From 78b1cfccac4457b37f8727c96b5910204e133bd6 Mon Sep 17 00:00:00 2001
From: Weston Haught <whaught@google.com>
Date: Mon, 12 Oct 2020 20:19:30 -0700
Subject: [PATCH 01/31] starting email template

---
 cmd/server/assets/realmadmin/_form_email.html | 89 +++++++++++++++++++
 cmd/server/assets/realmadmin/edit.html        |  6 ++
 2 files changed, 95 insertions(+)
 create mode 100644 cmd/server/assets/realmadmin/_form_email.html

diff --git a/cmd/server/assets/realmadmin/_form_email.html b/cmd/server/assets/realmadmin/_form_email.html
new file mode 100644
index 000000000..02bab4456
--- /dev/null
+++ b/cmd/server/assets/realmadmin/_form_email.html
@@ -0,0 +1,89 @@
+{{define "realmadmin/_form_email"}}
+
+{{$realm := .realm}}
+{{$smsConfig := .smsConfig}}
+{{$countries := .countries}}
+
+<p class="mb-4">
+  These are the settings for configuring an email provider. The verification server
+  may use this email account to send invitations, password resets, and account-verifications
+  for the realm.
+</p>
+
+<form method="POST" action="/realm/settings#email" class="floating-form">
+  {{ .csrfField }}
+  <input type="hidden" name="email" value="1" />
+
+  {{if $realm.CanUseSystemSMSConfig}}
+    {{if $realm.UseSystemSMSConfig}}
+      <div class="alert alert-danger">
+        <strong>Warning!</strong> You are currently using the system-provided
+        SMS configuration. Specifying values below will override the system
+        configuration to use your supplied credentials.
+      </div>
+    {{end}}
+
+    <div class="form-group form-check">
+      <input type="checkbox" name="use_system_sms_config" id="use-system-sms-config" class="form-check-input" value="1" {{if $realm.UseSystemSMSConfig}} checked{{end}}
+        data-toggle="collapse" data-target="#sms-form">
+      <label class="form-check-label" for="use-system-sms-config">
+        Use system SMS configuration
+      </label>
+    </div>
+  {{end}}
+
+  <div id="email-form" class="collapse{{if not $realm.UseSystemSMSConfig}} show{{end}}">
+    <div class="form-label-group">
+      <input type="text" name="email_account" id="email-account" class="form-control text-monospace{{if $smsConfig.ErrorsFor "emailAccount"}} is-invalid{{end}}"
+        placeholder="SMTP account" value="{{if $smsConfig}}{{$smsConfig.TwilioAccountSid}}{{end}}" />
+      <label for="email-account">SMTP account</label>
+      {{template "errorable" $smsConfig.ErrorsFor "emailAccount"}}
+      <small class="form-text text-muted">
+        This is the SMTP email account eg. noreply@myrealm.com
+      </small>
+    </div>
+
+    <div class="form-label-group">
+      <div class="input-group">
+        <input type="password" name="smtp_password" id="smtp-password" class="form-control text-monospace{{if $smsConfig.ErrorsFor "twilioAuthToken"}} is-invalid{{end}}" autocomplete="new-password"
+          placeholder="SMTP password" value="{{if $smsConfig}}{{$smsConfig.TwilioAuthToken}}{{end}}">
+        <label for="smtp-password">SMTP password</label>
+        <div class="input-group-append">
+          <a class="input-group-text" data-toggle-password="smtp-password">
+            <span class="oi oi-lock-locked" aria-hidden="true"></span>
+          </a>
+        </div>
+      </div>
+      {{template "errorable" $smsConfig.ErrorsFor "twilioAuthToken"}}
+      <small class="form-text text-muted">
+        This is the password for your SMTP email.
+      </small>
+    </div>
+
+    <div class="form-label-group">
+      <input name="smtp_host" id="smtp-host" class="form-control text-monospace{{if $smsConfig.ErrorsFor "twilioFromNumber"}} is-invalid{{end}}" autocomplete="new-password"
+        placeholder="SMTP host" value="{{if $smsConfig}}{{$smsConfig.TwilioFromNumber}}{{end}}" />
+      <label for="smtp-port">SMTP host</label>
+      {{template "errorable" $smsConfig.ErrorsFor "smtpHost"}}
+      <small class="form-text text-muted">
+        SMTP host is the hostname for the SMTP server.
+      </small>
+    </div>
+
+    <div class="form-label-group">
+      <input name="twilio_from_number" id="twilio-from-number" class="form-control text-monospace{{if $smsConfig.ErrorsFor "twilioFromNumber"}} is-invalid{{end}}" autocomplete="new-password"
+        placeholder="SMTP port" value="{{if $smsConfig}}{{$smsConfig.TwilioFromNumber}}{{end}}" />
+      <label for="twilio-from-number">SMTP port</label>
+      {{template "errorable" $smsConfig.ErrorsFor "smtpPort"}}
+      <small class="form-text text-muted">
+        SMTP port is the port number to connect to.
+      </small>
+    </div>
+  </div>
+
+  <div class="mt-4">
+    <input type="submit" class="btn btn-primary btn-block" value="Update Email settings" />
+  </div>
+</form>
+
+{{end}}
diff --git a/cmd/server/assets/realmadmin/edit.html b/cmd/server/assets/realmadmin/edit.html
index 0f7980b1c..637031b1c 100644
--- a/cmd/server/assets/realmadmin/edit.html
+++ b/cmd/server/assets/realmadmin/edit.html
@@ -39,6 +39,9 @@ <h1>Realm settings</h1>
           <li class="nav-item" role="presentation">
             <a class="nav-link" id="sms-tab" data-toggle="tab" href="#sms" role="tab" aria-controls="sms" aria-selected="false">SMS</a>
           </li>
+          <li class="nav-item" role="presentation">
+            <a class="nav-link" id="sms-email" data-toggle="tab" href="#email" role="tab" aria-controls="email" aria-selected="false">Email</a>
+          </li>
           <li class="nav-item" role="presentation">
             <a class="nav-link" id="security-tab" data-toggle="tab" href="#security" role="tab" aria-controls="security" aria-selected="false">Security</a>
           </li>
@@ -64,6 +67,9 @@ <h1>Realm settings</h1>
           <div class="tab-pane" id="sms" role="tabpanel" aria-labelledby="sms-tab">
             {{template "realmadmin/_form_sms" .}}
           </div>
+          <div class="tab-pane" id="email" role="tabpanel" aria-labelledby="email-tab">
+            {{template "realmadmin/_form_email" .}}
+          </div>
           <div class="tab-pane" id="security" role="tabpanel" aria-labelledby="security-tab">
             {{template "realmadmin/_form_security" .}}
           </div>

From 6cf444d315c05ee93f6d0fd8faa12069b7cc52cd Mon Sep 17 00:00:00 2001
From: Weston Haught <whaught@google.com>
Date: Tue, 13 Oct 2020 19:46:23 -0700
Subject: [PATCH 02/31] first thing

---
 cmd/server/assets/realmadmin/_form_email.html |  50 +++---
 pkg/database/database.go                      |   9 ++
 pkg/database/email_config.go                  | 115 +++++++++++++
 pkg/database/email_config_test.go             | 152 ++++++++++++++++++
 4 files changed, 301 insertions(+), 25 deletions(-)
 create mode 100644 pkg/database/email_config.go
 create mode 100644 pkg/database/email_config_test.go

diff --git a/cmd/server/assets/realmadmin/_form_email.html b/cmd/server/assets/realmadmin/_form_email.html
index 02bab4456..d1b285645 100644
--- a/cmd/server/assets/realmadmin/_form_email.html
+++ b/cmd/server/assets/realmadmin/_form_email.html
@@ -1,11 +1,11 @@
 {{define "realmadmin/_form_email"}}
 
 {{$realm := .realm}}
-{{$smsConfig := .smsConfig}}
+{{$emailConfig := .smtpConfig}}
 {{$countries := .countries}}
 
 <p class="mb-4">
-  These are the settings for configuring an email provider. The verification server
+  These are the settings for configuring an SMTP email provider. The verification server
   may use this email account to send invitations, password resets, and account-verifications
   for the realm.
 </p>
@@ -14,30 +14,30 @@
   {{ .csrfField }}
   <input type="hidden" name="email" value="1" />
 
-  {{if $realm.CanUseSystemSMSConfig}}
-    {{if $realm.UseSystemSMSConfig}}
+  {{if $realm.CanUseSystemSMTPConfig}}
+    {{if $realm.UseSystemSMTPConfig}}
       <div class="alert alert-danger">
         <strong>Warning!</strong> You are currently using the system-provided
-        SMS configuration. Specifying values below will override the system
+        SMTP email configuration. Specifying values below will override the system
         configuration to use your supplied credentials.
       </div>
     {{end}}
 
     <div class="form-group form-check">
-      <input type="checkbox" name="use_system_sms_config" id="use-system-sms-config" class="form-check-input" value="1" {{if $realm.UseSystemSMSConfig}} checked{{end}}
-        data-toggle="collapse" data-target="#sms-form">
-      <label class="form-check-label" for="use-system-sms-config">
-        Use system SMS configuration
+      <input type="checkbox" name="use_system_smtp_config" id="use-system-smtp-config" class="form-check-input" value="1" {{if $realm.UseSystemSMTPConfig}} checked{{end}}
+        data-toggle="collapse" data-target="#smtp-form">
+      <label class="form-check-label" for="use-system-smtp-config">
+        Use system SMTP configuration
       </label>
     </div>
   {{end}}
 
-  <div id="email-form" class="collapse{{if not $realm.UseSystemSMSConfig}} show{{end}}">
+  <div id="smtp-form" class="collapse{{if not $realm.UseSystemSMSConfig}} show{{end}}">
     <div class="form-label-group">
-      <input type="text" name="email_account" id="email-account" class="form-control text-monospace{{if $smsConfig.ErrorsFor "emailAccount"}} is-invalid{{end}}"
-        placeholder="SMTP account" value="{{if $smsConfig}}{{$smsConfig.TwilioAccountSid}}{{end}}" />
-      <label for="email-account">SMTP account</label>
-      {{template "errorable" $smsConfig.ErrorsFor "emailAccount"}}
+      <input type="text" name="smtp_account" id="smtp-account" class="form-control text-monospace{{if $emailConfig.ErrorsFor "smtpAccount"}} is-invalid{{end}}"
+        placeholder="SMTP account" value="{{if $emailConfig}}{{$emailConfig.SMTPAccount}}{{end}}" />
+      <label for="smtp-account">SMTP account</label>
+      {{template "errorable" $emailConfig.ErrorsFor "smtpAccount"}}
       <small class="form-text text-muted">
         This is the SMTP email account eg. noreply@myrealm.com
       </small>
@@ -45,8 +45,8 @@
 
     <div class="form-label-group">
       <div class="input-group">
-        <input type="password" name="smtp_password" id="smtp-password" class="form-control text-monospace{{if $smsConfig.ErrorsFor "twilioAuthToken"}} is-invalid{{end}}" autocomplete="new-password"
-          placeholder="SMTP password" value="{{if $smsConfig}}{{$smsConfig.TwilioAuthToken}}{{end}}">
+        <input type="password" name="smtp_password" id="smtp-password" class="form-control text-monospace{{if $emailConfig.ErrorsFor "smtpPassword"}} is-invalid{{end}}" autocomplete="new-password"
+          placeholder="SMTP password" value="{{if $emailConfig}}{{$emailConfig.SMTPPassword}}{{end}}">
         <label for="smtp-password">SMTP password</label>
         <div class="input-group-append">
           <a class="input-group-text" data-toggle-password="smtp-password">
@@ -54,27 +54,27 @@
           </a>
         </div>
       </div>
-      {{template "errorable" $smsConfig.ErrorsFor "twilioAuthToken"}}
+      {{template "errorable" $emailConfig.ErrorsFor "smtpPassword"}}
       <small class="form-text text-muted">
         This is the password for your SMTP email.
       </small>
     </div>
 
     <div class="form-label-group">
-      <input name="smtp_host" id="smtp-host" class="form-control text-monospace{{if $smsConfig.ErrorsFor "twilioFromNumber"}} is-invalid{{end}}" autocomplete="new-password"
-        placeholder="SMTP host" value="{{if $smsConfig}}{{$smsConfig.TwilioFromNumber}}{{end}}" />
+      <input name="smtp_host" id="smtp-host" class="form-control text-monospace{{if $emailConfig.ErrorsFor "smtpPort"}} is-invalid{{end}}"
+        placeholder="SMTP host" value="{{if $emailConfig}}{{$emailConfig.SMTPHost}}{{end}}" />
       <label for="smtp-port">SMTP host</label>
-      {{template "errorable" $smsConfig.ErrorsFor "smtpHost"}}
+      {{template "errorable" $emailConfig.ErrorsFor "smtpHost"}}
       <small class="form-text text-muted">
         SMTP host is the hostname for the SMTP server.
       </small>
     </div>
 
     <div class="form-label-group">
-      <input name="twilio_from_number" id="twilio-from-number" class="form-control text-monospace{{if $smsConfig.ErrorsFor "twilioFromNumber"}} is-invalid{{end}}" autocomplete="new-password"
-        placeholder="SMTP port" value="{{if $smsConfig}}{{$smsConfig.TwilioFromNumber}}{{end}}" />
-      <label for="twilio-from-number">SMTP port</label>
-      {{template "errorable" $smsConfig.ErrorsFor "smtpPort"}}
+      <input name="smtp_port" id="smtp-port" class="form-control text-monospace{{if $emailConfig.ErrorsFor "smtpPort"}} is-invalid{{end}}"
+        placeholder="SMTP port" value="{{if $emailConfig}}{{$emailConfig.SMTPPort}}{{end}}" />
+      <label for="smtp-port">SMTP port</label>
+      {{template "errorable" $emailConfig.ErrorsFor "smtpPort"}}
       <small class="form-text text-muted">
         SMTP port is the port number to connect to.
       </small>
@@ -82,7 +82,7 @@
   </div>
 
   <div class="mt-4">
-    <input type="submit" class="btn btn-primary btn-block" value="Update Email settings" />
+    <input type="submit" class="btn btn-primary btn-block" value="Update SMTP settings" />
   </div>
 </form>
 
diff --git a/pkg/database/database.go b/pkg/database/database.go
index a76145ec4..f1eab568f 100644
--- a/pkg/database/database.go
+++ b/pkg/database/database.go
@@ -196,6 +196,15 @@ func (db *Database) OpenWithCacher(ctx context.Context, cacher cache.Cacher) err
 
 	rawDB.Callback().Query().After("gorm:after_query").Register("sms_configs:decrypt", callbackKMSDecrypt(ctx, db.keyManager, c.EncryptionKey, "sms_configs", "TwilioAuthToken"))
 
+	// Email configs
+	rawDB.Callback().Create().Before("gorm:create").Register("email_configs:encrypt", callbackKMSEncrypt(ctx, db.keyManager, c.EncryptionKey, "email_configs", "SMTPPassword"))
+	rawDB.Callback().Create().After("gorm:create").Register("email_configs:decrypt", callbackKMSDecrypt(ctx, db.keyManager, c.EncryptionKey, "email_configs", "SMTPPassword"))
+
+	rawDB.Callback().Update().Before("gorm:update").Register("email_configs:encrypt", callbackKMSEncrypt(ctx, db.keyManager, c.EncryptionKey, "email_configs", "SMTPPassword"))
+	rawDB.Callback().Update().After("gorm:update").Register("email_configs:decrypt", callbackKMSDecrypt(ctx, db.keyManager, c.EncryptionKey, "email_configs", "SMTPPassword"))
+
+	rawDB.Callback().Query().After("gorm:after_query").Register("email_configs:decrypt", callbackKMSDecrypt(ctx, db.keyManager, c.EncryptionKey, "email_configs", "SMTPPassword"))
+
 	// Verification codes
 	rawDB.Callback().Create().Before("gorm:create").Register("verification_codes:hmac_code", callbackHMAC(ctx, db.GenerateVerificationCodeHMAC, "verification_codes", "code"))
 	rawDB.Callback().Create().Before("gorm:create").Register("verification_codes:hmac_long_code", callbackHMAC(ctx, db.GenerateVerificationCodeHMAC, "verification_codes", "long_code"))
diff --git a/pkg/database/email_config.go b/pkg/database/email_config.go
new file mode 100644
index 000000000..5c659226c
--- /dev/null
+++ b/pkg/database/email_config.go
@@ -0,0 +1,115 @@
+// Copyright 2020 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package database
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/google/exposure-notifications-verification-server/pkg/email"
+	"github.com/jinzhu/gorm"
+)
+
+// EmailConfig represents and email configuration.
+type EmailConfig struct {
+	gorm.Model
+	Errorable
+
+	// email Config belongs to exactly one realm.
+	RealmID uint
+
+	// ProviderType is the email provider type - it's used to determine the
+	// underlying configuration.
+	ProviderType email.ProviderType `gorm:"type:varchar(100)"`
+
+	SMTPAccount string `gorm:"type:varchar(250)"`
+	SMTPHost    string `gorm:"type:varchar(250)"`
+	SMTPPort    string `gorm:"type:varchar(250)"`
+
+	// TwilioAuthToken is encrypted/decrypted automatically by callbacks. The
+	// cache fields exist as optimizations.
+	SMTPPassword                string `gorm:"type:varchar(250)"`
+	SMTPPasswordPlaintextCache  string `gorm:"-"`
+	SMTPPasswordCiphertextCache string `gorm:"-"`
+
+	// IsSystem determines if this is a system-level email configuration. There can
+	// only be one system-level email configuration.
+	IsSystem bool `gorm:"type:bool; not null; default:false;"`
+}
+
+func (s *EmailConfig) BeforeSave(tx *gorm.DB) error {
+	// Twilio config is all or nothing
+	if (s.TwilioAccountSid != "" || s.TwilioAuthToken != "" || s.TwilioFromNumber != "") &&
+		(s.TwilioAccountSid == "" || s.TwilioAuthToken == "" || s.TwilioFromNumber == "") {
+		s.AddError("twilioAccountSid", "all must be specified or all must be blank")
+		s.AddError("twilioAuthToken", "all must be specified or all must be blank")
+		s.AddError("twilioFromNumber", "all must be specified or all must be blank")
+	}
+
+	if len(s.Errors()) > 0 {
+		return fmt.Errorf("email config validation failed: %s", strings.Join(s.ErrorMessages(), ", "))
+	}
+	return nil
+}
+
+// SystemEmailConfig returns the system email config, if one exists
+func (db *Database) SystemEmailConfig() (*EmailConfig, error) {
+	var emailConfig emailConfig
+	if err := db.db.
+		Model(&EmailConfig{}).
+		Where("is_system IS TRUE").
+		First(&emailConfig).
+		Error; err != nil {
+		return nil, err
+	}
+	return &emailConfig, nil
+}
+
+// SaveEmailConfig creates or updates an email configuration record.
+func (db *Database) SaveEmailConfig(s *EmailConfig) error {
+	if s.TwilioAccountSid == "" && s.TwilioAuthToken == "" && s.TwilioFromNumber == "" {
+		if db.db.NewRecord(s) {
+			// The fields are all blank, do not create the record.
+			return nil
+		}
+
+		if s.IsSystem {
+			// We're about to delete the system email config, revoke everyone's
+			// permissions to use it. You would think there'd be a way to do this with
+			// gorm natively. You'd even find an example in the documentation that led
+			// you to believe that gorm does this.
+			//
+			// Narrator: gorm does not do this.
+			if err := db.db.
+				Exec(`UPDATE realms SET can_use_system_email_config = FALSE, use_system_email_config = FALSE`).
+				Error; err != nil {
+				return err
+			}
+		}
+
+		// The fields were blank, delete the email config.
+		return db.db.Unscoped().Delete(s).Error
+	}
+
+	if db.db.NewRecord(s) {
+		return db.db.Create(s).Error
+	}
+	return db.db.Save(s).Error
+}
+
+// DeleteEmailConfig removes an email configuration record.
+func (db *Database) DeleteEmailConfig(s *EmailConfig) error {
+	return db.db.Unscoped().Delete(s).Error
+}
diff --git a/pkg/database/email_config_test.go b/pkg/database/email_config_test.go
new file mode 100644
index 000000000..7b737cd99
--- /dev/null
+++ b/pkg/database/email_config_test.go
@@ -0,0 +1,152 @@
+// Copyright 2020 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package database
+
+import (
+	"testing"
+
+	"github.com/google/exposure-notifications-verification-server/pkg/sms"
+)
+
+func TestSMSConfig_Lifecycle(t *testing.T) {
+	t.Parallel()
+
+	db := NewTestDatabase(t)
+
+	// Create realm
+	realmName := t.Name()
+	realm, err := db.CreateRealm(realmName)
+	if err != nil {
+		t.Fatalf("unable to cerate test realm: %v", err)
+	}
+
+	// Initial config should be nil
+	{
+		got, err := realm.SMSConfig(db)
+		if !IsNotFound(err) {
+			t.Errorf("expected %#v to be %#v", err, "not found")
+		}
+		if got != nil {
+			t.Errorf("expected %#v to be %#v", got, nil)
+		}
+	}
+
+	// Create SMS config on the realm
+	smsConfig := &SMSConfig{
+		RealmID:          realm.ID,
+		ProviderType:     sms.ProviderType("TWILIO"),
+		TwilioAccountSid: "abc123",
+		TwilioAuthToken:  "def123",
+		TwilioFromNumber: "+11234567890",
+	}
+	if err := db.SaveSMSConfig(smsConfig); err != nil {
+		t.Fatal(err)
+	}
+
+	// Get the realm to verify SMS configs are NOT preloaded
+	realm, err = db.FindRealm(realm.ID)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Load the SMS config
+	{
+		got, err := realm.SMSConfig(db)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if got == nil {
+			t.Fatalf("expected SMSConfig, got %#v", got)
+		}
+
+		if got, want := got.ID, smsConfig.ID; got != want {
+			t.Errorf("expected %#v to be %#v", got, want)
+		}
+		if got, want := got.RealmID, smsConfig.RealmID; got != want {
+			t.Errorf("expected %#v to be %#v", got, want)
+		}
+		if got, want := got.ProviderType, smsConfig.ProviderType; got != want {
+			t.Errorf("expected %#v to be %#v", got, want)
+		}
+		if got, want := got.TwilioAccountSid, smsConfig.TwilioAccountSid; got != want {
+			t.Errorf("expected %#v to be %#v", got, want)
+		}
+		if got, want := got.TwilioAuthToken, smsConfig.TwilioAuthToken; got != want {
+			t.Errorf("expected %#v to be %#v", got, want)
+		}
+		if got, want := got.TwilioFromNumber, smsConfig.TwilioFromNumber; got != want {
+			t.Errorf("expected %#v to be %#v", got, want)
+		}
+	}
+
+	// Update value
+	smsConfig.TwilioAuthToken = "banana123"
+	if err := db.SaveSMSConfig(smsConfig); err != nil {
+		t.Fatal(err)
+	}
+
+	// Read back updated value
+	{
+		got, err := realm.SMSConfig(db)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if got == nil {
+			t.Fatalf("expected SMSConfig, got %#v", got)
+		}
+
+		if got, want := got.TwilioAuthToken, "banana123"; got != want {
+			t.Errorf("expected %#v to be %#v", got, want)
+		}
+	}
+}
+
+func TestSMSProvider(t *testing.T) {
+	t.Parallel()
+
+	db := NewTestDatabase(t)
+
+	realm, err := db.CreateRealm("test-sms-realm-1")
+	if err != nil {
+		t.Fatalf("realm create failed: %v", err)
+	}
+
+	provider, err := realm.SMSProvider(db)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if provider != nil {
+		t.Errorf("expected %v to be %v", provider, nil)
+	}
+
+	smsConfig := &SMSConfig{
+		RealmID:          realm.ID,
+		ProviderType:     sms.ProviderType("TWILIO"),
+		TwilioAccountSid: "abc123",
+		TwilioAuthToken:  "my-secret-ref",
+		TwilioFromNumber: "+11234567890",
+	}
+	if err := db.SaveSMSConfig(smsConfig); err != nil {
+		t.Fatal(err)
+	}
+
+	provider, err = realm.SMSProvider(db)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if provider == nil {
+		t.Errorf("expected %v to be not nil", provider)
+	}
+}

