vdavid · vdavid · Nov 15, 2025 · Nov 13, 2025 · Nov 13, 2025 · Nov 13, 2025
diff --git a/.env.example b/.env.example
@@ -4,7 +4,7 @@
 
 # --- V-Mail app secrets and settings ---
 
-# The environment the V-Mail app is running in. One of "development" or "production"
+# The environment the V-Mail app is running in. One of "development", "test", and "production".
 VMAIL_ENV=production
 
 # The encryption key for AES-GCM encryption. 32-byte (256-bit) cryptographically secure random string, base64-encoded.

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -33,11 +33,19 @@ This setup lets you run the Go backend and the React frontend locally for debugg
 
 The project includes several utility scripts in the `scripts/` directory. See [`scripts/README.md`](../scripts/README.md) for detailed documentation.
 
-**Available scripts:**
-
-- **`check.sh`** - Runs all formatting, linting, and tests. Use `./scripts/check.sh` before committing new code and ensure all checks pass locally.
-- **`roadmap-burndown.go`** - Analyzes git history of `ROADMAP.md` to generate a CSV burndown chart showing task completion over time.
-
+## Testing
+`scripts/check.sh`uns all formatting, linting, and tests.
+Always use `./scripts/check.sh` before committing new code and ensure all checks pass locally.
+
+More ideas to make it efficient:
+
+```bash
+./scripts/check.sh # Run all checks (backend and frontend)
+./scripts/check.sh --backend # Run only backend checks
+./scripts/check.sh --frontend # Run only frontend checks
+./scripts/check.sh --check <check-name> # Run a specific check
+./scripts/check.sh --help # Show help, including a list of available checks
+```
 
 ### Dev process
 

diff --git a/ROADMAP.md b/ROADMAP.md
@@ -26,6 +26,15 @@
     * Goal: Basic offline support.
     * Tasks: Implement IndexedDB caching for recently viewed emails. Build the sync logic.
 
+## Milestone 2: Missing things
+
+### **2/7. 🔐 Authentication**
+
+- [ ] `ValidateToken` in `middleware.go` is currently a stub, and it always returns "test@example.com" without
+  actually validating the Authelia JWT token. This must be implemented before deploying to production.
+  The function should parse and validate the JWT token from Authelia, extract the user's email from the token claims,
+  and verify the token's signature and expiration.
+
 ## Milestone 3: Actions
 
 - Goal: Be able to manage email.
@@ -805,7 +814,7 @@ Done! 🎉 It works nicely. It's in `/backend/cmd/spike`. See `/backend/README.m
     * Create its handler function. This function should:
         * (For now) Assume auth is okay.
         * Check if a row exists in `user_settings` for this user.
-        * Return `{"isAuthenticated": true, "isSetupComplete": [true/false]}`.
+        * Return `{"isSetupComplete": [true/false]}`.
 * [x] **Create API: <code>settings</code> endpoints:**
     * In `/backend/internal/db`, create `user_settings.go`. Add `GetUserSettings(userID string)` and `SaveUserSettings(settings UserSettings)` functions.
     * Add the `GET /api/v1/settings` route and handler. It should call `GetUserSettings` and return the data (without passwords).

diff --git a/backend/cmd/server/main.go b/backend/cmd/server/main.go
@@ -42,21 +42,21 @@ func main() {
 }
 
 // NewServer creates and returns a new HTTP handler for the V-Mail API server.
-func NewServer(cfg *config.Config, pool *pgxpool.Pool) http.Handler {
+func NewServer(cfg *config.Config, dbPool *pgxpool.Pool) http.Handler {
 	encryptor, err := crypto.NewEncryptor(cfg.EncryptionKeyBase64)
 	if err != nil {
 		log.Fatalf("Failed to create encryptor: %v", err)
 	}
 
-	imapPool := imap.NewPool()
-	imapService := imap.NewService(pool, encryptor)
+	imapPool := imap.NewPoolWithMaxWorkers(cfg.IMAPMaxWorkers)
+	imapService := imap.NewService(dbPool, imapPool, encryptor)
 
