internxt · jzunigax2 · Mar 31, 2026 · Mar 31, 2026 · Apr 16, 2026 · sg-gs
@@ -0,0 +1,90 @@
+'use strict';
+
+const { v4 } = require('uuid');
+
+const LIMIT_LABEL = 'mail-access';
+
+/** @type {import('sequelize-cli').Migration} */
+module.exports = {
+  async up(queryInterface) {
+    const transaction = await queryInterface.sequelize.transaction();
+    try {
+      const disabledLimitId = v4();
+      const enabledLimitId = v4();
+
+      await queryInterface.bulkInsert(
+        'limits',
+        [
+          {
+            id: disabledLimitId,
+            label: LIMIT_LABEL,
+            type: 'boolean',
+            value: 'false',
+            created_at: new Date(),
+            updated_at: new Date(),
+          },
+          {
+            id: enabledLimitId,
+            label: LIMIT_LABEL,
+            type: 'boolean',
+            value: 'true',
+            created_at: new Date(),
+            updated_at: new Date(),
+          },
+        ],
+        { transaction },
+      );
+
+      const [tiers] = await queryInterface.sequelize.query(
+        `SELECT id, label FROM tiers`,
+        { transaction },
+      );
+
+      const tierLimitRelations = tiers.map((tier) => ({
+        id: v4(),
+        tier_id: tier.id,
+        limit_id: disabledLimitId,
+        created_at: new Date(),
+        updated_at: new Date(),
+      }));
+
+      await queryInterface.bulkInsert('tiers_limits', tierLimitRelations, {
+        transaction,
+      });
+
+      await transaction.commit();
+    } catch (error) {
+      await transaction.rollback();
+      throw error;
+    }
+  },
+
+  async down(queryInterface) {
+    const transaction = await queryInterface.sequelize.transaction();
+    try {
+      const [limits] = await queryInterface.sequelize.query(
+        `SELECT id FROM limits WHERE label = :limitLabel`,
+        { replacements: { limitLabel: LIMIT_LABEL }, transaction },
+      );
+
+      const limitIds = limits.map((l) => l.id);
+
+      if (limitIds.length > 0) {
+        await queryInterface.sequelize.query(
+          `DELETE FROM tiers_limits WHERE limit_id IN (:limitIds)`,
+          { replacements: { limitIds }, transaction },
+        );
+      }
+
+      await queryInterface.sequelize.query(
+        `DELETE FROM limits WHERE label = :limitLabel`,
+        { replacements: { limitLabel: LIMIT_LABEL }, transaction },
+      );
+
+      await transaction.commit();
+    } catch (error) {
+      await transaction.rollback();
+      throw error;
+    }
+  },
+};
@@ -33,6 +33,7 @@ import { AuthGuard } from './modules/auth/auth.guard';
 import { CacheManagerModule } from './modules/cache-manager/cache-manager.module';
 import { ReferralModule } from './modules/referral/referral.module';
 import { HealthModule } from './infrastructure/health/health.module';
+import { MailModule } from './modules/mail/mail.module';
 
 const isCronjobInstance = process.env.EXECUTE_JOBS === 'true';
 const appName = isCronjobInstance ? 'drive-server-cronjob' : 'drive-server';
@@ -152,6 +153,7 @@ const appName = isCronjobInstance ? 'drive-server-cronjob' : 'drive-server';
     CacheManagerModule,
     ReferralModule,
     HealthModule,
+    MailModule,
   ],
   controllers: [],
   providers: [

@@ -30,6 +30,7 @@ export enum AuditAction {
   AccountReset = 'account-reset',
   AccountRecovery = 'account-recovery',
   AccountDeactivated = 'account-deactivated',
+  MailSetup = 'mail-setup',
   // Workspace actions
   WorkspaceCreated = 'workspace-created',
   WorkspaceDeleted = 'workspace-deleted',
@@ -48,6 +49,7 @@ export const AUDIT_ENTITY_ACTIONS: Record<AuditEntityType, AuditAction[]> = {
     AuditAction.AccountReset,
     AuditAction.AccountRecovery,
     AuditAction.AccountDeactivated,
+    AuditAction.MailSetup,
   ],
   [AuditEntityType.Workspace]: [
     AuditAction.WorkspaceCreated,