From 3613515dd2be698ca2e363064610319aad2d87d1 Mon Sep 17 00:00:00 2001
From: Weston Haught <whaught@google.com>
Date: Wed, 14 Oct 2020 16:58:31 -0700
Subject: [PATCH 03/31] email settings

---
 internal/firebase/password_reset_email.go |  2 +-
 pkg/controller/controller.go              | 28 +++++++
 pkg/controller/user/importbatch.go        |  9 ++-
 pkg/controller/user/reset_password.go     | 17 ++++-
 pkg/database/email_config.go              | 16 ++--
 pkg/database/email_config_test.go         | 74 +++++++++----------
 pkg/database/realm.go                     | 90 +++++++++++++++++++++++
 pkg/email/config.go                       | 16 +---
 pkg/email/firebase.go                     | 34 ---------
 pkg/email/noop.go                         |  6 +-
 pkg/email/smtp.go                         | 49 ++----------
 11 files changed, 202 insertions(+), 139 deletions(-)
 delete mode 100644 pkg/email/firebase.go

diff --git a/internal/firebase/password_reset_email.go b/internal/firebase/password_reset_email.go
index 9573df81e..c72996ad4 100644
--- a/internal/firebase/password_reset_email.go
+++ b/internal/firebase/password_reset_email.go
@@ -36,7 +36,7 @@ type sendPasswordResetEmailRequest struct {
 // face rate-limiting on the firebase side if called too quickly.
 //
 // See: https://firebase.google.com/docs/reference/rest/auth#section-send-password-reset-email
-func (c *Client) SendNewUserInvitation(ctx context.Context, email string) error {
+func (c *Client) SendNewUserInvitation(ctx context.Context, email, realmName string) error {
 	r := &sendPasswordResetEmailRequest{
 		RequestType: "PASSWORD_RESET",
 		Email:       email,
diff --git a/pkg/controller/controller.go b/pkg/controller/controller.go
index 7f3d99a68..4b7fd5c3e 100644
--- a/pkg/controller/controller.go
+++ b/pkg/controller/controller.go
@@ -21,6 +21,7 @@ import (
 	"net/http"
 	"strings"
 
+	"firebase.google.com/go/auth"
 	"github.com/google/exposure-notifications-verification-server/pkg/api"
 	"github.com/google/exposure-notifications-verification-server/pkg/render"
 
@@ -125,6 +126,33 @@ func RedirectToChangePassword(w http.ResponseWriter, r *http.Request, h *render.
 	http.Redirect(w, r, "/login/change-password", http.StatusSeeOther)
 }
 
+// ComposeInviteEmail uses the renderer and auth client to generate a password reset link
+// and emit an invite email
+func ComposeInviteEmail(h *render.Renderer, auth *auth.Client, toEmail, fromEmail, realmName string) (string, error) {
+	inviteLink, err := auth.PasswordResetLink(ctx, toEmail)
+	if err != nil {
+		return err
+	}
+
+	// Compose message
+	message, err := h.RenderEmail("email/invite",
+		struct {
+			ToEmail    string
+			FromEmail  string
+			InviteLink string
+			RealmName  string
+		}{
+			ToEmail:    toEmail,
+			FromEmail:  fromEmail,
+			InviteLink: inviteLink,
+			RealmName:  realmName,
+		})
+	if err != nil {
+		return nil, err
+	}
+	return message, nil
+}
+
 func prefixInList(list []string, prefix string) bool {
 	for _, v := range list {
 		if strings.HasPrefix(v, prefix) {
diff --git a/pkg/controller/user/importbatch.go b/pkg/controller/user/importbatch.go
index c26d66340..7998639c1 100644
--- a/pkg/controller/user/importbatch.go
+++ b/pkg/controller/user/importbatch.go
@@ -74,7 +74,14 @@ func (c *Controller) HandleImportBatch() http.Handler {
 				continue
 			} else if created {
 				newUsers = append(newUsers, &batchUser)
-				if err := c.emailer.SendNewUserInvitation(ctx, user.Email); err != nil {
+				message, err := controller.ComposeInviteEmail(c.h, c.client, user.Email, currentUser.Email, realm.Name)
+				if err != nil {
+					c.logger.Warnw("failed composing invitation", "error", err)
+					batchErr = multierror.Append(batchErr, errors.New("send invitation failed"))
+					continue
+				}
+
+				if err := c.emailer.SendNewUserInvitation(ctx, user.Email, realm.Name); err != nil {
 					c.logger.Warnw("failed sending invitation", "error", err)
 					batchErr = multierror.Append(batchErr, errors.New("send invitation failed"))
 					continue
diff --git a/pkg/controller/user/reset_password.go b/pkg/controller/user/reset_password.go
index b308249a4..84e0de134 100644
--- a/pkg/controller/user/reset_password.go
+++ b/pkg/controller/user/reset_password.go
@@ -49,7 +49,22 @@ func (c *Controller) ensureFirebaseUserExists(ctx context.Context, user *databas
 	}
 
 	if created {
-		err := c.emailer.SendNewUserInvitation(ctx, user.Email)
+		if c.emailer == nil {
+			// fallback to firebase
+			c.config.Firebase
+		}
+
+		realm := controller.RealmFromContext(ctx)
+		currentUser := controller.UserFromContext(ctx)
+
+		message, err := controller.ComposeInviteEmail(c.h, c.client, user.Email, currentUser.Email, realm.Name)
+		if err != nil {
+			c.logger.Warnw("failed composing invitation", "error", err)
+			flash.Error("Could not send new user invitation.")
+			return true, err
+		}
+
+		err := c.emailer.SendEmail(ctx, user.Email, message)
 		if err != nil {
 			c.logger.Warnw("failed sending invitation", "error", err)
 			flash.Error("Could not send new user invitation.")
diff --git a/pkg/database/email_config.go b/pkg/database/email_config.go
index 5c659226c..37e7ed724 100644
--- a/pkg/database/email_config.go
+++ b/pkg/database/email_config.go
@@ -50,12 +50,12 @@ type EmailConfig struct {
 }
 
 func (s *EmailConfig) BeforeSave(tx *gorm.DB) error {
-	// Twilio config is all or nothing
-	if (s.TwilioAccountSid != "" || s.TwilioAuthToken != "" || s.TwilioFromNumber != "") &&
-		(s.TwilioAccountSid == "" || s.TwilioAuthToken == "" || s.TwilioFromNumber == "") {
-		s.AddError("twilioAccountSid", "all must be specified or all must be blank")
-		s.AddError("twilioAuthToken", "all must be specified or all must be blank")
-		s.AddError("twilioFromNumber", "all must be specified or all must be blank")
+	// Email config is all or nothing
+	if (s.SMTPAccount != "" || s.SMTPPassword != "" || s.SMTPHost != "") &&
+		(s.SMTPAccount == "" || s.SMTPPassword == "" || s.SMTPHost == "") {
+		s.AddError("SMTPAccount", "all must be specified or all must be blank")
+		s.AddError("SMTPPassword", "all must be specified or all must be blank")
+		s.AddError("SMTPHost", "all must be specified or all must be blank")
 	}
 
 	if len(s.Errors()) > 0 {
@@ -66,7 +66,7 @@ func (s *EmailConfig) BeforeSave(tx *gorm.DB) error {
 
 // SystemEmailConfig returns the system email config, if one exists
 func (db *Database) SystemEmailConfig() (*EmailConfig, error) {
-	var emailConfig emailConfig
+	var emailConfig EmailConfig
 	if err := db.db.
 		Model(&EmailConfig{}).
 		Where("is_system IS TRUE").
@@ -79,7 +79,7 @@ func (db *Database) SystemEmailConfig() (*EmailConfig, error) {
 
 // SaveEmailConfig creates or updates an email configuration record.
 func (db *Database) SaveEmailConfig(s *EmailConfig) error {
-	if s.TwilioAccountSid == "" && s.TwilioAuthToken == "" && s.TwilioFromNumber == "" {
+	if s.SMTPAccount == "" && s.SMTPPassword == "" && s.SMTPHost == "" {
 		if db.db.NewRecord(s) {
 			// The fields are all blank, do not create the record.
 			return nil
diff --git a/pkg/database/email_config_test.go b/pkg/database/email_config_test.go
index 7b737cd99..f0c9560b6 100644
--- a/pkg/database/email_config_test.go
+++ b/pkg/database/email_config_test.go
@@ -17,10 +17,10 @@ package database
 import (
 	"testing"
 
-	"github.com/google/exposure-notifications-verification-server/pkg/sms"
+	"github.com/google/exposure-notifications-verification-server/pkg/email"
 )
 
-func TestSMSConfig_Lifecycle(t *testing.T) {
+func TestEmailConfig_Lifecycle(t *testing.T) {
 	t.Parallel()
 
 	db := NewTestDatabase(t)
@@ -34,7 +34,7 @@ func TestSMSConfig_Lifecycle(t *testing.T) {
 
 	// Initial config should be nil
 	{
-		got, err := realm.SMSConfig(db)
+		got, err := realm.EmailConfig(db)
 		if !IsNotFound(err) {
 			t.Errorf("expected %#v to be %#v", err, "not found")
 		}
@@ -43,87 +43,87 @@ func TestSMSConfig_Lifecycle(t *testing.T) {
 		}
 	}
 
-	// Create SMS config on the realm
-	smsConfig := &SMSConfig{
-		RealmID:          realm.ID,
-		ProviderType:     sms.ProviderType("TWILIO"),
-		TwilioAccountSid: "abc123",
-		TwilioAuthToken:  "def123",
-		TwilioFromNumber: "+11234567890",
+	// Create email config on the realm
+	emailConfig := &EmailConfig{
+		RealmID:      realm.ID,
+		ProviderType: email.ProviderType("TWILIO"),
+		SMTPAccount:  "noreply@sendemails.meh",
+		SMTPPassword: "my-secret-ref",
+		SMTPHost:     "smtp.sendemails.meh",
 	}
-	if err := db.SaveSMSConfig(smsConfig); err != nil {
+	if err := db.SaveEmailConfig(emailConfig); err != nil {
 		t.Fatal(err)
 	}
 
-	// Get the realm to verify SMS configs are NOT preloaded
+	// Get the realm to verify email configs are NOT preloaded
 	realm, err = db.FindRealm(realm.ID)
 	if err != nil {
 		t.Fatal(err)
 	}
 
-	// Load the SMS config
+	// Load the email config
 	{
-		got, err := realm.SMSConfig(db)
+		got, err := realm.EmailConfig(db)
 		if err != nil {
 			t.Fatal(err)
 		}
 		if got == nil {
-			t.Fatalf("expected SMSConfig, got %#v", got)
+			t.Fatalf("expected emailConfig, got %#v", got)
 		}
 
-		if got, want := got.ID, smsConfig.ID; got != want {
+		if got, want := got.ID, emailConfig.ID; got != want {
 			t.Errorf("expected %#v to be %#v", got, want)
 		}
-		if got, want := got.RealmID, smsConfig.RealmID; got != want {
+		if got, want := got.RealmID, emailConfig.RealmID; got != want {
 			t.Errorf("expected %#v to be %#v", got, want)
 		}
-		if got, want := got.ProviderType, smsConfig.ProviderType; got != want {
+		if got, want := got.ProviderType, emailConfig.ProviderType; got != want {
 			t.Errorf("expected %#v to be %#v", got, want)
 		}
-		if got, want := got.TwilioAccountSid, smsConfig.TwilioAccountSid; got != want {
+		if got, want := got.SMTPAccount, emailConfig.SMTPAccount; got != want {
 			t.Errorf("expected %#v to be %#v", got, want)
 		}
-		if got, want := got.TwilioAuthToken, smsConfig.TwilioAuthToken; got != want {
+		if got, want := got.SMTPPassword, emailConfig.SMTPPassword; got != want {
 			t.Errorf("expected %#v to be %#v", got, want)
 		}
-		if got, want := got.TwilioFromNumber, smsConfig.TwilioFromNumber; got != want {
+		if got, want := got.SMTPHost, emailConfig.SMTPHost; got != want {
 			t.Errorf("expected %#v to be %#v", got, want)
 		}
 	}
 
 	// Update value
-	smsConfig.TwilioAuthToken = "banana123"
-	if err := db.SaveSMSConfig(smsConfig); err != nil {
+	emailConfig.SMTPPassword = "banana123"
+	if err := db.SaveEmailConfig(emailConfig); err != nil {
 		t.Fatal(err)
 	}
 
 	// Read back updated value
 	{
-		got, err := realm.SMSConfig(db)
+		got, err := realm.EmailConfig(db)
 		if err != nil {
 			t.Fatal(err)
 		}
 		if got == nil {
-			t.Fatalf("expected SMSConfig, got %#v", got)
+			t.Fatalf("expected EmailConfig, got %#v", got)
 		}
 
-		if got, want := got.TwilioAuthToken, "banana123"; got != want {
+		if got, want := got.SMTPPassword, "banana123"; got != want {
 			t.Errorf("expected %#v to be %#v", got, want)
 		}
 	}
 }
 
-func TestSMSProvider(t *testing.T) {
+func TestEmailProvider(t *testing.T) {
 	t.Parallel()
 
 	db := NewTestDatabase(t)
 
-	realm, err := db.CreateRealm("test-sms-realm-1")
+	realm, err := db.CreateRealm("test-email-realm-1")
 	if err != nil {
 		t.Fatalf("realm create failed: %v", err)
 	}
 
-	provider, err := realm.SMSProvider(db)
+	provider, err := realm.EmailProvider(db)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -131,18 +131,18 @@ func TestSMSProvider(t *testing.T) {
 		t.Errorf("expected %v to be %v", provider, nil)
 	}
 
-	smsConfig := &SMSConfig{
-		RealmID:          realm.ID,
-		ProviderType:     sms.ProviderType("TWILIO"),
-		TwilioAccountSid: "abc123",
-		TwilioAuthToken:  "my-secret-ref",
-		TwilioFromNumber: "+11234567890",
+	emailConfig := &EmailConfig{
+		RealmID:      realm.ID,
+		ProviderType: email.ProviderType(email.ProviderTypeSMTP),
+		SMTPAccount:  "noreply@sendemails.meh",
+		SMTPPassword: "my-secret-ref",
+		SMTPHost:     "smtp.sendemails.meh",
 	}
-	if err := db.SaveSMSConfig(smsConfig); err != nil {
+	if err := db.SaveEmailConfig(emailConfig); err != nil {
 		t.Fatal(err)
 	}
 
-	provider, err = realm.SMSProvider(db)
+	provider, err = realm.EmailProvider(db)
 	if err != nil {
 		t.Fatal(err)
 	}
diff --git a/pkg/database/realm.go b/pkg/database/realm.go
index a38b5fdd7..ba0eec72b 100644
--- a/pkg/database/realm.go
+++ b/pkg/database/realm.go
@@ -24,6 +24,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/google/exposure-notifications-verification-server/pkg/email"
 	"github.com/google/exposure-notifications-verification-server/pkg/sms"
 	"github.com/microcosm-cc/bluemonday"
 
@@ -140,6 +141,26 @@ type Realm struct {
 	// configuration, making it impossible to opt out of text message sending.
 	UseSystemSMSConfig bool `gorm:"column:use_system_sms_config; type:bool; not null; default:false;"`
 
