#35

Author: TTHProjects

src/app/api/admin/smtp-settings/test/route.ts

@@ -1,6 +1,6 @@
 import { NextRequest, NextResponse } from "next/server";
 import { getCurrentUser } from "@/lib/auth";
-import { getSmtpSettings, isSmtpEnabled, sendMail } from "@/lib/mail";
+import { buildSmtpTestMail, getSmtpSettings, isSmtpEnabled, sendMail } from "@/lib/mail";
 import { writeAuditLog } from "@/lib/audit";
 
 export async function POST(req: NextRequest) {
@@ -26,15 +26,17 @@ export async function POST(req: NextRequest) {
   }
 
   try {
+    const smtpTestMail = buildSmtpTestMail({
+      host: smtp.host,
+      port: smtp.port,
+      secure: smtp.secure,
+      fromEmail: smtp.fromEmail,
+    });
     await sendMail({
       to: target,
-      subject: "ServerCommander SMTP Test",
-      text:
-        `This is a test email from ServerCommander.\n\n` +
-        `Host: ${smtp.host}\n` +
-        `Port: ${smtp.port}\n` +
-        `Encrypted transport: ${smtp.secure ? "enabled" : "disabled"}\n` +
-        `From: ${smtp.fromEmail}`,
+      subject: smtpTestMail.subject,
+      text: smtpTestMail.text,
+      html: smtpTestMail.html,
     });
 
     await writeAuditLog(

src/app/api/auth/login/route.ts

@@ -5,7 +5,7 @@ import { createSession, setSessionCookie } from "@/lib/auth";
 import { writeAuditLog } from "@/lib/audit";
 import { getLoginRateLimit } from "@/lib/rate-limit";
 import { issueAuthCode } from "@/lib/auth-codes";
-import { isSmtpEnabled, sendMail } from "@/lib/mail";
+import { buildLoginCodeMail, isSmtpEnabled, sendMail } from "@/lib/mail";
 
 export async function POST(req: NextRequest) {
   try {
@@ -98,10 +98,16 @@ export async function POST(req: NextRequest) {
       }
 
       const challenge = await issueAuthCode(user.id, "LOGIN_2FA", 300);
+      const loginCodeMail = buildLoginCodeMail({
+        displayName: user.displayName ?? user.username,
+        code: challenge.code,
+        minutesValid: 5,
+      });
       await sendMail({
         to: user.email,
-        subject: "ServerCommander Login Code",
-        text: `Hello ${user.displayName ?? user.username},\n\nYour login code is: ${challenge.code}\n\nThis code expires in 5 minutes.\n\nIf you did not request this login, contact your administrator.`,
+        subject: loginCodeMail.subject,
+        text: loginCodeMail.text,
+        html: loginCodeMail.html,
       });
 
       return NextResponse.json({

src/app/api/auth/password-reset/request/route.ts

@@ -1,7 +1,7 @@
 import { NextRequest, NextResponse } from "next/server";
 import { db } from "@/lib/db";
 import { issueAuthCode } from "@/lib/auth-codes";
-import { isSmtpEnabled, sendMail } from "@/lib/mail";
+import { buildPasswordResetCodeMail, isSmtpEnabled, sendMail } from "@/lib/mail";
 
 export async function POST(req: NextRequest) {
   try {
@@ -32,10 +32,16 @@ export async function POST(req: NextRequest) {
     }
 
     const challenge = await issueAuthCode(user.id, "PASSWORD_RESET", 600);
+    const resetMail = buildPasswordResetCodeMail({
+      displayName: user.displayName ?? user.username,
+      code: challenge.code,
+      minutesValid: 10,
+    });
     await sendMail({
       to: user.email,
-      subject: "ServerCommander Password Reset Code",
-      text: `Hello ${user.displayName ?? user.username},\n\nYour password reset code is: ${challenge.code}\n\nThis code expires in 10 minutes.`,
+      subject: resetMail.subject,
+      text: resetMail.text,
+      html: resetMail.html,
     });
 
     return NextResponse.json({ success: true, routedToCodeEntry: true });

src/app/api/users/route.ts

@@ -3,7 +3,7 @@ import { getCurrentUser } from "@/lib/auth";
 import { db } from "@/lib/db";
 import bcrypt from "bcryptjs";
 import { writeAuditLog } from "@/lib/audit";
-import { isSmtpEnabled, sendMail } from "@/lib/mail";
+import { buildWelcomeCredentialsMail, isSmtpEnabled, sendMail } from "@/lib/mail";
 import { randomBytes } from "crypto";
 