@@ -70,6 +70,9 @@ export default () => ({
     payments: {
       url: process.env.PAYMENTS_API_URL,
     },
+    mail: {
+      url: process.env.MAIL_API_URL,
+    },
   },
   apn: {
     url: process.env.APN_URL,

@@ -0,0 +1,12 @@
+import { Module } from '@nestjs/common';
+import { ConfigModule } from '@nestjs/config';
+import { HttpClientModule } from '../http/http.module';
+import { MailService } from './mail.service';
+
+@Module({
+  imports: [ConfigModule, HttpClientModule],
+  controllers: [],
+  providers: [MailService],
+  exports: [MailService],
+})
+export class MailServiceModule {}
@@ -0,0 +1,91 @@
+import { ConflictException, Inject, Injectable } from '@nestjs/common';
+import { sign } from 'jsonwebtoken';
+import { ConfigService } from '@nestjs/config';
+import { HttpClient } from '../http/http.service';
+
+interface CreateAccountPayload {
+  userId: string;
+  address: string;
+  domain: string;
+  displayName: string;
+}
+
+interface CreateAccountResponse {
+  address: string;
+  domain: string;
+}
+
+function signToken(duration: string, secret: string, isDevelopment?: boolean) {
+  return sign({}, Buffer.from(secret, 'base64').toString('utf8'), {
+    algorithm: 'RS256',
+    expiresIn: duration,
+    ...(isDevelopment ? { allowInsecureKeySizes: true } : null),
+  });
+}
+
+@Injectable()
+export class MailService {
+  constructor(
+    @Inject(ConfigService)
+    private readonly configService: ConfigService,
+    @Inject(HttpClient)
+    private readonly httpClient: HttpClient,
+  ) {}
+
+  private getAuthHeaders() {
+    const isDevelopment = this.configService.get('isDevelopment');
+    const jwt = signToken(
+      '5m',
+      this.configService.get('secrets.gateway'),
+      isDevelopment,
+    );
+
+    return {
+      'Content-Type': 'application/json',
+      Authorization: `Bearer ${jwt}`,
+    };
+  }
+
+  async findUserIdByAddress(address: string): Promise<string | null> {
+    const baseUrl = this.configService.get('apis.mail.url');
+    const headers = this.getAuthHeaders();
+
+    try {
+      const res = await this.httpClient.get(
+        `${baseUrl}/gateway/addresses/${encodeURIComponent(address)}`,
+        { headers },
+      );
+
+      return res.data?.userId ?? null;
+    } catch (error) {
+      if (error?.response?.status === 404) {
+        return null;
+      }
+      throw error;
+    }
+  }
+
+  async createAccount(
+    payload: CreateAccountPayload,
+  ): Promise<CreateAccountResponse> {
+    const baseUrl = this.configService.get('apis.mail.url');
+    const headers = this.getAuthHeaders();
+
+    try {
+      const res = await this.httpClient.post(
+        `${baseUrl}/gateway/accounts`,
+        payload,
+        { headers },
+      );
+
+      return res.data;
+    } catch (error) {
+      if (error?.response?.status === 409) {
+        throw new ConflictException(
+          error.response.data?.message || 'Mail account already exists',
+        );
+      }
+      throw error;
+    }
+  }
+}
@@ -48,6 +48,8 @@ import { FeatureLimitService } from '../feature-limit/feature-limit.service';
 import { PaymentRequiredException } from '../feature-limit/exceptions/payment-required.exception';
 import { Client } from '../../common/decorators/client.decorator';
 import { type ClientEnum } from '../../common/enums/platform.enum';
+import { MailService } from '../../externals/mail/mail.service';
+import { isManagedMailDomain } from './managed-mail-domains';
 
