Make email publishing work, when access-control is enabled

[tamcore]

This will fix #420, by allowing emails in the format ${prefix}-${topic}+${token}@${host}, so the user can pass a token with write-permissions to the defined topic.

A container image to test it with is available via ghcr.io/tamcore/ntfy:v2.0.1@sha256:e6616f3531f9960da1f0ea918feb73faa8ffa0794a58d0d606eb131f911a7650

---

Tests

Without token

root@ubuntu:/# cat << EOC | nc -N ntfy.ntfy.svc.cluster.local 2525
> EHLO example.com
> MAIL FROM: phil@example.com
> RCPT TO: ntfy-mytopic@ntfy.ntfy.svc.cluster.local
> DATA
> Subject: Email for you
> Content-Type: text/plain; charset="UTF-8"
>
> Hello from 🇩🇪
> .
> EOC
220 ntfy.ntfy.svc.cluster.local ESMTP Service Ready
250-Hello example.com
250-PIPELINING
250-8BITMIME
250-ENHANCEDSTATUSCODES
250-CHUNKING
250-AUTH PLAIN
250 SIZE 1048576
250 2.0.0 Roger, accepting mail from <phil@example.com>
250 2.0.0 I'll make sure <ntfy-mytopic@ntfy.ntfy.svc.cluster.local> gets this
354 2.0.0 Go ahead. End your data with <CR><LF>.<CR><LF>
554 5.0.0 Error: transaction failed, blame it on the weather: error: {"code":40301,"http":403,"error":"forbidden","link":"https://ntfy.sh/docs/publish/#authentication"}

With invalid token

root@ubuntu:/# cat << EOC | nc -N ntfy.ntfy.svc.cluster.local 2525
> EHLO example.com
> MAIL FROM: phil@example.com
> RCPT TO: ntfy-mytopic+tk_invalidtoken@ntfy.ntfy.svc.cluster.local
> DATA
> Subject: Email for you
> Content-Type: text/plain; charset="UTF-8"
>
> Hello from 🇩🇪
> .
> EOC
220 ntfy.ntfy.svc.cluster.local ESMTP Service Ready
250-Hello example.com
250-PIPELINING
250-8BITMIME
250-ENHANCEDSTATUSCODES
250-CHUNKING
250-AUTH PLAIN
250 SIZE 1048576
250 2.0.0 Roger, accepting mail from <phil@example.com>
250 2.0.0 I'll make sure <ntfy-mytopic+tk_invalidtoken@ntfy.ntfy.svc.cluster.local> gets this
354 2.0.0 Go ahead. End your data with <CR><LF>.<CR><LF>
554 5.0.0 Error: transaction failed, blame it on the weather: error: {"code":40101,"http":401,"error":"unauthorized","link":"https://ntfy.sh/docs/publish/#authentication"}

With valid token

root@ubuntu:/# cat << EOC | nc -N ntfy.ntfy.svc.cluster.local 2525
> EHLO example.com
> MAIL FROM: phil@example.com
> RCPT TO: ntfy-mytopic+tk_JhbsnoMrgy2FcfHeofv97Pi5uXaZZ@ntfy.ntfy.svc.cluster.local
> DATA
> Subject: Email for you
> Content-Type: text/plain; charset="UTF-8"
>
> Hello from 🇩🇪
> .
> EOC
220 ntfy.ntfy.svc.cluster.local ESMTP Service Ready
250-Hello example.com
250-PIPELINING
250-8BITMIME
250-ENHANCEDSTATUSCODES
250-CHUNKING
250-AUTH PLAIN
250 SIZE 1048576
250 2.0.0 Roger, accepting mail from <phil@example.com>
250 2.0.0 I'll make sure <ntfy-mytopic+tk_JhbsnoMrgy2FcfHeofv97Pi5uXaZZ@ntfy.ntfy.svc.cluster.local> gets this
354 2.0.0 Go ahead. End your data with <CR><LF>.<CR><LF>
250 2.0.0 OK: queued

[binwiederhier]

This is fantastic. Could you add a unit test for this?

[tamcore]

Could you add a unit test for this?

Unfortunately struggling a bit with this bit, as i can't figure out how to mock the full app with enabled ACLs, so i can test for valid/invalid token. If ACL is disabled, it doesn't seem to care about the presence of a valid/invalid token.

[binwiederhier]

I don't think you need to do a full end to end test with this. Just one like the other SMTP tests. Just make sure that the auth header with the token gets to the handler function. Like in the other SMTP tests.

[tamcore]

Gotcha! PR updated :)

[binwiederhier]

Looks fantastic. Thanks for your contribution!

[chrisjameschamp]

This is not working for me on 2.1.1

I get "Unrouteable address" error when attaching my token and without it I get a 403 error