JS-Mailer - Form mailer for JavaScript-based websites

JS-Mailer is a simple webservice, that allows JavaScript-based websites to easily send form data, by providing a simple API that can be accessed via JavaScript Fetch() or XMLHttpRequest.

Features

• Single-binary webservice
• Multi-form support
• Multiple recipients per form
• Only display form-fields that are configured in for the form in the resulting mail
• Check for required form fields
• Anti-SPAM functionality via built-in, auto-expiring and single-use security token feature
• Anti-SPAM functionality via honeypot fields
• Limit form access to specific domains
• Per-form mail server configuration
• hCaptcha support
• reCaptcha v2 support
• Turnstile support
• Form field type validation (text, email, number, bool)
• Confirmation mail to poster
• Custom Reply-To header based on sending mail address

Planed features

• Form body templates (possibly HTML)

Installation

There is a ready-to-use Docker image hosted on Github.

• Download the image:

  $ docker pull ghcr.io/wneessen/js-mailer:main

• Get your config files in place
• Run the image:

  $ docker run -p 8765:8765 -v /etc/js-mailer:/etc/js-mailer ghcr.io/wneessen/js-mailer:main

Configuration

Server configuration

The server configuration, by default, is searched for in /etc/js-mailer/js-mailer.json. The JSON syntax is very basic and comes with sane defaults.

{
  "forms": {
    "path": "/etc/js-mailer/forms",
    "maxlength": "10M"
  },
  "loglevel": "debug",
  "server": {
    "bind_addr": "0.0.0.0",
    "port": 8765,
    "timeout": "15s"
  }
}

• server (type: struct): The struct for the web api configuration
  • bind_addr (type: string): The IP address to bind the web service to
  • port (type: uint): The port for the webservice to listen on
  • timeout (type: time.Duration): The duration a request can take at max.
• forms (type: struct): The struct for the forms configuration
  • path (type: string): The path in which js-mailer will look for form configuration JSON files
  • maxlength (type: string): Maximum size of the request body (default: "10M")
• loglevel (type: string): The log level for the web service

Form configuration

Each form has its own configuration file. The configuration is searched in the forms path and are named by its id. Again the JSON syntax of the form configuration is very simple, yet flexible.

{
  "id": "test_form",
  "secret": "SuperSecretsString",
  "recipients": [
    "who@cares.net"
  ],
  "sender": "website@example.com",
  "domains": [
    "www.example.com",
    "example.com"
  ],
  "content": {
    "subject": "New message through the www.example.com contact form",
    "fields": [
      "name",
      "email",
      "message"
    ]
  },
  "replyto": {
    "field": "email"
  },
  "confirmation": {
    "enabled": true,
    "rcpt_field": "email",
    "subject": "Thank you for your message",
    "content": "We have received your message via www.example.com and will tough base with you, shortly."
  },
  "validation": {
    "hcaptcha": {
      "enabled": true,
      "secret_key": "0x01234567890"
    },
    "recaptcha": {
      "enabled": true,
      "secret_key": "0x01234567890"
    },
    "turnstile": {
      "enabled": true,
      "secret_key": "0x01234567890"
    },
    "honeypot": "street",
    "fields": [
      {
        "name": "name",
        "type": "text",
        "required": true
      },
      {
        "name": "mail_addr",
        "type": "email",
        "required": true
      },
      {
        "name": "terms_checked",
        "type": "matchval",
        "value": "on",
        "required": true
      }
    ]
  },
  "server": {
    "host": "mail.example.com",
    "port": 25,
    "username": "website@example.com",
    "password": "verySecurePassword",
    "timeout": "5s",
    "force_tls": true
  }
}

