feat: implement mail account provisioning and recovery email functionality

- Added migration to include recovery_email field in users table.
- Introduced Mail module with MailService and MailController for handling mail account creation.
- Implemented MailUseCases to manage mail account provisioning and validation.
- Updated user model to support recovery email and added necessary DTOs for mail account creation.
- Enhanced audit logging to track mail setup actions.

Author: jzunigax2

migrations/20260330153847-add-recovery-email-to-users.js

@@ -0,0 +1,16 @@
+'use strict';
+
+/** @type {import('sequelize-cli').Migration} */
+module.exports = {
+  async up(queryInterface, Sequelize) {
+    await queryInterface.addColumn('users', 'recovery_email', {
+      type: Sequelize.STRING,
+      allowNull: true,
+      defaultValue: null,
+    });
+  },
+
+  async down(queryInterface) {
+    await queryInterface.removeColumn('users', 'recovery_email');
+  },
+};

migrations/20260330160219-add-mail-access-limit.js

@@ -0,0 +1,90 @@
+'use strict';
+
+const { v4 } = require('uuid');
+
+const LIMIT_LABEL = 'mail-access';
+
+/** @type {import('sequelize-cli').Migration} */
+module.exports = {
+  async up(queryInterface) {
+    const transaction = await queryInterface.sequelize.transaction();
+    try {
+      const disabledLimitId = v4();
+      const enabledLimitId = v4();
+
+      await queryInterface.bulkInsert(
+        'limits',
+        [
+          {
+            id: disabledLimitId,
+            label: LIMIT_LABEL,
+            type: 'boolean',
+            value: 'false',
+            created_at: new Date(),
+            updated_at: new Date(),
+          },
+          {
+            id: enabledLimitId,
+            label: LIMIT_LABEL,
+            type: 'boolean',
+            value: 'true',
+            created_at: new Date(),
+            updated_at: new Date(),
+          },
+        ],
+        { transaction },
+      );
+
+      const [tiers] = await queryInterface.sequelize.query(
+        `SELECT id, label FROM tiers`,
+        { transaction },
+      );
+
+      const tierLimitRelations = tiers.map((tier) => ({
+        id: v4(),
+        tier_id: tier.id,
+        limit_id: disabledLimitId,
+        created_at: new Date(),
+        updated_at: new Date(),
+      }));
+
+      await queryInterface.bulkInsert('tiers_limits', tierLimitRelations, {
+        transaction,
+      });
+
+      await transaction.commit();
+    } catch (error) {
+      await transaction.rollback();
+      throw error;
+    }
+  },
+
+  async down(queryInterface) {
+    const transaction = await queryInterface.sequelize.transaction();
+    try {
+      const [limits] = await queryInterface.sequelize.query(
+        `SELECT id FROM limits WHERE label = :limitLabel`,
+        { replacements: { limitLabel: LIMIT_LABEL }, transaction },
+      );
+
+      const limitIds = limits.map((l) => l.id);
+
+      if (limitIds.length > 0) {
+        await queryInterface.sequelize.query(
+          `DELETE FROM tiers_limits WHERE limit_id IN (:limitIds)`,
+          { replacements: { limitIds }, transaction },
+        );
+      }
+
+      await queryInterface.sequelize.query(
+        `DELETE FROM limits WHERE label = :limitLabel`,
+        { replacements: { limitLabel: LIMIT_LABEL }, transaction },
+      );
+
+      await transaction.commit();
+    } catch (error) {
+      await transaction.rollback();
+      throw error;
+    }
+  },
+};

src/app.module.ts

@@ -32,6 +32,7 @@ import { getClientIdFromHeaders } from './common/decorators/client.decorator';
 import { AuthGuard } from './modules/auth/auth.guard';
 import { CacheManagerModule } from './modules/cache-manager/cache-manager.module';
 import { ReferralModule } from './modules/referral/referral.module';
+import { MailModule } from './modules/mail/mail.module';
 
 const isCronjobInstance = process.env.EXECUTE_JOBS === 'true';
 const appName = isCronjobInstance ? 'drive-server-cronjob' : 'drive-server';
@@ -150,6 +151,7 @@ const appName = isCronjobInstance ? 'drive-server-cronjob' : 'drive-server';
     GatewayModule,
     CacheManagerModule,
     ReferralModule,
+    MailModule,
   ],
   controllers: [],
   providers: [

src/common/audit-logs/audit-logs.attributes.ts

@@ -30,6 +30,7 @@ export enum AuditAction {
   AccountReset = 'account-reset',
   AccountRecovery = 'account-recovery',
   AccountDeactivated = 'account-deactivated',
+  MailSetup = 'mail-setup',
   // Workspace actions
   WorkspaceCreated = 'workspace-created',
   WorkspaceDeleted = 'workspace-deleted',
@@ -47,6 +48,7 @@ export const AUDIT_ENTITY_ACTIONS: Record<AuditEntityType, AuditAction[]> = {
     AuditAction.AccountReset,
     AuditAction.AccountRecovery,
     AuditAction.AccountDeactivated,
+    AuditAction.MailSetup,
   ],
   [AuditEntityType.Workspace]: [
     AuditAction.WorkspaceCreated,

