feat(PROJ-33): IMAP UID-Stabilität + Shared/Personal-Modus

Backend: - storage: uid BIGSERIAL Migration, MailWithUID, GetMailsWithUID, GetMailsByRecipient - tenantstore: imap_mode Spalte, GetIMAPMode, SetIMAPMode - imapserver: stable UIDs aus DB, personal/shared Modus, userEmail in session - api: GET/PUT /api/admin/settings/imap-mode (domain_admin only, double opt-in) Frontend: - IMAPSettingsTab: Modus-Anzeige + Toggle mit Double-Opt-In Dialog - Admin-Panel: IMAP-Tab für domain_admin Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-31 09:46:52 +02:00
parent b6856af2eb
commit 8d0f685fc9
9 changed files with 425 additions and 53 deletions
@@ -0,0 +1,61 @@
+package api
+
+import (
+	"encoding/json"
+	"net/http"
+
+	"github.com/archivmail/internal/audit"
+)
+
+// handleGetIMAPMode returns the current IMAP mode for the tenant.
+// GET /api/admin/settings/imap-mode
+func (s *Server) handleGetIMAPMode(w http.ResponseWriter, r *http.Request) {
+	tenantID := tenantFromCtx(r.Context())
+	if tenantID == nil {
+		writeError(w, http.StatusBadRequest, "no tenant context")
+		return
+	}
+	mode, err := s.tenantStore.GetIMAPMode(r.Context(), *tenantID)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, err.Error())
+		return
+	}
+	writeJSON(w, http.StatusOK, map[string]string{"mode": mode})
+}
+
+// handleSetIMAPMode sets the IMAP mode for the tenant.
+// PUT /api/admin/settings/imap-mode
+// Body: { "mode": "shared"|"personal", "confirmed": true }
+func (s *Server) handleSetIMAPMode(w http.ResponseWriter, r *http.Request) {
+	tenantID := tenantFromCtx(r.Context())
+	if tenantID == nil {
+		writeError(w, http.StatusBadRequest, "no tenant context")
+		return
+	}
+	var req struct {
+		Mode      string `json:"mode"`
+		Confirmed bool   `json:"confirmed"`
+	}
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid request body")
+		return
+	}
+	// Double opt-in for shared mode
+	if req.Mode == "shared" && !req.Confirmed {
+		writeError(w, http.StatusBadRequest, "confirmed must be true to enable shared mode")
+		return
+	}
+	if err := s.tenantStore.SetIMAPMode(r.Context(), *tenantID, req.Mode); err != nil {
+		writeError(w, http.StatusBadRequest, err.Error())
+		return
+	}
+	sess := sessionFromCtx(r.Context())
+	s.audlog.Log(audit.Entry{
+		EventType: "imap_mode_changed",
+		Username:  sess.Username,
+		IPAddress: s.remoteIP(r),
+		Detail:    "imap_mode set to " + req.Mode,
+		Success:   true,
+	})
+	writeJSON(w, http.StatusOK, map[string]string{"mode": req.Mode})
+}
@@ -173,6 +173,10 @@ func (s *Server) routes() {
 	// PROJ-34: Retention purge — superadmin only
 	s.mux.HandleFunc("POST /api/admin/purge", s.auth(s.requireRole(userstore.RoleSuperAdmin, s.handlePurge)))

+	// PROJ-33: IMAP mode settings — domain_admin only
+	s.mux.HandleFunc("GET /api/admin/settings/imap-mode", s.authAdmin(s.handleGetIMAPMode))
+	s.mux.HandleFunc("PUT /api/admin/settings/imap-mode", s.authAdmin(s.handleSetIMAPMode))
+
 	// Export routes
 	s.mux.HandleFunc("GET /api/export/pdf/{id}", s.auth(s.requireMailAccess(s.handleExportPDF)))
 	s.mux.HandleFunc("POST /api/export/zip", s.auth(s.requireMailAccess(s.handleExportZIP)))