-	authHandler := api.NewAuthHandler(pool)
-	settingsHandler := api.NewSettingsHandler(pool, encryptor)
-	foldersHandler := api.NewFoldersHandler(pool, encryptor, imapPool)
-	threadsHandler := api.NewThreadsHandler(pool, encryptor, imapService)
-	threadHandler := api.NewThreadHandler(pool, encryptor, imapService)
-	searchHandler := api.NewSearchHandler(pool, encryptor, imapService)
+	authHandler := api.NewAuthHandler(dbPool)
+	settingsHandler := api.NewSettingsHandler(dbPool, encryptor)
+	foldersHandler := api.NewFoldersHandler(dbPool, encryptor, imapPool)
+	threadsHandler := api.NewThreadsHandler(dbPool, encryptor, imapService)
+	threadHandler := api.NewThreadHandler(dbPool, encryptor, imapService)
+	searchHandler := api.NewSearchHandler(dbPool, encryptor, imapService)
 
 	mux := http.NewServeMux()
 

diff --git a/backend/cmd/test-server/main.go b/backend/cmd/test-server/main.go
@@ -194,7 +194,10 @@ func setupTestUser(ctx context.Context, pool *pgxpool.Pool, cfg *config.Config,
 		return fmt.Errorf("failed to create encryptor: %w", err)
 	}
 
-	imapService := imap.NewService(pool, encryptor)
+	imapPool := imap.NewPool()
+	defer imapPool.Close()
+
+	imapService := imap.NewService(pool, imapPool, encryptor)
 	if err := imapService.SyncThreadsForFolder(ctx, userID, "INBOX"); err != nil {
 		log.Printf("Warning: Failed to sync INBOX folder: %v", err)
 	} else {
@@ -205,8 +208,8 @@ func setupTestUser(ctx context.Context, pool *pgxpool.Pool, cfg *config.Config,
 }
 
 // startHTTPServer starts the HTTP server and waits for shutdown signals.
-func startHTTPServer(cfg *config.Config, pool *pgxpool.Pool, imapServer *testutil.TestIMAPServer, smtpServer *testutil.TestSMTPServer) error {
-	server := NewServer(cfg, pool)
+func startHTTPServer(cfg *config.Config, dbPool *pgxpool.Pool, imapServer *testutil.TestIMAPServer, smtpServer *testutil.TestSMTPServer) error {
+	server := NewServer(cfg, dbPool)
 	address := ":" + cfg.Port
 
 	log.Printf("V-Mail test server starting on %s", address)
@@ -234,21 +237,21 @@ func startHTTPServer(cfg *config.Config, pool *pgxpool.Pool, imapServer *testuti
 }
 
 // NewServer creates and returns a new HTTP handler for the V-Mail API server.
-func NewServer(cfg *config.Config, pool *pgxpool.Pool) http.Handler {
+func NewServer(cfg *config.Config, dbPool *pgxpool.Pool) http.Handler {
 	encryptor, err := crypto.NewEncryptor(cfg.EncryptionKeyBase64)
 	if err != nil {
 		log.Fatalf("Failed to create encryptor: %v", err)
 	}
 
-	imapPool := imap.NewPool()
-	imapService := imap.NewService(pool, encryptor)
-
-	authHandler := api.NewAuthHandler(pool)
-	settingsHandler := api.NewSettingsHandler(pool, encryptor)
-	foldersHandler := api.NewFoldersHandler(pool, encryptor, imapPool)
-	threadsHandler := api.NewThreadsHandler(pool, encryptor, imapService)
-	threadHandler := api.NewThreadHandler(pool, encryptor, imapService)
-	searchHandler := api.NewSearchHandler(pool, encryptor, imapService)
+	imapPool := imap.NewPoolWithMaxWorkers(cfg.IMAPMaxWorkers)
+	imapService := imap.NewService(dbPool, imapPool, encryptor)
+
+	authHandler := api.NewAuthHandler(dbPool)
+	settingsHandler := api.NewSettingsHandler(dbPool, encryptor)
+	foldersHandler := api.NewFoldersHandler(dbPool, encryptor, imapPool)
+	threadsHandler := api.NewThreadsHandler(dbPool, encryptor, imapService)
+	threadHandler := api.NewThreadHandler(dbPool, encryptor, imapService)
+	searchHandler := api.NewSearchHandler(dbPool, encryptor, imapService)
 
 	mux := http.NewServeMux()
 