 function generateTemporaryPassword(length = 14): string {
@@ -65,16 +65,20 @@ export async function POST(req: NextRequest) {
   if (currentUser.role !== "ADMIN") return NextResponse.json({ error: "Forbidden" }, { status: 403 });
 
   const body = await req.json();
-  const { username, email, displayName, permissions } = body;
+  const { username, email, permissions } = body;
 
   if (!username) {
     return NextResponse.json({ error: "username is required" }, { status: 400 });
   }
 
   const smtpEnabled = await isSmtpEnabled();
+  if (!smtpEnabled) {
+    return NextResponse.json({ error: "SMTP must be configured before creating users" }, { status: 400 });
+  }
+
   const normalizedEmail = typeof email === "string" ? email.trim().toLowerCase() : "";
-  if (smtpEnabled && !normalizedEmail) {
-    return NextResponse.json({ error: "email is required while SMTP is enabled" }, { status: 400 });
+  if (!normalizedEmail) {
+    return NextResponse.json({ error: "email is required" }, { status: 400 });
   }
 
   const existing = await db.user.findUnique({ where: { username } });
@@ -95,9 +99,9 @@ export async function POST(req: NextRequest) {
   const newUser = await db.user.create({
     data: {
       username,
-      email: normalizedEmail || null,
+      email: normalizedEmail,
       passwordHash,
-      displayName: displayName ?? null,
+      displayName: null,
       role: "USER",
       mustChangePassword: true,
       permissions: permissions
@@ -131,19 +135,22 @@ export async function POST(req: NextRequest) {
     req
   );
 
-  if (smtpEnabled && normalizedEmail) {
-    await sendMail({
-      to: normalizedEmail,
-      subject: "Welcome to ServerCommander",
-      text: `Hello ${displayName?.trim() || username},\n\nYour ServerCommander account has been created.\n\nUsername: ${username}\nTemporary password: ${temporaryPassword}\n\nAt first login you must set your own password.`,
-    });
-  }
+  const welcomeMail = buildWelcomeCredentialsMail({
+    displayName: username,
+    username,
+    temporaryPassword,
+  });
+  await sendMail({
+    to: normalizedEmail,
+    subject: welcomeMail.subject,
+    text: welcomeMail.text,
+    html: welcomeMail.html,
+  });
 
   return NextResponse.json(
     {
       user: { id: newUser.id, username: newUser.username },
-      temporaryPassword: smtpEnabled ? undefined : temporaryPassword,
-      mailSent: smtpEnabled && !!normalizedEmail,
+      mailSent: true,
     },
     { status: 201 }
   );

src/components/users/UsersTable.tsx

@@ -576,8 +576,7 @@ function CreateGroupModal({ onClose, onCreated }: { onClose: () => void; onCreat
 
 function CreateUserModal({ onClose, onCreated }: { onClose: () => void; onCreated: () => void }) {
   const [username, setUsername] = useState("");
-  const [password, setPassword] = useState("");
-  const [displayName, setDisplayName] = useState("");
+  const [email, setEmail] = useState("");
   const [error, setError] = useState("");
   const [loading, setLoading] = useState(false);
 
@@ -588,7 +587,7 @@ function CreateUserModal({ onClose, onCreated }: { onClose: () => void; onCreate
     const res = await fetch("/api/users", {
       method: "POST",
       headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({ username, password, displayName: displayName || undefined }),
+      body: JSON.stringify({ username, email }),
     });
     setLoading(false);
     if (res.ok) {
@@ -605,8 +604,10 @@ function CreateUserModal({ onClose, onCreated }: { onClose: () => void; onCreate
         <h2 className="text-lg font-bold mb-4">Create User</h2>
         <form onSubmit={handleCreate} className="space-y-4">
           <Field label="Username" value={username} onChange={setUsername} required />
-          <Field label="Display Name (optional)" value={displayName} onChange={setDisplayName} />
-          <Field label="Password" value={password} onChange={setPassword} type="password" required />
+          <Field label="Email" value={email} onChange={setEmail} type="email" required />
+          <p className="text-xs text-muted-foreground">
+            A secure temporary password is generated automatically and sent to this email address.
+          </p>
           {error && <p className="text-sm text-destructive">{error}</p>}
           <div className="flex gap-3 pt-2">
             <button type="button" onClick={onClose} className="flex-1 rounded-lg border border-border px-4 py-2.5 text-sm hover:bg-accent transition">

src/lib/mail.ts

@@ -5,9 +5,168 @@ import { decryptSecret } from "@/lib/secrets";
 export type MailPayload = {
   to: string;
   subject: string;
-  text: string;
+  text?: string;
+  html?: string;
 };
 
