more review fixes

Author: sylvinus

.github/workflows/messages.yml

@@ -95,6 +95,46 @@ jobs:
       - name: Build frontend
         run: make build-front
 
+  lint-client-bridge:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+      - name: Create env files
+        run: make create-env-files
+      - name: Run client-bridge linting
+        run: make lint-client-bridge
+
+  test-client-bridge:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+      - name: Create env files
+        run: make create-env-files
+      - name: Run client-bridge tests
+        run: make test-client-bridge
+
+  test-mta-in:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+      - name: Create env files
+        run: make create-env-files
+      - name: Run mta-in tests
+        run: make test-mta-in
+
+  test-socks-proxy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+      - name: Create env files
+        run: make create-env-files
+      - name: Run socks-proxy tests
+        run: make test-socks-proxy
+
   check-api-state:
     runs-on: ubuntu-latest
     steps:

README.md

@@ -60,7 +60,7 @@ It features a [MTA](https://en.wikipedia.org/wiki/Message_transfer_agent) based
 ### Based on standards
 * 🔑 OpenID Connect for all user accounts as the primary authentication method. Plug any identity provider, including Keycloak.
 * 📬 SMTP in and out (server-to-server).
-* ✅ JMAP-inspired data model. JMAP-compilant endpoint [in progress](https://github.com/suitenumerique/messages/pull/479).
+* ✅ JMAP-inspired data model. JMAP-compliant endpoint [in progress](https://github.com/suitenumerique/messages/pull/479).
 * 📮 Optional IMAP and SMTP client access via the [client bridge](/src/client-bridge/), for users who prefer traditional email clients like Thunderbird or mobile phones. Uses app-specific passwords with configurable roles.
 
 

src/backend/core/api/openapi.json

@@ -124,34 +124,6 @@
                 }
             }
         },
-        "/api/v1.0/client-bridge/auth/": {
-            "post": {
-                "operationId": "client_bridge_auth_create",
-                "description": "Authenticate a client-bridge channel by email username and app-specific password.\n\nPOST /api/v1.0/client-bridge/auth/\nInput: {\"username\": \"<mailbox email>\", \"password\": \"...\"}\nReturns: {\"token\": \"<JWT>\", \"channel_id\", \"mailbox_id\", \"mailbox_email\", \"role\",\n          \"expires_at\": \"<ISO 8601>\"}\n\nThe request must carry ``X-Service-Auth: Bearer <CLIENTBRIDGE_API_SECRET>``\nto prove it comes from the client-bridge service.\n\nThe JWT is signed with CLIENTBRIDGE_API_SECRET and contains the channel_id,\nmailbox_id, role, and expiration. The client-bridge passes it as\nX-Channel-Token on all subsequent requests.",
-                "tags": [
-                    "client-bridge"
-                ],
-                "responses": {
-                    "200": {
-                        "description": "No response body"
-                    }
-                }
-            }
-        },
-        "/api/v1.0/client-bridge/submit/": {
-            "post": {
-                "operationId": "client_bridge_submit_create",
-                "description": "Submit an outbound message via the client-bridge.\n\nPOST /api/v1.0/client-bridge/submit/\nContent-Type: message/rfc822 (raw email)\nHeaders: X-Channel-Token (JWT), X-Mail-From, X-Rcpt-To\nReturns: {\"message_id\": \"...\", \"status\": \"accepted\"}\n\nUses ClientBridgeChannelAuthentication: the channel is resolved from\nthe JWT and available as request.auth.",
-                "tags": [
-                    "client-bridge"
-                ],
-                "responses": {
-                    "200": {
-                        "description": "No response body"
-                    }
-                }
-            }
-        },
         "/api/v1.0/config/": {
             "get": {
                 "operationId": "config_retrieve",
@@ -2879,7 +2851,17 @@
                 ],
                 "responses": {
                     "200": {
-                        "description": "New password generated"
+                        "content": {
+                            "application/json": {
+                                "schema": {
+                                    "$ref": "#/components/schemas/RotatePasswordResponse"
+                                }
+                            }
+                        },
+                        "description": ""
+                    },
+                    "400": {
+                        "description": "Channel type does not support password rotation"
                     },
                     "403": {
                         "description": "Permission denied"
@@ -7852,6 +7834,17 @@
                     "one_time_password"
                 ]
             },
+            "RotatePasswordResponse": {
+                "type": "object",
+                "properties": {
+                    "password": {
+                        "type": "string"
+                    }
+                },
+                "required": [
+                    "password"
+                ]
+            },
             "SendMessageRequest": {
                 "type": "object",
                 "description": "Serializer for sending messages.",

src/backend/core/api/serializers.py

@@ -1517,11 +1517,12 @@ def _move_sensitive_settings(self, validated_data):
             return validated_data
 
         extracted = {
-            key: settings_data.pop(key)
-            for key in keys_to_encrypt
-            if key in settings_data
+            key: settings_data[key] for key in keys_to_encrypt if key in settings_data
         }
         if extracted:
+            # Remove extracted keys from settings without mutating during iteration
+            for key in extracted:
+                del settings_data[key]
             existing = (self.instance.encrypted_settings or {}) if self.instance else {}
             validated_data["encrypted_settings"] = {**existing, **extracted}
 

src/backend/core/api/viewsets/channel.py

@@ -6,8 +6,10 @@
 from drf_spectacular.utils import (
     OpenApiResponse,
     extend_schema,
+    inline_serializer,
 )
 from rest_framework import mixins, status, viewsets
+from rest_framework import serializers as drf_serializers
 from rest_framework.decorators import action
 from rest_framework.response import Response
 
