2016-05-28 05:05:27 +08:00
|
|
|
/* eslint global-require: 0 */
|
|
|
|
|
|
|
|
import crypto from 'crypto';
|
2017-06-25 11:34:01 +08:00
|
|
|
import {CommonProviderSettings} from 'imap-provider-settings';
|
2016-11-30 04:29:28 +08:00
|
|
|
import {
|
|
|
|
NylasAPIRequest,
|
2017-08-07 05:18:04 +08:00
|
|
|
IdentityStore,
|
2016-11-30 04:29:28 +08:00
|
|
|
RegExpUtils,
|
2017-07-04 02:44:28 +08:00
|
|
|
MailsyncProcess,
|
2016-11-30 04:29:28 +08:00
|
|
|
} from 'nylas-exports';
|
2016-11-24 03:48:58 +08:00
|
|
|
|
2017-08-01 11:20:01 +08:00
|
|
|
const {makeRequest, rootURLForServer} = NylasAPIRequest;
|
2017-07-04 02:44:28 +08:00
|
|
|
|
2016-11-24 03:48:58 +08:00
|
|
|
const IMAP_FIELDS = new Set([
|
|
|
|
"imap_host",
|
|
|
|
"imap_port",
|
|
|
|
"imap_username",
|
|
|
|
"imap_password",
|
[*] Revamp SSL options (including user-facing)
Summary:
Previously, the generic IMAP auth screen presented one security option to
users: "Require SSL". This was ambiguous and difficult to translate into
the correct security options behind the scenes, causing confusion and problems
connecting some accounts.
This patch does the following:
* Separates security settings for IMAP and SMTP, as these different protocols
may also require different SSL/TLS settings
* Reworks the generic IMAP auth page to allow specifying security settings
with higher fidelity. We looked at various different email apps and decided
that the best solution to this problem was to allow more detailed
specification of security settings and to ease the burden of more options
by having sane defaults that work correctly in the majority of cases.
This new screen allows users to pick from "SSL / TLS", "STARTTLS", or "none"
for the security settings for a protocol, and also to instruct us that
they're OK with us using known insecure SSL settings to connect to their
server by checking a checkbox.
We default to port 993 / SSL/TLS for IMAP and port 587 / STARTTLS for SMTP.
These are the most common settings for providers these days and will work
for most folks.
* Significantly tightens our default security. Now that we can allow folks to
opt-in to bad security, by default we should protect folks as best we can.
* Removes some now-unnecessary jank like specifying the SSLv3 "cipher"
in some custom SMTP configs. I don't think this was actually necessary
as SSLv3 is a protocol and not a valid cipher, but these custom
configs may have been necessary because of how the ssl_required flag was
linked between IMAP and SMTP before (and thus to specify different
settings for SMTP you'd have to override the SMTP config).
* Removes hard-coding of Gmail & Office365 settings in several
locations. (This was a major headache while working on the patch.)
This depends on version 2.0.1 of imap-provider-settings, which has major
breaking changes from version 1.0. See commit for more info:
https://github.com/nylas/imap-provider-settings/commit/9851054f9153476b6896d04893a40b4febc8986e
Among other things, I did a serious audit of the settings in this file and
"upgraded" a few servers which weren't using the SSL-enabled ports for their
provider to the secure ones. Hurray for nmap and openssl.
Test Plan: manual
Reviewers: evan, mark, juan, halla
Reviewed By: juan, halla
Differential Revision: https://phab.nylas.com/D4316
2017-04-06 08:34:13 +08:00
|
|
|
"imap_security",
|
|
|
|
"imap_allow_insecure_ssl",
|
2016-11-24 03:48:58 +08:00
|
|
|
"smtp_host",
|
|
|
|
"smtp_port",
|
|
|
|
"smtp_username",
|
|
|
|
"smtp_password",
|
[*] Revamp SSL options (including user-facing)
Summary:
Previously, the generic IMAP auth screen presented one security option to
users: "Require SSL". This was ambiguous and difficult to translate into
the correct security options behind the scenes, causing confusion and problems
connecting some accounts.
This patch does the following:
* Separates security settings for IMAP and SMTP, as these different protocols
may also require different SSL/TLS settings
* Reworks the generic IMAP auth page to allow specifying security settings
with higher fidelity. We looked at various different email apps and decided
that the best solution to this problem was to allow more detailed
specification of security settings and to ease the burden of more options
by having sane defaults that work correctly in the majority of cases.
