Merge pull request #19735 from mozilla/upgrade-to-nodemailer7

chore(): upgrade to nodemailer 7

Author: toufali

libs/accounts/email-sender/src/email-sender.spec.ts

@@ -9,7 +9,6 @@ import type { ILogger } from '@fxa/shared/log';
 import { AppError } from '../../errors/src';
 
 jest.mock('nodemailer');
-jest.mock('@aws-sdk/client-ses');
 jest.mock('@sentry/node');
 
 // additional imports after Jest has mocked modules
@@ -159,7 +158,7 @@ describe('EmailSender', () => {
       expect(mockTransport.sendMail).not.toHaveBeenCalled();
     });
 
-    it('falls back to ses when no username/password provided', async () => {
+    it('uses SMTP without auth when no username/password provided', async () => {
       config = {
         ...config,
         user: undefined,
@@ -173,14 +172,18 @@ describe('EmailSender', () => {
         mockLogger
       );
 
-      // Verify constructor called createTransport with SES configuration
-      expect(mockNodemailer.createTransport).toHaveBeenCalledWith(
+      expect(mockNodemailer.createTransport).toHaveBeenLastCalledWith(
         expect.objectContaining({
-          SES: expect.objectContaining({
-            ses: expect.any(Object),
-          }),
-          sendingRate: 5,
-          maxConnections: 10,
+          host: config.host,
+          port: config.port,
+          secure: config.secure,
+          sendingRate: config.sendingRate,
+        })
+      );
+      expect(mockNodemailer.createTransport).toHaveBeenLastCalledWith(
+        expect.not.objectContaining({
+          SES: expect.anything(),
+          auth: expect.anything(),
         })
       );
 

libs/accounts/email-sender/src/email-sender.ts

@@ -2,7 +2,6 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-import { SES } from '@aws-sdk/client-ses';
 import { Bounces } from './bounces';
 import { StatsD } from 'hot-shots';
 import { ILogger } from '@fxa/shared/log';
@@ -37,10 +36,14 @@ export type MailerConfig = {
   /** DNS timeout for smtp server connection. */
   dnsTimeout: number;
 
-  /** Optional user name.  If not supplied, we fallback to local SES config. */
+  /** Optional user name for SMTP authentication. */
   user?: string;
-  /** Optional password. If not supplied, we fallback to local SES config. */
+  /** Optional password for SMTP authentication. */
   password?: string;
+  /** Optional flag to ignore STARTTLS even if the server advertises it. */
+  ignoreTLS?: boolean;
+  /** Optional flag to require STARTTLS even if the server does not advertise it. */
+  requireTLS?: boolean;
   sesConfigurationSet?: string;
   sender: string;
   retry: {
@@ -81,6 +84,26 @@ export type Email = {
   headers: Record<string, string>;
 };
 
+type SmtpTransportOptions = nodemailer.TransportOptions & {
+  host: string;
+  port: number;
+  secure: boolean;
+  pool: boolean;
+  maxConnections: number;
+  maxMessages: number;
+  connectionTimeout: number;
+  greetingTimeout: number;
+  socketTimeout: number;
+  dnsTimeout: number;
+  sendingRate: number;
+  ignoreTLS?: boolean;
+  requireTLS?: boolean;
+  auth?: {
+    user: string;
+    pass: string;
+  };
+};
+
 /**
  * Sends an email to end end user.
  */
@@ -93,36 +116,10 @@ export class EmailSender {
     private readonly statsd: StatsD,
     private readonly log: ILogger
   ) {
-    // Determine auth credentials
-    const auth = (() => {
-      // If the user name and password are set use this
-      if (config.user && config.password) {
-        return {
-          auth: {
-            user: config.user,
-            pass: config.password,
-          },
-        };
-      }
-
-      // Otherwise fallback to the SES configuration
-      const ses = new SES({
-        // The key apiVersion is no longer supported in v3, and can be removed.
-        // @deprecated The client uses the "latest" apiVersion.
-        apiVersion: '2010-12-01',
-      });
-      return {
-        SES: { ses },
-        sendingRate: 5,
-        maxConnections: 10,
-      };
-    })();
-
-    // Build node mailer options
-    const options = {
+    // Build SMTP-only nodemailer options
+    const options: SmtpTransportOptions = {
       host: config.host,
       secure: config.secure,
-      ignoreTLS: !config.secure,
       port: config.port,
       pool: config.pool,
       maxConnections: config.maxConnections,
@@ -131,9 +128,24 @@ export class EmailSender {
       greetingTimeout: config.greetingTimeout,
       socketTimeout: config.socketTimeout,
       dnsTimeout: config.dnsTimeout,
-      sendingRate: this.config.sendingRate,
-      ...auth,
+      sendingRate: config.sendingRate,
     };
+
+    if (config.user && config.password) {
+      options.auth = {
+        user: config.user,
+        pass: config.password,
+      };
+    }
+
+    if (typeof config.ignoreTLS === 'boolean') {
+      options.ignoreTLS = config.ignoreTLS;
+    }
+
+    if (typeof config.requireTLS === 'boolean') {
+      options.requireTLS = config.requireTLS;
+    }
+
     this.emailClient = nodemailer.createTransport(options);
   }
 
@@ -261,9 +273,9 @@ export class EmailSender {
     attempt = 0
   ): Promise<{
     sent: boolean;
-    message?: string;
     messageId?: string;
     response?: string;
+    message?: string;
   }> {
     const { maxAttempts, backOffMs } = this.config.retry;
     const isRetry = attempt > 0;
@@ -292,7 +304,7 @@ export class EmailSender {
         await this.emailClient.sendMail(sendMailPayload);
 
       this.log.debug('mailer.send', {
-        status: info.message,
+        status: info.response,
         id: info.messageId,
         to: email.to,
         isRetry,
@@ -307,13 +319,23 @@ export class EmailSender {
         retryAttempt: attempt,
       });
 
