package api import ( "context" "encoding/json" "fmt" "net/http" "strconv" "github.com/archivmail/internal/auth" imapstore "github.com/archivmail/internal/imap" pop3store "github.com/archivmail/internal/pop3" "github.com/archivmail/internal/userstore" ) // ── IMAP handlers ───────────────────────────────────────────────────────── func (s *Server) handleListImap(w http.ResponseWriter, r *http.Request) { if s.imapStore == nil { writeError(w, http.StatusServiceUnavailable, "IMAP not configured") return } sess := sessionFromCtx(r.Context()) // SEC-03: Use HasRole to correctly check admin privileges (domain_admin, admin, superadmin). isAdmin := auth.HasRole(sess.Role, userstore.RoleDomainAdmin) accounts, err := s.imapStore.List(r.Context(), sess.Username, isAdmin) if err != nil { writeError(w, http.StatusInternalServerError, "failed to list IMAP accounts") return } if accounts == nil { accounts = []imapstore.Account{} } writeJSON(w, http.StatusOK, accounts) } func (s *Server) handleCreateImap(w http.ResponseWriter, r *http.Request) { if s.imapStore == nil { writeError(w, http.StatusServiceUnavailable, "IMAP not configured") return } var req struct { Name string `json:"name"` Host string `json:"host"` Port int `json:"port"` TLS string `json:"tls"` Username string `json:"username"` Password string `json:"password"` ExcludedFolders []string `json:"excluded_folders"` } if err := json.NewDecoder(r.Body).Decode(&req); err != nil { writeError(w, http.StatusBadRequest, "invalid request body") return } if req.Name == "" || req.Host == "" || req.Username == "" || req.Password == "" { writeError(w, http.StatusBadRequest, "name, host, username and password are required") return } if req.Port <= 0 { req.Port = 993 } if req.TLS == "" { req.TLS = "ssl" } if req.ExcludedFolders == nil { req.ExcludedFolders = []string{} } sess := sessionFromCtx(r.Context()) acc := imapstore.Account{ Owner: sess.Username, Name: req.Name, Host: req.Host, Port: req.Port, TLS: req.TLS, Username: req.Username, ExcludedFolders: req.ExcludedFolders, } created, err := s.imapStore.Create(r.Context(), acc, req.Password) if err != nil { writeError(w, http.StatusInternalServerError, "failed to create IMAP account") return } writeJSON(w, http.StatusCreated, created) } func (s *Server) handleDeleteImap(w http.ResponseWriter, r *http.Request) { if s.imapStore == nil { writeError(w, http.StatusServiceUnavailable, "IMAP not configured") return } idStr := r.PathValue("id") id, err := strconv.ParseInt(idStr, 10, 64) if err != nil { writeError(w, http.StatusBadRequest, "invalid id") return } acc, err := s.imapStore.Get(r.Context(), id) if err != nil { writeError(w, http.StatusNotFound, "account not found") return } sess := sessionFromCtx(r.Context()) if acc.Owner != sess.Username && !auth.HasRole(sess.Role, userstore.RoleDomainAdmin) { writeError(w, http.StatusForbidden, "access denied") return } if err := s.imapStore.Delete(r.Context(), id); err != nil { writeError(w, http.StatusInternalServerError, "failed to delete account") return } writeJSON(w, http.StatusOK, map[string]bool{"ok": true}) } func (s *Server) handleTestImap(w http.ResponseWriter, r *http.Request) { var req struct { Host string `json:"host"` Port int `json:"port"` TLS string `json:"tls"` Username string `json:"username"` Password string `json:"password"` } if err := json.NewDecoder(r.Body).Decode(&req); err != nil { writeError(w, http.StatusBadRequest, "invalid request body") return } if req.Host == "" || req.Username == "" || req.Password == "" { writeError(w, http.StatusBadRequest, "host, username and password are