src/config/configuration.ts

@@ -70,6 +70,9 @@ export default () => ({
     payments: {
       url: process.env.PAYMENTS_API_URL,
     },
+    mail: {
+      url: process.env.MAIL_API_URL,
+    },
   },
   apn: {
     url: process.env.APN_URL,

src/externals/mail/mail.module.ts

@@ -0,0 +1,12 @@
+import { Module } from '@nestjs/common';
+import { ConfigModule } from '@nestjs/config';
+import { HttpClientModule } from '../http/http.module';
+import { MailService } from './mail.service';
+
+@Module({
+  imports: [ConfigModule, HttpClientModule],
+  controllers: [],
+  providers: [MailService],
+  exports: [MailService],
+})
+export class MailServiceModule {}

src/externals/mail/mail.service.ts

@@ -0,0 +1,63 @@
+import { Inject, Injectable } from '@nestjs/common';
+import { sign } from 'jsonwebtoken';
+import { ConfigService } from '@nestjs/config';
+import { HttpClient } from '../http/http.service';
+
+interface CreateAccountPayload {
+  userId: string;
+  address: string;
+  domain: string;
+  displayName: string;
+}
+
+interface CreateAccountResponse {
+  address: string;
+  domain: string;
+}
+
+function signToken(duration: string, secret: string, isDevelopment?: boolean) {
+  return sign({}, Buffer.from(secret, 'base64').toString('utf8'), {
+    algorithm: 'RS256',
+    expiresIn: duration,
+    ...(isDevelopment ? { allowInsecureKeySizes: true } : null),
+  });
+}
+
+@Injectable()
+export class MailService {
+  constructor(
+    @Inject(ConfigService)
+    private readonly configService: ConfigService,
+    @Inject(HttpClient)
+    private readonly httpClient: HttpClient,
+  ) {}
+
+  private getAuthHeaders() {
+    const isDevelopment = this.configService.get('isDevelopment');
+    const jwt = signToken(
+      '5m',
+      this.configService.get('secrets.gateway'),
+      isDevelopment,
+    );
+
+    return {
+      'Content-Type': 'application/json',
+      Authorization: `Bearer ${jwt}`,
+    };
+  }
+
+  async createAccount(
+    payload: CreateAccountPayload,
+  ): Promise<CreateAccountResponse> {
+    const baseUrl = this.configService.get('apis.mail.url');
+    const headers = this.getAuthHeaders();
+
+    const res = await this.httpClient.post(
+      `${baseUrl}/gateway/accounts`,
+      payload,
+      { headers },
+    );
+
+    return res.data;
+  }
+}

src/modules/feature-limit/limits.enum.ts

@@ -11,6 +11,7 @@ export enum LimitLabels {
   RcloneAccess = 'rclone-access',
   TrashRetentionDays = 'trash-retention-days',
   ReferralAccess = 'referral-access',
+  MailAccess = 'mail-access',
 }
 
 export enum LimitTypes {

src/modules/mail/dto/create-mail-account.dto.ts

@@ -0,0 +1,24 @@
+import { ApiProperty } from '@nestjs/swagger';
+import { IsNotEmpty, IsString } from 'class-validator';
+
+export class CreateMailAccountDto {
+  @ApiProperty({ example: 'john' })
+  @IsNotEmpty()
+  @IsString()
+  address: string;
+
+  @ApiProperty({ example: 'inxt.eu' })
+  @IsNotEmpty()
+  @IsString()
+  domain: string;
+
+  @ApiProperty({ example: 'John Doe' })
+  @IsNotEmpty()
+  @IsString()
+  displayName: string;
+
+  @ApiProperty({ description: 'Encrypted password for re-authentication' })
+  @IsNotEmpty()
+  @IsString()
+  password: string;
+}

src/modules/mail/mail.controller.ts

@@ -0,0 +1,30 @@
+import { Body, Controller, HttpCode, HttpStatus, Post } from '@nestjs/common';
+import { ApiBearerAuth, ApiOkResponse, ApiOperation } from '@nestjs/swagger';
+import { User as UserDecorator } from '../auth/decorators/user.decorator';
+import { User } from '../user/user.domain';
+import { MailUseCases } from './mail.usecase';
+import { CreateMailAccountDto } from './dto/create-mail-account.dto';
+import { AuditLog } from '../../common/audit-logs/decorators/audit-log.decorator';
+import { AuditAction } from '../../common/audit-logs/audit-logs.attributes';
+
+@Controller('mail')
+export class MailController {
+  constructor(private readonly mailUseCases: MailUseCases) {}
+
+  @Post('accounts')
+  @HttpCode(HttpStatus.CREATED)
+  @ApiOperation({ summary: 'Provision a mail account for the user' })
+  @ApiBearerAuth()
+  @AuditLog({
+    action: AuditAction.MailSetup,
+    metadata: (_req, res) => ({
+      address: res.address,
+    }),
+  })
+  async createMailAccount(
+    @UserDecorator() user: User,
+    @Body() createMailAccountDto: CreateMailAccountDto,
+  ) {
+    return this.mailUseCases.createMailAccount(user, createMailAccountDto);
+  }
+}