+	// EmailInviteTemplate is the template for inviting new users.
+	EmailInviteTemplate string `gorm:"type:varchar(400);"`
+
+	// EmailPasswordResetTemplate is the template for resetting password.
+	EmailPasswordResetTemplate string `gorm:"type:varchar(400);"`
+
+	// EmailVerifyTemplate is the template used for email verification.
+	EmailVerifyTemplate string `gorm:"type:varchar(400);"`
+
+	// CanUseSystemEmailConfig is configured by system administrators to share the
+	// system email config with this realm. Note that the system email config could be
+	// empty and a local SMS config is preferred over the system value.
+	CanUseSystemEmailConfig bool `gorm:"column:can_use_system_sms_config; type:bool; not null; default:false;"`
+
+	// UseSystemEmailConfig is a realm-level configuration that lets a realm opt-out
+	// of sending email messages using the system-provided email configuration.
+	// Without this, a realm would always fallback to the system-level email
+	// configuration, making it impossible to opt out of text message sending.
+	UseSystemEmailConfig bool `gorm:"column:use_system_sms_config; type:bool; not null; default:false;"`
+
 	// MFAMode represents the mode for Multi-Factor-Authorization requirements for the realm.
 	MFAMode AuthRequirement `gorm:"type:smallint; not null; default: 0"`
 
@@ -459,6 +480,75 @@ func (r *Realm) SMSProvider(db *Database) (sms.Provider, error) {
 	return provider, nil
 }
 
+// EmailConfig returns the SMS configuration for this realm, if one exists. If the
+// realm is configured to use the system SMS configuration, that configuration
+// is preferred.
+func (r *Realm) EmailConfig(db *Database) (*EmailConfig, error) {
+	q := db.db.
+		Model(&EmailConfig{}).
+		Order("is_system DESC").
+		Where("realm_id = ?", r.ID)
+
+	if r.UseSystemEmailConfig {
+		q = q.Or("is_system IS TRUE")
+	}
+
+	var emailConfig EmailConfig
+	if err := q.First(&emailConfig).Error; err != nil {
+		return nil, err
+	}
+	return &emailConfig, nil
+}
+
+// HasEmailConfig returns true if the realm has an email config, false otherwise.
+// This does not perform the KMS encryption/decryption, so it's more efficient
+// that loading the full email config.
+func (r *Realm) HasEmailConfig(db *Database) (bool, error) {
+	q := db.db.
+		Model(&EmailConfig{}).
+		Select("id").
+		Order("is_system DESC").
+		Where("realm_id = ?", r.ID)
+
+	if r.UseSystemEmailConfig {
+		q = q.Or("is_system IS TRUE")
+	}
+
+	var id []uint64
+	if err := q.Pluck("id", &id).Error; err != nil {
+		if IsNotFound(err) {
+			return false, nil
+		}
+		return false, err
+	}
+	return len(id) > 0, nil
+}
+
+// EmailProvider returns the email provider for the realm. If no email configuration
+// exists, it returns nil. If any errors occur creating the provider, they are
+// returned.
+func (r *Realm) EmailProvider(db *Database) (email.Provider, error) {
+	emailConfig, err := r.EmailConfig(db)
+	if err != nil {
+		if IsNotFound(err) {
+			return nil, nil
+		}
+		return nil, err
+	}
+
+	ctx := context.Background()
+	provider, err := email.ProviderFor(ctx, &email.Config{
+		User:     emailConfig.SMTPAccount,
+		Password: emailConfig.SMTPPassword,
+		SMTPHost: emailConfig.SMTPHost,
+		SMTPPort: emailConfig.SMTPPort,
+	})
+	if err != nil {
+		return nil, err
+	}
+	return provider, nil
+}
+
 func (r *Realm) Audits(db *Database) ([]*AuditEntry, error) {
 	var entries []*AuditEntry
 	if err := db.db.
diff --git a/pkg/email/config.go b/pkg/email/config.go
index 48f99e954..ca0f87940 100644
--- a/pkg/email/config.go
+++ b/pkg/email/config.go
@@ -18,9 +18,7 @@ import (
 	"context"
 	"fmt"
 
-	"firebase.google.com/go/auth"
 	"github.com/google/exposure-notifications-server/pkg/secrets"
-	"github.com/google/exposure-notifications-verification-server/pkg/render"
 )
 
 // ProviderType represents a type of email provider.
@@ -30,10 +28,6 @@ const (
 	// ProviderTypeNoop is a no-op provider
 	ProviderTypeNoop ProviderType = "NOOP"
 
-	// ProviderTypeFirebase falls back to firebase's default email template.
-	// it uses password-reset rather than a true invitation.
-	ProviderTypeFirebase ProviderType = "FIREBASE"
-
 	// ProviderTypeSMTP composes emails and sends them via an external SMTP server.
 	ProviderTypeSMTP ProviderType = "SIMPLE_SMTP"
 )
@@ -65,8 +59,8 @@ type Config struct {
 
 // Provider is an interface for email-sending mechanisms.
 type Provider interface {
-	// SendNewUserInvitation sends an invite to join the server.
-	SendNewUserInvitation(ctx context.Context, email string) error
+	// SendEmail sends an email with the given message.
+	SendEmail(ctx context.Context, toEmail string, message []byte) error
 }
 
 // HasSMTPCreds returns true if required fields for connecting to SMTP are set.
@@ -75,14 +69,12 @@ func (c *Config) HasSMTPCreds() bool {
 }
 
 // ProviderFor creates an email provider given a Config.
-func ProviderFor(ctx context.Context, c *Config, h *render.Renderer, auth *auth.Client) (Provider, error) {
+func ProviderFor(ctx context.Context, c *Config) (Provider, error) {
 	switch typ := c.ProviderType; typ {
 	case ProviderTypeNoop:
 		return NewNoop(), nil
-	case ProviderTypeFirebase:
-		return NewFirebase(ctx)
 	case ProviderTypeSMTP:
-		return NewSMTP(ctx, c.User, c.Password, c.SMTPHost, c.SMTPPort, h, auth), nil
+		return NewSMTP(ctx, c.User, c.Password, c.SMTPHost, c.SMTPPort), nil
 	default:
 		return nil, fmt.Errorf("unknown email provider type: %v", typ)
 	}
diff --git a/pkg/email/firebase.go b/pkg/email/firebase.go
deleted file mode 100644
index 3ca9d8a4b..000000000
--- a/pkg/email/firebase.go
+++ /dev/null
@@ -1,34 +0,0 @@
-// Copyright 2020 Google LLC
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// Package email is logic for sending email invitations
-package email
-
-import (
-	"context"
-	"fmt"
-
-	"github.com/google/exposure-notifications-verification-server/internal/firebase"
-)
-
-var _ Provider = (*firebase.Client)(nil)
-
-// NewFirebase creates a new SMTP email sender with the given auth.
-func NewFirebase(ctx context.Context) (Provider, error) {
-	firebaseInternal, err := firebase.New(ctx)
-	if err != nil {
-		return nil, fmt.Errorf("failed to configure internal firebase client: %w", err)
-	}
-	return firebaseInternal, nil
-}
diff --git a/pkg/email/noop.go b/pkg/email/noop.go
index d6580edb7..9f941308c 100644
--- a/pkg/email/noop.go
+++ b/pkg/email/noop.go
@@ -31,9 +31,9 @@ func NewNoop() Provider {
 	return &NoopProvider{}
 }
 
-// SendNewUserInvitation sends a password reset email to the user.
-func (s *NoopProvider) SendNewUserInvitation(ctx context.Context, toEmail string) error {
+// SendEmail sends a password reset email to the user.
+func (s *NoopProvider) SendEmail(ctx context.Context, toEmail string, message []byte) error {
 	logger := logging.FromContext(ctx)
-	logger.Infow("Noop send invitation", "email", toEmail)
+	logger.Infow("Noop send email", "email", toEmail)
 	return nil
 }
diff --git a/pkg/email/smtp.go b/pkg/email/smtp.go
index cd48727ee..b49f3c7f2 100644
--- a/pkg/email/smtp.go
+++ b/pkg/email/smtp.go
@@ -19,20 +19,13 @@ import (
 	"context"
 	"net/smtp"
 
-	"firebase.google.com/go/auth"
 	"github.com/google/exposure-notifications-server/pkg/logging"
-	"github.com/google/exposure-notifications-verification-server/pkg/controller"
-	"github.com/google/exposure-notifications-verification-server/pkg/render"
 )
 
 var _ Provider = (*SMTPProvider)(nil)
 
 // SMTPProvider sends messages via an external SMTP server.
 type SMTPProvider struct {
-	FirebaseAuth *auth.Client
-
-	Renderer *render.Renderer
-
 	User     string
 	Password string
 	SMTPHost string
@@ -40,45 +33,17 @@ type SMTPProvider struct {
 }
 
 // NewSMTP creates a new Smtp email sender with the given auth.
-func NewSMTP(ctx context.Context, user, password, host, port string, h *render.Renderer, auth *auth.Client) Provider {
+func NewSMTP(ctx context.Context, user, password, host, port string) Provider {
 	return &SMTPProvider{
-		FirebaseAuth: auth,
-		Renderer:     h,
-		User:         user,
-		Password:     password,
-		SMTPHost:     host,
-		SMTPPort:     port,
+		User:     user,
+		Password: password,
+		SMTPHost: host,
+		SMTPPort: port,
 	}
 }
 
-// SendNewUserInvitation sends a password reset email to the user.
-func (s *SMTPProvider) SendNewUserInvitation(ctx context.Context, toEmail string) error {
-	inviteLink, err := s.FirebaseAuth.PasswordResetLink(ctx, toEmail)
-	if err != nil {
-		return err
-	}
-
-	realmName := ""
-	if realm := controller.RealmFromContext(ctx); realm != nil {
-		realmName = realm.Name
-	}
-
-	// Compose message
-	message, err := s.Renderer.RenderEmail("email/invite",
-		struct {
-			ToEmail    string
-			FromEmail  string
-			InviteLink string
-			RealmName  string
-		}{
-			ToEmail:    toEmail,
-			FromEmail:  s.User,
-			InviteLink: inviteLink,
-			RealmName:  realmName,
-		})
-	if err != nil {
-		return err
-	}
+// SendEmail sends an email to the user.
+func (s *SMTPProvider) SendEmail(ctx context.Context, toEmail string, message []byte) error {
 
 	// Authentication.
 	auth := smtp.PlainAuth("", s.User, s.Password, s.SMTPHost)

From 3a1dd1081cdc64afb199e30dc8c8dc7b1f272e60 Mon Sep 17 00:00:00 2001
From: Weston Haught <whaught@google.com>
Date: Thu, 15 Oct 2020 10:19:44 -0700
Subject: [PATCH 04/31] fixes form integrate

---
 internal/firebase/password_reset_email.go |  2 +-
 pkg/controller/controller.go              | 28 -----------------------
 pkg/database/realm.go                     |  5 ++--
 3 files changed, 4 insertions(+), 31 deletions(-)

diff --git a/internal/firebase/password_reset_email.go b/internal/firebase/password_reset_email.go
index c72996ad4..9573df81e 100644
--- a/internal/firebase/password_reset_email.go
+++ b/internal/firebase/password_reset_email.go
@@ -36,7 +36,7 @@ type sendPasswordResetEmailRequest struct {
 // face rate-limiting on the firebase side if called too quickly.
 //
 // See: https://firebase.google.com/docs/reference/rest/auth#section-send-password-reset-email
-func (c *Client) SendNewUserInvitation(ctx context.Context, email, realmName string) error {
+func (c *Client) SendNewUserInvitation(ctx context.Context, email string) error {
 	r := &sendPasswordResetEmailRequest{
 		RequestType: "PASSWORD_RESET",
 		Email:       email,
diff --git a/pkg/controller/controller.go b/pkg/controller/controller.go
index 2c3494bb2..fd9757c65 100644
--- a/pkg/controller/controller.go
+++ b/pkg/controller/controller.go
@@ -21,7 +21,6 @@ import (
 	"net/http"
 	"strings"
 
-	"firebase.google.com/go/auth"
 	"github.com/google/exposure-notifications-verification-server/pkg/api"
 	"github.com/google/exposure-notifications-verification-server/pkg/render"
 
@@ -141,33 +140,6 @@ func RedirectToChangePassword(w http.ResponseWriter, r *http.Request, h *render.
 	http.Redirect(w, r, "/login/change-password", http.StatusSeeOther)
 }
 
-// ComposeInviteEmail uses the renderer and auth client to generate a password reset link
-// and emit an invite email
-func ComposeInviteEmail(h *render.Renderer, auth *auth.Client, toEmail, fromEmail, realmName string) (string, error) {
-	inviteLink, err := auth.PasswordResetLink(ctx, toEmail)
-	if err != nil {
-		return err
-	}
-
-	// Compose message
-	message, err := h.RenderEmail("email/invite",
-		struct {
-			ToEmail    string
-			FromEmail  string
-			InviteLink string
-			RealmName  string
-		}{
-			ToEmail:    toEmail,
-			FromEmail:  fromEmail,
-			InviteLink: inviteLink,
-			RealmName:  realmName,
-		})
-	if err != nil {
-		return nil, err
-	}
-	return message, nil
-}
-
 func prefixInList(list []string, prefix string) bool {
 	for _, v := range list {
 		if strings.HasPrefix(v, prefix) {
diff --git a/pkg/database/realm.go b/pkg/database/realm.go
index a904bf390..9c2e108be 100644
--- a/pkg/database/realm.go
+++ b/pkg/database/realm.go
@@ -25,6 +25,7 @@ import (
 	"time"
 
 	"github.com/google/exposure-notifications-verification-server/pkg/digest"
+	"github.com/google/exposure-notifications-verification-server/pkg/email"
 	"github.com/google/exposure-notifications-verification-server/pkg/sms"
 	"github.com/microcosm-cc/bluemonday"
 
@@ -154,13 +155,13 @@ type Realm struct {
 	// CanUseSystemEmailConfig is configured by system administrators to share the
 	// system email config with this realm. Note that the system email config could be
 	// empty and a local SMS config is preferred over the system value.
-	CanUseSystemEmailConfig bool `gorm:"column:can_use_system_sms_config; type:bool; not null; default:false;"`
+	CanUseSystemEmailConfig bool `gorm:"column:can_use_system_email_config; type:bool; not null; default:false;"`
 
 	// UseSystemEmailConfig is a realm-level configuration that lets a realm opt-out
 	// of sending email messages using the system-provided email configuration.
 	// Without this, a realm would always fallback to the system-level email
 	// configuration, making it impossible to opt out of text message sending.
-	UseSystemEmailConfig bool `gorm:"column:use_system_sms_config; type:bool; not null; default:false;"`
+	UseSystemEmailConfig bool `gorm:"column:use_system_email_config; type:bool; not null; default:false;"`
 
 	// MFAMode represents the mode for Multi-Factor-Authorization requirements for the realm.
 	MFAMode AuthRequirement `gorm:"type:smallint; not null; default: 0"`

From eca29c84a368268ed856825d3dbf6368a345e93d Mon Sep 17 00:00:00 2001
From: Weston Haught <whaught@google.com>
Date: Thu, 15 Oct 2020 11:01:57 -0700
Subject: [PATCH 05/31] update migrations

---
 pkg/database/email_config_test.go |  2 +-
 pkg/database/migrations.go        | 70 +++++++++++++++++++++++++++++++
 2 files changed, 71 insertions(+), 1 deletion(-)

diff --git a/pkg/database/email_config_test.go b/pkg/database/email_config_test.go
index f0c9560b6..6887c1eac 100644
--- a/pkg/database/email_config_test.go
+++ b/pkg/database/email_config_test.go
@@ -46,7 +46,7 @@ func TestEmailConfig_Lifecycle(t *testing.T) {
 	// Create email config on the realm
 	emailConfig := &EmailConfig{
 		RealmID:      realm.ID,
-		ProviderType: email.ProviderType("TWILIO"),
+		ProviderType: email.ProviderType(email.ProviderTypeSMTP),
 		SMTPAccount:  "noreply@sendemails.meh",
 		SMTPPassword: "my-secret-ref",
 		SMTPHost:     "smtp.sendemails.meh",
diff --git a/pkg/database/migrations.go b/pkg/database/migrations.go
index 705ff5498..cd5786e31 100644
--- a/pkg/database/migrations.go
+++ b/pkg/database/migrations.go
@@ -1465,6 +1465,76 @@ func (db *Database) getMigrations(ctx context.Context) *gormigrate.Gormigrate {
 				return nil
 			},
 		},
+		{
+			ID: "00060-AddEmailConfig",
+			Migrate: func(tx *gorm.DB) error {
+				logger.Debugw("adding email_configs table")
+				return tx.AutoMigrate(&EmailConfig{}).Error
+			},
+			Rollback: func(tx *gorm.DB) error {
+				return tx.DropTable("email_configs").Error
+			},
+		},
+		{
+			ID: "00061-CreateSystemEmailConfig",
+			Migrate: func(tx *gorm.DB) error {
+				sqls := []string{
+					// Add a new is_system boolean column and a constraint to ensure that
+					// only one row can have a value of true.
+					`CREATE UNIQUE INDEX IF NOT EXISTS uix_email_configs_is_system_true ON email_configs (is_system) WHERE (is_system IS TRUE)`,
+
+					// Require realm_id be set on all rows except system configs, and
+					// ensure that realm_id is unique.
+					`ALTER TABLE email_configs DROP CONSTRAINT IF EXISTS nn_email_configs_realm_id`,
+					`DROP INDEX IF EXISTS nn_email_configs_realm_id`,
+					`ALTER TABLE email_configs ADD CONSTRAINT nn_email_configs_realm_id CHECK (is_system IS TRUE OR realm_id IS NOT NULL)`,
+
+					`ALTER TABLE email_configs DROP CONSTRAINT IF EXISTS uix_email_configs_realm_id`,
+					`DROP INDEX IF EXISTS uix_email_configs_realm_id`,
+					`ALTER TABLE email_configs ADD CONSTRAINT uix_email_configs_realm_id UNIQUE (realm_id)`,
+
+					// Realm option set by system admins to share the system Email config
+					// with the realm.
+					`ALTER TABLE realms ADD COLUMN IF NOT EXISTS can_use_system_email_config BOOL`,
+					`UPDATE realms SET can_use_system_email_config = FALSE WHERE can_use_system_email_config IS NULL`,
+					`ALTER TABLE realms ALTER COLUMN can_use_system_email_config SET DEFAULT FALSE`,
+					`ALTER TABLE realms ALTER COLUMN can_use_system_email_config SET NOT NULL`,
+
+					// If true, the realm is set to use the system Email config.
+					`ALTER TABLE realms ADD COLUMN IF NOT EXISTS use_system_email_config BOOL`,
+					`UPDATE realms SET use_system_email_config = FALSE WHERE use_system_email_config IS NULL`,
+					`ALTER TABLE realms ALTER COLUMN use_system_email_config SET DEFAULT FALSE`,
+					`ALTER TABLE realms ALTER COLUMN use_system_email_config SET NOT NULL`,
+				}
+
+				for _, sql := range sqls {
+					if err := tx.Exec(sql).Error; err != nil {
+						return err
+					}
+				}
+
+				return nil
+			},
+			Rollback: func(tx *gorm.DB) error {
+				sqls := []string{
+					`ALTER TABLE sms_configs DROP COLUMN IF EXISTS is_system`,
+					`DROP INDEX IF EXISTS uix_sms_configs_is_system_true`,
+					`ALTER TABLE sms_configs DROP CONSTRAINT IF EXISTS nn_sms_configs_realm_id`,
+					`ALTER TABLE sms_configs DROP CONSTRAINT IF EXISTS uix_sms_configs_realm_id`,
+
+					`ALTER TABLE realms DROP COLUMN IF EXISTS can_use_system_sms_config`,
+					`ALTER TABLE realms DROP COLUMN IF EXISTS use_system_sms_config`,
+				}
+
+				for _, sql := range sqls {
+					if err := tx.Exec(sql).Error; err != nil {
+						return err
+					}
+				}
+
+				return nil
+			},
+		},
 	})
 }
 

