fix: limit SEND_MAIL domain checks to binding paths (#987)

* fix: scope SEND_MAIL domain gating to binding * test: cover SEND_MAIL domain gating in e2e
2026-06-02 14:09:59 +08:00 · 2026-04-17 18:08:19 +08:00
parent e772db8c3e
commit 000cd0ddfa
11 changed files with 124 additions and 4 deletions
--- a/e2e/tests/api/send-mail-limit.spec.ts
+++ b/e2e/tests/api/send-mail-limit.spec.ts
@@ -1,6 +1,7 @@
 import { test, expect, APIRequestContext } from '@playwright/test';
 import {
  WORKER_URL,
+  WORKER_URL_SEND_MAIL_DOMAIN,
  createTestAddress,
  deleteAddress,
  deleteAllMailpitMessages,
@@ -424,6 +425,34 @@ test.describe('Send Mail Limit', () => {
    expect(res.status()).toBe(400);
  });

+  test('/admin/send_mail_by_binding returns 200 when domain is allowed', async ({ request }) => {
+    const res = await request.post(`${WORKER_URL_SEND_MAIL_DOMAIN}/admin/send_mail_by_binding`, {
+      headers: ADMIN_HEADERS,
+      data: {
+        from: 'admin@test.example.com',
+        to: ['recipient@test.example.com'],
+        subject: `send-mail-domain-ok-${Date.now()}`,
+        text: 'body',
+      },
+    });
+    expect(res.ok()).toBe(true);
+    expect(await res.json()).toEqual({ status: 'ok' });
+  });
+
+  test('/admin/send_mail_by_binding returns 400 when domain is not allowed', async ({ request }) => {
+    const res = await request.post(`${WORKER_URL_SEND_MAIL_DOMAIN}/admin/send_mail_by_binding`, {
+      headers: ADMIN_HEADERS,
+      data: {
+        from: 'admin@blocked.example.com',
+        to: ['recipient@test.example.com'],
+        subject: `send-mail-domain-blocked-${Date.now()}`,
+        text: 'body',
+      },
+    });
+    expect(res.status()).toBe(400);
+    expect(await res.text()).toContain('Please enable SEND_MAIL for this domain first');
+  });
+
  test('daily and monthly counters both increment on successful send', async ({ request }) => {
    const { jwt } = await createTestAddress(request, 'limit-both-inc');
    await requestSendAccess(request, jwt);