redlight/server/config/mailer.js

import nodemailer from 'nodemailer';
import { log } from './logger.js';

let transporter;

// Escape HTML special characters to prevent injection in email bodies
function escapeHtml(str) {
  if (!str) return '';
  return String(str)
    .replace(/&/g, '&')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

export function initMailer() {
  const host = process.env.SMTP_HOST;
  const port = parseInt(process.env.SMTP_PORT || '587', 10);
  const user = process.env.SMTP_USER;
  const pass = process.env.SMTP_PASS;

  if (!host || !user || !pass) {
    log.mailer.warn('SMTP not configured – email verification disabled');
    return false;
  }

  transporter = nodemailer.createTransport({
    host,
    port,
    secure: port === 465,
    auth: { user, pass },
    connectionTimeout: 10_000,  // 10 s to establish TCP connection
    greetingTimeout: 10_000,   // 10 s to receive SMTP greeting
    socketTimeout: 15_000,     // 15 s of inactivity before abort
  });

  log.mailer.info('SMTP mailer configured');
  return true;
}

export function isMailerConfigured() {
  return !!transporter;
}

/**
 * Send the verification email with a clickable link.
 * @param {string} to      – recipient email
 * @param {string} name    – user's display name
 * @param {string} verifyUrl – full verification URL
 * @param {string} appName  – branding app name (default "Redlight")
 */
// S3: sanitize name for use in email From header (strip quotes, newlines, control chars)
function sanitizeHeaderValue(str) {
  return String(str).replace(/["\\\r\n\x00-\x1f]/g, '').trim().slice(0, 100);
}

export async function sendVerificationEmail(to, name, verifyUrl, appName = 'Redlight') {
  if (!transporter) {
    throw new Error('SMTP not configured');
  }

  const from = process.env.SMTP_FROM || process.env.SMTP_USER;
  const headerAppName = sanitizeHeaderValue(appName);
  const safeName = escapeHtml(name);
  const safeAppName = escapeHtml(appName);

  await transporter.sendMail({
    from: `"${headerAppName}" <${from}>`,
    to,
    subject: `${headerAppName} – Verify your email`,
    html: `
      <div style="font-family:Arial,sans-serif;max-width:520px;margin:0 auto;padding:32px;background:#1e1e2e;color:#cdd6f4;border-radius:12px;">
        <h2 style="color:#cba6f7;margin-top:0;">Hey ${safeName} 👋</h2>
        <p>Please verify your email address by clicking the button below:</p>
        <p style="text-align:center;margin:28px 0;">
          <a href="${verifyUrl}"
             style="display:inline-block;background:#cba6f7;color:#1e1e2e;padding:12px 32px;border-radius:8px;text-decoration:none;font-weight:bold;">
            Verify Email
          </a>
        </p>
        <p style="font-size:13px;color:#7f849c;">
          Or copy this link in your browser:<br/>
          <a href="${verifyUrl}" style="color:#89b4fa;word-break:break-all;">${escapeHtml(verifyUrl)}</a>
        </p>
        <p style="font-size:13px;color:#7f849c;">This link is valid for 24 hours.</p>
        <hr style="border:none;border-top:1px solid #313244;margin:24px 0;"/>
        <p style="font-size:12px;color:#585b70;">If you didn't register, please ignore this email.</p>
      </div>
    `,
    text: `Hey ${name},\n\nPlease verify your email: ${verifyUrl}\n\nThis link is valid for 24 hours.\n\n– ${appName}`,
  });
}

/**
 * Send a federation meeting invitation email.
 * @param {string} to          – recipient email
 * @param {string} name        – recipient display name
 * @param {string} fromUser    – sender federated address (user@domain)
 * @param {string} roomName    – name of the invited room
 * @param {string} message     – optional personal message
 * @param {string} inboxUrl    – URL to the federation inbox
 * @param {string} appName     – branding app name (default "Redlight")
 */
export async function sendFederationInviteEmail(to, name, fromUser, roomName, message, inboxUrl, appName = 'Redlight') {
  if (!transporter) return; // silently skip if SMTP not configured

  const from = process.env.SMTP_FROM || process.env.SMTP_USER;
  const headerAppName = sanitizeHeaderValue(appName);
  const safeName = escapeHtml(name);
  const safeFromUser = escapeHtml(fromUser);
  const safeRoomName = escapeHtml(roomName);
  const safeMessage = message ? escapeHtml(message) : null;
  const safeAppName = escapeHtml(appName);