@@ -115,7 +117,13 @@ def destroy(self, request, *args, **kwargs):
     @extend_schema(
         request=None,
         responses={
-            200: OpenApiResponse(description="New password generated"),
+            200: inline_serializer(
+                name="RotatePasswordResponse",
+                fields={"password": drf_serializers.CharField()},
+            ),
+            400: OpenApiResponse(
+                description="Channel type does not support password rotation"
+            ),
             403: OpenApiResponse(description="Permission denied"),
             404: OpenApiResponse(description="Channel not found"),
         },

src/backend/core/api/viewsets/client_bridge.py

@@ -8,6 +8,7 @@
 from django.conf import settings
 
 import jwt
+from drf_spectacular.utils import extend_schema
 from rest_framework import status
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.response import Response
@@ -67,6 +68,7 @@ class ClientBridgeAuthView(APIView):
     permission_classes = []
     throttle_classes = [ClientBridgeAuthThrottle]
 
+    @extend_schema(exclude=True)
     def post(self, request):  # pylint: disable=missing-function-docstring
         # Validate service secret
         if not settings.FEATURE_CLIENTBRIDGE:
@@ -164,6 +166,7 @@ class ClientBridgeSubmitView(APIView):
     authentication_classes = [ClientBridgeChannelAuthentication]
     permission_classes = [IsAuthenticated]
 
+    @extend_schema(exclude=True)
     def post(self, request):  # pylint: disable=missing-function-docstring
         channel = request.auth
         mail_from = request.META.get("HTTP_X_MAIL_FROM")
@@ -231,6 +234,7 @@ def post(self, request):  # pylint: disable=missing-function-docstring
             message,
             "",
             "",
+            user=request.user,
             raw_mime=raw_data,
         )
         if not prepared:
@@ -243,11 +247,9 @@ def post(self, request):  # pylint: disable=missing-function-docstring
         send_message_task.delay(str(message.id))
 
         logger.info(
-            "Message submitted via client-bridge: channel=%s, message=%s, from=%s, to=%s",
+            "Message submitted via client-bridge: channel=%s, message=%s",
             channel.id,
             message.id,
-            mail_from,
-            rcpt_to,
         )
 
         return Response(

src/backend/core/mda/inbound_create.py

@@ -372,9 +372,9 @@ def _create_message_from_inbound(  # pylint: disable=too-many-arguments
             mime_id=parsed_email.get("messageId", parsed_email.get("message_id"))
             or None,
             parent=parent_message,
-            sent_at=parsed_email.get("date") or timezone.now()
-            if not is_outbound
-            else None,
+            sent_at=(
+                None if is_outbound else (parsed_email.get("date") or timezone.now())
+            ),
             is_draft=is_outbound,  # Outbound: draft until prepare_outbound_message finalizes
             is_sender=is_sender,
             is_starred=False,

src/backend/core/mda/outbound.py

@@ -89,6 +89,7 @@ def prepare_outbound_message(
     if raw_mime is not None:
         # Client-bridge path: the email client already composed the MIME.
         # Just sign and store it.
+        message.sender_user = user
         return _sign_and_store(mailbox_sender, message, raw_mime)
 
     # --- Web/API path: compose MIME from text/html body --- #

src/backend/core/tests/api/test_client_bridge.py

@@ -595,6 +595,7 @@ def test_rotate_password_rejects_non_client_bridge(self, mailbox):
 
         assert response.status_code == status.HTTP_400_BAD_REQUEST
 
+    @override_settings(FEATURE_MAILBOX_ADMIN_CHANNELS=[], FEATURE_CLIENTBRIDGE=True)
     def test_client_bridge_type_rejected_when_not_in_admin_channels(self, mailbox):
         """Creating a client-bridge channel should fail when not in FEATURE_MAILBOX_ADMIN_CHANNELS."""
         user = UserFactory()
@@ -882,13 +883,13 @@ def test_post_allowed(self, _make_channel, mailbox, role):
         """Roles with CAN_EDIT should be allowed to POST."""
         channel = _make_channel(role)
         client = self._jwt_client(channel, mailbox, role=role)
-        # POST to threads — will fail validation but should not be 403
+        # POST to threads — will fail with 405 (no CreateModelMixin) but should not be 403
         response = client.post(
             "/api/v1.0/threads/",
             {},
             format="json",
         )
-        assert response.status_code != status.HTTP_403_FORBIDDEN
+        assert response.status_code == status.HTTP_405_METHOD_NOT_ALLOWED
 
     def test_post_blocked_reader(self, _make_channel, mailbox):
         """reader should not be allowed to POST (not in CAN_EDIT or CAN_SEND)."""
@@ -913,8 +914,7 @@ def test_patch_allowed(self, _make_channel, mailbox, role):
             {},
             format="json",
         )
-        # Not 403 — may be 404/405 depending on the endpoint
-        assert response.status_code != status.HTTP_403_FORBIDDEN
+        assert response.status_code == status.HTTP_405_METHOD_NOT_ALLOWED
 