This new screen allows users to pick from "SSL / TLS", "STARTTLS", or "none"
for the security settings for a protocol, and also to instruct us that
they're OK with us using known insecure SSL settings to connect to their
server by checking a checkbox.
We default to port 993 / SSL/TLS for IMAP and port 587 / STARTTLS for SMTP.
These are the most common settings for providers these days and will work
for most folks.
* Significantly tightens our default security. Now that we can allow folks to
opt-in to bad security, by default we should protect folks as best we can.
* Removes some now-unnecessary jank like specifying the SSLv3 "cipher"
in some custom SMTP configs. I don't think this was actually necessary
as SSLv3 is a protocol and not a valid cipher, but these custom
configs may have been necessary because of how the ssl_required flag was
linked between IMAP and SMTP before (and thus to specify different
settings for SMTP you'd have to override the SMTP config).
* Removes hard-coding of Gmail & Office365 settings in several
locations. (This was a major headache while working on the patch.)
This depends on version 2.0.1 of imap-provider-settings, which has major
breaking changes from version 1.0. See commit for more info:
https://github.com/nylas/imap-provider-settings/commit/9851054f9153476b6896d04893a40b4febc8986e
Among other things, I did a serious audit of the settings in this file and
"upgraded" a few servers which weren't using the SSL-enabled ports for their
provider to the secure ones. Hurray for nmap and openssl.
Test Plan: manual
Reviewers: evan, mark, juan, halla
Reviewed By: juan, halla
Differential Revision: https://phab.nylas.com/D4316
2017-04-06 08:34:13 +08:00
|
|
|
"smtp_security",
|
|
|
|
"smtp_allow_insecure_ssl",
|
2016-11-24 03:48:58 +08:00
|
|
|
]);
|
2016-05-28 05:05:27 +08:00
|
|
|
|
2016-06-02 21:45:48 +08:00
|
|
|
function base64url(inBuffer) {
|
|
|
|
let buffer;
|
|
|
|
if (typeof inBuffer === "string") {
|
|
|
|
buffer = new Buffer(inBuffer);
|
|
|
|
} else if (inBuffer instanceof Buffer) {
|
|
|
|
buffer = inBuffer;
|
|
|
|
} else {
|
|
|
|
throw new Error(`${inBuffer} must be a string or Buffer`)
|
|
|
|
}
|
|
|
|
return buffer.toString('base64')
|
2016-05-28 05:05:27 +08:00
|
|
|
.replace(/\+/g, '-') // Convert '+' to '-'
|
|
|
|
.replace(/\//g, '_'); // Convert '/' to '_'
|
|
|
|
}
|
|
|
|
|
2017-08-01 11:20:01 +08:00
|
|
|
export function makeGmailOAuthRequest(sessionKey) {
|
|
|
|
return makeRequest({
|
|
|
|
server: 'accounts',
|
|
|
|
path: `/auth/gmail/token?key=${sessionKey}`,
|
|
|
|
method: 'GET',
|
|
|
|
auth: false,
|
2016-05-28 05:05:27 +08:00
|
|
|
});
|
2017-01-19 09:44:22 +08:00
|
|
|
}
|
|
|
|
|
2017-08-30 03:17:45 +08:00
|
|
|
export async function authIMAPForGmail(serverTokenResponse) {
|
2017-09-06 04:37:40 +08:00
|
|
|
// At this point, the Mailspring server has retrieved the Gmail token,
|
2017-08-30 03:17:45 +08:00
|
|
|
// created an account object in the database and tested it. All we
|
|
|
|
// need to do is save it locally, since we're confident Gmail will be
|
|
|
|
// accessible from the local sync worker.
|
|
|
|
const {id, email_address, provider, connection_settings, account_token, xoauth_refresh_token, name} = serverTokenResponse;
|
|
|
|
|
|
|
|
// Todo: clean up the serialization so this translation from K2 JSON isn't necessary.
