auth record.
+func SendRecordChangeEmail(app core.App, authRecord *core.Record, newEmail string) error {
+	token, tokenErr := authRecord.NewEmailChangeToken(newEmail)
+	if tokenErr != nil {
+		return tokenErr
+	}
+
+	mailClient := app.NewMailClient()
+
+	subject, body, err := resolveEmailTemplate(app, authRecord, authRecord.Collection().ConfirmEmailChangeTemplate, map[string]any{
+		core.EmailPlaceholderToken: token,
+	})
+	if err != nil {
+		return err
+	}
+
+	message := &mailer.Message{
+		From: mail.Address{
+			Name:    app.Settings().Meta.SenderName,
+			Address: app.Settings().Meta.SenderAddress,
+		},
+		To:      []mail.Address{{Address: newEmail}},
+		Subject: subject,
+		HTML:    body,
+	}
+
+	event := new(core.MailerRecordEvent)
+	event.App = app
+	event.Mailer = mailClient
+	event.Message = message
+	event.Record = authRecord
+	event.Meta = map[string]any{
+		"token":    token,
+		"newEmail": newEmail,
+	}
+
+	return app.OnMailerRecordEmailChangeSend().Trigger(event, func(e *core.MailerRecordEvent) error {
+		return e.Mailer.Send(e.Message)
+	})
+}
+
+var nonescapeTypes = []string{
+	core.FieldTypeAutodate,
+	core.FieldTypeDate,
+	core.FieldTypeBool,
+	core.FieldTypeNumber,
+}
+
+func resolveEmailTemplate(
+	app core.App,
+	authRecord *core.Record,
+	emailTemplate core.EmailTemplate,
+	placeholders map[string]any,
+) (subject string, body string, err error) {
+	if placeholders == nil {
+		placeholders = map[string]any{}
+	}
+
+	// register default system placeholders
+	if _, ok := placeholders[core.EmailPlaceholderAppName]; !ok {
+		placeholders[core.EmailPlaceholderAppName] = app.Settings().Meta.AppName
+	}
+	if _, ok := placeholders[core.EmailPlaceholderAppURL]; !ok {
+		placeholders[core.EmailPlaceholderAppURL] = app.Settings().Meta.AppURL
+	}
+
+	// register default auth record placeholders
+	for _, field := range authRecord.Collection().Fields {
+		if field.GetHidden() {
+			continue
+		}
+
+		fieldPlacehodler := "{RECORD:" + field.GetName() + "}"
+		if _, ok := placeholders[fieldPlacehodler]; !ok {
+			val := authRecord.GetString(field.GetName())
+
+			// note: the escaping is not strictly necessary but for just in case
+			// the user decide to store and render the email as plain html
+			if !slices.Contains(nonescapeTypes, field.Type()) {
+				val = html.EscapeString(val)
+			}
+
+			placeholders[fieldPlacehodler] = val
+		}
+	}
+
+	subject, rawBody := emailTemplate.Resolve(placeholders)
+
+	params := struct {
+		HTMLContent template.HTML
+	}{
+		HTMLContent: template.HTML(rawBody),
+	}
+
+	body, err = resolveTemplateContent(params, templates.Layout, templates.HTMLBody)
+	if err != nil {
+		return "", "", err
+	}
+
+	return subject, body, nil
+}

