Add email password change feature and fix nginx config

- Add public page at /email/change-password for Poste.io mailbox password management - Add API routes for SMTP credential verification and Poste.io password change - Rewrite nginx config as HTTP-only (certbot --nginx will add SSL) - Add Poste.io admin API env vars to docker-compose and env templates Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-30 16:15:08 +01:00
parent d5398e93a0
commit 8c598ba3ee
7 changed files with 607 additions and 21 deletions
--- a/src/app/api/email/verify-credentials/route.ts
+++ b/src/app/api/email/verify-credentials/route.ts
@@ -0,0 +1,66 @@
+import { NextRequest, NextResponse } from 'next/server'
+import nodemailer from 'nodemailer'
+import { checkRateLimit } from '@/lib/rate-limit'
+
+const MAIL_DOMAIN = process.env.POSTE_MAIL_DOMAIN || 'monaco-opc.com'
+const SMTP_HOST = process.env.SMTP_HOST || 'localhost'
+const SMTP_PORT = parseInt(process.env.SMTP_PORT || '587')
+
+export async function POST(request: NextRequest): Promise<NextResponse> {
+  const ip = request.headers.get('x-forwarded-for')?.split(',')[0]?.trim() || 'unknown'
+  const rateLimit = checkRateLimit(`email-verify:${ip}`, 5, 15 * 60 * 1000)
+
+  if (!rateLimit.success) {
+    return NextResponse.json(
+      { error: 'Too many attempts. Please try again later.' },
+      { status: 429 }
+    )
+  }
+
+  try {
+    const body = await request.json()
+    const { email, password } = body as { email: string; password: string }
+
+    if (!email || !password) {
+      return NextResponse.json(
+        { error: 'Email and password are required.' },
+        { status: 400 }
+      )
+    }
+
+    const emailLower = email.toLowerCase().trim()
+
+    if (!emailLower.endsWith(`@${MAIL_DOMAIN}`)) {
+      return NextResponse.json(
+        { error: `Email must be an @${MAIL_DOMAIN} address.` },
+        { status: 400 }
+      )
+    }
+
+    const transporter = nodemailer.createTransport({
+      host: SMTP_HOST,
+      port: SMTP_PORT,
+      secure: SMTP_PORT === 465,
+      auth: {
+        user: emailLower,
+        pass: password,
+      },
+      connectionTimeout: 10000,
+      greetingTimeout: 10000,
+    })
+
+    try {
+      await transporter.verify()
+      return NextResponse.json({ valid: true })
+    } catch {
+      return NextResponse.json({ valid: false, error: 'Invalid email or password.' })
+    } finally {
+      transporter.close()
+    }
+  } catch {
+    return NextResponse.json(
+      { error: 'Invalid request.' },
+      { status: 400 }
+    )
+  }
+}