From 1563e26dad16d1af4a00ae9d120c4e76978e950a Mon Sep 17 00:00:00 2001
From: Weston Haught <whaught@google.com>
Date: Thu, 15 Oct 2020 14:10:01 -0700
Subject: [PATCH 06/31] some feedback

---
 cmd/server/assets/realmadmin/_form_email.html | 2 +-
 cmd/server/assets/realmadmin/edit.html        | 2 +-
 pkg/database/email_config.go                  | 2 +-
 pkg/database/realm.go                         | 8 ++++----
 4 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/cmd/server/assets/realmadmin/_form_email.html b/cmd/server/assets/realmadmin/_form_email.html
index d1b285645..70a6342f3 100644
--- a/cmd/server/assets/realmadmin/_form_email.html
+++ b/cmd/server/assets/realmadmin/_form_email.html
@@ -32,7 +32,7 @@
     </div>
   {{end}}
 
-  <div id="smtp-form" class="collapse{{if not $realm.UseSystemSMSConfig}} show{{end}}">
+  <div id="smtp-form" class="collapse{{if not $realm.UseSystemEmailConfig}} show{{end}}">
     <div class="form-label-group">
       <input type="text" name="smtp_account" id="smtp-account" class="form-control text-monospace{{if $emailConfig.ErrorsFor "smtpAccount"}} is-invalid{{end}}"
         placeholder="SMTP account" value="{{if $emailConfig}}{{$emailConfig.SMTPAccount}}{{end}}" />
diff --git a/cmd/server/assets/realmadmin/edit.html b/cmd/server/assets/realmadmin/edit.html
index 637031b1c..4e1ad8034 100644
--- a/cmd/server/assets/realmadmin/edit.html
+++ b/cmd/server/assets/realmadmin/edit.html
@@ -40,7 +40,7 @@ <h1>Realm settings</h1>
             <a class="nav-link" id="sms-tab" data-toggle="tab" href="#sms" role="tab" aria-controls="sms" aria-selected="false">SMS</a>
           </li>
           <li class="nav-item" role="presentation">
-            <a class="nav-link" id="sms-email" data-toggle="tab" href="#email" role="tab" aria-controls="email" aria-selected="false">Email</a>
+            <a class="nav-link" id="email-tab" data-toggle="tab" href="#email" role="tab" aria-controls="email" aria-selected="false">Email</a>
           </li>
           <li class="nav-item" role="presentation">
             <a class="nav-link" id="security-tab" data-toggle="tab" href="#security" role="tab" aria-controls="security" aria-selected="false">Security</a>
diff --git a/pkg/database/email_config.go b/pkg/database/email_config.go
index 37e7ed724..9ebdfb359 100644
--- a/pkg/database/email_config.go
+++ b/pkg/database/email_config.go
@@ -28,7 +28,7 @@ type EmailConfig struct {
 	Errorable
 
 	// email Config belongs to exactly one realm.
-	RealmID uint
+	RealmID uint `gorm:"type:integer"`
 
 	// ProviderType is the email provider type - it's used to determine the
 	// underlying configuration.
diff --git a/pkg/database/realm.go b/pkg/database/realm.go
index 9c2e108be..228bfba11 100644
--- a/pkg/database/realm.go
+++ b/pkg/database/realm.go
@@ -144,17 +144,17 @@ type Realm struct {
 	UseSystemSMSConfig bool `gorm:"column:use_system_sms_config; type:bool; not null; default:false;"`
 
 	// EmailInviteTemplate is the template for inviting new users.
-	EmailInviteTemplate string `gorm:"type:varchar(400);"`
+	EmailInviteTemplate string `gorm:"type:text;"`
 
 	// EmailPasswordResetTemplate is the template for resetting password.
-	EmailPasswordResetTemplate string `gorm:"type:varchar(400);"`
+	EmailPasswordResetTemplate string `gorm:"type:text;"`
 
 	// EmailVerifyTemplate is the template used for email verification.
-	EmailVerifyTemplate string `gorm:"type:varchar(400);"`
+	EmailVerifyTemplate string `gorm:"type:text;"`
 
 	// CanUseSystemEmailConfig is configured by system administrators to share the
 	// system email config with this realm. Note that the system email config could be
-	// empty and a local SMS config is preferred over the system value.
+	// empty and a local email config is preferred over the system value.
 	CanUseSystemEmailConfig bool `gorm:"column:can_use_system_email_config; type:bool; not null; default:false;"`
 
 	// UseSystemEmailConfig is a realm-level configuration that lets a realm opt-out

From b953abf6df3b7f33b59f7c3b9946c72ff1300f2c Mon Sep 17 00:00:00 2001
From: Weston Haught <whaught@google.com>
Date: Thu, 15 Oct 2020 14:10:47 -0700
Subject: [PATCH 07/31] words

---
 cmd/server/assets/realmadmin/_form_email.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cmd/server/assets/realmadmin/_form_email.html b/cmd/server/assets/realmadmin/_form_email.html
index 70a6342f3..9c3c8886b 100644
--- a/cmd/server/assets/realmadmin/_form_email.html
+++ b/cmd/server/assets/realmadmin/_form_email.html
@@ -6,7 +6,7 @@
 
 <p class="mb-4">
   These are the settings for configuring an SMTP email provider. The verification server
-  may use this email account to send invitations, password resets, and account-verifications
+  will use this email account to send invitations, password resets, and account-verifications
   for the realm.
 </p>
 

From 5bb6a212e88b782eb7c3cc7476ef94f08fa9936a Mon Sep 17 00:00:00 2001
From: Weston Haught <whaught@google.com>
Date: Thu, 15 Oct 2020 14:38:54 -0700
Subject: [PATCH 08/31] remaining migration

---
 pkg/database/email_config.go |  5 -----
 pkg/database/migrations.go   | 21 +++++++++++++++------
 pkg/database/sms_config.go   |  5 -----
 3 files changed, 15 insertions(+), 16 deletions(-)

diff --git a/pkg/database/email_config.go b/pkg/database/email_config.go
index 9ebdfb359..d3fc006ff 100644
--- a/pkg/database/email_config.go
+++ b/pkg/database/email_config.go
@@ -108,8 +108,3 @@ func (db *Database) SaveEmailConfig(s *EmailConfig) error {
 	}
 	return db.db.Save(s).Error
 }
-
-// DeleteEmailConfig removes an email configuration record.
-func (db *Database) DeleteEmailConfig(s *EmailConfig) error {
-	return db.db.Unscoped().Delete(s).Error
-}
diff --git a/pkg/database/migrations.go b/pkg/database/migrations.go
index cd5786e31..31e633e9b 100644
--- a/pkg/database/migrations.go
+++ b/pkg/database/migrations.go
@@ -1505,6 +1505,11 @@ func (db *Database) getMigrations(ctx context.Context) *gormigrate.Gormigrate {
 					`UPDATE realms SET use_system_email_config = FALSE WHERE use_system_email_config IS NULL`,
 					`ALTER TABLE realms ALTER COLUMN use_system_email_config SET DEFAULT FALSE`,
 					`ALTER TABLE realms ALTER COLUMN use_system_email_config SET NOT NULL`,
+
+					// Add templates
+					`ALTER TABLE realms ADD COLUMN IF NOT EXISTS email_invite_template text`,
+					`ALTER TABLE realms ADD COLUMN IF NOT EXISTS email_password_reset_template text`,
+					`ALTER TABLE realms ADD COLUMN IF NOT EXISTS email_verify_template text`,
 				}
 
 				for _, sql := range sqls {
@@ -1517,13 +1522,17 @@ func (db *Database) getMigrations(ctx context.Context) *gormigrate.Gormigrate {
 			},
 			Rollback: func(tx *gorm.DB) error {
 				sqls := []string{
-					`ALTER TABLE sms_configs DROP COLUMN IF EXISTS is_system`,
-					`DROP INDEX IF EXISTS uix_sms_configs_is_system_true`,
-					`ALTER TABLE sms_configs DROP CONSTRAINT IF EXISTS nn_sms_configs_realm_id`,
-					`ALTER TABLE sms_configs DROP CONSTRAINT IF EXISTS uix_sms_configs_realm_id`,
+					`ALTER TABLE email_configs DROP COLUMN IF EXISTS is_system`,
+					`DROP INDEX IF EXISTS uix_email_configs_is_system_true`,
+					`ALTER TABLE email_configs DROP CONSTRAINT IF EXISTS nn_email_configs_realm_id`,
+					`ALTER TABLE email_configs DROP CONSTRAINT IF EXISTS uix_email_configs_realm_id`,
 
-					`ALTER TABLE realms DROP COLUMN IF EXISTS can_use_system_sms_config`,
-					`ALTER TABLE realms DROP COLUMN IF EXISTS use_system_sms_config`,
+					`ALTER TABLE realms DROP COLUMN IF EXISTS can_use_system_email_config`,
+					`ALTER TABLE realms DROP COLUMN IF EXISTS use_system_email_config`,
+
+					`ALTER TABLE realms DROP COLUMN IF EXISTS email_invite_template`,
+					`ALTER TABLE realms DROP COLUMN IF EXISTS email_password_reset_template`,
+					`ALTER TABLE realms DROP COLUMN IF EXISTS email_verify_template`,
 				}
 
 				for _, sql := range sqls {
diff --git a/pkg/database/sms_config.go b/pkg/database/sms_config.go
index 5a73554e1..17d4ba95c 100644
--- a/pkg/database/sms_config.go
+++ b/pkg/database/sms_config.go
@@ -108,8 +108,3 @@ func (db *Database) SaveSMSConfig(s *SMSConfig) error {
 	}
 	return db.db.Save(s).Error
 }
-
-// DeleteSMSConfig removes an SMS configuration record.
-func (db *Database) DeleteSMSConfig(s *SMSConfig) error {
-	return db.db.Unscoped().Delete(s).Error
-}

From 14766447a638db8873e77fb9d1837c9b7415f46d Mon Sep 17 00:00:00 2001
From: Weston Haught <whaught@google.com>
Date: Thu, 15 Oct 2020 14:49:46 -0700
Subject: [PATCH 09/31] fix form fields

---
 cmd/server/assets/realmadmin/_form_email.html | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/cmd/server/assets/realmadmin/_form_email.html b/cmd/server/assets/realmadmin/_form_email.html
index 9c3c8886b..f9f9363a7 100644
--- a/cmd/server/assets/realmadmin/_form_email.html
+++ b/cmd/server/assets/realmadmin/_form_email.html
@@ -14,8 +14,8 @@
   {{ .csrfField }}
   <input type="hidden" name="email" value="1" />
 
-  {{if $realm.CanUseSystemSMTPConfig}}
-    {{if $realm.UseSystemSMTPConfig}}
+  {{if $realm.CanUseSystemEmailConfig}}
+    {{if $realm.UseSystemEmailConfig}}
       <div class="alert alert-danger">
         <strong>Warning!</strong> You are currently using the system-provided
         SMTP email configuration. Specifying values below will override the system
@@ -24,7 +24,7 @@
     {{end}}
 
     <div class="form-group form-check">
-      <input type="checkbox" name="use_system_smtp_config" id="use-system-smtp-config" class="form-check-input" value="1" {{if $realm.UseSystemSMTPConfig}} checked{{end}}
+      <input type="checkbox" name="use_system_smtp_config" id="use-system-smtp-config" class="form-check-input" value="1" {{if $realm.UseSystemEmailConfig}} checked{{end}}
         data-toggle="collapse" data-target="#smtp-form">
       <label class="form-check-label" for="use-system-smtp-config">
         Use system SMTP configuration

From 48df05ae4f51c11cc03253d7c28a531c0f450e6d Mon Sep 17 00:00:00 2001
From: Weston Haught <whaught@google.com>
Date: Thu, 15 Oct 2020 14:57:19 -0700
Subject: [PATCH 10/31] default port

---
 cmd/server/assets/realmadmin/_form_email.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cmd/server/assets/realmadmin/_form_email.html b/cmd/server/assets/realmadmin/_form_email.html
index f9f9363a7..8b6f34fe7 100644
--- a/cmd/server/assets/realmadmin/_form_email.html
+++ b/cmd/server/assets/realmadmin/_form_email.html
@@ -72,7 +72,7 @@
 
     <div class="form-label-group">
       <input name="smtp_port" id="smtp-port" class="form-control text-monospace{{if $emailConfig.ErrorsFor "smtpPort"}} is-invalid{{end}}"
-        placeholder="SMTP port" value="{{if $emailConfig}}{{$emailConfig.SMTPPort}}{{end}}" />
+        placeholder="SMTP port" value="{{if $emailConfig}}{{$emailConfig.SMTPPort}}{{else}}587{{end}}" />
       <label for="smtp-port">SMTP port</label>
       {{template "errorable" $emailConfig.ErrorsFor "smtpPort"}}
       <small class="form-text text-muted">

From 257a98f24812d94062d06266082df1c516033d09 Mon Sep 17 00:00:00 2001
From: Weston Haught <whaught@google.com>
Date: Thu, 15 Oct 2020 15:03:12 -0700
Subject: [PATCH 11/31] provider type

---
 pkg/database/realm.go | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/pkg/database/realm.go b/pkg/database/realm.go
index 228bfba11..06cc230af 100644
--- a/pkg/database/realm.go
+++ b/pkg/database/realm.go
@@ -540,10 +540,11 @@ func (r *Realm) EmailProvider(db *Database) (email.Provider, error) {
 
 	ctx := context.Background()
 	provider, err := email.ProviderFor(ctx, &email.Config{
-		User:     emailConfig.SMTPAccount,
-		Password: emailConfig.SMTPPassword,
-		SMTPHost: emailConfig.SMTPHost,
-		SMTPPort: emailConfig.SMTPPort,
+		ProviderType: email.ProviderType(emailConfig.ProviderType),
+		User:         emailConfig.SMTPAccount,
+		Password:     emailConfig.SMTPPassword,
+		SMTPHost:     emailConfig.SMTPHost,
+		SMTPPort:     emailConfig.SMTPPort,
 	})
 	if err != nil {
 		return nil, err

From 996fe11cbb325652d18f127281a49cca3ee9e50f Mon Sep 17 00:00:00 2001
From: Weston Haught <whaught@google.com>
Date: Thu, 15 Oct 2020 15:20:17 -0700
Subject: [PATCH 12/31] actually save settings

---
 pkg/controller/realmadmin/express.go  |   8 +-
 pkg/controller/realmadmin/settings.go | 104 +++++++++++++++++++++++---
 2 files changed, 99 insertions(+), 13 deletions(-)

diff --git a/pkg/controller/realmadmin/express.go b/pkg/controller/realmadmin/express.go
index 1c214a3a6..63ff0f166 100644
--- a/pkg/controller/realmadmin/express.go
+++ b/pkg/controller/realmadmin/express.go
@@ -46,7 +46,7 @@ func (c *Controller) HandleDisableExpress() http.Handler {
 
 		if !realm.EnableENExpress {
 			flash.Error("Realm is not currently enrolled in EN Express.")
-			c.renderSettings(ctx, w, r, realm, nil, 0, 0)
+			c.renderSettings(ctx, w, r, realm, nil, nil, 0, 0)
 			return
 		}
 
@@ -56,7 +56,7 @@ func (c *Controller) HandleDisableExpress() http.Handler {
 		if err := c.db.SaveRealm(realm, currentUser); err != nil {
 			flash.Error("Failed to disable EN Express: %v", err)
 
-			c.renderSettings(ctx, w, r, realm, nil, 0, 0)
+			c.renderSettings(ctx, w, r, realm, nil, nil, 0, 0)
 			return
 		}
 
@@ -90,7 +90,7 @@ func (c *Controller) HandleEnableExpress() http.Handler {
 
 		if realm.EnableENExpress {
 			flash.Error("Realm already has EN Express Enabled.")
-			c.renderSettings(ctx, w, r, realm, nil, 0, 0)
+			c.renderSettings(ctx, w, r, realm, nil, nil, 0, 0)
 			return
 		}
 
@@ -110,7 +110,7 @@ func (c *Controller) HandleEnableExpress() http.Handler {
 			// This will allow the user to correct other validation errors and then click "uprade" again.
 			realm.EnableENExpress = false
 			realm.SMSTextTemplate = enxSettings.SMSTextTemplate
-			c.renderSettings(ctx, w, r, realm, nil, 0, 0)
+			c.renderSettings(ctx, w, r, realm, nil, nil, 0, 0)
 			return
 		}
 
diff --git a/pkg/controller/realmadmin/settings.go b/pkg/controller/realmadmin/settings.go
index abfcc37fd..7e62ecdb0 100644
--- a/pkg/controller/realmadmin/settings.go
+++ b/pkg/controller/realmadmin/settings.go
@@ -21,6 +21,7 @@ import (
 
 	"github.com/google/exposure-notifications-verification-server/pkg/controller"
 	"github.com/google/exposure-notifications-verification-server/pkg/database"
+	"github.com/google/exposure-notifications-verification-server/pkg/email"
 	"github.com/google/exposure-notifications-verification-server/pkg/sms"
 )
 
@@ -66,6 +67,13 @@ func (c *Controller) HandleSettings() http.Handler {
 		TwilioAuthToken    string `form:"twilio_auth_token"`
 		TwilioFromNumber   string `form:"twilio_from_number"`
 
+		Email                bool   `form:"email"`
+		UseSystemEmailConfig bool   `form:"use_system_email_config"`
+		SMTPAccount          string `form:"smtp-account"`
+		SMTPPassword         string `form:"smtp-password"`
+		SMTPHost             string `form:"smtp-host"`
+		SMTPPort             string `form:"smtp-port"`
+
 		Security                    bool   `form:"security"`
 		MFAMode                     int16  `form:"mfa_mode"`
 		MFARequiredGracePeriod      int64  `form:"mfa_grace_period"`
@@ -120,14 +128,14 @@ func (c *Controller) HandleSettings() http.Handler {
 		}
 
 		if r.Method == http.MethodGet {
-			c.renderSettings(ctx, w, r, realm, nil, quotaLimit, quotaRemaining)
+			c.renderSettings(ctx, w, r, realm, nil, nil, quotaLimit, quotaRemaining)
 			return
 		}
 
 		var form FormData
 		if err := controller.BindForm(w, r, &form); err != nil {
 			flash.Error("Failed to process form: %v", err)
-			c.renderSettings(ctx, w, r, realm, nil, quotaLimit, quotaRemaining)
+			c.renderSettings(ctx, w, r, realm, nil, nil, quotaLimit, quotaRemaining)
 			return
 		}
 
@@ -159,6 +167,11 @@ func (c *Controller) HandleSettings() http.Handler {
 			realm.SMSCountry = form.SMSCountry
 		}
 