  await transporter.sendMail({
    from: `"${headerAppName}" <${from}>`,
    to,
    subject: `${headerAppName} - Meeting invitation from ${sanitizeHeaderValue(fromUser)}`,
    html: `
      <div style="font-family:Arial,sans-serif;max-width:520px;margin:0 auto;padding:32px;background:#1e1e2e;color:#cdd6f4;border-radius:12px;">
        <h2 style="color:#cba6f7;margin-top:0;">Hey ${safeName} 👋</h2>
        <p>You have received a meeting invitation from <strong style="color:#cdd6f4;">${safeFromUser}</strong>.</p>
        <div style="background:#313244;border-radius:8px;padding:16px;margin:20px 0;">
          <p style="margin:0 0 8px 0;font-size:13px;color:#7f849c;">Room:</p>
          <p style="margin:0;font-size:16px;font-weight:bold;color:#cdd6f4;">${safeRoomName}</p>
          ${safeMessage ? `<p style="margin:12px 0 0 0;font-size:13px;color:#a6adc8;font-style:italic;">&quot;${safeMessage}&quot;</p>` : ''}
        </div>
        <p style="text-align:center;margin:28px 0;">
          <a href="${inboxUrl}"
             style="display:inline-block;background:#cba6f7;color:#1e1e2e;padding:12px 32px;border-radius:8px;text-decoration:none;font-weight:bold;">
            View Invitation
          </a>
        </p>
        <hr style="border:none;border-top:1px solid #313244;margin:24px 0;"/>
        <p style="font-size:12px;color:#585b70;">Open the link above to accept or decline the invitation.</p>
      </div>
    `,
    text: `Hey ${name},\n\nYou have received a meeting invitation from ${fromUser}.\nRoom: ${roomName}${message ? `\nMessage: "${message}"` : ''}\n\nView invitation: ${inboxUrl}\n\n– ${appName}`,
  });
}

/**
 * Send a calendar event invitation email (federated).
 */
export async function sendCalendarInviteEmail(to, name, fromUser, title, startTime, endTime, description, inboxUrl, appName = 'Redlight') {
  if (!transporter) return;

  const from = process.env.SMTP_FROM || process.env.SMTP_USER;
  const headerAppName = sanitizeHeaderValue(appName);
  const safeName = escapeHtml(name);
  const safeFromUser = escapeHtml(fromUser);
  const safeTitle = escapeHtml(title);
  const safeDesc = description ? escapeHtml(description) : null;

  const formatDate = (iso) => {
    try { return new Date(iso).toLocaleString('en-GB', { dateStyle: 'full', timeStyle: 'short' }); }
    catch { return iso; }
  };

  await transporter.sendMail({
    from: `"${headerAppName}" <${from}>`,
    to,
    subject: `${headerAppName} - Calendar invitation from ${sanitizeHeaderValue(fromUser)}`,
    html: `
      <div style="font-family:Arial,sans-serif;max-width:520px;margin:0 auto;padding:32px;background:#1e1e2e;color:#cdd6f4;border-radius:12px;">
        <h2 style="color:#cba6f7;margin-top:0;">Hey ${safeName} 👋</h2>
        <p>You have received a calendar invitation from <strong style="color:#cdd6f4;">${safeFromUser}</strong>.</p>
        <div style="background:#313244;border-radius:8px;padding:16px;margin:20px 0;">
          <p style="margin:0 0 4px 0;font-size:15px;font-weight:bold;color:#cdd6f4;">${safeTitle}</p>
          <p style="margin:6px 0 0 0;font-size:13px;color:#a6adc8;">🕐 ${escapeHtml(formatDate(startTime))} – ${escapeHtml(formatDate(endTime))}</p>
          ${safeDesc ? `<p style="margin:10px 0 0 0;font-size:13px;color:#a6adc8;font-style:italic;">&quot;${safeDesc}&quot;</p>` : ''}
        </div>
        <p style="text-align:center;margin:28px 0;">
          <a href="${inboxUrl}"
             style="display:inline-block;background:#cba6f7;color:#1e1e2e;padding:12px 32px;border-radius:8px;text-decoration:none;font-weight:bold;">
            View Invitation
          </a>
        </p>
        <hr style="border:none;border-top:1px solid #313244;margin:24px 0;"/>
        <p style="font-size:12px;color:#585b70;">Open the link above to accept or decline the invitation.</p>
      </div>
    `,
    text: `Hey ${name},\n\nYou have received a calendar invitation from ${fromUser}.\nEvent: ${title}\nTime: ${formatDate(startTime)} \u2013 ${formatDate(endTime)}${description ? `\n\n"${description}"` : ''}\n\nView invitation: ${inboxUrl}\n\n\u2013 ${appName}`,
  });
}