• id (type: string): The id of the form (will be looked for in the formid parameter of the token request)
• secret (type: string): Secret for the form. This will be used for the token generation
• recipients (type: []string): List of recipients, that should receive the mails with the submitted form data
• domains (type: []string): List of origin domains, that are allowed to use this form
• content (type: struct): The struct for the mail content configuration
  • subject (type: string): Subject for the mail notification of the form submission
  • fields (type: []string): List of field names that should show up in the mail notification
• confirmation (type: struct): The struct for the mail confirmail mail configuration
  • enabled (type: boolean): If true, the confirmation mail will be sent
  • rcpt_field (type: string): Name of the form field holding the confirmation mail recipient
  • subject (type: string): Subject for the confirmation mail
  • content (type: string): Content for the confirmation mail
    • fields (type: []string): List of field names that should show up in the mail notification
• validation (type: struct): The struct for the form validation configuration
  • hcaptcha (type: struct): The struct for the forms hCaptcha configuration
    • enabled (type: bool): Enable hCaptcha challenge-response validation
    • secret_key (type: string): Your hCaptcha secret key
  • recaptcha (type: struct): The struct for the forms reCaptcha configuration
    • enabled (type: bool): Enable reCaptcha challenge-response validation
    • secret_key (type: string): Your reCaptcha secret key
  • turnstile (type: struct): The struct for the forms Turnstile configuration
    • enabled (type: bool): Enable Turnstile challenge-response validation
    • secret_key (type: string): Your Turnstile secret key
  • honeypot (type: string): Name of the honeypot field, that is expected to be empty (Anti-SPAM)
  • fields (type: []struct): Array of single field validation configurations
    • name (type: string): Field validation identifier
    • type (type: string): Type of validation to run on field (text, email, nummber, bool)
    • required (type: boolean): If set to true, the field is required
• replyto (type: struct): The struct for the reply to configuration
  • rcpt_field (type: string): Name of the form field holding the reply-to mail sender address
• server (type: struct): The struct for the forms mail server configuration
  • host (type: string): Hostname of the sending mail server
  • port (type: uint32): Port to connect to on the sending mail server
  • username (type: string): Username for the mail server authentication
  • password (type: string): Password for the mail server authentication
  • timeout (type: duration): Timeout duration for the mail server connection
  • force_tls (type: boolean): If set to true, the mail server connection will require mandatory TLS

Workflow

JS-Mailer follows a two-step workflow. First your JavaScript requests a token from the API using the /api/v1/token endpoint. If the request is valid and website is authorized to request a token, the API will respond with a TokenResponseJson. This holds some data, which needs to be included into your form as hidden inputs. It will also provide a submission URL endpoint /api/v1/send/<formid>/<token> that can be used as action in your form. Once the form is submitted, the API will then validate that all submitted data is correct and submit the form data to the configured recipients.

API responses

The API basically responds with two different types of JSON objects. A success response or an error response.

Success response

The succss response JSON struct is very simple:

{
  "status_code": 200,
  "status": "Ok",
  "data": {}
}

• status_code (type: uint32): The HTTP status code of the success response
• status (type: string): The HTTP status string of the success response
• data (type: object): An object with abritrary data, based on the type of response

Successful token retrieval data object

The data object of the success response for a successful token retrieval looks like this:

{
  "token": "5b19fca2b154a2681f8d6014c63b5f81bdfdd01036a64f8a835465ab5247feff",
  "form_id": "test_form",
  "create_time": 1628670201,
  "expire_time": 1628670801,
  "url": "https://jsmailer.example.com/api/v1/send/test_form/5b19fca2b154a2681f8d6014c63b5f81bdfdd01036a64f8a835465ab5247feff",
  "enc_type": "multipart/form-data",
  "method": "post"
}

• token (type: string): The security token of this send request
• form_id (type: string): The form id of the current form (for reference or automatic inclusion via JS)
• create_time (type: int64): The epoch timestamp when the token was created
• expire_time (type: int64): The epoch timestamp when the token will expire
• url (type: string): API endpoint to set your form action to
• enc_type (type: string): The enctype for your form
• method (type: string): The method for your form

Sent successful data object

The data object of the success response for a successfully sent message looks like this:

The API response to a send request (/api/v1/send/<formid>/<token>) looks like this:

{
  "form_id": "test_form",
  "send_time": 1628670331,
  "confirmation_sent": true,
  "confirmation_rcpt": "toni.tester@example.com"
}

• form_id (type: string): The form id of the current form (for reference)
• send_time (type: int64): The epoch timestamp when the message was sent
• confirmation_sent (type: boolean): Is set to true, if a confirmation was sent successfully
• confirmation_rcpt (type: string): The recipient mail address that the confirmation was sent to

Error response

The error response JSON struct is also very simple:

{
  "status_code": 404,
  "status": "Not Found",
  "error_message": "Validation failed",
  "error_data": "Not a valid send URL"
}

• status_code (type: uint32): The HTTP status code of the success response
• status (type: string): The HTTP status string of the success response
• error_message (type: string): The general error message why this request failed
• error_data (type: interface{}): Optional details in addtion to the error message (i. e. missing fields)

Example implementation

A very basic HTML/JS example implementation for the JS-Mailer system can be found in the code-example directory