+		// Email
+		if form.Email {
+			realm.UseSystemEmailConfig = form.UseSystemEmailConfig
+		}
+
 		// Security
 		if form.Security {
 			realm.EmailVerifiedMode = database.AuthRequirement(form.EmailVerifiedMode)
@@ -171,7 +184,7 @@ func (c *Controller) HandleSettings() http.Handler {
 			if err != nil {
 				realm.AddError("allowedCIDRsAdminAPI", err.Error())
 				flash.Error("Failed to update realm")
-				c.renderSettings(ctx, w, r, realm, nil, quotaLimit, quotaRemaining)
+				c.renderSettings(ctx, w, r, realm, nil, nil, quotaLimit, quotaRemaining)
 				return
 			}
 			realm.AllowedCIDRsAdminAPI = allowedCIDRsAdminADPI
@@ -180,7 +193,7 @@ func (c *Controller) HandleSettings() http.Handler {
 			if err != nil {
 				realm.AddError("allowedCIDRsAPIServer", err.Error())
 				flash.Error("Failed to update realm")
-				c.renderSettings(ctx, w, r, realm, nil, quotaLimit, quotaRemaining)
+				c.renderSettings(ctx, w, r, realm, nil, nil, quotaLimit, quotaRemaining)
 				return
 			}
 			realm.AllowedCIDRsAPIServer = allowedCIDRsAPIServer
@@ -189,7 +202,7 @@ func (c *Controller) HandleSettings() http.Handler {
 			if err != nil {
 				realm.AddError("allowedCIDRsServer", err.Error())
 				flash.Error("Failed to update realm")
-				c.renderSettings(ctx, w, r, realm, nil, quotaLimit, quotaRemaining)
+				c.renderSettings(ctx, w, r, realm, nil, nil, quotaLimit, quotaRemaining)
 				return
 			}
 			realm.AllowedCIDRsServer = allowedCIDRsServer
@@ -230,7 +243,7 @@ func (c *Controller) HandleSettings() http.Handler {
 		// Save realm
 		if err := c.db.SaveRealm(realm, currentUser); err != nil {
 			flash.Error("Failed to update realm: %v", err)
-			c.renderSettings(ctx, w, r, realm, nil, quotaLimit, quotaRemaining)
+			c.renderSettings(ctx, w, r, realm, nil, nil, quotaLimit, quotaRemaining)
 			return
 		}
 
@@ -252,7 +265,7 @@ func (c *Controller) HandleSettings() http.Handler {
 
 				if err := c.db.SaveSMSConfig(smsConfig); err != nil {
 					flash.Error("Failed to update realm: %v", err)
-					c.renderSettings(ctx, w, r, realm, smsConfig, quotaLimit, quotaRemaining)
+					c.renderSettings(ctx, w, r, realm, smsConfig, nil, quotaLimit, quotaRemaining)
 					return
 				}
 			} else {
@@ -268,7 +281,49 @@ func (c *Controller) HandleSettings() http.Handler {
 
 				if err := c.db.SaveSMSConfig(smsConfig); err != nil {
 					flash.Error("Failed to update realm: %v", err)
-					c.renderSettings(ctx, w, r, realm, smsConfig, quotaLimit, quotaRemaining)
+					c.renderSettings(ctx, w, r, realm, smsConfig, nil, quotaLimit, quotaRemaining)
+					return
+				}
+			}
+		}
+
+		// Email
+		if form.Email && !form.UseSystemEmailConfig {
+			// Fetch the existing Email config record, if one exists
+			emailConfig, err := realm.EmailConfig(c.db)
+			if err != nil && !database.IsNotFound(err) {
+				controller.InternalError(w, r, c.h, err)
+				return
+			}
+			if emailConfig != nil && !emailConfig.IsSystem {
+				// We have an existing record and the existing record is NOT the system
+				// record.
+				emailConfig.ProviderType = email.ProviderTypeSMTP
+				emailConfig.SMTPAccount = form.SMTPAccount
+				emailConfig.SMTPPassword = form.SMTPPassword
+				emailConfig.SMTPHost = form.SMTPHost
+				emailConfig.SMTPPort = form.SMTPPort
+
+				if err := c.db.SaveEmailConfig(emailConfig); err != nil {
+					flash.Error("Failed to update realm: %v", err)
+					c.renderSettings(ctx, w, r, realm, nil, emailConfig, quotaLimit, quotaRemaining)
+					return
+				}
+			} else {
+				// There's no record or the existing record was the system config so we
+				// want to create our own.
+				emailConfig := &database.EmailConfig{
+					RealmID:      realm.ID,
+					ProviderType: email.ProviderTypeSMTP,
+					SMTPAccount:  form.SMTPAccount,
+					SMTPPassword: form.SMTPPassword,
+					SMTPHost:     form.SMTPHost,
+					SMTPPort:     form.SMTPPort,
+				}
+
+				if err := c.db.SaveEmailConfig(emailConfig); err != nil {
+					flash.Error("Failed to update realm: %v", err)
+					c.renderSettings(ctx, w, r, realm, nil, emailConfig, quotaLimit, quotaRemaining)
 					return
 				}
 			}
@@ -294,7 +349,9 @@ func (c *Controller) HandleSettings() http.Handler {
 	})
 }
 
-func (c *Controller) renderSettings(ctx context.Context, w http.ResponseWriter, r *http.Request, realm *database.Realm, smsConfig *database.SMSConfig, quotaLimit, quotaRemaining uint64) {
+func (c *Controller) renderSettings(
+	ctx context.Context, w http.ResponseWriter, r *http.Request, realm *database.Realm,
+	smsConfig *database.SMSConfig, emailConfig *database.EmailConfig, quotaLimit, quotaRemaining uint64) {
 	if smsConfig == nil {
 		var err error
 		smsConfig, err = realm.SMSConfig(c.db)
@@ -307,6 +364,18 @@ func (c *Controller) renderSettings(ctx context.Context, w http.ResponseWriter,
 		}
 	}
 
+	if emailConfig == nil {
+		var err error
+		emailConfig, err = realm.EmailConfig(c.db)
+		if err != nil {
+			if !database.IsNotFound(err) {
+				controller.InternalError(w, r, c.h, err)
+				return
+			}
+			emailConfig = new(database.EmailConfig)
+		}
+	}
+
 	// Don't pass through the system config to the template - we don't want to
 	// risk accidentally rendering its ID or values since the realm should never
 	// see these values. However, we have to go lookup the actual SMS config
@@ -328,9 +397,26 @@ func (c *Controller) renderSettings(ctx context.Context, w http.ResponseWriter,
 		}
 	}
 
+	if emailConfig.IsSystem {
+		var tmpRealm database.Realm
+		tmpRealm.ID = realm.ID
+		tmpRealm.UseSystemEmailConfig = false
+
+		var err error
+		emailConfig, err = tmpRealm.EmailConfig(c.db)
+		if err != nil {
+			if !database.IsNotFound(err) {
+				controller.InternalError(w, r, c.h, err)
+				return
+			}
+			emailConfig = new(database.EmailConfig)
+		}
+	}
+
 	m := controller.TemplateMapFromContext(ctx)
 	m["realm"] = realm
 	m["smsConfig"] = smsConfig
+	m["emailConfig"] = emailConfig
 	m["countries"] = database.Countries
 	m["testTypes"] = map[string]database.TestType{
 		"confirmed": database.TestTypeConfirmed,

From 0d353be90f367d162bdf1cfad8e01b3d917671ec Mon Sep 17 00:00:00 2001
From: Weston Haught <whaught@google.com>
Date: Thu, 15 Oct 2020 15:30:10 -0700
Subject: [PATCH 13/31] tested

---
 cmd/server/assets/realmadmin/_form_email.html | 3 +--
 pkg/controller/realmadmin/settings.go         | 8 ++++----
 pkg/database/realm.go                         | 4 ++--
 3 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/cmd/server/assets/realmadmin/_form_email.html b/cmd/server/assets/realmadmin/_form_email.html
index 8b6f34fe7..0fc4eae12 100644
--- a/cmd/server/assets/realmadmin/_form_email.html
+++ b/cmd/server/assets/realmadmin/_form_email.html
@@ -1,8 +1,7 @@
 {{define "realmadmin/_form_email"}}
 
 {{$realm := .realm}}
-{{$emailConfig := .smtpConfig}}
-{{$countries := .countries}}
+{{$emailConfig := .emailConfig}}
 
 <p class="mb-4">
   These are the settings for configuring an SMTP email provider. The verification server
diff --git a/pkg/controller/realmadmin/settings.go b/pkg/controller/realmadmin/settings.go
index 7e62ecdb0..9cf8bd84f 100644
--- a/pkg/controller/realmadmin/settings.go
+++ b/pkg/controller/realmadmin/settings.go
@@ -69,10 +69,10 @@ func (c *Controller) HandleSettings() http.Handler {
 
 		Email                bool   `form:"email"`
 		UseSystemEmailConfig bool   `form:"use_system_email_config"`
-		SMTPAccount          string `form:"smtp-account"`
-		SMTPPassword         string `form:"smtp-password"`
-		SMTPHost             string `form:"smtp-host"`
-		SMTPPort             string `form:"smtp-port"`
+		SMTPAccount          string `form:"smtp_account"`
+		SMTPPassword         string `form:"smtp_password"`
+		SMTPHost             string `form:"smtp_host"`
+		SMTPPort             string `form:"smtp_port"`
 
 		Security                    bool   `form:"security"`
 		MFAMode                     int16  `form:"mfa_mode"`
diff --git a/pkg/database/realm.go b/pkg/database/realm.go
index 06cc230af..03574eac7 100644
--- a/pkg/database/realm.go
+++ b/pkg/database/realm.go
@@ -482,8 +482,8 @@ func (r *Realm) SMSProvider(db *Database) (sms.Provider, error) {
 	return provider, nil
 }
 
-// EmailConfig returns the SMS configuration for this realm, if one exists. If the
-// realm is configured to use the system SMS configuration, that configuration
+// EmailConfig returns the email configuration for this realm, if one exists. If the
+// realm is configured to use the system email configuration, that configuration
 // is preferred.
 func (r *Realm) EmailConfig(db *Database) (*EmailConfig, error) {
 	q := db.db.

From 7457237c76209b4b7d1fb05fd9f7d7a50f4c3abc Mon Sep 17 00:00:00 2001
From: Weston Haught <whaught@google.com>
Date: Fri, 16 Oct 2020 09:32:24 -0700
Subject: [PATCH 14/31] use realm emailer to send mail

---
 cmd/server/main.go                 | 13 +-------
 pkg/config/server_config.go        |  2 --
 pkg/controller/user/controller.go  |  4 ---
 pkg/controller/user/importbatch.go | 48 +++++++++++++++++++-----------
 4 files changed, 32 insertions(+), 35 deletions(-)

diff --git a/cmd/server/main.go b/cmd/server/main.go
index 06eb26240..e253a49a5 100644
--- a/cmd/server/main.go
+++ b/cmd/server/main.go
@@ -40,7 +40,6 @@ import (
 	"github.com/google/exposure-notifications-verification-server/pkg/controller/realmadmin"
 	"github.com/google/exposure-notifications-verification-server/pkg/controller/realmkeys"
 	"github.com/google/exposure-notifications-verification-server/pkg/controller/user"
-	"github.com/google/exposure-notifications-verification-server/pkg/email"
 	"github.com/google/exposure-notifications-verification-server/pkg/ratelimit"
 	"github.com/google/exposure-notifications-verification-server/pkg/ratelimit/limitware"
 	"github.com/google/exposure-notifications-verification-server/pkg/render"
@@ -156,16 +155,6 @@ func realMain(ctx context.Context) error {
 		return fmt.Errorf("failed to create renderer: %w", err)
 	}
 
-	// Setup server emailer
-	var emailer email.Provider
-	if cfg.Email.HasSMTPCreds() {
-		cfg.Email.ProviderType = email.ProviderTypeSMTP
-		emailer, err = email.ProviderFor(ctx, &cfg.Email)
-		if err != nil {
-			return fmt.Errorf("failed to configure internal firebase client: %w", err)
-		}
-	}
-
 	// Rate limiting
 	limiterStore, err := ratelimit.RateLimiterFor(ctx, &cfg.RateLimit)
 	if err != nil {
@@ -374,7 +363,7 @@ func realMain(ctx context.Context) error {
 		userSub.Use(requireMFA)
 		userSub.Use(rateLimit)
 
-		userController := user.New(ctx, firebaseInternal, auth, emailer, cacher, cfg, db, h)
+		userController := user.New(ctx, firebaseInternal, auth, cacher, cfg, db, h)
 		userSub.Handle("", userController.HandleIndex()).Methods("GET")
 		userSub.Handle("", userController.HandleIndex()).
 			Queries("offset", "{[0-9]*}", "email", "").Methods("GET")
diff --git a/pkg/config/server_config.go b/pkg/config/server_config.go
index 5a003fa4e..ef51c1f37 100644
--- a/pkg/config/server_config.go
+++ b/pkg/config/server_config.go
@@ -21,7 +21,6 @@ import (
 
 	"github.com/google/exposure-notifications-verification-server/pkg/cache"
 	"github.com/google/exposure-notifications-verification-server/pkg/database"
-	"github.com/google/exposure-notifications-verification-server/pkg/email"
 	"github.com/google/exposure-notifications-verification-server/pkg/ratelimit"
 
 	"github.com/google/exposure-notifications-server/pkg/observability"
@@ -52,7 +51,6 @@ type ServerConfig struct {
 	Database      database.Config
 	Observability observability.Config
 	Cache         cache.Config
-	Email         email.Config
 
 	Port string `env:"PORT,default=8080"`
 
diff --git a/pkg/controller/user/controller.go b/pkg/controller/user/controller.go
index 0974dc99c..9e345d230 100644
--- a/pkg/controller/user/controller.go
+++ b/pkg/controller/user/controller.go
@@ -23,7 +23,6 @@ import (
 	"github.com/google/exposure-notifications-verification-server/pkg/cache"
 	"github.com/google/exposure-notifications-verification-server/pkg/config"
 	"github.com/google/exposure-notifications-verification-server/pkg/database"
-	"github.com/google/exposure-notifications-verification-server/pkg/email"
 	"github.com/google/exposure-notifications-verification-server/pkg/render"
 
 	"github.com/google/exposure-notifications-server/pkg/logging"
@@ -36,7 +35,6 @@ type Controller struct {
 	cacher           cache.Cacher
 	firebaseInternal *firebase.Client
 	client           *auth.Client
-	emailer          email.Provider
 	config           *config.ServerConfig
 	db               *database.Database
 	h                *render.Renderer
@@ -48,7 +46,6 @@ func New(
 	ctx context.Context,
 	firebaseInternal *firebase.Client,
 	client *auth.Client,
-	emailer email.Provider,
 	cacher cache.Cacher,
 	config *config.ServerConfig,
 	db *database.Database,
@@ -59,7 +56,6 @@ func New(
 		cacher:           cacher,
 		firebaseInternal: firebaseInternal,
 		client:           client,
-		emailer:          emailer,
 		config:           config,
 		db:               db,
 		h:                h,
diff --git a/pkg/controller/user/importbatch.go b/pkg/controller/user/importbatch.go
index f835afd8b..4de3e0d62 100644
--- a/pkg/controller/user/importbatch.go
+++ b/pkg/controller/user/importbatch.go
@@ -109,24 +109,8 @@ func (c *Controller) HandleImportBatch() http.Handler {
 }
 
 func (c *Controller) sendInvitation(ctx context.Context, toEmail string) error {
-	// Send email with emailer
-	if c.emailer != nil {
-		realmName := ""
-		if realm := controller.RealmFromContext(ctx); realm != nil {
-			realmName = realm.Name
-		}
-
-		from := c.emailer.From()
-		message, err := controller.ComposeInviteEmail(ctx, c.h, c.client, toEmail, from, realmName)
-		if err != nil {
-			c.logger.Warnw("failed composing invitation", "error", err)
-			return fmt.Errorf("failed composing invitation: %w", err)
-		}
-		if err := c.emailer.SendEmail(ctx, toEmail, message); err != nil {
-			c.logger.Warnw("failed sending invitation", "error", err)
-			return fmt.Errorf("failed sending invitation: %w", err)
-		}
 
+	if err := c.sendInvitationFromRealmEmailer(ctx, toEmail); err == nil {
 		return nil
 	}
 
@@ -138,3 +122,33 @@ func (c *Controller) sendInvitation(ctx context.Context, toEmail string) error {
 	}
 	return nil
 }
+
+func (c *Controller) sendInvitationFromRealmEmailer(ctx context.Context, toEmail string) error {
+	// Send email with realm email config
+	realm := controller.RealmFromContext(ctx)
+	if realm == nil {
+		return errors.New("no realm found")
+	}
+
+	emailer, err := realm.EmailProvider(c.db)
+	if emailer == nil {
+		return errors.New("no emailer found")
+	}
+	if err != nil {
+		c.logger.Warnw("failed to get emailer for realm:", "error", err)
+		return errors.New("failed to get emailer for realm: %w", err)
+	}
+
+	message, err := controller.ComposeInviteEmail(ctx, c.h, c.client, toEmail, emailer.From(), realm.Name)
+	if err != nil {
+		c.logger.Warnw("failed composing invitation", "error", err)
+		return fmt.Errorf("failed composing invitation: %w", err)
+	}
+
+	if err := emailer.SendEmail(ctx, toEmail, message); err != nil {
+		c.logger.Warnw("failed sending invitation", "error", err)
+		return fmt.Errorf("failed sending invitation: %w", err)
+	}
+
+	return nil
+}

From 57011e8c5b7db75175fb1ef7a849e52a5dd9851a Mon Sep 17 00:00:00 2001
From: Weston Haught <whaught@google.com>
Date: Fri, 16 Oct 2020 09:34:50 -0700
Subject: [PATCH 15/31] fix error

---
 pkg/controller/user/importbatch.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/controller/user/importbatch.go b/pkg/controller/user/importbatch.go
index 4de3e0d62..66740e906 100644
--- a/pkg/controller/user/importbatch.go
+++ b/pkg/controller/user/importbatch.go
@@ -136,7 +136,7 @@ func (c *Controller) sendInvitationFromRealmEmailer(ctx context.Context, toEmail
 	}
 	if err != nil {
 		c.logger.Warnw("failed to get emailer for realm:", "error", err)
-		return errors.New("failed to get emailer for realm: %w", err)
+		return fmt.Errorf("failed to get emailer for realm: %w", err)
 	}
 
 	message, err := controller.ComposeInviteEmail(ctx, c.h, c.client, toEmail, emailer.From(), realm.Name)

From 80a127698d6d42b8b9a8f95cb2a4512cabec6d32 Mon Sep 17 00:00:00 2001
From: Weston Haught <whaught@google.com>
Date: Fri, 16 Oct 2020 09:36:54 -0700
Subject: [PATCH 16/31] sned invite

---
 pkg/controller/user/importbatch.go | 47 ---------------------
 pkg/controller/user/send_invite.go | 67 ++++++++++++++++++++++++++++++
 2 files changed, 67 insertions(+), 47 deletions(-)
 create mode 100644 pkg/controller/user/send_invite.go

diff --git a/pkg/controller/user/importbatch.go b/pkg/controller/user/importbatch.go
index 66740e906..fda8adb57 100644
--- a/pkg/controller/user/importbatch.go
+++ b/pkg/controller/user/importbatch.go
@@ -15,9 +15,7 @@
 package user
 
 import (
-	"context"
 	"errors"
-	"fmt"
 	"net/http"
 