mails/record_test.go

@@ -0,0 +1,168 @@
+package mails_test
+
+import (
+	"html"
+	"strings"
+	"testing"
+
+	"github.com/pocketbase/pocketbase/mails"
+	"github.com/pocketbase/pocketbase/tests"
+)
+
+func TestSendRecordAuthAlert(t *testing.T) {
+	t.Parallel()
+
+	testApp, _ := tests.NewTestApp()
+	defer testApp.Cleanup()
+
+	user, _ := testApp.FindFirstRecordByData("users", "email", "test@example.com")
+
+	// to test that it is escaped
+	user.Set("name", "<p>"+user.GetString("name")+"</p>")
+
+	err := mails.SendRecordAuthAlert(testApp, user)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if testApp.TestMailer.TotalSend() != 1 {
+		t.Fatalf("Expected one email to be sent, got %d", testApp.TestMailer.TotalSend())
+	}
+
+	expectedParts := []string{
+		html.EscapeString(user.GetString("name")) + "{RECORD:tokenKey}", // public and private record placeholder checks
+		"login to your " + testApp.Settings().Meta.AppName + " account from a new location",
+		"If this was you",
+		"If this wasn't you",
+	}
+	for _, part := range expectedParts {
+		if !strings.Contains(testApp.TestMailer.LastMessage().HTML, part) {
+			t.Fatalf("Couldn't find %s \nin\n %s", part, testApp.TestMailer.LastMessage().HTML)
+		}
+	}
+}
+
+func TestSendRecordPasswordReset(t *testing.T) {
+	t.Parallel()
+
+	testApp, _ := tests.NewTestApp()
+	defer testApp.Cleanup()
+
+	user, _ := testApp.FindFirstRecordByData("users", "email", "test@example.com")
+
+	// to test that it is escaped
+	user.Set("name", "<p>"+user.GetString("name")+"</p>")
+
+	err := mails.SendRecordPasswordReset(testApp, user)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if testApp.TestMailer.TotalSend() != 1 {
+		t.Fatalf("Expected one email to be sent, got %d", testApp.TestMailer.TotalSend())
+	}
+
+	expectedParts := []string{
+		html.EscapeString(user.GetString("name")) + "{RECORD:tokenKey}", // the record name as {RECORD:name}
+		"http://localhost:8090/_/#/auth/confirm-password-reset/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.",
+	}
+	for _, part := range expectedParts {
+		if !strings.Contains(testApp.TestMailer.LastMessage().HTML, part) {
+			t.Fatalf("Couldn't find %s \nin\n %s", part, testApp.TestMailer.LastMessage().HTML)
+		}
+	}
+}
+
+func TestSendRecordVerification(t *testing.T) {
+	t.Parallel()
+
+	testApp, _ := tests.NewTestApp()
+	defer testApp.Cleanup()
+
+	user, _ := testApp.FindFirstRecordByData("users", "email", "test@example.com")
+
+	// to test that it is escaped
+	user.Set("name", "<p>"+user.GetString("name")+"</p>")
+
+	err := mails.SendRecordVerification(testApp, user)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if testApp.TestMailer.TotalSend() != 1 {
+		t.Fatalf("Expected one email to be sent, got %d", testApp.TestMailer.TotalSend())
+	}
+
+	expectedParts := []string{
+		html.EscapeString(user.GetString("name")) + "{RECORD:tokenKey}", // the record name as {RECORD:name}
+		"http://localhost:8090/_/#/auth/confirm-verification/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.",
+	}
+	for _, part := range expectedParts {
+		if !strings.Contains(testApp.TestMailer.LastMessage().HTML, part) {
+			t.Fatalf("Couldn't find %s \nin\n %s", part, testApp.TestMailer.LastMessage().HTML)
+		}
+	}
+}
+
+func TestSendRecordChangeEmail(t *testing.T) {
+	t.Parallel()
+
+	testApp, _ := tests.NewTestApp()
+	defer testApp.Cleanup()
+
+	user, _ := testApp.FindFirstRecordByData("users", "email", "test@example.com")
+
+	// to test that it is escaped
+	user.Set("name", "<p>"+user.GetString("name")+"</p>")
+
+	err := mails.SendRecordChangeEmail(testApp, user, "new_test@example.com")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if testApp.TestMailer.TotalSend() != 1 {
+		t.Fatalf("Expected one email to be sent, got %d", testApp.TestMailer.TotalSend())
+	}
+
+	expectedParts := []string{
+		html.EscapeString(user.GetString("name")) + "{RECORD:tokenKey}", // the record name as {RECORD:name}
+		"http://localhost:8090/_/#/auth/confirm-email-change/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.",
+	}
+	for _, part := range expectedParts {
+		if !strings.Contains(testApp.TestMailer.LastMessage().HTML, part) {
+			t.Fatalf("Couldn't find %s \nin\n %s", part, testApp.TestMailer.LastMessage().HTML)
+		}
+	}
+}
+
+func TestSendRecordOTP(t *testing.T) {
+	t.Parallel()
+
+	testApp, _ := tests.NewTestApp()
+	defer testApp.Cleanup()
+
+	user, _ := testApp.FindFirstRecordByData("users", "email", "test@example.com")
+
+	// to test that it is escaped
+	user.Set("name", "<p>"+user.GetString("name")+"</p>")
+
+	err := mails.SendRecordOTP(testApp, user, "test_otp_id", "test_otp_code")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if testApp.TestMailer.TotalSend() != 1 {
+		t.Fatalf("Expected one email to be sent, got %d", testApp.TestMailer.TotalSend())
+	}
+
+	expectedParts := []string{
+		html.EscapeString(user.GetString("name")) + "{RECORD:tokenKey}", // the record name as {RECORD:name}
+		"one-time password",
+		"test_otp_code",
+	}
+	for _, part := range expectedParts {
+		if !strings.Contains(testApp.TestMailer.LastMessage().HTML, part) {
+			t.Fatalf("Couldn't find %s \nin\n %s", part, testApp.TestMailer.LastMessage().HTML)
+		}
+	}
+}

mails/templates/html_content.go

@@ -0,0 +1,8 @@
+package templates
+
+// Available variables:
+//
+// ```
+// HTMLContent template.HTML
+// ```
+const HTMLBody = `{{define "content"}}{{.HTMLContent}}{{end}}`

mails/templates/layout.go

@@ -0,0 +1,79 @@
+package templates
+
+const Layout = `
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+    <meta name="viewport" content="width=device-width,initial-scale=1" />
+    <style>
+        body, html {
+            padding: 0;
+            margin: 0;
+            border: 0;
+            color: #16161a;
+            background: #fff;
+            font-size: 14px;
+            line-height: 20px;
+            font-weight: normal;
+            font-family: Source Sans Pro, sans-serif, emoji;
+        }
+        body {
+            padding: 20px 30px;
+        }
+        strong {
+            font-weight: bold;
+        }
+        em, i {
+            font-style: italic;
+        }
+        p {
+            display: block;
+            margin: 10px 0;
+            font-family: inherit;
+        }
+        small {
+            font-size: 12px;
+            line-height: 16px;
+        }
+        hr {
+            display: block;
+            height: 1px;
+            border: 0;
+            width: 100%;
+            background: #e1e6ea;
+            margin: 10px 0;
+        }
+        a {
+            color: inherit;
+        }
+        .hidden {
+            display: none !important;
+        }
+        .btn {
+            display: inline-block;
+            vertical-align: top;
+            border: 0;
+            cursor: pointer;
+            color: #fff !important;
+            background: #16161a !important;
+            text-decoration: none !important;
+            line-height: 40px;
+            width: auto;
+            min-width: 150px;
+            text-align: center;
+            padding: 0 20px;
+            margin: 5px 0;
+            font-family: Source Sans Pro, sans-serif, emoji;;
+            font-size: 14px;
+            font-weight: bold;
+            border-radius: 6px;
+            box-sizing: border-box;
+        }
+    </style>
+</head>
+<body>
+    {{template "content" .}}
+</body>
+</html>
+`