|
|
|
|
return {
|
|
|
|
account: {
|
|
|
|
id,
|
|
|
|
provider,
|
|
|
|
name,
|
|
|
|
emailAddress: email_address,
|
|
|
|
settings: Object.assign({}, connection_settings, {
|
|
|
|
xoauth_refresh_token,
|
|
|
|
}),
|
2016-12-19 12:38:34 +08:00
|
|
|
},
|
2017-08-30 03:17:45 +08:00
|
|
|
cloudToken: account_token,
|
|
|
|
};
|
2016-05-28 05:05:27 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
export function buildGmailSessionKey() {
|
|
|
|
return base64url(crypto.randomBytes(40));
|
|
|
|
}
|
|
|
|
|
|
|
|
export function buildGmailAuthURL(sessionKey) {
|
2017-08-01 11:20:01 +08:00
|
|
|
return `${rootURLForServer('accounts')}/auth/gmail?state=${sessionKey}`;
|
2016-05-28 05:05:27 +08:00
|
|
|
}
|
|
|
|
|
2017-08-01 11:20:01 +08:00
|
|
|
export async function runAuthValidation(accountInfo) {
|
2016-05-28 05:05:27 +08:00
|
|
|
const {username, type, email, name} = accountInfo;
|
|
|
|
|
|
|
|
const data = {
|
2017-08-01 11:20:01 +08:00
|
|
|
id: 'temp',
|
2017-01-15 09:28:09 +08:00
|
|
|
provider: type,
|
2016-05-28 05:05:27 +08:00
|
|
|
name: name,
|
2017-07-04 14:50:37 +08:00
|
|
|
emailAddress: email,
|
2016-05-28 05:05:27 +08:00
|
|
|
settings: Object.assign({}, accountInfo),
|
|
|
|
};
|
|
|
|
|
|
|
|
// handle special case for exchange/outlook/hotmail username field
|
|
|
|
data.settings.username = username || email;
|
|
|
|
|
|
|
|
if (data.settings.imap_port) {
|
2016-10-18 08:59:33 +08:00
|
|
|
data.settings.imap_port /= 1;
|
2016-05-28 05:05:27 +08:00
|
|
|
}
|
|
|
|
if (data.settings.smtp_port) {
|
2016-10-18 08:59:33 +08:00
|
|
|
data.settings.smtp_port /= 1;
|
2016-05-28 05:05:27 +08:00
|
|
|
}
|
2017-07-04 14:50:37 +08:00
|
|
|
|
|
|
|
// Only include the required IMAP fields. Auth validation does not allow extra fields
|
2017-08-31 06:24:30 +08:00
|
|
|
if (type !== "gmail") {
|
2016-11-24 03:48:58 +08:00
|
|
|
for (const key of Object.keys(data.settings)) {
|
|
|
|
if (!IMAP_FIELDS.has(key)) {
|
2017-08-31 06:24:30 +08:00
|
|
|
delete data.settings[key];
|
2016-11-24 03:48:58 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-08-30 03:17:45 +08:00
|
|
|
// Test the account locally - if it succeeds, send it to the server and test it there
|
|
|
|
|
2017-08-09 01:00:07 +08:00
|
|
|
const proc = new MailsyncProcess(NylasEnv.getLoadSettings(), IdentityStore.identity(), data);
|
2017-08-01 11:20:01 +08:00
|
|
|
const {account} = await proc.test();
|
|
|
|
|
|
|
|
delete data.id;
|
2017-07-04 02:44:28 +08:00
|
|
|
|
2017-08-01 11:20:01 +08:00
|
|
|
const {id, account_token} = await makeRequest({
|
|
|
|
server: 'accounts',
|
|
|
|
path: `/auth`,
|
|
|
|
method: 'POST',
|
|
|
|
timeout: 1000 * 180, // Same timeout as server timeout (most requests are faster than 90s, but server validation can be slow in some cases)
|
|
|
|
body: data,
|
|
|
|
auth: false,
|
|
|
|
})
|
|
|
|
|
|
|
|
return {
|
|
|
|
account: Object.assign({}, account, {id}),
|
|
|
|
cloudToken: account_token,
|
|
|
|
};
|
2016-05-28 05:05:27 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
export function isValidHost(value) {
|
|
|
|
return RegExpUtils.domainRegex().test(value) || RegExpUtils.ipAddressRegex().test(value);
|
|
|
|
}
|
|
|
|
|
2017-08-31 06:24:30 +08:00
|
|
|
export function expandAccountInfoWithCommonSettings(accountInfo) {
|
|
|
|
const {email, type} = accountInfo;
|
2016-05-28 05:05:27 +08:00
|
|
|
const domain = email.split('@').pop().toLowerCase();
|
[*] Revamp SSL options (including user-facing)
Summary:
Previously, the generic IMAP auth screen presented one security option to
users: "Require SSL". This was ambiguous and difficult to translate into
the correct security options behind the scenes, causing confusion and problems
connecting some accounts.