 	"github.com/google/exposure-notifications-verification-server/pkg/api"
@@ -107,48 +105,3 @@ func (c *Controller) HandleImportBatch() http.Handler {
 		c.h.RenderJSON(w, http.StatusOK, response)
 	})
 }
-
-func (c *Controller) sendInvitation(ctx context.Context, toEmail string) error {
-
-	if err := c.sendInvitationFromRealmEmailer(ctx, toEmail); err == nil {
-		return nil
-	}
-
-	// Fallback to Firebase
-
-	if err := c.firebaseInternal.SendNewUserInvitation(ctx, toEmail); err != nil {
-		c.logger.Warnw("failed sending invitation", "error", err)
-		return fmt.Errorf("failed sending invitation: %w", err)
-	}
-	return nil
-}
-
-func (c *Controller) sendInvitationFromRealmEmailer(ctx context.Context, toEmail string) error {
-	// Send email with realm email config
-	realm := controller.RealmFromContext(ctx)
-	if realm == nil {
-		return errors.New("no realm found")
-	}
-
-	emailer, err := realm.EmailProvider(c.db)
-	if emailer == nil {
-		return errors.New("no emailer found")
-	}
-	if err != nil {
-		c.logger.Warnw("failed to get emailer for realm:", "error", err)
-		return fmt.Errorf("failed to get emailer for realm: %w", err)
-	}
-
-	message, err := controller.ComposeInviteEmail(ctx, c.h, c.client, toEmail, emailer.From(), realm.Name)
-	if err != nil {
-		c.logger.Warnw("failed composing invitation", "error", err)
-		return fmt.Errorf("failed composing invitation: %w", err)
-	}
-
-	if err := emailer.SendEmail(ctx, toEmail, message); err != nil {
-		c.logger.Warnw("failed sending invitation", "error", err)
-		return fmt.Errorf("failed sending invitation: %w", err)
-	}
-
-	return nil
-}
diff --git a/pkg/controller/user/send_invite.go b/pkg/controller/user/send_invite.go
new file mode 100644
index 000000000..03bde39d4
--- /dev/null
+++ b/pkg/controller/user/send_invite.go
@@ -0,0 +1,67 @@
+// Copyright 2020 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package user
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	"github.com/google/exposure-notifications-verification-server/pkg/controller"
+)
+
+func (c *Controller) sendInvitation(ctx context.Context, toEmail string) error {
+	if err := c.sendInvitationFromRealmEmailer(ctx, toEmail); err == nil {
+		return nil
+	}
+
+	// Fallback to Firebase
+
+	if err := c.firebaseInternal.SendNewUserInvitation(ctx, toEmail); err != nil {
+		c.logger.Warnw("failed sending invitation", "error", err)
+		return fmt.Errorf("failed sending invitation: %w", err)
+	}
+	return nil
+}
+
+func (c *Controller) sendInvitationFromRealmEmailer(ctx context.Context, toEmail string) error {
+	// Send email with realm email config
+	realm := controller.RealmFromContext(ctx)
+	if realm == nil {
+		return errors.New("no realm found")
+	}
+
+	emailer, err := realm.EmailProvider(c.db)
+	if emailer == nil {
+		return errors.New("no emailer found")
+	}
+	if err != nil {
+		c.logger.Warnw("failed to get emailer for realm:", "error", err)
+		return fmt.Errorf("failed to get emailer for realm: %w", err)
+	}
+
+	message, err := controller.ComposeInviteEmail(ctx, c.h, c.client, toEmail, emailer.From(), realm.Name)
+	if err != nil {
+		c.logger.Warnw("failed composing invitation", "error", err)
+		return fmt.Errorf("failed composing invitation: %w", err)
+	}
+
+	if err := emailer.SendEmail(ctx, toEmail, message); err != nil {
+		c.logger.Warnw("failed sending invitation", "error", err)
+		return fmt.Errorf("failed sending invitation: %w", err)
+	}
+
+	return nil
+}

From 48300a7959154f447f9b54ffbec154dfadcd3697 Mon Sep 17 00:00:00 2001
From: Weston Haught <whaught@google.com>
Date: Fri, 16 Oct 2020 10:27:09 -0700
Subject: [PATCH 17/31] handle verification email

---
 .../assets/email/default_email_verify.html    |  10 ++
 cmd/server/assets/login/verify-email.html     |  31 ++---
 cmd/server/main.go                            |   4 +-
 pkg/controller/email_compose.go               |  30 +++++
 ...erify_email.go => verify_email_receive.go} |  21 +---
 pkg/controller/login/verify_email_send.go     | 108 ++++++++++++++++++
 6 files changed, 169 insertions(+), 35 deletions(-)
 create mode 100644 cmd/server/assets/email/default_email_verify.html
 rename pkg/controller/login/{verify_email.go => verify_email_receive.go} (63%)
 create mode 100644 pkg/controller/login/verify_email_send.go

diff --git a/cmd/server/assets/email/default_email_verify.html b/cmd/server/assets/email/default_email_verify.html
new file mode 100644
index 000000000..0f8e6499a
--- /dev/null
+++ b/cmd/server/assets/email/default_email_verify.html
@@ -0,0 +1,10 @@
+{{- define "email/verifyemail" -}}
+{{template "email/plainheader" .}}
+
+Hello,
+
+A request was made to verify this email address for {{.RealmName}} COVID-19 exposure notifications verification server.
+Follow the link below to confirm your ownership of this address:
+
+{{.VerifyLink}}
+{{end}}
diff --git a/cmd/server/assets/login/verify-email.html b/cmd/server/assets/login/verify-email.html
index 81f6a2a94..84e165943 100644
--- a/cmd/server/assets/login/verify-email.html
+++ b/cmd/server/assets/login/verify-email.html
@@ -30,10 +30,13 @@
               <p>Email address ownership for <em>{{.currentUser.Email}}</em> is <strong id="not">not</strong> confirmed.
               </p>
 
-              <button id="verify" class="btn btn-primary btn-block" disabled>Send verification email</button>
+              <form method="POST">
+                <button id="verify" class="btn btn-primary btn-block" disabled>Send verification email</button>
 
-              <small class="form-text text-muted">Click to send an email containing a verification
-                link.</small>
+                <small class="form-text text-muted">
+                  Click to send an email containing a verification link.
+                </small>
+              </form>
 
               {{if ne .currentRealm.EmailVerifiedMode.String "required"}}
               <a id="skip" class="card-link float-right mt-3" href="/home">Skip for now</a>
@@ -52,18 +55,18 @@
     let $skip = $('#skip');
     let $not = $('#not');
 
+    {{if eq .emailVerify "send"}}
     $(function() {
-      $verify.on('click', function(event) {
-        let user = firebase.auth().currentUser
-        if (!user.emailVerified) {
-          user.sendEmailVerification().then(function() {
-            flash.clear();
-            flash.alert('Verification email sent.');
-            $verify.prop('disabled', true);
-          });
-        }
-      });
+      let user = firebase.auth().currentUser
+      if (!user.emailVerified) {
+        user.sendEmailVerification().then(function() {
+          flash.clear();
+          flash.alert('Verification email sent.');
+          $verify.prop('disabled', true);
+        });
+      }
     });
+    {{end}}
 
     firebase.auth().onAuthStateChanged(function(user) {
       if (!user) {
@@ -71,7 +74,7 @@
         return;
       }
 
-      if (user.emailVerified) {
+      if ({{if eq .emailVerify "sent"}}true{{else}}user.emailVerified{{end}}) {
         $not.hide();
         $skip.text("Go home");
       } else {
diff --git a/cmd/server/main.go b/cmd/server/main.go
index e253a49a5..edc66c038 100644
--- a/cmd/server/main.go
+++ b/cmd/server/main.go
@@ -229,7 +229,7 @@ func realMain(ctx context.Context) error {
 				Queries("oobCode", "", "mode", "resetPassword").Methods("GET")
 			sub.Handle("/login/manage-account", loginController.HandleSubmitNewPassword()).
 				Queries("oobCode", "", "mode", "resetPassword").Methods("POST")
-			sub.Handle("/login/manage-account", loginController.HandleSubmitVerifyEmail()).
+			sub.Handle("/login/manage-account", loginController.HandleReceiveVerifyEmail()).
 				Queries("oobCode", "{oobCode:.+}", "mode", "{mode:(?:verifyEmail|recoverEmail)}").Methods("GET")
 			sub.Handle("/session", loginController.HandleCreateSession()).Methods("POST")
 			sub.Handle("/signout", loginController.HandleSignOut()).Methods("GET")
@@ -255,6 +255,8 @@ func realMain(ctx context.Context) error {
 			sub.Use(processFirewall)
 			sub.Handle("/login/manage-account", loginController.HandleShowVerifyEmail()).
 				Queries("mode", "verifyEmail").Methods("GET")
+			sub.Handle("/login/manage-account", loginController.HandleSubmitVerifyEmail()).
+				Queries("mode", "verifyEmail").Methods("POST")
 
 			// SMS auth registration is realm-specific, so it needs to load the current realm.
 			sub = r.PathPrefix("").Subrouter()
diff --git a/pkg/controller/email_compose.go b/pkg/controller/email_compose.go
index 0fcfef35c..3d81b33a4 100644
--- a/pkg/controller/email_compose.go
+++ b/pkg/controller/email_compose.go
@@ -51,3 +51,33 @@ func ComposeInviteEmail(
 	}
 	return message, nil
 }
+
+// ComposeEmailVerifyEmail uses the renderer and auth client to generate an email to verify
+// the user's email address.
+func ComposeEmailVerifyEmail(
+	ctx context.Context,
+	h *render.Renderer,
+	auth *auth.Client, toEmail, fromEmail, realmName string) ([]byte, error) {
+	verifyLink, err := auth.EmailVerificationLink(ctx, toEmail)
+	if err != nil {
+		return nil, fmt.Errorf("failed generating verification link: %w", err)
+	}
+
+	// Compose message
+	message, err := h.RenderEmail("email/verifyemail",
+		struct {
+			ToEmail    string
+			FromEmail  string
+			VerifyLink string
+			RealmName  string
+		}{
+			ToEmail:    toEmail,
+			FromEmail:  fromEmail,
+			VerifyLink: verifyLink,
+			RealmName:  realmName,
+		})
+	if err != nil {
+		return nil, fmt.Errorf("failed rendering email verification template: %w", err)
+	}
+	return message, nil
+}
diff --git a/pkg/controller/login/verify_email.go b/pkg/controller/login/verify_email_receive.go
similarity index 63%
rename from pkg/controller/login/verify_email.go
rename to pkg/controller/login/verify_email_receive.go
index 3b0ae2c52..bc4a9413f 100644
--- a/pkg/controller/login/verify_email.go
+++ b/pkg/controller/login/verify_email_receive.go
@@ -21,26 +21,7 @@ import (
 	"github.com/google/exposure-notifications-verification-server/pkg/controller"
 )
 
-func (c *Controller) HandleShowVerifyEmail() http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		ctx := r.Context()
-
-		session := controller.SessionFromContext(ctx)
-		if session == nil {
-			controller.MissingSession(w, r, c.h)
-			return
-		}
-
-		// Mark prompted so we only prompt once.
-		controller.StoreSessionEmailVerificationPrompted(session, true)
-
-		m := controller.TemplateMapFromContext(ctx)
-		m["firebase"] = c.config.Firebase
-		c.h.RenderHTML(w, "login/verify-email", m)
-	})
-}
-
-func (c *Controller) HandleSubmitVerifyEmail() http.Handler {
+func (c *Controller) HandleReceiveVerifyEmail() http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		ctx := r.Context()
 
diff --git a/pkg/controller/login/verify_email_send.go b/pkg/controller/login/verify_email_send.go
new file mode 100644
index 000000000..8f6313cc9
--- /dev/null
+++ b/pkg/controller/login/verify_email_send.go
@@ -0,0 +1,108 @@
+// Copyright 2020 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package login defines the controller for the login page.
+package login
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/http"
+
+	"github.com/google/exposure-notifications-verification-server/pkg/controller"
+)
+
+func (c *Controller) HandleShowVerifyEmail() http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		ctx := r.Context()
+
+		session := controller.SessionFromContext(ctx)
+		if session == nil {
+			controller.MissingSession(w, r, c.h)
+			return
+		}
+
+		// Mark prompted so we only prompt once.
+		controller.StoreSessionEmailVerificationPrompted(session, true)
+
+		c.renderEmailVerify(ctx, w, "")
+	})
+}
+
+func (c *Controller) HandleSubmitVerifyEmail() http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		ctx := r.Context()
+
+		session := controller.SessionFromContext(ctx)
+		if session == nil {
+			controller.MissingSession(w, r, c.h)
+			return
+		}
+		flash := controller.Flash(session)
+
+		currentUser := controller.UserFromContext(ctx)
+		if currentUser == nil {
+			controller.MissingUser(w, r, c.h)
+			return
+		}
+
+		if err := c.sendVerificationFromRealmEmailer(ctx, currentUser.Email); err == nil {
+			flash.Alert("Verification email sent.")
+			c.renderEmailVerify(ctx, w, "sent")
+			return
+		}
+
+		// fallback to firebase
+
+		c.renderEmailVerify(ctx, w, "send")
+	})
+}
+
+func (c *Controller) renderEmailVerify(ctx context.Context, w http.ResponseWriter, sendInvite string) {
+	m := controller.TemplateMapFromContext(ctx)
+	m["sendInvite"] = sendInvite
+	m["firebase"] = c.config.Firebase
+	c.h.RenderHTML(w, "login/verify-email", m)
+}
+
+func (c *Controller) sendVerificationFromRealmEmailer(ctx context.Context, toEmail string) error {
+	// Send email with realm email config
+	realm := controller.RealmFromContext(ctx)
+	if realm == nil {
+		return errors.New("no realm found")
+	}
+
+	emailer, err := realm.EmailProvider(c.db)
+	if emailer == nil {
+		return errors.New("no emailer found")
+	}
+	if err != nil {
+		c.logger.Warnw("failed to get emailer for realm:", "error", err)
+		return fmt.Errorf("failed to get emailer for realm: %w", err)
+	}
+
+	message, err := controller.ComposeInviteEmail(ctx, c.h, c.client, toEmail, emailer.From(), realm.Name)
+	if err != nil {
+		c.logger.Warnw("failed composing email verification", "error", err)
+		return fmt.Errorf("failed composing email verification: %w", err)
+	}
+
+	if err := emailer.SendEmail(ctx, toEmail, message); err != nil {
+		c.logger.Warnw("failed sending email verification", "error", err)
+		return fmt.Errorf("failed sending email verification: %w", err)
+	}
+
+	return nil
+}

From a5a0274655933ada027afb5066bb2c4358e0665c Mon Sep 17 00:00:00 2001
From: Weston Haught <whaught@google.com>
Date: Fri, 16 Oct 2020 11:01:26 -0700
Subject: [PATCH 18/31] reset password from system

---
 .../assets/email/default_reset_password.html  | 10 ++++
 pkg/controller/email_compose.go               | 29 ++++++++++++
 pkg/controller/login/reset_password.go        | 46 ++++++++++++++++++-
 pkg/database/email_config.go                  | 16 +++++++
 pkg/database/realm.go                         | 13 +-----
 5 files changed, 101 insertions(+), 13 deletions(-)
 create mode 100644 cmd/server/assets/email/default_reset_password.html

diff --git a/cmd/server/assets/email/default_reset_password.html b/cmd/server/assets/email/default_reset_password.html
new file mode 100644
index 000000000..a00fda55f
--- /dev/null
+++ b/cmd/server/assets/email/default_reset_password.html
@@ -0,0 +1,10 @@
+{{- define "email/passwordresetemail" -}}
+{{template "email/plainheader" .}}
+
+Hello,
+
+A request was made to reset your password for the COVID-19 exposure notifications verification server.
+Follow the link below to select a new password:
+
+{{.ResetLink}}
+{{end}}
diff --git a/pkg/controller/email_compose.go b/pkg/controller/email_compose.go
index 3d81b33a4..c02b5c221 100644
--- a/pkg/controller/email_compose.go
+++ b/pkg/controller/email_compose.go
@@ -81,3 +81,32 @@ func ComposeEmailVerifyEmail(
 	}
 	return message, nil
 }
+
+// ComposePasswordResetEmail uses the renderer and auth client to generate an email for resetting
+// a user password
+func ComposePasswordResetEmail(
+	ctx context.Context,
+	h *render.Renderer,
+	auth *auth.Client, toEmail, fromEmail string) ([]byte, error) {
+	resetLink, err := auth.PasswordResetLink(ctx, toEmail)
+	if err != nil {
+		return nil, fmt.Errorf("failed generating password reset link: %w", err)
+	}
+
+	// Compose message
+	message, err := h.RenderEmail("email/passwordresetemail",
+		struct {
+			ToEmail   string
+			FromEmail string
+			ResetLink string
+			RealmName string
+		}{
+			ToEmail:   toEmail,
+			FromEmail: fromEmail,
+			ResetLink: resetLink,
+		})
+	if err != nil {
+		return nil, fmt.Errorf("failed rendering password reset template: %w", err)
+	}
+	return message, nil
+}
diff --git a/pkg/controller/login/reset_password.go b/pkg/controller/login/reset_password.go
index 83ebe1af2..f02c70b4b 100644
--- a/pkg/controller/login/reset_password.go
+++ b/pkg/controller/login/reset_password.go
@@ -17,6 +17,8 @@ package login
 
 import (
 	"context"
+	"errors"
+	"fmt"
 	"net/http"
 	"strings"
 
@@ -77,6 +79,48 @@ func (c *Controller) HandleSubmitResetPassword() http.Handler {
 			stats.Record(ctx, controller.MFirebaseRecreates.M(1))
 		}
 
-		c.renderResetPassword(ctx, w, flash, email, true)
+		if err = c.sendResetFromSystemEmailer(ctx, email); err != nil {
+			// fallback to firebase
+			c.renderResetPassword(ctx, w, flash, email, true)
+			return
+		}
+
+		flash.Alert("Password reset email sent.")
+		c.renderResetPassword(ctx, w, flash, email, false)
 	})
 }
+
+func (c *Controller) sendResetFromSystemEmailer(ctx context.Context, toEmail string) error {
+	// Send email with system email config
+
+	emailConfig, err := c.db.SystemEmailConfig()
+	if emailConfig == nil {
+		return fmt.Errorf("no email config found for system: %w", err)
+	}
+	if err != nil {
+		c.logger.Warnw("failed to get email config for system:", "error", err)
+		return fmt.Errorf("failed to get email config for system: %w", err)
+	}
+
+	emailer, err := emailConfig.Provider()
+	if emailer == nil {
+		return errors.New("no emailer found")
+	}
+	if err != nil {
+		c.logger.Warnw("failed to get emailer for realm:", "error", err)
+		return fmt.Errorf("failed to get emailer for realm: %w", err)
+	}
+
+	message, err := controller.ComposePasswordResetEmail(ctx, c.h, c.client, toEmail, emailer.From())
+	if err != nil {
+		c.logger.Warnw("failed composing password reset email", "error", err)
+		return fmt.Errorf("failed composing password reset email: %w", err)
+	}
+
+	if err := emailer.SendEmail(ctx, toEmail, message); err != nil {
+		c.logger.Warnw("failed sending password reset email", "error", err)
+		return fmt.Errorf("failed sending password reset email: %w", err)
+	}
+
+	return nil
+}
diff --git a/pkg/database/email_config.go b/pkg/database/email_config.go
index d3fc006ff..1bcd477ee 100644
--- a/pkg/database/email_config.go
+++ b/pkg/database/email_config.go
@@ -15,6 +15,7 @@
 package database
 
 import (
+	"context"
 	"fmt"
 	"strings"
 
@@ -64,6 +65,21 @@ func (s *EmailConfig) BeforeSave(tx *gorm.DB) error {
 	return nil
 }
 
+func (emailConfig *EmailConfig) Provider() (email.Provider, error) {
+	ctx := context.Background()
+	provider, err := email.ProviderFor(ctx, &email.Config{
+		ProviderType: email.ProviderType(emailConfig.ProviderType),
+		User:         emailConfig.SMTPAccount,
+		Password:     emailConfig.SMTPPassword,
+		SMTPHost:     emailConfig.SMTPHost,
+		SMTPPort:     emailConfig.SMTPPort,
+	})
+	if err != nil {
+		return nil, err
+	}
+	return provider, nil
+}
+
 // SystemEmailConfig returns the system email config, if one exists
 func (db *Database) SystemEmailConfig() (*EmailConfig, error) {
 	var emailConfig EmailConfig
diff --git a/pkg/database/realm.go b/pkg/database/realm.go
index 03574eac7..0089478eb 100644
--- a/pkg/database/realm.go
+++ b/pkg/database/realm.go
@@ -538,18 +538,7 @@ func (r *Realm) EmailProvider(db *Database) (email.Provider, error) {
 		return nil, err
 	}
 