+function escapeHtml(value: string): string {
+  return value
+    .replace(/&/g, "&")
+    .replace(/</g, "&lt;")
+    .replace(/>/g, "&gt;")
+    .replace(/\"/g, "&quot;")
+    .replace(/'/g, "&#39;");
+}
+
+function wrapMailHtml(title: string, contentHtml: string, footer?: string): string {
+  return `<!doctype html>
+<html lang="en">
+  <body style="margin:0;padding:0;background:#f3f6fb;font-family:'Segoe UI',Arial,sans-serif;color:#0f172a;">
+    <table role="presentation" cellpadding="0" cellspacing="0" width="100%" style="padding:28px 12px;">
+      <tr>
+        <td align="center">
+          <table role="presentation" cellpadding="0" cellspacing="0" width="100%" style="max-width:620px;background:#ffffff;border:1px solid #dbe4f0;border-radius:14px;overflow:hidden;">
+            <tr>
+              <td style="padding:20px 24px;background:linear-gradient(120deg,#0f172a,#1e293b);color:#ffffff;">
+                <h1 style="margin:0;font-size:20px;line-height:1.2;font-weight:700;">ServerCommander</h1>
+                <p style="margin:8px 0 0 0;font-size:13px;opacity:0.9;">${escapeHtml(title)}</p>
+              </td>
+            </tr>
+            <tr>
+              <td style="padding:24px;">
+                ${contentHtml}
+              </td>
+            </tr>
+            <tr>
+              <td style="padding:14px 24px;background:#f8fafc;border-top:1px solid #e2e8f0;color:#475569;font-size:12px;line-height:1.5;">
+                ${escapeHtml(footer ?? "Automatic security message from ServerCommander.")}
+              </td>
+            </tr>
+          </table>
+        </td>
+      </tr>
+    </table>
+  </body>
+</html>`;
+}
+
+export function buildWelcomeCredentialsMail(input: {
+  displayName: string;
+  username: string;
+  temporaryPassword: string;
+}): { subject: string; text: string; html: string } {
+  const subject = "Welcome to ServerCommander";
+  const text = [
+    `Hello ${input.displayName},`,
+    "",
+    "Your ServerCommander account has been created.",
+    `Username: ${input.username}`,
+    `Temporary password: ${input.temporaryPassword}`,
+    "",
+    "At first login you must change your password.",
+  ].join("\n");
+
+  const html = wrapMailHtml(
+    "Your account is ready",
+    `<p style="margin:0 0 12px 0;font-size:15px;">Hello ${escapeHtml(input.displayName)},</p>
+     <p style="margin:0 0 16px 0;font-size:14px;color:#334155;">Your ServerCommander account was created. Use these initial credentials:</p>
+     <table role="presentation" cellpadding="0" cellspacing="0" width="100%" style="border:1px solid #e2e8f0;border-radius:10px;background:#f8fafc;">
+       <tr><td style="padding:12px 14px;font-size:13px;color:#475569;">Username</td><td style="padding:12px 14px;font-size:14px;font-weight:600;color:#0f172a;">${escapeHtml(input.username)}</td></tr>
+       <tr><td style="padding:12px 14px;font-size:13px;color:#475569;border-top:1px solid #e2e8f0;">Temporary password</td><td style="padding:12px 14px;font-size:14px;font-weight:600;color:#0f172a;border-top:1px solid #e2e8f0;">${escapeHtml(input.temporaryPassword)}</td></tr>
+     </table>
+     <p style="margin:16px 0 0 0;font-size:13px;color:#334155;">You will be asked to change this password at first login.</p>`,
+    "Do not share this email. If this account was not expected, contact an administrator immediately."
+  );
+
+  return { subject, text, html };
+}
+
+export function buildLoginCodeMail(input: {
+  displayName: string;
+  code: string;
+  minutesValid: number;
+}): { subject: string; text: string; html: string } {
+  const subject = "ServerCommander Login Code";
+  const text = [
+    `Hello ${input.displayName},`,
+    "",
+    `Your login code is: ${input.code}`,
+    `This code expires in ${input.minutesValid} minutes.`,
+    "",
+    "If you did not request this login, contact your administrator.",
+  ].join("\n");
+
+  const html = wrapMailHtml(
+    "Two-factor authentication",
+    `<p style="margin:0 0 12px 0;font-size:15px;">Hello ${escapeHtml(input.displayName)},</p>
+     <p style="margin:0 0 14px 0;font-size:14px;color:#334155;">Use this one-time login code:</p>