This patch does the following:
* Separates security settings for IMAP and SMTP, as these different protocols
may also require different SSL/TLS settings
* Reworks the generic IMAP auth page to allow specifying security settings
with higher fidelity. We looked at various different email apps and decided
that the best solution to this problem was to allow more detailed
specification of security settings and to ease the burden of more options
by having sane defaults that work correctly in the majority of cases.
This new screen allows users to pick from "SSL / TLS", "STARTTLS", or "none"
for the security settings for a protocol, and also to instruct us that
they're OK with us using known insecure SSL settings to connect to their
server by checking a checkbox.
We default to port 993 / SSL/TLS for IMAP and port 587 / STARTTLS for SMTP.
These are the most common settings for providers these days and will work
for most folks.
* Significantly tightens our default security. Now that we can allow folks to
opt-in to bad security, by default we should protect folks as best we can.
* Removes some now-unnecessary jank like specifying the SSLv3 "cipher"
in some custom SMTP configs. I don't think this was actually necessary
as SSLv3 is a protocol and not a valid cipher, but these custom
configs may have been necessary because of how the ssl_required flag was
linked between IMAP and SMTP before (and thus to specify different
settings for SMTP you'd have to override the SMTP config).
* Removes hard-coding of Gmail & Office365 settings in several
locations. (This was a major headache while working on the patch.)
This depends on version 2.0.1 of imap-provider-settings, which has major
breaking changes from version 1.0. See commit for more info:
https://github.com/nylas/imap-provider-settings/commit/9851054f9153476b6896d04893a40b4febc8986e
Among other things, I did a serious audit of the settings in this file and
"upgraded" a few servers which weren't using the SSL-enabled ports for their
provider to the secure ones. Hurray for nmap and openssl.
Test Plan: manual
Reviewers: evan, mark, juan, halla
Reviewed By: juan, halla
Differential Revision: https://phab.nylas.com/D4316
2017-04-06 08:34:13 +08:00
|
|
|
let template = CommonProviderSettings[domain] || CommonProviderSettings[type] || {};
|
|
|
|
if (template.alias) {
|
|
|
|
template = CommonProviderSettings[template.alias];
|
|
|
|
}
|
2016-05-28 05:05:27 +08:00
|
|
|
|
|
|
|
const usernameWithFormat = (format) => {
|
|
|
|
if (format === 'email') {
|
|
|
|
return email
|
|
|
|
}
|
|
|
|
if (format === 'email-without-domain') {
|
|
|
|
return email.split('@').shift();
|
|
|
|
}
|
|
|
|
return undefined;
|
|
|
|
}
|
|
|
|
|
|
|
|
const defaults = {
|
|
|
|
imap_host: template.imap_host,
|
|
|
|
imap_port: template.imap_port || 993,
|
|
|
|
imap_username: usernameWithFormat(template.imap_user_format),
|
2017-08-31 06:24:30 +08:00
|
|
|
imap_password: accountInfo.password,
|
[*] Revamp SSL options (including user-facing)
Summary:
Previously, the generic IMAP auth screen presented one security option to
users: "Require SSL". This was ambiguous and difficult to translate into
the correct security options behind the scenes, causing confusion and problems
connecting some accounts.
This patch does the following:
* Separates security settings for IMAP and SMTP, as these different protocols
may also require different SSL/TLS settings
* Reworks the generic IMAP auth page to allow specifying security settings
with higher fidelity. We looked at various different email apps and decided
that the best solution to this problem was to allow more detailed
specification of security settings and to ease the burden of more options
by having sane defaults that work correctly in the majority of cases.
This new screen allows users to pick from "SSL / TLS", "STARTTLS", or "none"
for the security settings for a protocol, and also to instruct us that
they're OK with us using known insecure SSL settings to connect to their
server by checking a checkbox.
We default to port 993 / SSL/TLS for IMAP and port 587 / STARTTLS for SMTP.
These are the most common settings for providers these days and will work
for most folks.
* Significantly tightens our default security. Now that we can allow folks to
opt-in to bad security, by default we should protect folks as best we can.