 @ApiTags('Auth')
 @Controller('auth')
@@ -60,8 +62,19 @@ export class AuthController {
     private readonly twoFactorAuthService: TwoFactorAuthService,
     private readonly authUseCases: AuthUsecases,
     private readonly featureLimitService: FeatureLimitService,
+    private readonly mailService: MailService,
   ) {}
 
+  private async resolveLoginEmail(email: string): Promise<string> {
+    if (!isManagedMailDomain(email)) return email;
+
+    const userId = await this.mailService.findUserIdByAddress(email);
+    if (!userId) return email;
+
+    const user = await this.userUseCases.findByUuid(userId).catch(() => null);
+    return user?.email ?? email;
+  }
+
   @Post('/login')
   @HttpCode(HttpStatus.OK)
   @ApiOperation({
@@ -70,7 +83,7 @@ export class AuthController {
   @ApiOkResponse({ description: 'Retrieve details', type: LoginResponseDto })
   @Public()
   async login(@Body() body: LoginDto): Promise<LoginResponseDto> {
-    const email = body.email.toLowerCase();
+    const email = await this.resolveLoginEmail(body.email.toLowerCase());
 
     const user = await this.userUseCases.findByEmail(email);
 
@@ -128,8 +141,11 @@ export class AuthController {
         revocationKey: body.revocateKey,
       });
 
+      const email = await this.resolveLoginEmail(body.email.toLowerCase());
+
       const result = await this.userUseCases.loginAccess({
         ...body,
+        email,
         keys: { kyber, ecc },
       });
 
@@ -299,8 +315,11 @@ export class AuthController {
         revocationKey: body.revocateKey,
       });
 
+      const email = await this.resolveLoginEmail(body.email.toLowerCase());
+
       const result = await this.userUseCases.loginAccess({
         ...body,
+        email,
         keys: { kyber, ecc },
         platform,
       });

@@ -18,6 +18,7 @@ import { AuthUsecases } from './auth.usecase';
 import { CaptchaService } from '../../externals/captcha/captcha.service';
 import { FeatureLimitModule } from '../feature-limit/feature-limit.module';
 import { AuditLogsModule } from '../../common/audit-logs/audit-logs.module';
+import { MailServiceModule } from '../../externals/mail/mail.module';
 
 @Module({
   imports: [
@@ -41,6 +42,7 @@ import { AuditLogsModule } from '../../common/audit-logs/audit-logs.module';
     CacheManagerModule,
     FeatureLimitModule,
     AuditLogsModule,
+    MailServiceModule,
   ],
   providers: [
     CaptchaService,

@@ -0,0 +1,9 @@
+export const MANAGED_MAIL_DOMAINS: ReadonlySet<string> = new Set([
+  'inxt.eu',
+  'inxt.me',
+]);
+
+export function isManagedMailDomain(email: string): boolean {
+  const domain = email.split('@')[1]?.toLowerCase();
+  return !!domain && MANAGED_MAIL_DOMAINS.has(domain);
+}
@@ -11,6 +11,7 @@ export enum LimitLabels {
   RcloneAccess = 'rclone-access',
   TrashRetentionDays = 'trash-retention-days',
   ReferralAccess = 'referral-access',
+  MailAccess = 'mail-access',
 }
 
 export enum LimitTypes {

@@ -0,0 +1,24 @@
+import { ApiProperty } from '@nestjs/swagger';
+import { IsNotEmpty, IsString } from 'class-validator';
+
+export class CreateMailAccountDto {
+  @ApiProperty({ example: 'john' })
+  @IsNotEmpty()
+  @IsString()
+  address: string;
+
+  @ApiProperty({ example: 'inxt.eu' })
+  @IsNotEmpty()
+  @IsString()
+  domain: string;
+
+  @ApiProperty({ example: 'John Doe' })
+  @IsNotEmpty()
+  @IsString()
+  displayName: string;
+
+  @ApiProperty({ description: 'Encrypted password for re-authentication' })
+  @IsNotEmpty()
+  @IsString()
+  password: string;
+}