     @pytest.mark.parametrize("role", ["reader", "sender_only"])
     def test_patch_blocked(self, _make_channel, mailbox, role):
@@ -938,7 +938,7 @@ def test_delete_allowed(self, _make_channel, mailbox, role):
         response = client.delete(
             "/api/v1.0/threads/",
         )
-        assert response.status_code != status.HTTP_403_FORBIDDEN
+        assert response.status_code == status.HTTP_405_METHOD_NOT_ALLOWED
 
     @pytest.mark.parametrize("role", ["reader", "sender_only"])
     def test_delete_blocked(self, _make_channel, mailbox, role):
@@ -961,8 +961,8 @@ def test_send_endpoint_allows_sender(self, _make_channel, mailbox):
             {"messageId": str(uuid.uuid4()), "senderId": str(mailbox.id)},
             format="json",
         )
-        # Should fail on draft lookup, not on role enforcement
-        assert response.status_code != status.HTTP_403_FORBIDDEN
+        # Should fail on draft lookup (404), not on role enforcement (403)
+        assert response.status_code == status.HTTP_404_NOT_FOUND
 
     @pytest.mark.parametrize("role", ["reader", "sender_only"])
     def test_send_endpoint_blocked_no_post(self, _make_channel, mailbox, role):
@@ -1049,6 +1049,31 @@ def test_submit_allows_sender_roles(
 
         assert response.status_code == status.HTTP_202_ACCEPTED
 
+    @patch("core.api.viewsets.client_bridge.send_message_task")
+    def test_submit_sets_sender_user(
+        self,
+        mock_send_task,  # pylint: disable=unused-argument
+        _make_channel,
+        mailbox,
+    ):
+        """Submit should set message.sender_user to the channel's user."""
+        channel = _make_channel("sender")
+        client = self._jwt_client(channel, mailbox, role="sender")
+        mailbox_email = str(mailbox)
+        raw_email = _build_raw_email(mailbox_email, "recipient@example.com")
+
+        response = client.post(
+            "/api/v1.0/client-bridge/submit/",
+            raw_email,
+            content_type="message/rfc822",
+            HTTP_X_MAIL_FROM=mailbox_email,
+            HTTP_X_RCPT_TO="recipient@example.com",
+        )
+
+        assert response.status_code == status.HTTP_202_ACCEPTED
+        message = models.Message.objects.get(id=response.data["message_id"])
+        assert message.sender_user == channel.user
+
     # ── Auth endpoint returns role ──────────────────────────────────────
 
     @pytest.mark.parametrize("role", ["reader", "editor", "sender", "sender_only"])
@@ -1086,10 +1111,10 @@ def test_default_role_is_sender(self, mailbox, channel_user):
         )
         assert response.status_code == status.HTTP_200_OK
 
-        # POST should work (sender can edit)
+        # POST should work (sender can edit) — 405 because ThreadViewSet has no CreateModelMixin
         response = client.post(
             "/api/v1.0/threads/",
             {},
             format="json",
         )
-        assert response.status_code != status.HTTP_403_FORBIDDEN
+        assert response.status_code == status.HTTP_405_METHOD_NOT_ALLOWED

src/backend/messages/settings.py

@@ -260,13 +260,13 @@ class Base(Configuration):
     }
     # Client-bridge service authentication
     CLIENTBRIDGE_API_SECRET = values.Value(
-        "my-shared-secret-clientbridge",
+        "",
         environ_name="CLIENTBRIDGE_API_SECRET",
         environ_prefix=None,
     )
     # Session JWT lifetime in seconds (default: 1 hour).
     # IMAP/SMTP clients must re-authenticate when the token expires.
-    CLIENTBRIDGE_SESSION_TIMEOUT = values.IntegerValue(
+    CLIENTBRIDGE_SESSION_TIMEOUT = values.PositiveIntegerValue(
         3600,
         environ_name="CLIENTBRIDGE_SESSION_TIMEOUT",
         environ_prefix=None,
@@ -1077,6 +1077,12 @@ def post_setup(cls):
                 "OIDC_STORE_REFRESH_TOKEN is enabled."
             )
 
+        if cls.FEATURE_CLIENTBRIDGE and not cls.CLIENTBRIDGE_API_SECRET:
+            raise ValueError(
+                "CLIENTBRIDGE_API_SECRET must be set when "
+                "FEATURE_CLIENTBRIDGE is enabled"
+            )
+
 
 class Build(Base):
     """Settings used when the application is built.