-	ctx := context.Background()
-	provider, err := email.ProviderFor(ctx, &email.Config{
-		ProviderType: email.ProviderType(emailConfig.ProviderType),
-		User:         emailConfig.SMTPAccount,
-		Password:     emailConfig.SMTPPassword,
-		SMTPHost:     emailConfig.SMTPHost,
-		SMTPPort:     emailConfig.SMTPPort,
-	})
-	if err != nil {
-		return nil, err
-	}
-	return provider, nil
+	return emailConfig.Provider()
 }
 
 func (r *Realm) Audits(db *Database) ([]*AuditEntry, error) {

From 4ca5a9aa8ba7a90fe810c3ca19406356dedde618 Mon Sep 17 00:00:00 2001
From: Weston Haught <whaught@google.com>
Date: Fri, 16 Oct 2020 11:25:07 -0700
Subject: [PATCH 19/31] lint

---
 pkg/database/email_config.go | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/pkg/database/email_config.go b/pkg/database/email_config.go
index 1bcd477ee..480e32f22 100644
--- a/pkg/database/email_config.go
+++ b/pkg/database/email_config.go
@@ -50,29 +50,29 @@ type EmailConfig struct {
 	IsSystem bool `gorm:"type:bool; not null; default:false;"`
 }
 
-func (s *EmailConfig) BeforeSave(tx *gorm.DB) error {
+func (e *EmailConfig) BeforeSave(tx *gorm.DB) error {
 	// Email config is all or nothing
-	if (s.SMTPAccount != "" || s.SMTPPassword != "" || s.SMTPHost != "") &&
-		(s.SMTPAccount == "" || s.SMTPPassword == "" || s.SMTPHost == "") {
-		s.AddError("SMTPAccount", "all must be specified or all must be blank")
-		s.AddError("SMTPPassword", "all must be specified or all must be blank")
-		s.AddError("SMTPHost", "all must be specified or all must be blank")
+	if (e.SMTPAccount != "" || e.SMTPPassword != "" || e.SMTPHost != "") &&
+		(e.SMTPAccount == "" || e.SMTPPassword == "" || e.SMTPHost == "") {
+		e.AddError("SMTPAccount", "all must be specified or all must be blank")
+		e.AddError("SMTPPassword", "all must be specified or all must be blank")
+		e.AddError("SMTPHost", "all must be specified or all must be blank")
 	}
 
-	if len(s.Errors()) > 0 {
-		return fmt.Errorf("email config validation failed: %s", strings.Join(s.ErrorMessages(), ", "))
+	if len(e.Errors()) > 0 {
+		return fmt.Errorf("email config validation failed: %s", strings.Join(e.ErrorMessages(), ", "))
 	}
 	return nil
 }
 
-func (emailConfig *EmailConfig) Provider() (email.Provider, error) {
+func (e *EmailConfig) Provider() (email.Provider, error) {
 	ctx := context.Background()
 	provider, err := email.ProviderFor(ctx, &email.Config{
-		ProviderType: email.ProviderType(emailConfig.ProviderType),
-		User:         emailConfig.SMTPAccount,
-		Password:     emailConfig.SMTPPassword,
-		SMTPHost:     emailConfig.SMTPHost,
-		SMTPPort:     emailConfig.SMTPPort,
+		ProviderType: email.ProviderType(e.ProviderType),
+		User:         e.SMTPAccount,
+		Password:     e.SMTPPassword,
+		SMTPHost:     e.SMTPHost,
+		SMTPPort:     e.SMTPPort,
 	})
 	if err != nil {
 		return nil, err

From 3c1576dcb0046ba49aaa427c369d02a2e50251de Mon Sep 17 00:00:00 2001
From: Weston Haught <whaught@google.com>
Date: Fri, 16 Oct 2020 14:05:33 -0700
Subject: [PATCH 20/31] review stuff

---
 .../assets/email/default_email_verify.html    |  5 ++--
 .../assets/email/default_reset_password.html  |  5 ++--
 cmd/server/assets/realmadmin/_form_email.html |  3 ++-
 pkg/database/realm.go                         | 24 -------------------
 4 files changed, 8 insertions(+), 29 deletions(-)

diff --git a/cmd/server/assets/email/default_email_verify.html b/cmd/server/assets/email/default_email_verify.html
index 0f8e6499a..acd5410c5 100644
--- a/cmd/server/assets/email/default_email_verify.html
+++ b/cmd/server/assets/email/default_email_verify.html
@@ -3,8 +3,9 @@
 
 Hello,
 
-A request was made to verify this email address for {{.RealmName}} COVID-19 exposure notifications verification server.
-Follow the link below to confirm your ownership of this address:
+Click the link below to verify your email address for {{.RealmName}} on the COVID-19 exposure notifications verification server:
 
 {{.VerifyLink}}
+
+If you did not request verification of this email, please disregard this message.
 {{end}}
diff --git a/cmd/server/assets/email/default_reset_password.html b/cmd/server/assets/email/default_reset_password.html
index a00fda55f..a51bea90e 100644
--- a/cmd/server/assets/email/default_reset_password.html
+++ b/cmd/server/assets/email/default_reset_password.html
@@ -3,8 +3,9 @@
 
 Hello,
 
-A request was made to reset your password for the COVID-19 exposure notifications verification server.
-Follow the link below to select a new password:
+Click the link below to reset your password for the COVID-19 exposure notifications verification server.
 
 {{.ResetLink}}
+
+If you did not request a password reset, please disregard this message.
 {{end}}
diff --git a/cmd/server/assets/realmadmin/_form_email.html b/cmd/server/assets/realmadmin/_form_email.html
index 0fc4eae12..9c1fcab88 100644
--- a/cmd/server/assets/realmadmin/_form_email.html
+++ b/cmd/server/assets/realmadmin/_form_email.html
@@ -38,7 +38,7 @@
       <label for="smtp-account">SMTP account</label>
       {{template "errorable" $emailConfig.ErrorsFor "smtpAccount"}}
       <small class="form-text text-muted">
-        This is the SMTP email account eg. noreply@myrealm.com
+        This is the SMTP email account eg. noreply@example.com
       </small>
     </div>
 
@@ -76,6 +76,7 @@
       {{template "errorable" $emailConfig.ErrorsFor "smtpPort"}}
       <small class="form-text text-muted">
         SMTP port is the port number to connect to.
+        587 is the default port for SMTP, and legacy port 25 is blocked.
       </small>
     </div>
   </div>
diff --git a/pkg/database/realm.go b/pkg/database/realm.go
index 0089478eb..7d6a3d024 100644
--- a/pkg/database/realm.go
+++ b/pkg/database/realm.go
@@ -502,30 +502,6 @@ func (r *Realm) EmailConfig(db *Database) (*EmailConfig, error) {
 	return &emailConfig, nil
 }
 
-// HasEmailConfig returns true if the realm has an email config, false otherwise.
-// This does not perform the KMS encryption/decryption, so it's more efficient
-// that loading the full email config.
-func (r *Realm) HasEmailConfig(db *Database) (bool, error) {
-	q := db.db.
-		Model(&EmailConfig{}).
-		Select("id").
-		Order("is_system DESC").
-		Where("realm_id = ?", r.ID)
-
-	if r.UseSystemEmailConfig {
-		q = q.Or("is_system IS TRUE")
-	}
-
-	var id []uint64
-	if err := q.Pluck("id", &id).Error; err != nil {
-		if IsNotFound(err) {
-			return false, nil
-		}
-		return false, err
-	}
-	return len(id) > 0, nil
-}
-
 // EmailProvider returns the email provider for the realm. If no email configuration
 // exists, it returns nil. If any errors occur creating the provider, they are
 // returned.

From b80e34177980248b2134b32df73b5e9269182d3c Mon Sep 17 00:00:00 2001
From: Weston Haught <whaught@google.com>
Date: Fri, 16 Oct 2020 14:11:14 -0700
Subject: [PATCH 21/31] nils

---
 pkg/controller/login/reset_password.go    | 7 -------
 pkg/controller/login/verify_email_send.go | 3 ---
 pkg/controller/user/send_invite.go        | 3 ---
 pkg/database/database.go                  | 2 +-
 4 files changed, 1 insertion(+), 14 deletions(-)

diff --git a/pkg/controller/login/reset_password.go b/pkg/controller/login/reset_password.go
index f02c70b4b..f82fe7785 100644
--- a/pkg/controller/login/reset_password.go
+++ b/pkg/controller/login/reset_password.go
@@ -17,7 +17,6 @@ package login
 
 import (
 	"context"
-	"errors"
 	"fmt"
 	"net/http"
 	"strings"
@@ -94,18 +93,12 @@ func (c *Controller) sendResetFromSystemEmailer(ctx context.Context, toEmail str
 	// Send email with system email config
 
 	emailConfig, err := c.db.SystemEmailConfig()
-	if emailConfig == nil {
-		return fmt.Errorf("no email config found for system: %w", err)
-	}
 	if err != nil {
 		c.logger.Warnw("failed to get email config for system:", "error", err)
 		return fmt.Errorf("failed to get email config for system: %w", err)
 	}
 
 	emailer, err := emailConfig.Provider()
-	if emailer == nil {
-		return errors.New("no emailer found")
-	}
 	if err != nil {
 		c.logger.Warnw("failed to get emailer for realm:", "error", err)
 		return fmt.Errorf("failed to get emailer for realm: %w", err)
diff --git a/pkg/controller/login/verify_email_send.go b/pkg/controller/login/verify_email_send.go
index 8f6313cc9..7179b8dfb 100644
--- a/pkg/controller/login/verify_email_send.go
+++ b/pkg/controller/login/verify_email_send.go
@@ -85,9 +85,6 @@ func (c *Controller) sendVerificationFromRealmEmailer(ctx context.Context, toEma
 	}
 
 	emailer, err := realm.EmailProvider(c.db)
-	if emailer == nil {
-		return errors.New("no emailer found")
-	}
 	if err != nil {
 		c.logger.Warnw("failed to get emailer for realm:", "error", err)
 		return fmt.Errorf("failed to get emailer for realm: %w", err)
diff --git a/pkg/controller/user/send_invite.go b/pkg/controller/user/send_invite.go
index 03bde39d4..33b9a78b6 100644
--- a/pkg/controller/user/send_invite.go
+++ b/pkg/controller/user/send_invite.go
@@ -44,9 +44,6 @@ func (c *Controller) sendInvitationFromRealmEmailer(ctx context.Context, toEmail
 	}
 
 	emailer, err := realm.EmailProvider(c.db)
-	if emailer == nil {
-		return errors.New("no emailer found")
-	}
 	if err != nil {
 		c.logger.Warnw("failed to get emailer for realm:", "error", err)
 		return fmt.Errorf("failed to get emailer for realm: %w", err)
diff --git a/pkg/database/database.go b/pkg/database/database.go
index f54e07e1e..136b0adeb 100644
--- a/pkg/database/database.go
+++ b/pkg/database/database.go
@@ -256,7 +256,7 @@ func IsNotFound(err error) bool {
 	return errors.Is(err, gorm.ErrRecordNotFound) || gorm.IsRecordNotFoundError(err)
 }
 
-// callbackIncremementMetric incremements the provided metric
+// callbackIncrementMetric increments the provided metric
 func callbackIncrementMetric(ctx context.Context, m *stats.Int64Measure, table string) func(scope *gorm.Scope) {
 	return func(scope *gorm.Scope) {
 		if scope.TableName() != table {

From 8f5e42ab8d4e71ed5ed26d080fa4ed5ada9b700d Mon Sep 17 00:00:00 2001
From: Weston Haught <whaught@google.com>
Date: Fri, 16 Oct 2020 14:35:31 -0700
Subject: [PATCH 22/31] review stuff

---
 pkg/controller/login/reset_password.go    | 25 +++++++-------
 pkg/controller/login/verify_email_send.go | 37 +++++++++++----------
 pkg/controller/user/send_invite.go        | 40 ++++++++++++-----------
 pkg/database/email_config.go              |  3 --
 pkg/database/realm.go                     |  3 --
 5 files changed, 55 insertions(+), 53 deletions(-)

diff --git a/pkg/controller/login/reset_password.go b/pkg/controller/login/reset_password.go
index f82fe7785..6637719ef 100644
--- a/pkg/controller/login/reset_password.go
+++ b/pkg/controller/login/reset_password.go
@@ -78,7 +78,11 @@ func (c *Controller) HandleSubmitResetPassword() http.Handler {
 			stats.Record(ctx, controller.MFirebaseRecreates.M(1))
 		}
 
-		if err = c.sendResetFromSystemEmailer(ctx, email); err != nil {
+		sent, err := c.sendResetFromSystemEmailer(ctx, email)
+		if err != nil {
+			c.logger.Warnw("failed sending password reset", "error", err)
+		}
+		if !sent {
 			// fallback to firebase
 			c.renderResetPassword(ctx, w, flash, email, true)
 			return
@@ -89,31 +93,30 @@ func (c *Controller) HandleSubmitResetPassword() http.Handler {
 	})
 }
 
-func (c *Controller) sendResetFromSystemEmailer(ctx context.Context, toEmail string) error {
+func (c *Controller) sendResetFromSystemEmailer(ctx context.Context, toEmail string) (bool, error) {
 	// Send email with system email config
 
 	emailConfig, err := c.db.SystemEmailConfig()
 	if err != nil {
-		c.logger.Warnw("failed to get email config for system:", "error", err)
-		return fmt.Errorf("failed to get email config for system: %w", err)
+		if !database.IsNotFound(err) {
+			return false, nil
+		}
+		return false, fmt.Errorf("failed to get email config for system: %w", err)
 	}
 
 	emailer, err := emailConfig.Provider()
 	if err != nil {
-		c.logger.Warnw("failed to get emailer for realm:", "error", err)
-		return fmt.Errorf("failed to get emailer for realm: %w", err)
+		return false, fmt.Errorf("failed to get emailer for realm: %w", err)
 	}
 
 	message, err := controller.ComposePasswordResetEmail(ctx, c.h, c.client, toEmail, emailer.From())
 	if err != nil {
-		c.logger.Warnw("failed composing password reset email", "error", err)
-		return fmt.Errorf("failed composing password reset email: %w", err)
+		return false, fmt.Errorf("failed composing password reset email: %w", err)
 	}
 
 	if err := emailer.SendEmail(ctx, toEmail, message); err != nil {
-		c.logger.Warnw("failed sending password reset email", "error", err)
-		return fmt.Errorf("failed sending password reset email: %w", err)
+		return false, fmt.Errorf("failed sending password reset email: %w", err)
 	}
 
-	return nil
+	return true, nil
 }
diff --git a/pkg/controller/login/verify_email_send.go b/pkg/controller/login/verify_email_send.go
index 7179b8dfb..6d3ad6c35 100644
--- a/pkg/controller/login/verify_email_send.go
+++ b/pkg/controller/login/verify_email_send.go
@@ -17,11 +17,11 @@ package login
 
 import (
 	"context"
-	"errors"
 	"fmt"
 	"net/http"
 
 	"github.com/google/exposure-notifications-verification-server/pkg/controller"
+	"github.com/google/exposure-notifications-verification-server/pkg/database"
 )
 
 func (c *Controller) HandleShowVerifyEmail() http.Handler {
@@ -58,15 +58,18 @@ func (c *Controller) HandleSubmitVerifyEmail() http.Handler {
 			return
 		}
 
-		if err := c.sendVerificationFromRealmEmailer(ctx, currentUser.Email); err == nil {
-			flash.Alert("Verification email sent.")
-			c.renderEmailVerify(ctx, w, "sent")
+		sent, err := c.sendVerificationFromRealmEmailer(ctx, currentUser.Email)
+		if err != nil {
+			c.logger.Warnw("failed sending verification", "error", err)
+		}
+		if !sent {
+			// fallback to firebase
+			c.renderEmailVerify(ctx, w, "send")
 			return
 		}
 
-		// fallback to firebase
-
-		c.renderEmailVerify(ctx, w, "send")
+		flash.Alert("Verification email sent.")
+		c.renderEmailVerify(ctx, w, "sent")
 	})
 }
 
@@ -77,29 +80,29 @@ func (c *Controller) renderEmailVerify(ctx context.Context, w http.ResponseWrite
 	c.h.RenderHTML(w, "login/verify-email", m)
 }
 
-func (c *Controller) sendVerificationFromRealmEmailer(ctx context.Context, toEmail string) error {
-	// Send email with realm email config
+// sendVerificationFromRealmEmailer send email with the realm email config
+func (c *Controller) sendVerificationFromRealmEmailer(ctx context.Context, toEmail string) (bool, error) {
 	realm := controller.RealmFromContext(ctx)
 	if realm == nil {
-		return errors.New("no realm found")
+		return false, nil
 	}
 
 	emailer, err := realm.EmailProvider(c.db)
 	if err != nil {
-		c.logger.Warnw("failed to get emailer for realm:", "error", err)
-		return fmt.Errorf("failed to get emailer for realm: %w", err)
+		if !database.IsNotFound(err) {
+			return false, nil
+		}
+		return false, fmt.Errorf("failed creating email provider: %w", err)
 	}
 
 	message, err := controller.ComposeInviteEmail(ctx, c.h, c.client, toEmail, emailer.From(), realm.Name)
 	if err != nil {
-		c.logger.Warnw("failed composing email verification", "error", err)
-		return fmt.Errorf("failed composing email verification: %w", err)
+		return false, fmt.Errorf("failed composing email verification: %w", err)
 	}
 
 	if err := emailer.SendEmail(ctx, toEmail, message); err != nil {
-		c.logger.Warnw("failed sending email verification", "error", err)
-		return fmt.Errorf("failed sending email verification: %w", err)
+		return false, fmt.Errorf("failed sending email verification: %w", err)
 	}
 
-	return nil
+	return true, nil
 }
diff --git a/pkg/controller/user/send_invite.go b/pkg/controller/user/send_invite.go
index 33b9a78b6..938ce9271 100644
--- a/pkg/controller/user/send_invite.go
+++ b/pkg/controller/user/send_invite.go
@@ -16,49 +16,51 @@ package user
 
 import (
 	"context"
-	"errors"
 	"fmt"
 
 	"github.com/google/exposure-notifications-verification-server/pkg/controller"
+	"github.com/google/exposure-notifications-verification-server/pkg/database"
 )
 
 func (c *Controller) sendInvitation(ctx context.Context, toEmail string) error {
-	if err := c.sendInvitationFromRealmEmailer(ctx, toEmail); err == nil {
-		return nil
-	}
-
-	// Fallback to Firebase
-
-	if err := c.firebaseInternal.SendNewUserInvitation(ctx, toEmail); err != nil {
+	sent, err := c.sendInvitationFromRealmEmailer(ctx, toEmail)
+	if err != nil {
 		c.logger.Warnw("failed sending invitation", "error", err)
-		return fmt.Errorf("failed sending invitation: %w", err)
 	}
+	if !sent {
+		// fallback to Firebase
+		if err := c.firebaseInternal.SendNewUserInvitation(ctx, toEmail); err != nil {
+			c.logger.Warnw("failed sending invitation", "error", err)
+			return fmt.Errorf("failed sending invitation: %w", err)
+		}
+	}
+
 	return nil
 }
 
