bilhej/docs/production-email-checklist.md
Joakim Mörling 86fb946e33
Add password reset, logged-in change password, and Mailpit email dev/E2E.
Operators can fix prod admin passwords without email via Byt lösenord;
end users can use forgot-password when SMTP is configured. Local and CI
use Mailpit to capture outbound mail and verify reset links end-to-end.

- Backend: V8 password_reset_tokens, PasswordResetService, EmailService,
  POST /api/auth/forgot-password, reset-password, change-password
- Optional testToken in forgot-password response (docker profile only, for E2E)
- Frontend: ForgotPasswordPage, ResetPasswordPage, ChangePasswordPage,
  routes, login link, header Byt lösenord
- Mailpit (ghcr.io/axllent/mailpit:v1.28) in docker-compose + e2e stack
- E2E: password-reset.spec.ts + Mailpit API helper tests SMTP delivery
- Separate dev/e2e Docker image names to avoid overwriting bilhej-frontend
- Docs: README email section, production-email-checklist, .env.example
- Unit/integration tests for reset, change password, and Vitest page specs

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-21 18:05:15 +02:00

# Production email checklist (operator)
Complete these steps on the server / Forgejo—nothing in this file is applied automatically.
## Prerequisites
- Domain **bilhej.se** DNS managed at your registrar
- BilHej deployed via Forgejo **Deploy to Production**
## 1. Choose a transactional provider
Recommended: [Resend](https://resend.com) or [Brevo](https://www.brevo.com) (EU, free tier).
## 2. Verify the domain
In the provider dashboard, add **bilhej.se** and publish the DNS records they give you:
- **SPF** (TXT)
- **DKIM** (CNAME or TXT)
- **DMARC** (TXT, optional but recommended)

You do **not** need MX records if the app only sends mail (forgot-password).
Wait until the provider shows the domain as verified.
## 3. Create SMTP credentials
Copy from the provider:
- SMTP host (e.g. `smtp.resend.com`)
- Port (`587`)
- Username / password or API key used as password
## 4. Update production `.env`
On the server (same file used by `docker-compose.prod.yml`):
```bash
APP_PUBLIC_BASE_URL=https://bilhej.se
MAIL_HOST=<provider-smtp-host>
MAIL_PORT=587
MAIL_USERNAME=<from-provider>
MAIL_PASSWORD=<from-provider>
MAIL_FROM=noreply@bilhej.se
```
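
A preflight check for this file, to run on the server before step 5. It is an added example, not part of the BilHej repository. It assumes plain `KEY=value` lines as shown above and that the app builds reset links from `APP_PUBLIC_BASE_URL`; `check_mail_env`, `env_value` and `fail` are hypothetical names.

```bash
#!/bin/sh
# Added example: preflight for the production .env described in step 4.
# Assumes plain KEY=value lines (no quotes, no "export"), as shown on the page.

problems=0
fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

# env_value FILE KEY -> value of the last KEY= line (empty if absent)
env_value() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

# check_mail_env FILE [DOMAIN] -> 0 if the file passes, 1 otherwise.
# Reports key names only, never values, so MAIL_PASSWORD stays out of the output.
check_mail_env() {
    file=$1 domain=${2:-bilhej.se} problems=0
    [ -r "$file" ] || { fail "cannot read $file"; return 1; }

    # The file holds SMTP credentials: flag it if "other" users can read it.
    [ -z "$(find "$file" -prune -perm -004)" ] || fail "$file is world-readable"

    for key in APP_PUBLIC_BASE_URL MAIL_HOST MAIL_PORT \
               MAIL_USERNAME MAIL_PASSWORD MAIL_FROM; do
        value=$(env_value "$file" "$key")
        case $value in
            '')        fail "$key is missing or empty"; continue ;;
            *'<'*'>'*) fail "$key still holds a <placeholder>"; continue ;;
        esac
        case $key=$value in
            # Reset links carry a token: require https on the expected host.
            APP_PUBLIC_BASE_URL="https://$domain"|APP_PUBLIC_BASE_URL="https://$domain"/*) ;;
            APP_PUBLIC_BASE_URL=*) fail "$key is not an https URL on $domain" ;;
            MAIL_PORT=587) ;;
            MAIL_PORT=*)   fail "$key is not 587, the port this checklist uses" ;;
            # The sender must be on the domain whose SPF/DKIM were published in step 2.
            MAIL_FROM=*@"$domain") ;;
            MAIL_FROM=*)   fail "$key is not an address at $domain" ;;
        esac
    done
    [ "$problems" -eq 0 ]
}
```

Source the script and call `check_mail_env` with the path to the production `.env`; a non-zero status means at least one `FAIL:` line was printed.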
## 5. Deploy
Run **Deploy to Production** in Forgejo (do not rsync files or run compose manually on the server).
## 6. Smoke test
1. Open https://bilhej.se/logga-in → **Glömt lösenord?**
2. Enter an email that exists in `users`
3. Check the inbox (and spam) for the reset message
4. If nothing arrives: `docker logs bilhej-backend-prod 2>&1 | grep -i mail`

Fallback without SMTP: reset links still appear in backend logs (`Password reset link for`).