+     <div style="display:inline-block;padding:12px 18px;border-radius:10px;background:#0f172a;color:#ffffff;font-size:26px;font-weight:700;letter-spacing:4px;">${escapeHtml(input.code)}</div>
+     <p style="margin:14px 0 0 0;font-size:13px;color:#334155;">This code expires in ${input.minutesValid} minutes.</p>`,
+    "Never share this code with anyone."
+  );
+
+  return { subject, text, html };
+}
+
+export function buildPasswordResetCodeMail(input: {
+  displayName: string;
+  code: string;
+  minutesValid: number;
+}): { subject: string; text: string; html: string } {
+  const subject = "ServerCommander Password Reset Code";
+  const text = [
+    `Hello ${input.displayName},`,
+    "",
+    `Your password reset code is: ${input.code}`,
+    `This code expires in ${input.minutesValid} minutes.`,
+  ].join("\n");
+
+  const html = wrapMailHtml(
+    "Password reset request",
+    `<p style="margin:0 0 12px 0;font-size:15px;">Hello ${escapeHtml(input.displayName)},</p>
+     <p style="margin:0 0 14px 0;font-size:14px;color:#334155;">Use this one-time code to reset your password:</p>
+     <div style="display:inline-block;padding:12px 18px;border-radius:10px;background:#0f172a;color:#ffffff;font-size:26px;font-weight:700;letter-spacing:4px;">${escapeHtml(input.code)}</div>
+     <p style="margin:14px 0 0 0;font-size:13px;color:#334155;">This code expires in ${input.minutesValid} minutes.</p>`,
+    "If you did not request a reset, you can ignore this message."
+  );
+
+  return { subject, text, html };
+}
+
+export function buildSmtpTestMail(input: {
+  host: string;
+  port: number;
+  secure: boolean;
+  fromEmail: string;
+}): { subject: string; text: string; html: string } {
+  const subject = "ServerCommander SMTP Test";
+  const transport = input.secure
+    ? (input.port === 465 ? "SSL/TLS (implicit)" : "STARTTLS")
+    : "unencrypted/optional TLS";
+  const text = [
+    "This is a test email from ServerCommander.",
+    "",
+    `Host: ${input.host}`,
+    `Port: ${input.port}`,
+    `Transport: ${transport}`,
+    `From: ${input.fromEmail}`,
+  ].join("\n");
+
+  const html = wrapMailHtml(
+    "SMTP test successful",
+    `<p style="margin:0 0 12px 0;font-size:15px;">This confirms that outgoing email is working.</p>
+     <table role="presentation" cellpadding="0" cellspacing="0" width="100%" style="border:1px solid #e2e8f0;border-radius:10px;background:#f8fafc;">
+       <tr><td style="padding:12px 14px;font-size:13px;color:#475569;">Host</td><td style="padding:12px 14px;font-size:14px;font-weight:600;color:#0f172a;">${escapeHtml(input.host)}</td></tr>
+       <tr><td style="padding:12px 14px;font-size:13px;color:#475569;border-top:1px solid #e2e8f0;">Port</td><td style="padding:12px 14px;font-size:14px;font-weight:600;color:#0f172a;border-top:1px solid #e2e8f0;">${input.port}</td></tr>
+       <tr><td style="padding:12px 14px;font-size:13px;color:#475569;border-top:1px solid #e2e8f0;">Transport</td><td style="padding:12px 14px;font-size:14px;font-weight:600;color:#0f172a;border-top:1px solid #e2e8f0;">${escapeHtml(transport)}</td></tr>
+       <tr><td style="padding:12px 14px;font-size:13px;color:#475569;border-top:1px solid #e2e8f0;">From</td><td style="padding:12px 14px;font-size:14px;font-weight:600;color:#0f172a;border-top:1px solid #e2e8f0;">${escapeHtml(input.fromEmail)}</td></tr>
+     </table>`,
+    "No further action required."
+  );
+
+  return { subject, text, html };
+}
+
 export async function getSmtpSettings() {
   return db.smtpSettings.findUnique({ where: { id: "default" } });
 }
@@ -25,6 +184,9 @@ export async function sendMail(payload: MailPayload): Promise<void> {
   if (!cfg.host || !cfg.port || !cfg.username || !cfg.passwordEnc || !cfg.fromEmail) {
     throw new Error("SMTP config incomplete");
   }
+  if (!payload.text && !payload.html) {
+    throw new Error("Mail payload requires text or html content");
+  }
 
   const useImplicitTls = cfg.secure && cfg.port === 465;
   const requireStartTls = cfg.secure && cfg.port !== 465;
@@ -49,5 +211,6 @@ export async function sendMail(payload: MailPayload): Promise<void> {
     to: payload.to,
     subject: payload.subject,
     text: payload.text,
+    html: payload.html,
   });
 }