src/app/api/email/verify-credentials/route.ts

import { NextRequest, NextResponse } from 'next/server'
import nodemailer from 'nodemailer'
import { checkRateLimit } from '@/lib/rate-limit'

const MAIL_DOMAIN = process.env.POSTE_MAIL_DOMAIN || 'monaco-opc.com'
const SMTP_HOST = process.env.SMTP_HOST || 'localhost'
const SMTP_PORT = parseInt(process.env.SMTP_PORT || '587')

export async function POST(request: NextRequest): Promise<NextResponse> {
  const ip = request.headers.get('x-forwarded-for')?.split(',')[0]?.trim() || 'unknown'
  const rateLimit = checkRateLimit(`email-verify:${ip}`, 5, 15 * 60 * 1000)

  if (!rateLimit.success) {
    return NextResponse.json(
      { error: 'Too many attempts. Please try again later.' },
      { status: 429 }
    )
  }

  try {
    const body = await request.json()
    const { email, password } = body as { email: string; password: string }

    if (!email || !password) {
      return NextResponse.json(
        { error: 'Email and password are required.' },
        { status: 400 }
      )
    }

    const emailLower = email.toLowerCase().trim()

    if (!emailLower.endsWith(`@${MAIL_DOMAIN}`)) {
      return NextResponse.json(
        { error: `Email must be an @${MAIL_DOMAIN} address.` },
        { status: 400 }
      )
    }

    const transporter = nodemailer.createTransport({
      host: SMTP_HOST,
      port: SMTP_PORT,
      secure: SMTP_PORT === 465,
      auth: {
        user: emailLower,
        pass: password,
      },
      connectionTimeout: 10000,
      greetingTimeout: 10000,
    })

    try {
      await transporter.verify()
      return NextResponse.json({ valid: true })
    } catch {
      return NextResponse.json({ valid: false, error: 'Invalid email or password.' })
    } finally {
      transporter.close()
    }
  } catch {
    return NextResponse.json(
      { error: 'Invalid request.' },
      { status: 400 }
    )
  }
}
Add email password change feature and fix nginx config - Add public page at /email/change-password for Poste.io mailbox password management - Add API routes for SMTP credential verification and Poste.io password change - Rewrite nginx config as HTTP-only (certbot --nginx will add SSL) - Add Poste.io admin API env vars to docker-compose and env templates Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-30 16:15:08 +01:00			`import { NextRequest, NextResponse } from 'next/server'`
			`import nodemailer from 'nodemailer'`
			`import { checkRateLimit } from '@/lib/rate-limit'`

			`const MAIL_DOMAIN = process.env.POSTE_MAIL_DOMAIN \|\| 'monaco-opc.com'`
			`const SMTP_HOST = process.env.SMTP_HOST \|\| 'localhost'`
			`const SMTP_PORT = parseInt(process.env.SMTP_PORT \|\| '587')`

			`export async function POST(request: NextRequest): Promise<NextResponse> {`
			`const ip = request.headers.get('x-forwarded-for')?.split(',')[0]?.trim() \|\| 'unknown'`
			const rateLimit = checkRateLimit(`email-verify:${ip}`, 5, 15 * 60 * 1000)

			`if (!rateLimit.success) {`
			`return NextResponse.json(`
			`{ error: 'Too many attempts. Please try again later.' },`
			`{ status: 429 }`
			`)`
			`}`

			`try {`
			`const body = await request.json()`
			`const { email, password } = body as { email: string; password: string }`

			`if (!email \|\| !password) {`
			`return NextResponse.json(`
			`{ error: 'Email and password are required.' },`
			`{ status: 400 }`
			`)`
			`}`

			`const emailLower = email.toLowerCase().trim()`

			if (!emailLower.endsWith(`@${MAIL_DOMAIN}`)) {
			`return NextResponse.json(`
			{ error: `Email must be an @${MAIL_DOMAIN} address.` },
			`{ status: 400 }`
			`)`
			`}`

			`const transporter = nodemailer.createTransport({`
			`host: SMTP_HOST,`
			`port: SMTP_PORT,`
			`secure: SMTP_PORT === 465,`
			`auth: {`
			`user: emailLower,`
			`pass: password,`
			`},`
			`connectionTimeout: 10000,`
			`greetingTimeout: 10000,`
			`})`

			`try {`
			`await transporter.verify()`
			`return NextResponse.json({ valid: true })`
			`} catch {`
			`return NextResponse.json({ valid: false, error: 'Invalid email or password.' })`
			`} finally {`
			`transporter.close()`
			`}`
			`} catch {`
			`return NextResponse.json(`
			`{ error: 'Invalid request.' },`
			`{ status: 400 }`
			`)`
			`}`
			`}`