Compare commits

10 Commits

Author SHA1 Message Date
Bas
672ab3236a Merge pull request #34 from xtr-dev/dev
Add fromName field support to emails collection
2025-09-14 00:10:22 +02:00
c7db65980a Fix security vulnerabilities in fromName field handling
- Add sanitizeDisplayName() method to prevent header injection attacks
- Remove newlines, carriage returns, and control characters from display names
- Fix quote escaping inconsistency between getDefaultFrom() and processEmailItem()
- Create formatEmailAddress() helper method for consistent email formatting
- Add fromName sanitization in sendEmail() function for input validation
- Prevent malformed email headers and potential security issues

Security improvements:
- Header injection prevention (removes \r\n and control characters)
- Consistent quote escaping across all display name usage
- Proper sanitization at both input and output stages

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-09-14 00:07:53 +02:00
624dc12471 Bump package version to 0.1.18 in package.json. 2025-09-14 00:06:14 +02:00
e20ebe27bf Add fromName field support to emails collection
- Add fromName field to Emails collection schema for sender display name
- Update BaseEmailDocument and QueuedEmail interfaces to include fromName
- Add SendEmailTaskInput support for fromName field in job tasks
- Update MailingService to combine fromName and from into proper "Name <email>" format
- Add fromName, from, and replyTo fields to job input schema for admin UI
- Update field copying logic to handle new sender-related fields

Users can now specify a display name for emails (e.g., "John Doe <john@example.com>").

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-09-14 00:03:04 +02:00
Bas
7f04275d39 Merge pull request #33 from xtr-dev/dev
Dev
2025-09-13 23:53:56 +02:00
20afe30e88 Fix scheduledAt type in SendEmailTaskInput and add Date normalization
- Update SendEmailTaskInput.scheduledAt to support string | Date types
- Add Date object normalization to ISO strings in sendEmail processing
- Ensure consistent database storage format for all timestamp fields
- Convert Date objects to ISO strings before database operations

Resolves remaining "Type Date is not assignable to type string" error
for scheduledAt field in job task input.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-09-13 23:53:25 +02:00
02b3fecadf Bump package version to 0.1.17 in package.json. 2025-09-13 23:52:53 +02:00
Bas
ea87f14308 Merge pull request #32 from xtr-dev/dev
Dev
2025-09-13 23:48:28 +02:00
6886027727 Bump package version to 0.1.16 in package.json. 2025-09-13 23:45:39 +02:00
965569be06 Add Date type support for timestamp fields
- Update scheduledAt, sentAt, lastAttemptAt, createdAt, updatedAt fields to support Date | string | null
- Support both Date objects and ISO string formats for all timestamp fields
- Update BaseEmailDocument, BaseEmailTemplateDocument, and QueuedEmail interfaces consistently
- Update documentation to reflect Date object compatibility

Fixes type constraint error where customer timestamp fields use Date objects
but plugin interfaces only supported string formats.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-09-13 23:44:57 +02:00
7 changed files with 113 additions and 110 deletions

@@ -1,93 +0,0 @@
# Using Custom ID Types
The mailing plugin now supports both `string` and `number` ID types. By default, it works with the generic `BaseEmailDocument` interface, but you can provide your own types for full type safety.
## Usage with Your Generated Types
When you have your own generated Payload types (e.g., from `payload generate:types`), you can use them with the mailing plugin:
```typescript
import { sendEmail, BaseEmailDocument } from '@xtr-dev/payload-mailing'
import { Email } from './payload-types' // Your generated types
// Option 1: Use your specific Email type
const email = await sendEmail<Email>(payload, {
template: {
slug: 'welcome',
variables: { name: 'John' }
},
data: {
to: 'user@example.com',
// All your custom fields are now type-safe
}
})
// Option 2: Extend BaseEmailDocument for custom fields
interface MyEmail extends BaseEmailDocument {
customField: string
anotherField?: number
}
const customEmail = await sendEmail<MyEmail>(payload, {
data: {
to: 'user@example.com',
subject: 'Hello',
html: '<p>Hello World</p>',
customField: 'my value', // Type-safe!
}
})
```
## Compatibility
The plugin works with:
- **String IDs**: `id: string`
- **Number IDs**: `id: number`
- **Nullable fields**: Fields can be `null`, `undefined`, or have values
- **Generated types**: Works with `payload generate:types` output
Your Payload configuration determines which types are used. The plugin automatically adapts to your setup.
## Type Definitions
The base interfaces provided by the plugin:
```typescript
// JSON value type that matches Payload's JSON field type
type JSONValue = string | number | boolean | { [k: string]: unknown } | unknown[] | null | undefined
interface BaseEmailDocument {
id: string | number
template?: any
to: string[]
cc?: string[] | null
bcc?: string[] | null
from?: string | null
replyTo?: string | null
subject: string
html: string
text?: string | null
variables?: JSONValue // Supports any JSON-compatible value
scheduledAt?: string | null
sentAt?: string | null
status?: 'pending' | 'processing' | 'sent' | 'failed' | null
attempts?: number | null
lastAttemptAt?: string | null
error?: string | null
priority?: number | null
createdAt?: string | null
updatedAt?: string | null
}
interface BaseEmailTemplateDocument {
id: string | number
name: string
slug: string
subject?: string | null
content?: any
createdAt?: string | null
updatedAt?: string | null
}
```
These provide a foundation that works with any ID type while maintaining type safety for the core email functionality.
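
Review bot: with this file deleted, none of the seven changed files documents the new `fromName` field or the widened `string | Date` timestamp types, although the removed "Type Definitions" section was where `BaseEmailDocument` was described. Either keep the document and update its interface listing, or point to where the replacement lives, and state there that `fromName` is stripped of CR/LF and control characters before use, so integrators know the stored value can differ from what they passed in.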

@@ -1,6 +1,6 @@
{ {
"name": "@xtr-dev/payload-mailing", "name": "@xtr-dev/payload-mailing",
"version": "0.1.15", "version": "0.1.18",
"description": "Template-based email system with scheduling and job processing for PayloadCMS", "description": "Template-based email system with scheduling and job processing for PayloadCMS",
"type": "module", "type": "module",
"main": "dist/index.js", "main": "dist/index.js",

@@ -49,6 +49,13 @@ const Emails: CollectionConfig = {
description: 'Sender email address (optional, uses default if not provided)', description: 'Sender email address (optional, uses default if not provided)',
}, },
}, },
{
name: 'fromName',
type: 'text',
admin: {
description: 'Sender display name (optional, e.g., "John Doe" for "John Doe <john@example.com>")',
},
},
{ {
name: 'replyTo', name: 'replyTo',
type: 'text', type: 'text',
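
Review bot: the new `fromName` field has no `validate` function or length limit, so a document created or edited directly in the collection stores whatever it is given; the cleanup added to `sendEmail()` only runs for callers that go through that function. Output-side sanitization in `MailingService` still applies at send time, but rejecting CR, LF and control characters at the field (a `validate` callback or a `beforeValidate` hook, plus `maxLength`) keeps stored data clean on every write path and gives the admin user an error instead of a name that is changed only at send time.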

@@ -15,7 +15,10 @@ export interface SendEmailTaskInput {
to: string | string[] to: string | string[]
cc?: string | string[] cc?: string | string[]
bcc?: string | string[] bcc?: string | string[]
scheduledAt?: string // ISO date string from?: string
fromName?: string
replyTo?: string
scheduledAt?: string | Date // ISO date string or Date object
priority?: number priority?: number
// Allow any additional fields that users might have in their email collection // Allow any additional fields that users might have in their email collection
@@ -39,7 +42,7 @@ function transformTaskInputToSendEmailOptions(taskInput: SendEmailTaskInput) {
} }
// Standard email fields that should be copied to data // Standard email fields that should be copied to data
const standardFields = ['to', 'cc', 'bcc', 'subject', 'html', 'text', 'scheduledAt', 'priority'] const standardFields = ['to', 'cc', 'bcc', 'from', 'fromName', 'replyTo', 'subject', 'html', 'text', 'scheduledAt', 'priority']
// Template-specific fields that should not be copied to data // Template-specific fields that should not be copied to data
const templateFields = ['templateSlug', 'variables'] const templateFields = ['templateSlug', 'variables']
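
Review bot: `standardFields` now copies `from`, `fromName` and `replyTo` from job input into `data`, but of these only `fromName` gets sanitization anywhere in this diff, and `from` is validated only in a context line of the `sendEmail()` hunk. Please confirm that `replyTo` passes the same address validation as `from` before it is stored, and add that check if it does not, since it is header-bound input just like `fromName`.
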
@@ -135,6 +138,30 @@ export const sendEmailJob = {
description: 'Optional comma-separated list of BCC email addresses' description: 'Optional comma-separated list of BCC email addresses'
} }
}, },
{
name: 'from',
type: 'text' as const,
label: 'From Email',
admin: {
description: 'Optional sender email address (uses default if not provided)'
}
},
{
name: 'fromName',
type: 'text' as const,
label: 'From Name',
admin: {
description: 'Optional sender display name (e.g., "John Doe")'
}
},
{
name: 'replyTo',
type: 'text' as const,
label: 'Reply To',
admin: {
description: 'Optional reply-to email address'
}
},
{ {
name: 'scheduledAt', name: 'scheduledAt',
type: 'date' as const, type: 'date' as const,

@@ -100,6 +100,34 @@ export const sendEmail = async <TEmail extends BaseEmailDocument = BaseEmailDocu
emailData.from = validated && validated.length > 0 ? validated[0] : undefined emailData.from = validated && validated.length > 0 ? validated[0] : undefined
} }
// Sanitize fromName to prevent header injection
if (emailData.fromName && emailData.fromName !== null) {
emailData.fromName = emailData.fromName
.trim()
// Remove/replace newlines and carriage returns to prevent header injection
.replace(/[\r\n]/g, ' ')
// Remove control characters (except space and printable characters)
.replace(/[\x00-\x1F\x7F-\x9F]/g, '')
// Note: We don't escape quotes here as that's handled in MailingService
}
// Normalize Date objects to ISO strings for consistent database storage
if (emailData.scheduledAt instanceof Date) {
emailData.scheduledAt = emailData.scheduledAt.toISOString()
}
if (emailData.sentAt instanceof Date) {
emailData.sentAt = emailData.sentAt.toISOString()
}
if (emailData.lastAttemptAt instanceof Date) {
emailData.lastAttemptAt = emailData.lastAttemptAt.toISOString()
}
if (emailData.createdAt instanceof Date) {
emailData.createdAt = emailData.createdAt.toISOString()
}
if (emailData.updatedAt instanceof Date) {
emailData.updatedAt = emailData.updatedAt.toISOString()
}
// Create the email in the collection with proper typing // Create the email in the collection with proper typing
const email = await payload.create({ const email = await payload.create({
collection: collectionSlug, collection: collectionSlug,
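
Review bot: the `fromName` cleanup here repeats by hand the `trim()` and the two `replace()` calls of `MailingService.sanitizeDisplayName()`, so the two copies can drift apart; export one shared helper (without the quote escaping) and call it from both places. In the same block, `emailData.fromName !== null` is redundant after the truthiness test, and a `typeof emailData.fromName === 'string'` guard would be safer because a non-string value would throw on `.trim()`. The five `instanceof Date` blocks that follow could be a single loop over the timestamp field names.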

@@ -63,15 +63,39 @@ export class MailingService implements IMailingService {
} }
} }
/**
* Sanitizes a display name for use in email headers to prevent header injection
* and ensure proper formatting
*/
private sanitizeDisplayName(name: string): string {
return name
.trim()
// Remove/replace newlines and carriage returns to prevent header injection
.replace(/[\r\n]/g, ' ')
// Remove control characters (except space and printable characters)
.replace(/[\x00-\x1F\x7F-\x9F]/g, '')
// Escape quotes to prevent malformed headers
.replace(/"/g, '\\"')
}
/**
* Formats an email address with optional display name
*/
private formatEmailAddress(email: string, displayName?: string | null): string {
if (displayName && displayName.trim()) {
const sanitizedName = this.sanitizeDisplayName(displayName)
return `"${sanitizedName}" <${email}>`
}
return email
}
private getDefaultFrom(): string { private getDefaultFrom(): string {
const fromEmail = this.config.defaultFrom const fromEmail = this.config.defaultFrom
const fromName = this.config.defaultFromName const fromName = this.config.defaultFromName
// Check if fromName exists, is not empty after trimming, and fromEmail exists // Check if fromName exists, is not empty after trimming, and fromEmail exists
if (fromName && fromName.trim() && fromEmail) { if (fromName && fromName.trim() && fromEmail) {
// Escape quotes in the display name to prevent malformed headers return this.formatEmailAddress(fromEmail, fromName)
const escapedName = fromName.replace(/"/g, '\\"')
return `"${escapedName}" <${fromEmail}>`
} }
return fromEmail || '' return fromEmail || ''
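
Review bot: `sanitizeDisplayName()` escapes `"` but not `\`, so inside the quoted string built by `formatEmailAddress()` a backslash already present in the name pairs with the character after it: a name ending in `\` turns the closing quote into an escaped one, and an existing `\"` becomes `\\"`, which ends the quoted string early. Escape backslashes first (`.replace(/\\/g, '\\\\')` before the quote replace), or pass nodemailer an address object (`{ name, address }`) and let the library do the encoding. Also, `formatEmailAddress()` tests `displayName.trim()` before sanitizing, so a name made only of control characters yields `"" <email>`; test the sanitized value instead. `email` is interpolated into `<${email}>` unchanged, so this helper relies on every caller having validated the address.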
@@ -238,8 +262,16 @@ export class MailingService implements IMailingService {
id: emailId, id: emailId,
}) as BaseEmailDocument }) as BaseEmailDocument
// Combine from and fromName for nodemailer using proper sanitization
let fromField: string
if (email.from) {
fromField = this.formatEmailAddress(email.from, email.fromName)
} else {
fromField = this.getDefaultFrom()
}
const mailOptions = { const mailOptions = {
from: email.from, from: fromField,
to: email.to, to: email.to,
cc: email.cc || undefined, cc: email.cc || undefined,
bcc: email.bcc || undefined, bcc: email.bcc || undefined,
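
Review bot: in the new `if (email.from)` branch a per-email `fromName` is used only when `email.from` is also set; with `from` empty the code falls back to `getDefaultFrom()` and the stored `fromName` is dropped without notice. Decide whether `fromName` should combine with `config.defaultFrom` in that case, or document that it requires `from`. Note too that `getDefaultFrom()` can return `''`, so `mailOptions.from` may now be an empty string where it previously carried `email.from` as stored; fail early with a clear error when no sender can be resolved.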

@@ -13,20 +13,21 @@ export interface BaseEmailDocument {
cc?: string[] | null cc?: string[] | null
bcc?: string[] | null bcc?: string[] | null
from?: string | null from?: string | null
fromName?: string | null
replyTo?: string | null replyTo?: string | null
subject: string subject: string
html: string html: string
text?: string | null text?: string | null
variables?: JSONValue variables?: JSONValue
scheduledAt?: string | null scheduledAt?: string | Date | null
sentAt?: string | null sentAt?: string | Date | null
status?: 'pending' | 'processing' | 'sent' | 'failed' | null status?: 'pending' | 'processing' | 'sent' | 'failed' | null
attempts?: number | null attempts?: number | null
lastAttemptAt?: string | null lastAttemptAt?: string | Date | null
error?: string | null error?: string | null
priority?: number | null priority?: number | null
createdAt?: string | null createdAt?: string | Date | null
updatedAt?: string | null updatedAt?: string | Date | null
} }
export interface BaseEmailTemplateDocument { export interface BaseEmailTemplateDocument {
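
Review bot: widening `scheduledAt`, `sentAt`, `lastAttemptAt`, `createdAt` and `updatedAt` to `string | Date | null` on `BaseEmailDocument` means every reader of a stored document must now narrow the type, even though `sendEmail()` converts `Date` values to ISO strings before `payload.create()`. Consider keeping the stored-document interface as `string | null` and accepting `Date` only on the input type, so the normalization guarantee is visible in the types.
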
@@ -35,8 +36,8 @@ export interface BaseEmailTemplateDocument {
slug: string slug: string
subject?: string | null subject?: string | null
content?: any content?: any
createdAt?: string | null createdAt?: string | Date | null
updatedAt?: string | null updatedAt?: string | Date | null
} }
export type BaseEmail<TEmail extends BaseEmailDocument = BaseEmailDocument, TEmailTemplate extends BaseEmailTemplateDocument = BaseEmailTemplateDocument> = Omit<TEmail, 'id' | 'template'> & {template: Omit<TEmailTemplate, 'id'> | TEmailTemplate['id'] | undefined | null} export type BaseEmail<TEmail extends BaseEmailDocument = BaseEmailDocument, TEmailTemplate extends BaseEmailTemplateDocument = BaseEmailTemplateDocument> = Omit<TEmail, 'id' | 'template'> & {template: Omit<TEmailTemplate, 'id'> | TEmailTemplate['id'] | undefined | null}
@@ -83,16 +84,17 @@ export interface QueuedEmail {
cc?: string[] | null cc?: string[] | null
bcc?: string[] | null bcc?: string[] | null
from?: string | null from?: string | null
fromName?: string | null
replyTo?: string | null replyTo?: string | null
subject: string subject: string
html: string html: string
text?: string | null text?: string | null
variables?: JSONValue variables?: JSONValue
scheduledAt?: string | null scheduledAt?: string | Date | null
sentAt?: string | null sentAt?: string | Date | null
status: 'pending' | 'processing' | 'sent' | 'failed' status: 'pending' | 'processing' | 'sent' | 'failed'
attempts: number attempts: number
lastAttemptAt?: string | null lastAttemptAt?: string | Date | null
error?: string | null error?: string | null
priority?: number | null priority?: number | null
createdAt: string createdAt: string
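
Review bot: in `QueuedEmail` the optional timestamps are widened to `string | Date | null`, but the context line `createdAt: string` is left as is, which does not match the commit's stated aim of updating the timestamp fields consistently across the interfaces. Either widen it as well or add a comment saying why `createdAt` stays a plain string on queued items.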