uclibs / application_portfolio

The application manages applications at UCL
https://libapps.libraries.uc.edu/application_portfolio

fixes issue #344-mailer #360

Closed haitzlm closed 2 months ago

haitzlm commented 5 months ago

fixes #344 - updated to send mail securely

hortongn commented 4 months ago

@scherztc when you get a chance, deploy this to libappstest and verify sending a password reset email works.

scherztc commented 2 months ago

I deployed this branch to libappstest and attempted to sign up a new user. I got the following error :

  [d10e9102-6cc5-4bb3-bcab-547b571cdaf6] OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 peeraddr=127.0.0.1:25 state=error: certificate verify failed (Hostname mismatch)):
  [d10e9102-6cc5-4bb3-bcab-547b571cdaf6]
  [d10e9102-6cc5-4bb3-bcab-547b571cdaf6] app/mailers/new_user_signup_mailer.rb:15:in `block in new_user_signup_mail'
  [d10e9102-6cc5-4bb3-bcab-547b571cdaf6] app/mailers/new_user_signup_mailer.rb:13:in `new_user_signup_mail'
  [d10e9102-6cc5-4bb3-bcab-547b571cdaf6] app/models/user.rb:28:in `send_admin_mail'

scherztc commented 2 months ago

@haitzlm : HOLD on this Review. This doesn't do it securely. Let me try again.

Update this PR to use these settings for config/environments/production.rb. I followed the model from the Treatment Database.

  # Configure Mailers
  config.action_mailer.perform_caching = false
  config.action_mailer.default_options = { from: 'uclappdev@uc.edu' }
  # Store the base url from where request is received.
  config.action_mailer.default_url_options = { host: ENV.fetch('APP_PORTFOLIO_PRODUCTION_MAILER_URL', nil), protocol: 'https' }
  config.action_mailer.delivery_method = :smtp
  # updated for tls and sendmail
  config.action_mailer.smtp_settings = {
    enable_starttls_auto: false,
  }

I tested these on libappstest.libraries.uc.edu and was able to send mail.

Also, rebase this PR from the qa branch.

  git checkout qa
  git pull
  git checkout update-mailer
  git rebase qa

scherztc commented 2 months ago

Here is the secure configuration that works on libappstest and libapps.

  config.action_mailer.default_url_options = { host: ENV['APP_PORTFOLIO_PRODUCTION_MAILER_URL'] }
  config.mailer_from = 'uclappdev@uc.edu'
  config.action_mailer.delivery_method = :smtp
  config.action_mailer.smtp_settings = {
    # 'address' specifies the address of the server that will handle email sending.
    address: ENV['MAIL_SMTP_ADDRESS'],
    # 'enable_starttls_auto' upgrades the session to TLS when the server advertises STARTTLS.
    enable_starttls_auto: true,
    # 'port' specifies which port to use on the SMTP server.
    # Port 25 is the default port for SMTP servers like Postfix.
    port: 25,
    # 'ca_file' is the path to the certificate authority file.
    # In our case, it's a self-signed certificate. This tells Rails to trust this specific certificate.
    ca_file: '/etc/ssl/certs/sendmail.pem'
  }

We will also need to add a value to the .env.production file:

MAIL_SMTP_ADDRESS='libappstest.libraries.uc.edu'

I can work with you to get all of this into the PR and rebase.
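An added example (not code from this PR or the application_portfolio project) that shows why the earlier sign-up attempt failed with "certificate verify failed (Hostname mismatch)" and why the configuration above fixes it. It builds a constructed self-signed certificate for the SMTP host (standing in for `/etc/ssl/certs/sendmail.pem`, which is not included here), then separates the two checks a STARTTLS client performs: the chain check that `ca_file` satisfies, and the identity check that only passes when `address` is the hostname in the certificate rather than `127.0.0.1`. It also runs a small static review over an `smtp_settings` hash so the interim `enable_starttls_auto: false` settings can be compared with the final ones. The hostname, environment values and the `smtp_settings_findings` rules are assumptions for illustration.

```ruby
require 'openssl'
require 'tempfile'

# Constructed example (not the project's certificate or key): a self-signed
# certificate for the SMTP host, standing in for /etc/ssl/certs/sendmail.pem.
def build_self_signed_cert(hostname)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{hostname}")
  cert.issuer = cert.subject                # self-signed: issuer == subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{hostname}"))
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Write the certificate to a PEM file and yield its path, mirroring ca_file.
def with_ca_file(cert)
  Tempfile.create(['sendmail', '.pem']) do |f|
    f.write(cert.to_pem)
    f.flush
    yield f.path
  end
end

# Chain check: is the server certificate issued by something in ca_file?
# This is what ca_file fixes; it says nothing about the hostname.
def trusted_by_ca_file?(server_cert, ca_path)
  store = OpenSSL::X509::Store.new
  store.add_file(ca_path)
  store.verify(server_cert)
end

# Identity check: does the certificate's SAN/CN match the address Rails
# connects to? Connecting to 127.0.0.1 fails this even with a trusted
# certificate, which is the "Hostname mismatch" error from the first test.
def hostname_matches?(cert, address)
  OpenSSL::SSL.verify_certificate_identity(cert, address)
end

# Static review of an ActionMailer smtp_settings hash (illustrative rules):
# returns a list of findings; an empty list means no weak setting was spotted.
def smtp_settings_findings(settings)
  findings = []
  unless settings[:enable_starttls_auto]
    findings << 'enable_starttls_auto is off: the SMTP session stays in cleartext'
  end
  if settings[:address].to_s.empty?
    findings << 'address is unset: the mailer defaults to localhost, which will not match the server certificate'
  end
  if settings[:enable_starttls_auto] && settings[:ca_file].nil?
    findings << 'ca_file is unset: a self-signed server certificate cannot be verified'
  end
  if [OpenSSL::SSL::VERIFY_NONE, 'none', :none].include?(settings[:openssl_verify_mode])
    findings << 'openssl_verify_mode none: certificate checks are disabled'
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  cert = build_self_signed_cert('libappstest.libraries.uc.edu')
  with_ca_file(cert) do |path|
    puts "trusted via ca_file:  #{trusted_by_ca_file?(cert, path)}"
    puts "matches hostname:     #{hostname_matches?(cert, 'libappstest.libraries.uc.edu')}"
    puts "matches 127.0.0.1:    #{hostname_matches?(cert, '127.0.0.1')}"
  end
  puts smtp_settings_findings(enable_starttls_auto: false)
end
```

Run it with `ruby` on a machine with the openssl gem; the chain check passes for the self-signed certificate once it is in the CA file, while the identity check passes only for the hostname the certificate was issued for, which is why `MAIL_SMTP_ADDRESS` has to carry the host name and not the loopback address.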

scherztc commented 2 months ago

@haitzlm : I added a commit to account for the missing environment variables, the rexml vulnerability, and sendmail configuration settings. I pushed this branch up to libappstest.libraries.uc.edu and tested the mailer by creating a new user. It successfully sent an e-mail. Since we both worked on the code and tested it on qa, I am okay with either of us merging this.

haitzlm commented 2 months ago

Thomas, what do you need me to do here?