required") return } if req.Port <= 0 { req.Port = 993 } if req.TLS == "" { req.TLS = "ssl" } c, err := imapstore.Connect(req.Host, req.Port, req.TLS) if err != nil { writeJSON(w, http.StatusOK, map[string]interface{}{ "ok": false, "error": fmt.Sprintf("Verbindung fehlgeschlagen: %v", err), }) return } defer c.Close() if err := c.Login(req.Username, req.Password).Wait(); err != nil { writeJSON(w, http.StatusOK, map[string]interface{}{ "ok": false, "error": fmt.Sprintf("Anmeldung fehlgeschlagen: %v", err), }) return } folders, err := imapstore.ListFolders(c) if err != nil { writeJSON(w, http.StatusOK, map[string]interface{}{ "ok": false, "error": fmt.Sprintf("Ordner konnten nicht gelesen werden: %v", err), }) return } writeJSON(w, http.StatusOK, map[string]interface{}{ "ok": true, "folders": folders, }) } func (s *Server) handleStartImport(w http.ResponseWriter, r *http.Request) { if s.imapStore == nil || s.imapImporter == nil { writeError(w, http.StatusServiceUnavailable, "IMAP not configured") return } idStr := r.PathValue("id") id, err := strconv.ParseInt(idStr, 10, 64) if err != nil { writeError(w, http.StatusBadRequest, "invalid id") return } acc, err := s.imapStore.Get(r.Context(), id) if err != nil { writeError(w, http.StatusNotFound, "account not found") return } sess := sessionFromCtx(r.Context()) if acc.Owner != sess.Username && !auth.HasRole(sess.Role, userstore.RoleDomainAdmin) { writeError(w, http.StatusForbidden, "access denied") return } if acc.Status == "running" { writeError(w, http.StatusConflict, "import already running") return } go s.imapImporter.Run(context.Background(), id) // Return current account state (status will switch to "running" shortly) acc.Status = "running" writeJSON(w, http.StatusOK, acc) } func (s *Server) handleImapProgress(w http.ResponseWriter, r *http.Request) { if s.imapStore == nil { writeError(w, http.StatusServiceUnavailable, "IMAP not configured") return } idStr := r.PathValue("id") id, err := strconv.ParseInt(idStr, 10, 64) if err != nil { writeError(w, http.StatusBadRequest, "invalid id") return } acc, err := s.imapStore.Get(r.Context(), id) if err != nil { writeError(w, http.StatusNotFound, "account not found") return } sess := sessionFromCtx(r.Context()) if acc.Owner != sess.Username && !auth.HasRole(sess.Role, userstore.RoleDomainAdmin) { writeError(w, http.StatusForbidden, "access denied") return } writeJSON(w, http.StatusOK, acc) } // handleSyncNow triggers an immediate incremental sync for a single IMAP account. func (s *Server) handleSyncNow(w http.ResponseWriter, r *http.Request) { if s.imapStore == nil || s.imapScheduler == nil { writeError(w, http.StatusServiceUnavailable, "IMAP not configured") return } idStr := r.PathValue("id") id, err := strconv.ParseInt(idStr, 10, 64) if err != nil { writeError(w, http.StatusBadRequest, "invalid id") return } acc, err := s.imapStore.Get(r.Context(), id) if err != nil { writeError(w, http.StatusNotFound, "account not found") return } sess := sessionFromCtx(r.Context()) if acc.Owner != sess.Username && !auth.HasRole(sess.Role, userstore.RoleDomainAdmin) { writeError(w, http.StatusForbidden, "access denied") return } if err := s.imapScheduler.TriggerSync(r.Context(), id); err != nil { s.logger.Error("trigger sync failed", "err", err) writeError(w, http.StatusConflict, "sync already running or failed to start") return } // Return the account with the updated sync_running flag reflected immediately. acc.SyncRunning = true writeJSON(w, http.StatusOK, acc) } // handleUpdateImapInterval updates the automatic sync interval for an IMAP account. func (s *Server) handleUpdateImapInterval(w http.ResponseWriter, r *http.Request) { if s.imapStore == nil { writeError(w, http.StatusServiceUnavailable, "IMAP not configured") return } idStr := r.PathValue("id") id, err := strconv.ParseInt(idStr, 10, 64) if err != nil { writeError(w, http.StatusBadRequest, "invalid id") return } acc, err := s.imapStore.Get(r.Context(), id) if err != nil { writeError(w, http.StatusNotFound, "account not found") return } sess := sessionFromCtx(r.Context()) if acc.Owner != sess.Username && !auth.HasRole(sess.Role, userstore.RoleDomainAdmin) { writeError(w, http.StatusForbidden, "access denied") return } var req struct { SyncIntervalMin int `json:"sync_interval_min"` } if err := json.NewDecoder(r.Body).Decode(&req); err != nil { writeError(w, http.StatusBadRequest, "invalid request body") return } // 0 = disabled; otherwise must be between 5 and 1440 minutes. if req.SyncIntervalMin != 0 && (req.SyncIntervalMin < 5 || req.SyncIntervalMin > 1440) { writeError(w, http.StatusBadRequest, "sync_interval_min must be 0 (disabled) or between 5 and 1440") return } if err := s.imapStore.UpdateSyncInterval(r.Context(), id, req.SyncIntervalMin); err != nil { writeError(w, http.StatusInternalServerError, "failed to update sync interval") return } acc.SyncIntervalMin = req.SyncIntervalMin writeJSON(w, http.StatusOK, acc) } // ── POP3 handlers ────────────────────────────────────────────────────────── func (s *Server) handleListPop3(w http.ResponseWriter, r *http.Request) { if s.pop3Store == nil { writeError(w, http.StatusServiceUnavailable, "POP3 not configured") return } sess := sessionFromCtx(r.Context()) // SEC-03: Use HasRole to correctly check admin privileges (domain_admin, admin, superadmin). isAdmin := auth.HasRole(sess.Role, userstore.RoleDomainAdmin) accounts, err := s.pop3Store.List(r.Context(), sess.Username, isAdmin) if err != nil { writeError(w, http.StatusInternalServerError, "failed to list POP3 accounts") return } if accounts == nil { accounts = []pop3store.Account{} } writeJSON(w, http.StatusOK, accounts) } func (s *Server) handleCreatePop3(w http.ResponseWriter, r *http.Request) { if s.pop3Store == nil { writeError(w, http.StatusServiceUnavailable, "POP3 not configured") return } var req struct { Name string `json:"name"` Host string `json:"host"` Port int `json:"port"` TLS string `json:"tls"` TLSSkipVerify bool `json:"tls_skip_verify"` Username string `json:"username"` Password string `json:"password"` } if err := json.NewDecoder(r.Body).Decode(&req); err != nil { writeError(w, http.StatusBadRequest, "invalid request body") return } if req.Name == "" || req.Host == "" || req.Username == "" || req.Password == "" { writeError(w, http.StatusBadRequest, "name, host, username and password are required") return } if req.Port <= 0 { req.Port = 110 } if req.TLS == "" { req.TLS = "none" } sess := sessionFromCtx(r.Context()) acc := pop3store.Account{ Owner: sess.Username, Name: req.Name, Host: req.Host, Port: req.Port, TLS: req.TLS, TLSSkipVerify: req.TLSSkipVerify, Username: req.Username, } created, err := s.pop3Store.Create(r.Context(), acc, req.Password) if err != nil { writeError(w, http.StatusInternalServerError, "failed to create POP3 account") return } writeJSON(w, http.StatusCreated, created) } func (s *Server) handleDeletePop3(w http.ResponseWriter, r *http.Request) { if s.pop3Store == nil { writeError(w, http.StatusServiceUnavailable, "POP3 not configured") return } idStr := r.PathValue("id") id, err := strconv.ParseInt(idStr, 10, 64) if err != nil { writeError(w, http.StatusBadRequest, "invalid id") return } acc, err := s.pop3Store.Get(r.Context(), id) if err != nil { writeError(w, http.StatusNotFound, "account not found") return } sess := sessionFromCtx(r.Context()) if acc.Owner != sess.Username && !auth.HasRole(sess.Role, userstore.RoleDomainAdmin) { writeError(w, http.StatusForbidden, "access denied") return } if err := s.pop3Store.Delete(r.Context(), id); err != nil { writeError(w, http.StatusInternalServerError, "failed to delete account") return } writeJSON(w, http.StatusOK, map[string]bool{"ok": true}) } func (s *Server) handleTestPop3(w http.ResponseWriter, r *http.Request) { var req struct { Host string `json:"host"` Port int `json:"port"` TLS string `json:"tls"` TLSSkipVerify bool `json:"tls_skip_verify"` Username string `json:"username"` Password string `json:"password"` } if err := json.NewDecoder(r.Body).Decode(&req); err != nil { writeError(w, http.StatusBadRequest, "invalid request body") return } if req.Host == "" || req.Username == "" || req.Password == "" { writeError(w, http.StatusBadRequest, "host, username and password are required") return } if req.Port <= 0 { req.Port = 110 } if req.TLS == "" { req.TLS = "none" } c, err := pop3store.Dial(req.Host, req.Port, req.TLS, req.TLSSkipVerify) if err != nil { writeJSON(w, http.StatusOK, map[string]interface{}{ "ok": false, "message": fmt.Sprintf("Verbindung fehlgeschlagen: %v", err), }) return } defer c.Close() if err := c.Login(req.Username, req.Password); err != nil { writeJSON(w, http.StatusOK, map[string]interface{}{ "ok": false, "message": fmt.Sprintf("Anmeldung fehlgeschlagen: %v", err), }) return } count, totalSize, err := c.Stat() if err != nil { writeJSON(w, http.StatusOK, map[string]interface{}{ "ok": false, "message": fmt.Sprintf("STAT fehlgeschlagen: %v", err), }) return } _ = c.Quit() writeJSON(w, http.StatusOK, map[string]interface{}{ "ok": true, "message": fmt.Sprintf("Verbindung erfolgreich: %d E-Mails", count), "message_count": count, "total_size_bytes": totalSize, }) } func (s *Server) handleStartPop3Import(w http.ResponseWriter, r *http.Request) { if s.pop3Store == nil || s.pop3Importer == nil { writeError(w, http.StatusServiceUnavailable, "POP3 not configured") return } idStr := r.PathValue("id") id, err := strconv.ParseInt(idStr, 10, 64) if err != nil { writeError(w, http.StatusBadRequest, "invalid id") return } acc, err := s.pop3Store.Get(r.Context(), id) if err != nil { writeError(w, http.StatusNotFound, "account not found") return } sess := sessionFromCtx(r.Context()) if acc.Owner != sess.Username && !auth.HasRole(sess.Role, userstore.RoleDomainAdmin) { writeError(w, http.StatusForbidden, "access denied") return } if acc.Status == "running" { writeError(w, http.StatusConflict, "import already running") return } go s.pop3Importer.Run(context.Background(), id) // Return current account state (status will switch to "running" shortly) acc.Status = "running" writeJSON(w, http.StatusOK, acc) } func (s *Server) handlePop3Progress(w http.ResponseWriter, r *http.Request) { if s.pop3Store == nil { writeError(w, http.StatusServiceUnavailable, "POP3 not configured") return } idStr := r.PathValue("id") id, err := strconv.ParseInt(idStr, 10, 64) if err != nil { writeError(w, http.StatusBadRequest, "invalid id") return } acc, err := s.pop3Store.Get(r.Context(), id) if err != nil { writeError(w, http.StatusNotFound, "account not found") return } sess := sessionFromCtx(r.Context()) if acc.Owner != sess.Username && !auth.HasRole(sess.Role, userstore.RoleDomainAdmin) { writeError(w, http.StatusForbidden, "access denied") return } writeJSON(w, http.StatusOK, acc) }