search

OpenFn / lightning

OpenFn/Lightning ⚡️ is the newest version of the OpenFn DPG and provides a web UI to visually manage complex workflow automation projects.
https://openfn.github.io/lightning/
GNU Lesser General Public License v3.0
134 stars 38 forks source link

Allow `/dev/mailbox` in `prod` #2708

Open midigofrank opened 3 days ago

midigofrank commented 3 days ago

https://github.com/OpenFn/lightning/pull/2700 introduced a MAIL_PROVIDER env var which specifies which email provider to use. The providers are essentially all the adapters supported by Swoosh: https://hexdocs.pm/swoosh/Swoosh.html#module-adapters So far, lightning only supports mailgun and smtp.

Swoosh also supports the local adapter, https://hexdocs.pm/swoosh/Swoosh.Adapters.Local.html, which is meant for use in dev. When using this adapter, the user can get access to the emails directly from the same host via /dev/mailbox. At the moment, this route is controlled at compile time and only availed in dev

Given that MAIL_PROVIDER defaults to local, regardless of the compile env, should we not make available /dev/mailbox to all compile envs?

Ideally, instead of it being controlled by the compile env, it should be based on the value of MAIL_PROVIDER

midigofrank commented 2 days ago

The /dev/mailbox lists all emails sent in the whole system. This could be a big security risk. @stuartc notes that if we're to do it, then we should probably restrict it to superusers only