Enhance SMTP configuration in docker-compose and email handler

- Updated docker-compose.yml to include optional SMTP settings with comments for clarity on configuration.
- Modified email-handler.ts to prioritize FROM_EMAIL for the sender address, falling back to SMTP_USER or ADMIN_EMAIL if not set, improving email handling flexibility.

.cursor/worktrees.json

@@ -0,0 +1,5 @@
+{
+  "setup-worktree": [
+    "npm install"
+  ]
+}

docker-compose.yml

@@ -14,12 +14,19 @@ services:
       - NODE_ENV=production
       - PORT=3000
       - ENABLE_SSR_CSP=1
-      # Add your other environment variables here
+      # SMTP Settings - Loaded from .env file or set here
+      # Uncomment and set these if not using .env file:
+      # - SMTP_HOST=smtp.your-server.com
+      # - SMTP_PORT=587
+      # - SMTP_USER=your-email@domain.com
+      # - SMTP_PASS=your-password
+      # - FROM_EMAIL=support@365devnet.eu  # Optional: Custom "from" address
+      # - ADMIN_EMAIL=admin@365devnet.eu
+      # - WEBSITE_NAME=365DevNet
+      # Other settings
       # - GEMINI_API_KEY=${GEMINI_API_KEY}
-      # - EMAIL_USER=${EMAIL_USER}
-      # - EMAIL_PASS=${EMAIL_PASS}
     env_file:
-      - .env
+      - .env  # SMTP settings will be loaded from this file
     volumes:
       # Mount logs directory if you want to persist logs
       - ./logs:/app/logs

server.js

@@ -25,7 +25,7 @@ app.use((req, res, next) => {
   if (process.env.ENABLE_SSR_CSP === '1') {
     res.setHeader(
       'Content-Security-Policy',
-      "default-src 'self' https://365devnet.eu https://*.365devnet.eu; " +
+      "default-src 'self' https://365devnet.eu https://*.365devnet.eu https://chat.365devnet.eu; " +
       "script-src 'self' 'unsafe-inline' 'wasm-unsafe-eval' https://chat.365devnet.eu; " +
       "style-src 'self' 'unsafe-inline'; " +
       "img-src 'self' data: https: blob:; " +

src/utils/email-handler.ts

@@ -12,6 +12,7 @@ const {
   SMTP_USER = '',
   SMTP_PASS = '',
   ADMIN_EMAIL = '',
+  FROM_EMAIL = '', // Optional: Custom "from" address (defaults to SMTP_USER or ADMIN_EMAIL)
   WEBSITE_NAME = '365DevNet Support',
   // Microsoft 365 / OAuth2 (optional)
   OAUTH2_CLIENT_ID = '',
@@ -229,7 +230,8 @@ export async function sendEmail(to: string, subject: string, html: string, text:
 
   try {
     // Never trust user-provided domain for From header to prevent spoofing.
-    const safeSender = SMTP_USER || ADMIN_EMAIL;
+    // Use FROM_EMAIL if set, otherwise fall back to SMTP_USER or ADMIN_EMAIL
+    const safeSender = FROM_EMAIL || SMTP_USER || ADMIN_EMAIL;
     const fromAddress = isProduction
       ? `"${WEBSITE_NAME}" <${safeSender}>`
       : `"${WEBSITE_NAME}" <${ADMIN_EMAIL}>`;