Add SMTP and Webhook configuration with Admin UI #12

Merged
Copilot merged 6 commits from copilot/finish-smtp-webhook-docs into main 2025-11-05 07:33:31 -06:00
Copilot commented 2025-11-04 16:11:25 -06:00 (Migrated from github.com)

Implements admin-configurable SMTP and Webhook integrations for automated user invitations, addressing the requirement to finish SMTP and Webhook documentation and enable configuration through the Admin UI.

Backend

  • Settings storage: New system_settings table with AES-256-CTR encryption for sensitive values
  • Settings API: /api/settings endpoints for CRUD operations, SMTP/webhook testing
  • Invitation delivery: Updated invitation route to send via configured SMTP or webhook
  • Shared encryption utility: Centralized encryption/decryption in /backend/utils/encryption.js

```javascript
// Invitation now automatically uses configured method
if (method === 'smtp') {
  notificationResult = await sendInvitationEmail(email, invitationLink, role);
} else if (method === 'webhook') {
  notificationResult = await sendWebhookNotification(email, invitationLink, role);
}
```

Frontend

  • Settings page: /settings route with tabbed interface for SMTP and Webhook config
  • Test functionality: Live connection testing before saving configurations
  • Admin Dashboard: Added "System Settings" button linking to settings page
  • Form validation: Client-side JSON validation for webhook headers

Security

  • Dependencies: Upgraded nodemailer to 7.0.10 and axios to 1.12.0 (fixes CVEs)
  • XSS protection: HTML escaping in email templates
  • SSRF mitigation: URL validation blocking private networks, enforcing timeouts/no-redirects
  • Environment requirements: SETTINGS_ENCRYPTION_KEY required for encrypted storage, BASE_URL recommended to prevent host header injection

Documentation

  • SMTP_WEBHOOK_GUIDE.md: Provider setup (Gmail, SendGrid, Mailgun, Discord, Slack), troubleshooting
  • TESTING_SMTP_WEBHOOK.md: Step-by-step testing checklist
  • README.md: Updated with security requirements and configuration notes

Environment Variables

Required additions to .env:

```env
SETTINGS_ENCRYPTION_KEY=<64-char-hex>  # Generate: node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
BASE_URL=https://your-domain.com       # Required in production
```

Original prompt

Let's finish the SMTP and Webhook Documentation and implementation. SMTP and Webhooks should be able to be configured through the Admin UI.


SluberskiHomeLab (Migrated from github.com) approved these changes 2025-11-05 07:33:24 -06:00