/**
 * Notify a user that a federated calendar event they received was deleted by the organiser.
 */
export async function sendCalendarEventDeletedEmail(to, name, fromUser, title, appName = 'Redlight') {
  if (!transporter) return;

  const from = process.env.SMTP_FROM || process.env.SMTP_USER;
  const headerAppName = sanitizeHeaderValue(appName);
  const safeName = escapeHtml(name);
  const safeFromUser = escapeHtml(fromUser);
  const safeTitle = escapeHtml(title);

  await transporter.sendMail({
    from: `"${headerAppName}" <${from}>`,
    to,
    subject: `${headerAppName} – Calendar event cancelled: ${sanitizeHeaderValue(title)}`,
    html: `
      <div style="font-family:Arial,sans-serif;max-width:520px;margin:0 auto;padding:32px;background:#1e1e2e;color:#cdd6f4;border-radius:12px;">
        <h2 style="color:#f38ba8;margin-top:0;">Hey ${safeName} 👋</h2>
        <p>The following calendar event was deleted by the organiser (<strong style="color:#cdd6f4;">${safeFromUser}</strong>) and is no longer available:</p>
        <div style="background:#313244;border-radius:8px;padding:16px;margin:20px 0;border-left:4px solid #f38ba8;">
          <p style="margin:0;font-size:15px;font-weight:bold;color:#cdd6f4;">${safeTitle}</p>
        </div>
        <p style="font-size:13px;color:#7f849c;">The event has been automatically removed from your calendar.</p>
        <hr style="border:none;border-top:1px solid #313244;margin:24px 0;"/>
        <p style="font-size:12px;color:#585b70;">This message was sent automatically by ${escapeHtml(appName)}.</p>
      </div>
    `,
    text: `Hey ${name},\n\nThe calendar event "${title}" by ${fromUser} has been deleted and removed from your calendar.\n\n\u2013 ${appName}`,
  });
}

/**
 * Send a user registration invite email.
 * @param {string} to          – recipient email
 * @param {string} inviteUrl   – full invite registration URL
 * @param {string} appName     – branding app name (default "Redlight")
 */
export async function sendInviteEmail(to, inviteUrl, appName = 'Redlight') {
  if (!transporter) {
    throw new Error('SMTP not configured');
  }

  const from = process.env.SMTP_FROM || process.env.SMTP_USER;
  const headerAppName = sanitizeHeaderValue(appName);
  const safeAppName = escapeHtml(appName);

  await transporter.sendMail({
    from: `"${headerAppName}" <${from}>`,
    to,
    subject: `${headerAppName} – You've been invited`,
    html: `
      <div style="font-family:Arial,sans-serif;max-width:520px;margin:0 auto;padding:32px;background:#1e1e2e;color:#cdd6f4;border-radius:12px;">
        <h2 style="color:#cba6f7;margin-top:0;">You've been invited! 🎉</h2>
        <p>You have been invited to create an account on <strong style="color:#cdd6f4;">${safeAppName}</strong>.</p>
        <p>Click the button below to register:</p>
        <p style="text-align:center;margin:28px 0;">
          <a href="${inviteUrl}"
             style="display:inline-block;background:#cba6f7;color:#1e1e2e;padding:12px 32px;border-radius:8px;text-decoration:none;font-weight:bold;">
            Create Account
          </a>
        </p>
        <p style="font-size:13px;color:#7f849c;">
          Or copy this link in your browser:<br/>
          <a href="${inviteUrl}" style="color:#89b4fa;word-break:break-all;">${escapeHtml(inviteUrl)}</a>
        </p>
        <p style="font-size:13px;color:#7f849c;">This link is valid for 7 days.</p>
        <hr style="border:none;border-top:1px solid #313244;margin:24px 0;"/>
        <p style="font-size:12px;color:#585b70;">If you didn't expect this invitation, you can safely ignore this email.</p>
      </div>
    `,
    text: `You've been invited to create an account on ${appName}.\n\nRegister here: ${inviteUrl}\n\nThis link is valid for 7 days.\n\n– ${appName}`,
  });
}