-func (c *Controller) sendInvitationFromRealmEmailer(ctx context.Context, toEmail string) error {
-	// Send email with realm email config
+// sendInvitationFromRealmEmailer send email with the realm email config
+func (c *Controller) sendInvitationFromRealmEmailer(ctx context.Context, toEmail string) (bool, error) {
 	realm := controller.RealmFromContext(ctx)
 	if realm == nil {
-		return errors.New("no realm found")
+		return false, nil
 	}
 
 	emailer, err := realm.EmailProvider(c.db)
 	if err != nil {
-		c.logger.Warnw("failed to get emailer for realm:", "error", err)
-		return fmt.Errorf("failed to get emailer for realm: %w", err)
+		if !database.IsNotFound(err) {
+			return false, nil
+		}
+		return false, fmt.Errorf("failed creating email provider: %w", err)
 	}
 
 	message, err := controller.ComposeInviteEmail(ctx, c.h, c.client, toEmail, emailer.From(), realm.Name)
 	if err != nil {
-		c.logger.Warnw("failed composing invitation", "error", err)
-		return fmt.Errorf("failed composing invitation: %w", err)
+		return false, fmt.Errorf("failed composing email verification: %w", err)
 	}
 
 	if err := emailer.SendEmail(ctx, toEmail, message); err != nil {
-		c.logger.Warnw("failed sending invitation", "error", err)
-		return fmt.Errorf("failed sending invitation: %w", err)
+		return false, fmt.Errorf("failed sending email verification: %w", err)
 	}
 
-	return nil
+	return true, nil
 }
diff --git a/pkg/database/email_config.go b/pkg/database/email_config.go
index 480e32f22..a234c9803 100644
--- a/pkg/database/email_config.go
+++ b/pkg/database/email_config.go
@@ -119,8 +119,5 @@ func (db *Database) SaveEmailConfig(s *EmailConfig) error {
 		return db.db.Unscoped().Delete(s).Error
 	}
 
-	if db.db.NewRecord(s) {
-		return db.db.Create(s).Error
-	}
 	return db.db.Save(s).Error
 }
diff --git a/pkg/database/realm.go b/pkg/database/realm.go
index 7d6a3d024..bc5f06a06 100644
--- a/pkg/database/realm.go
+++ b/pkg/database/realm.go
@@ -508,9 +508,6 @@ func (r *Realm) EmailConfig(db *Database) (*EmailConfig, error) {
 func (r *Realm) EmailProvider(db *Database) (email.Provider, error) {
 	emailConfig, err := r.EmailConfig(db)
 	if err != nil {
-		if IsNotFound(err) {
-			return nil, nil
-		}
 		return nil, err
 	}
 

From dc806240d27c3f4c81f785bffab46c84f42db239 Mon Sep 17 00:00:00 2001
From: Weston Haught <whaught@google.com>
Date: Fri, 16 Oct 2020 15:03:06 -0700
Subject: [PATCH 23/31] merge send realm email code

---
 pkg/controller/email_compose.go           | 30 ++++++++++++++++++++
 pkg/controller/login/verify_email_send.go | 34 ++++-------------------
 pkg/controller/user/send_invite.go        | 33 ++++------------------
 3 files changed, 40 insertions(+), 57 deletions(-)

diff --git a/pkg/controller/email_compose.go b/pkg/controller/email_compose.go
index c02b5c221..a1076b54a 100644
--- a/pkg/controller/email_compose.go
+++ b/pkg/controller/email_compose.go
@@ -19,9 +19,13 @@ import (
 	"fmt"
 
 	"firebase.google.com/go/auth"
+	"github.com/google/exposure-notifications-verification-server/pkg/database"
+	"github.com/google/exposure-notifications-verification-server/pkg/email"
 	"github.com/google/exposure-notifications-verification-server/pkg/render"
 )
 
+type ComposeFn func(provider email.Provider, realm *database.Realm, toEmail string) ([]byte, error)
+
 // ComposeInviteEmail uses the renderer and auth client to generate a password reset link
 // and emit an invite email
 func ComposeInviteEmail(
@@ -110,3 +114,29 @@ func ComposePasswordResetEmail(
 	}
 	return message, nil
 }
+
+func SendRealmEmail(ctx context.Context, db *database.Database, compose ComposeFn, toEmail string) (bool, error) {
+	realm := RealmFromContext(ctx)
+	if realm == nil {
+		return false, nil
+	}
+
+	emailer, err := realm.EmailProvider(db)
+	if err != nil {
+		if !database.IsNotFound(err) {
+			return false, nil
+		}
+		return false, fmt.Errorf("failed creating email provider: %w", err)
+	}
+
+	message, err := compose(emailer, realm, toEmail)
+	if err != nil {
+		return false, fmt.Errorf("failed composing email verification: %w", err)
+	}
+
+	if err := emailer.SendEmail(ctx, toEmail, message); err != nil {
+		return false, fmt.Errorf("failed sending email verification: %w", err)
+	}
+
+	return true, nil
+}
diff --git a/pkg/controller/login/verify_email_send.go b/pkg/controller/login/verify_email_send.go
index 6d3ad6c35..02f2edcb3 100644
--- a/pkg/controller/login/verify_email_send.go
+++ b/pkg/controller/login/verify_email_send.go
@@ -17,11 +17,11 @@ package login
 
 import (
 	"context"
-	"fmt"
 	"net/http"
 
 	"github.com/google/exposure-notifications-verification-server/pkg/controller"
 	"github.com/google/exposure-notifications-verification-server/pkg/database"
+	"github.com/google/exposure-notifications-verification-server/pkg/email"
 )
 
 func (c *Controller) HandleShowVerifyEmail() http.Handler {
@@ -58,7 +58,10 @@ func (c *Controller) HandleSubmitVerifyEmail() http.Handler {
 			return
 		}
 
-		sent, err := c.sendVerificationFromRealmEmailer(ctx, currentUser.Email)
+		compose := func(emailer email.Provider, realm *database.Realm, toEmail string) ([]byte, error) {
+			return controller.ComposeEmailVerifyEmail(ctx, c.h, c.client, toEmail, emailer.From(), realm.Name)
+		}
+		sent, err := controller.SendRealmEmail(ctx, c.db, compose, currentUser.Email)
 		if err != nil {
 			c.logger.Warnw("failed sending verification", "error", err)
 		}
@@ -79,30 +82,3 @@ func (c *Controller) renderEmailVerify(ctx context.Context, w http.ResponseWrite
 	m["firebase"] = c.config.Firebase
 	c.h.RenderHTML(w, "login/verify-email", m)
 }
-
-// sendVerificationFromRealmEmailer send email with the realm email config
-func (c *Controller) sendVerificationFromRealmEmailer(ctx context.Context, toEmail string) (bool, error) {
-	realm := controller.RealmFromContext(ctx)
-	if realm == nil {
-		return false, nil
-	}
-
-	emailer, err := realm.EmailProvider(c.db)
-	if err != nil {
-		if !database.IsNotFound(err) {
-			return false, nil
-		}
-		return false, fmt.Errorf("failed creating email provider: %w", err)
-	}
-
-	message, err := controller.ComposeInviteEmail(ctx, c.h, c.client, toEmail, emailer.From(), realm.Name)
-	if err != nil {
-		return false, fmt.Errorf("failed composing email verification: %w", err)
-	}
-
-	if err := emailer.SendEmail(ctx, toEmail, message); err != nil {
-		return false, fmt.Errorf("failed sending email verification: %w", err)
-	}
-
-	return true, nil
-}
diff --git a/pkg/controller/user/send_invite.go b/pkg/controller/user/send_invite.go
index 938ce9271..d4b06ccb9 100644
--- a/pkg/controller/user/send_invite.go
+++ b/pkg/controller/user/send_invite.go
@@ -20,10 +20,14 @@ import (
 
 	"github.com/google/exposure-notifications-verification-server/pkg/controller"
 	"github.com/google/exposure-notifications-verification-server/pkg/database"
+	"github.com/google/exposure-notifications-verification-server/pkg/email"
 )
 
 func (c *Controller) sendInvitation(ctx context.Context, toEmail string) error {
-	sent, err := c.sendInvitationFromRealmEmailer(ctx, toEmail)
+	compose := func(emailer email.Provider, realm *database.Realm, toEmail string) ([]byte, error) {
+		return controller.ComposeInviteEmail(ctx, c.h, c.client, toEmail, emailer.From(), realm.Name)
+	}
+	sent, err := controller.SendRealmEmail(ctx, c.db, compose, toEmail)
 	if err != nil {
 		c.logger.Warnw("failed sending invitation", "error", err)
 	}
@@ -37,30 +41,3 @@ func (c *Controller) sendInvitation(ctx context.Context, toEmail string) error {
 
 	return nil
 }
-
-// sendInvitationFromRealmEmailer send email with the realm email config
-func (c *Controller) sendInvitationFromRealmEmailer(ctx context.Context, toEmail string) (bool, error) {
-	realm := controller.RealmFromContext(ctx)
-	if realm == nil {
-		return false, nil
-	}
-
-	emailer, err := realm.EmailProvider(c.db)
-	if err != nil {
-		if !database.IsNotFound(err) {
-			return false, nil
-		}
-		return false, fmt.Errorf("failed creating email provider: %w", err)
-	}
-
-	message, err := controller.ComposeInviteEmail(ctx, c.h, c.client, toEmail, emailer.From(), realm.Name)
-	if err != nil {
-		return false, fmt.Errorf("failed composing email verification: %w", err)
-	}
-
-	if err := emailer.SendEmail(ctx, toEmail, message); err != nil {
-		return false, fmt.Errorf("failed sending email verification: %w", err)
-	}
-
-	return true, nil
-}

From 78f7f9550a9b7c0b4be9543817fc204cc6020ba5 Mon Sep 17 00:00:00 2001
From: Weston Haught <whaught@google.com>
Date: Fri, 16 Oct 2020 15:11:55 -0700
Subject: [PATCH 24/31] expect notfound

---
 pkg/database/email_config_test.go | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/pkg/database/email_config_test.go b/pkg/database/email_config_test.go
index 6887c1eac..3ba6a8ef6 100644
--- a/pkg/database/email_config_test.go
+++ b/pkg/database/email_config_test.go
@@ -142,11 +142,8 @@ func TestEmailProvider(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	provider, err = realm.EmailProvider(db)
-	if err != nil {
+	_, err = realm.EmailProvider(db)
+	if !IsNotFound(err) {
 		t.Fatal(err)
 	}
-	if provider == nil {
-		t.Errorf("expected %v to be not nil", provider)
-	}
 }

From 510812a9cfffcf08d8f091a268d164c0fe2bd380 Mon Sep 17 00:00:00 2001
From: Weston Haught <whaught@google.com>
Date: Fri, 16 Oct 2020 15:24:24 -0700
Subject: [PATCH 25/31] unit test

---
 pkg/database/email_config_test.go | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/pkg/database/email_config_test.go b/pkg/database/email_config_test.go
index 3ba6a8ef6..63b0f755f 100644
--- a/pkg/database/email_config_test.go
+++ b/pkg/database/email_config_test.go
@@ -124,7 +124,7 @@ func TestEmailProvider(t *testing.T) {
 	}
 
 	provider, err := realm.EmailProvider(db)
-	if err != nil {
+	if !IsNotFound(err) {
 		t.Fatal(err)
 	}
 	if provider != nil {
@@ -142,8 +142,11 @@ func TestEmailProvider(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	_, err = realm.EmailProvider(db)
-	if !IsNotFound(err) {
+	provider, err = realm.EmailProvider(db)
+	if err != nil {
 		t.Fatal(err)
 	}
+	if provider == nil {
+		t.Errorf("expected %v to be not nil", provider)
+	}
 }

From e0cbda518019352c1cea344596557f1557c00b93 Mon Sep 17 00:00:00 2001
From: Weston Haught <whaught@google.com>
Date: Fri, 16 Oct 2020 15:46:02 -0700
Subject: [PATCH 26/31] json ignore

---
 pkg/database/email_config.go | 4 ++--
 pkg/email/config.go          | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkg/database/email_config.go b/pkg/database/email_config.go
index a234c9803..8f1b99491 100644
--- a/pkg/database/email_config.go
+++ b/pkg/database/email_config.go
@@ -39,9 +39,9 @@ type EmailConfig struct {
 	SMTPHost    string `gorm:"type:varchar(250)"`
 	SMTPPort    string `gorm:"type:varchar(250)"`
 
-	// TwilioAuthToken is encrypted/decrypted automatically by callbacks. The
+	// SMTPPassword is encrypted/decrypted automatically by callbacks. The
 	// cache fields exist as optimizations.
-	SMTPPassword                string `gorm:"type:varchar(250)"`
+	SMTPPassword                string `gorm:"type:varchar(250)" json:"-"` // ignored by zap's JSON formatter
 	SMTPPasswordPlaintextCache  string `gorm:"-"`
 	SMTPPasswordCiphertextCache string `gorm:"-"`
 
diff --git a/pkg/email/config.go b/pkg/email/config.go
index 29d1c0613..ea76092c2 100644
--- a/pkg/email/config.go
+++ b/pkg/email/config.go
@@ -43,7 +43,7 @@ type Config struct {
 	ProviderType ProviderType
 
 	User     string `env:"EMAIL_USER"`
-	Password string `env:"EMAIL_PASSWORD"`
+	Password string `env:"EMAIL_PASSWORD" json:"-"` // ignored by zap's JSON formatter
 	SMTPHost string `env:"EMAIL_SMTP_HOST"`
 
 	// SMTPPort defines the email port to connect to.

From 351b0a1aabd3c5c8fbfd0bf15d128d430fa0d089 Mon Sep 17 00:00:00 2001
From: Weston Haught <whaught@google.com>
Date: Fri, 16 Oct 2020 15:50:55 -0700
Subject: [PATCH 27/31] ignore on sms

---
 pkg/database/sms_config.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/database/sms_config.go b/pkg/database/sms_config.go
index 17d4ba95c..2c78b8e10 100644
--- a/pkg/database/sms_config.go
+++ b/pkg/database/sms_config.go
@@ -40,7 +40,7 @@ type SMSConfig struct {
 
 	// TwilioAuthToken is encrypted/decrypted automatically by callbacks. The
 	// cache fields exist as optimizations.
-	TwilioAuthToken                string `gorm:"type:varchar(250)"`
+	TwilioAuthToken                string `gorm:"type:varchar(250)" json:"-"` // ignored by zap's JSON formatter
 	TwilioAuthTokenPlaintextCache  string `gorm:"-"`
 	TwilioAuthTokenCiphertextCache string `gorm:"-"`
 

From 94640218bd51c41c8bec22a793e3c1a18dc5faf1 Mon Sep 17 00:00:00 2001
From: Weston Haught <whaught@google.com>
Date: Fri, 16 Oct 2020 16:36:09 -0700
Subject: [PATCH 28/31] only fallback on error

---
 pkg/controller/login/verify_email_send.go | 5 ++++-
 pkg/controller/user/send_invite.go        | 3 ++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/pkg/controller/login/verify_email_send.go b/pkg/controller/login/verify_email_send.go
index 02f2edcb3..4d6cc1790 100644
--- a/pkg/controller/login/verify_email_send.go
+++ b/pkg/controller/login/verify_email_send.go
@@ -64,9 +64,12 @@ func (c *Controller) HandleSubmitVerifyEmail() http.Handler {
 		sent, err := controller.SendRealmEmail(ctx, c.db, compose, currentUser.Email)
 		if err != nil {
 			c.logger.Warnw("failed sending verification", "error", err)
+			flash.Error("Failed to send verification email.")
+			c.renderEmailVerify(ctx, w, "")
+			return
 		}
 		if !sent {
-			// fallback to firebase
+			// fallback to Firebase if not SMTP found
 			c.renderEmailVerify(ctx, w, "send")
 			return
 		}
diff --git a/pkg/controller/user/send_invite.go b/pkg/controller/user/send_invite.go
index d4b06ccb9..a3773abd2 100644
--- a/pkg/controller/user/send_invite.go
+++ b/pkg/controller/user/send_invite.go
@@ -30,9 +30,10 @@ func (c *Controller) sendInvitation(ctx context.Context, toEmail string) error {
 	sent, err := controller.SendRealmEmail(ctx, c.db, compose, toEmail)
 	if err != nil {
 		c.logger.Warnw("failed sending invitation", "error", err)
+		return fmt.Errorf("failed sending invitation: %w", err)
 	}
 	if !sent {
-		// fallback to Firebase
+		// fallback to Firebase if not SMTP found
 		if err := c.firebaseInternal.SendNewUserInvitation(ctx, toEmail); err != nil {
 			c.logger.Warnw("failed sending invitation", "error", err)
 			return fmt.Errorf("failed sending invitation: %w", err)

From 1cab8028c87901210b786b700ee7075cdbd0259c Mon Sep 17 00:00:00 2001
From: Weston Haught <whaught@google.com>
Date: Mon, 19 Oct 2020 12:57:19 -0700
Subject: [PATCH 29/31] fix notfound error message

---
 pkg/controller/email_compose.go        | 2 +-
 pkg/controller/login/reset_password.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkg/controller/email_compose.go b/pkg/controller/email_compose.go
index a1076b54a..29e4c7445 100644
--- a/pkg/controller/email_compose.go
+++ b/pkg/controller/email_compose.go
@@ -123,7 +123,7 @@ func SendRealmEmail(ctx context.Context, db *database.Database, compose ComposeF
 
 	emailer, err := realm.EmailProvider(db)
 	if err != nil {
-		if !database.IsNotFound(err) {
+		if database.IsNotFound(err) {
 			return false, nil
 		}
 		return false, fmt.Errorf("failed creating email provider: %w", err)
diff --git a/pkg/controller/login/reset_password.go b/pkg/controller/login/reset_password.go
index 6637719ef..f5071f388 100644
--- a/pkg/controller/login/reset_password.go
+++ b/pkg/controller/login/reset_password.go
@@ -98,7 +98,7 @@ func (c *Controller) sendResetFromSystemEmailer(ctx context.Context, toEmail str
 
 	emailConfig, err := c.db.SystemEmailConfig()
 	if err != nil {
-		if !database.IsNotFound(err) {
+		if database.IsNotFound(err) {
 			return false, nil
 		}
 		return false, fmt.Errorf("failed to get email config for system: %w", err)

From 532e9e0fbc7f4ff3f18e465c4242950dc6d57fd5 Mon Sep 17 00:00:00 2001
From: Weston Haught <whaught@google.com>
Date: Mon, 19 Oct 2020 13:05:21 -0700
Subject: [PATCH 30/31] correct import

---
 pkg/controller/user/importbatch.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pkg/controller/user/importbatch.go b/pkg/controller/user/importbatch.go
index 3bf0d9da9..edcbe7388 100644
--- a/pkg/controller/user/importbatch.go
+++ b/pkg/controller/user/importbatch.go
@@ -16,6 +16,7 @@ package user
 
 import (
 	"errors"
+	"fmt"
 	"net/http"
 
 	"github.com/google/exposure-notifications-verification-server/pkg/api"

From cc7d8dd75b929638aed6f8f028e2f6ed297b512e Mon Sep 17 00:00:00 2001
From: Weston Haught <whaught@google.com>
Date: Mon, 19 Oct 2020 13:14:47 -0700
Subject: [PATCH 31/31] ensure new port 587

---
 pkg/controller/realmadmin/settings.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/controller/realmadmin/settings.go b/pkg/controller/realmadmin/settings.go
index 9cf8bd84f..de4f2d74b 100644
--- a/pkg/controller/realmadmin/settings.go
+++ b/pkg/controller/realmadmin/settings.go
@@ -372,7 +372,7 @@ func (c *Controller) renderSettings(
 				controller.InternalError(w, r, c.h, err)
 				return
 			}
-			emailConfig = new(database.EmailConfig)
+			emailConfig = &database.EmailConfig{SMTPPort: "587"}
 		}
 	}