feat: add inquiries api endpoint for webhook support, add query and f… #247

Merged
merged 2 commits into from
May 21, 2024

shaunwarman
Contributor

…iltering for admin page

Checklist

  • I have ensured my pull request is not behind the main or master branch of the original repository.
  • I have rebased all commits where necessary so that reviewing this pull request can be done without having to merge it first.
  • I have written a commit message that passes commitlint linting.
  • I have ensured that my code changes pass linting tests.
  • I have ensured that my code changes pass unit tests.
  • I have described my pull request and the reasons for code changes along with context if necessary.

@shaunwarman shaunwarman marked this pull request as draft May 16, 2024 03:36
@shaunwarman shaunwarman marked this pull request as ready for review May 20, 2024 04:44
const references = [messageId];
const subject = findSubject(headerLines);

const is_resolved = false;

I typically do isResolved and isWebhook

But I see why you did it here for simplicity in the create below, which is totally OK

@@ -19,11 +23,24 @@ async function list(ctx) {
};
}

query.$or.push({ is_resolved: { $exists: false } }, { is_resolved: false });

Get rid of the $exists and just add an index to is_resolved in the model, e.g. index: true for is_resolved property. When I deploy I will set all existing inquiries to is_resolved: true

This should just be:

query.$or.push({ is_resolved: false });

@titanism titanism left a comment

Looks awesome.

Here's a quick list of changes needed:

  • Add index: true to the model for is_resolved
  • Remove $exists from $or query (will speed up query - I will ensure that all existing data has boolean value for indexing when I deploy)

The other thing is that since this webhook is open to anyone, we should also at the least ensure that we check the resolved hostname of the connecting IP address that made the webhook request. In this case we should check that it's either mx1.forwardemail.net or mx2.forwardemail.net.

Note that in the code for config/api.js we have this section:

if (RATELIMIT_ALLOWLIST.includes(clientHostname))
  ctx.allowlistValue = clientHostname;
else {
  const rootClientHostname = parseRootDomain(clientHostname);
  if (RATELIMIT_ALLOWLIST.includes(rootClientHostname))
    ctx.allowlistValue = rootClientHostname;
}

This sets a value accessible to you in this middleware of ctx.allowlistValue.

This means you could add to the top of the middleware the following:

if (!ctx.allowlistValue || ![env.MX1_HOST, env.MX2_HOST, env.WEB_HOST].includes(ctx.allowlistValue))
  throw Boom.forbidden(ctx.translateError('INVALID_INQUIRY_WEBHOOK_REQUEST'));

You would need to add to config/phrases.js the INVALID_INQUIRY_WEBHOOK_REQUEST value such as "Webhook request did not originate from a valid hostname".

This is related to the discussion here forwardemail/free-email-forwarding#235 (now that we're actually dogfooding our own webhook payload, which is AWESOME!!!).

In the future we could add webhook payload signature, e.g. https://stackoverflow.com/a/68885281 which would go in the MX server code when we make the webhook request.

@titanism titanism merged commit 1da7f90 into forwardemail:master May 21, 2024
3 of 4 checks passed
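
The webhook payload signature mentioned as future work in the review above could be built as follows. This is an added example, not code from this PR, the project, or the linked Stack Overflow answer; the function names, the shared secret, the five-minute tolerance, and carrying the timestamp and signature alongside the request (for instance as headers) are assumptions.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');

const TOLERANCE_MS = 5 * 60 * 1000; // assumed replay window

// Sender side (hypothetical helper, would run where the webhook request is made).
// The timestamp is bound into the MAC so a captured request cannot be replayed later.
function signWebhook(secret, rawBody, timestamp = Date.now()) {
  const signature = createHmac('sha256', secret)
    .update(`${timestamp}.`)
    .update(rawBody)
    .digest('hex');
  return { timestamp: String(timestamp), signature };
}

// Receiver side (hypothetical helper): verify over the raw request bytes,
// before any JSON parsing, and reject stale or malformed input early.
function verifyWebhook(secret, rawBody, timestamp, signature, now = Date.now()) {
  const ts = Number(timestamp);
  if (!Number.isSafeInteger(ts) || Math.abs(now - ts) > TOLERANCE_MS) return false;
  if (typeof signature !== 'string' || !/^[0-9a-f]{64}$/.test(signature)) return false;
  const expected = createHmac('sha256', secret).update(`${ts}.`).update(rawBody).digest();
  const received = Buffer.from(signature, 'hex');
  // Both buffers are 32 bytes here, which timingSafeEqual requires.
  return timingSafeEqual(expected, received);
}

// Constructed sample values, for illustration only.
const SECRET = 'constructed-shared-secret';
const BODY = Buffer.from(JSON.stringify({ subject: 'Help', from: 'user@example.com' }));
const T0 = 1716249600000;
const signed = signWebhook(SECRET, BODY, T0);

function demo() {
  const { timestamp, signature } = signed;
  const soon = T0 + 1000;
  return {
    valid: verifyWebhook(SECRET, BODY, timestamp, signature, soon),
    tampered: verifyWebhook(SECRET, Buffer.from('{"subject":"x"}'), timestamp, signature, soon),
    replayed: verifyWebhook(SECRET, BODY, timestamp, signature, T0 + TOLERANCE_MS + 1),
    wrongKey: verifyWebhook('other-secret', BODY, timestamp, signature, soon),
    malformed: verifyWebhook(SECRET, BODY, timestamp, 'zz', soon),
  };
}
```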