* Removes some now-unnecessary jank like specifying the SSLv3 "cipher"
in some custom SMTP configs. I don't think this was actually necessary
as SSLv3 is a protocol and not a valid cipher, but these custom
configs may have been necessary because of how the ssl_required flag was
linked between IMAP and SMTP before (and thus to specify different
settings for SMTP you'd have to override the SMTP config).
* Removes hard-coding of Gmail & Office365 settings in several
locations. (This was a major headache while working on the patch.)
This depends on version 2.0.1 of imap-provider-settings, which has major
breaking changes from version 1.0. See commit for more info:
https://github.com/nylas/imap-provider-settings/commit/9851054f9153476b6896d04893a40b4febc8986e
Among other things, I did a serious audit of the settings in this file and
"upgraded" a few servers which weren't using the SSL-enabled ports for their
provider to the secure ones. Hurray for nmap and openssl.
Test Plan: manual
Reviewers: evan, mark, juan, halla
Reviewed By: juan, halla
Differential Revision: https://phab.nylas.com/D4316
2017-04-06 08:34:13 +08:00
|
|
|
imap_security: template.imap_security || "SSL / TLS",
|
|
|
|
imap_allow_insecure_ssl: template.imap_allow_insecure_ssl || false,
|
2016-05-28 05:05:27 +08:00
|
|
|
smtp_host: template.smtp_host,
|
|
|
|
smtp_port: template.smtp_port || 587,
|
|
|
|
smtp_username: usernameWithFormat(template.smtp_user_format),
|
2017-08-31 06:24:30 +08:00
|
|
|
smtp_password: accountInfo.password,
|
[*] Revamp SSL options (including user-facing)
Summary:
Previously, the generic IMAP auth screen presented one security option to
users: "Require SSL". This was ambiguous and difficult to translate into
the correct security options behind the scenes, causing confusion and problems
connecting some accounts.
This patch does the following:
* Separates security settings for IMAP and SMTP, as these different protocols
may also require different SSL/TLS settings
* Reworks the generic IMAP auth page to allow specifying security settings
with higher fidelity. We looked at various different email apps and decided
that the best solution to this problem was to allow more detailed
specification of security settings and to ease the burden of more options
by having sane defaults that work correctly in the majority of cases.
This new screen allows users to pick from "SSL / TLS", "STARTTLS", or "none"
for the security settings for a protocol, and also to instruct us that
they're OK with us using known insecure SSL settings to connect to their
server by checking a checkbox.
We default to port 993 / SSL/TLS for IMAP and port 587 / STARTTLS for SMTP.
These are the most common settings for providers these days and will work
for most folks.
* Significantly tightens our default security. Now that we can allow folks to
opt-in to bad security, by default we should protect folks as best we can.
* Removes some now-unnecessary jank like specifying the SSLv3 "cipher"
in some custom SMTP configs. I don't think this was actually necessary
as SSLv3 is a protocol and not a valid cipher, but these custom
configs may have been necessary because of how the ssl_required flag was
linked between IMAP and SMTP before (and thus to specify different
settings for SMTP you'd have to override the SMTP config).
* Removes hard-coding of Gmail & Office365 settings in several
locations. (This was a major headache while working on the patch.)
This depends on version 2.0.1 of imap-provider-settings, which has major
breaking changes from version 1.0. See commit for more info:
https://github.com/nylas/imap-provider-settings/commit/9851054f9153476b6896d04893a40b4febc8986e
Among other things, I did a serious audit of the settings in this file and
"upgraded" a few servers which weren't using the SSL-enabled ports for their
provider to the secure ones. Hurray for nmap and openssl.
Test Plan: manual
Reviewers: evan, mark, juan, halla
Reviewed By: juan, halla
Differential Revision: https://phab.nylas.com/D4316
2017-04-06 08:34:13 +08:00
|
|
|
smtp_security: template.smtp_security || "STARTTLS",
|
|
|
|
smtp_allow_insecure_ssl: template.smtp_allow_insecure_ssl || false,
|
2016-05-28 05:05:27 +08:00
|
|
|
}
|
|
|
|
|
2017-08-31 06:24:30 +08:00
|
|
|
return Object.assign({}, accountInfo, defaults);
|
2016-05-28 05:05:27 +08:00
|
|
|
}
|