-      // Relay email payload and send status back to calling code.
-      return {
+      const result: {
+        sent: boolean;
+        messageId?: string;
+        response?: string;
+        message?: string;
+      } = {
         sent: true,
-        message: info?.message,
         messageId: info?.messageId,
         response: info?.response,
       };
+
+      if (info?.message) {
+        result.message = info.message;
+      }
+
+      // Relay email payload and send status back to calling code.
+      return result;
     } catch (err) {
       // retry if configured
       if (!isFinalAttempt && backOffMs > 0) {

package.json

@@ -44,7 +44,6 @@
     "@apollo/server": "^4.11.3",
     "@aws-sdk/client-config-service": "^3.879.0",
     "@aws-sdk/client-s3": "^3.878.0",
-    "@aws-sdk/client-ses": "^3.876.0",
     "@aws-sdk/client-sns": "^3.876.0",
     "@aws-sdk/client-sqs": "^3.876.0",
     "@faker-js/faker": "^9.0.0",
@@ -124,6 +123,7 @@
     "node-fetch": "^2.6.7",
     "node-hkdf": "^0.0.2",
     "node-jose": "^2.2.0",
+    "nodemailer": "^7.0.7",
     "nps": "^5.10.0",
     "objection": "^3.1.3",
     "os-browserify": "^0.3.0",
@@ -226,6 +226,7 @@
     "@types/module-alias": "^2",
     "@types/mysql": "^2",
     "@types/node": "^22.13.5",
+    "@types/nodemailer": "^7.0.4",
     "@types/passport": "^1.0.6",
     "@types/passport-http-bearer": "^1.0.36",
     "@types/passport-jwt": "^4",

packages/fxa-auth-server/config/dev.json

@@ -18,6 +18,7 @@
     "host": "localhost",
     "port": 9999,
     "secure": false,
+    "ignoreTLS": true,
     "redirectDomain": "localhost",
     "subscriptionTermsUrl": "https://www.mozilla.org/about/legal/terms/subscription-services",
     "subscriptionSettingsUrl": "http://localhost:3035/",

packages/fxa-auth-server/config/index.ts

@@ -429,6 +429,12 @@ const convictConf = convict({
       default: false,
       env: 'SMTP_SECURE',
     },
+    ignoreTLS: {
+      doc: 'Ignore STARTTLS even if the server advertises it (needed for local mail helper)',
+      format: Boolean,
+      default: false,
+      env: 'SMTP_IGNORE_TLS',
+    },
     user: {
       doc: 'SMTP username',
       format: String,

packages/fxa-auth-server/lib/senders/email.js

@@ -6,7 +6,6 @@
 
 const emailUtils = require('../email/utils/helpers');
 const moment = require('moment-timezone');
-const { SES } = require('@aws-sdk/client-ses');
 const nodemailer = require('nodemailer');
 const safeUserAgent = require('fxa-shared/lib/user-agent').default;
 const url = require('url');
@@ -302,10 +301,9 @@ module.exports = function (log, config, bounces, statsd) {
   const validCardTypes = Object.keys(CARD_TYPE_TO_TEXT);
 
   function Mailer(mailerConfig, sender) {
-    let options = {
+    const options = {
       host: mailerConfig.host,
       secure: mailerConfig.secure,
-      ignoreTLS: !mailerConfig.secure,
       port: mailerConfig.port,
       pool: mailerConfig.pool,
       maxConnections: mailerConfig.maxConnections,
@@ -314,24 +312,22 @@ module.exports = function (log, config, bounces, statsd) {
       greetingTimeout: mailerConfig.greetingTimeout,
       socketTimeout: mailerConfig.socketTimeout,
       dnsTimeout: mailerConfig.dnsTimeout,
+      sendingRate: mailerConfig.sendingRate,
     };
 
     if (mailerConfig.user && mailerConfig.password) {
       options.auth = {
         user: mailerConfig.user,
         pass: mailerConfig.password,
       };
-    } else {
-      const ses = new SES({
-        // The key apiVersion is no longer supported in v3, and can be removed.
-        // @deprecated The client uses the "latest" apiVersion.
-        apiVersion: '2010-12-01',
-      });
-      options = {
-        SES: { ses },
-        sendingRate: 5,
-        maxConnections: 10,
-      };
+    }
+
+    if (typeof mailerConfig.ignoreTLS === 'boolean') {
+      options.ignoreTLS = mailerConfig.ignoreTLS;
+    }
+
+    if (typeof mailerConfig.requireTLS === 'boolean') {
+      options.requireTLS = mailerConfig.requireTLS;
     }
 
     this.accountSettingsUrl = mailerConfig.accountSettingsUrl;

packages/fxa-auth-server/package.json

@@ -105,7 +105,7 @@
     "mozlog": "^3.0.2",
     "mysql": "^2.18.1",
     "node-zendesk": "^2.2.0",
-    "nodemailer": "^6.9.9",
+    "nodemailer": "^7.0.7",
     "openapi-fetch": "^0.13.5",
     "otplib": "^11.0.1",
     "p-queue": "^8.1.0",
@@ -139,7 +139,7 @@
     "@types/nock": "^11.1.0",
     "@types/node": "^22.13.5",
     "@types/node-zendesk": "^2.0.2",
-    "@types/nodemailer": "^6.4.2",
+    "@types/nodemailer": "^7.0.4",
     "@types/request": "2.48.5",
     "@types/sass": "^1",
     "@types/uuid": "^10.0.0",