diff --git a/backend/internal/api/api_test_helpers.go b/backend/internal/api/api_test_helpers.go
@@ -0,0 +1,69 @@
+package api
+
+import (
+	"context"
+	"encoding/base64"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/jackc/pgx/v5/pgxpool"
+	"github.com/vdavid/vmail/backend/internal/auth"
+	"github.com/vdavid/vmail/backend/internal/crypto"
+	"github.com/vdavid/vmail/backend/internal/db"
+	"github.com/vdavid/vmail/backend/internal/models"
+)
+
+// getTestEncryptor creates a test encryptor with a deterministic key for testing.
+func getTestEncryptor(t *testing.T) *crypto.Encryptor {
+	t.Helper()
+
+	key := make([]byte, 32)
+	for i := range key {
+		key[i] = byte(i)
+	}
+	base64Key := base64.StdEncoding.EncodeToString(key)
+
+	encryptor, err := crypto.NewEncryptor(base64Key)
+	if err != nil {
+		t.Fatalf("Failed to create encryptor: %v", err)
+	}
+	return encryptor
+}
+
+// setupTestUserAndSettings creates a test user and saves their settings.
+// Returns the userID for use in tests.
+func setupTestUserAndSettings(t *testing.T, pool *pgxpool.Pool, encryptor *crypto.Encryptor, email string) string {
+	t.Helper()
+	ctx := context.Background()
+	userID, err := db.GetOrCreateUser(ctx, pool, email)
+	if err != nil {
+		t.Fatalf("Failed to create user: %v", err)
+	}
+
+	encryptedIMAPPassword, _ := encryptor.Encrypt("imap_pass")
+	encryptedSMTPPassword, _ := encryptor.Encrypt("smtp_pass")
+
+	settings := &models.UserSettings{
+		UserID:                   userID,
+		UndoSendDelaySeconds:     20,
+		PaginationThreadsPerPage: 100,
+		IMAPServerHostname:       "imap.test.com",
+		IMAPUsername:             "user",
+		EncryptedIMAPPassword:    encryptedIMAPPassword,
+		SMTPServerHostname:       "smtp.test.com",
+		SMTPUsername:             "user",
+		EncryptedSMTPPassword:    encryptedSMTPPassword,
+	}
+	if err := db.SaveUserSettings(ctx, pool, settings); err != nil {
+		t.Fatalf("Failed to save settings: %v", err)
+	}
+	return userID
+}
+
+// createRequestWithUser creates an HTTP request with user email in context.
+func createRequestWithUser(method, url, email string) *http.Request {
+	req := httptest.NewRequest(method, url, nil)
+	ctx := context.WithValue(req.Context(), auth.UserEmailKey, email)
+	return req.WithContext(ctx)
+}
diff --git a/backend/internal/api/auth_handler.go b/backend/internal/api/auth_handler.go
@@ -2,7 +2,6 @@ package api
 
 import (
 	"context"
-	"encoding/json"
 	"log"
 	"net/http"
 
@@ -41,18 +40,16 @@ func (h *AuthHandler) GetAuthStatus(w http.ResponseWriter, r *http.Request) {
 	}
 
 	response := models.AuthStatusResponse{
-		IsAuthenticated: true, // TODO: Check if user is authenticated
 		IsSetupComplete: isSetupComplete,
 	}
 
-	w.Header().Set("Content-Type", "application/json")
-	if err := json.NewEncoder(w).Encode(response); err != nil {
-		log.Printf("AuthHandler: Failed to encode response: %v", err)
-		http.Error(w, "Internal server error", http.StatusInternalServerError)
+	if !WriteJSONResponse(w, response) {
 		return
 	}
 }
 
+// checkSetupComplete determines if the user has completed onboarding by checking
+// if user settings exist in the database.
 func (h *AuthHandler) checkSetupComplete(ctx context.Context, email string) (bool, error) {
 	userID, err := db.GetOrCreateUser(ctx, h.pool, email)
 	if err != nil {

diff --git a/backend/internal/api/auth_handler_test.go b/backend/internal/api/auth_handler_test.go
@@ -6,6 +6,7 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"testing"
+	"time"
 
 	"github.com/vdavid/vmail/backend/internal/auth"
 	"github.com/vdavid/vmail/backend/internal/db"
@@ -37,9 +38,6 @@ func TestAuthHandler_GetAuthStatus(t *testing.T) {
 			t.Fatalf("Failed to decode response: %v", err)
 		}
 
-		if !response.IsAuthenticated {
-			t.Error("Expected isAuthenticated to be true")
-		}
 		if response.IsSetupComplete {
 			t.Error("Expected isSetupComplete to be false for new user")
 		}
@@ -85,9 +83,6 @@ func TestAuthHandler_GetAuthStatus(t *testing.T) {
 			t.Fatalf("Failed to decode response: %v", err)
 		}
 
-		if !response.IsAuthenticated {
-			t.Error("Expected isAuthenticated to be true")
-		}
 		if !response.IsSetupComplete {
 			t.Error("Expected isSetupComplete to be true for user with settings")
 		}
@@ -103,4 +98,48 @@ func TestAuthHandler_GetAuthStatus(t *testing.T) {
 			t.Errorf("Expected status 401, got %d", rr.Code)
 		}
 	})
+
+	t.Run("returns 500 when GetOrCreateUser returns an error", func(t *testing.T) {
+		req := httptest.NewRequest("GET", "/api/v1/auth/status", nil)
+
+		// Use a cancelled context to simulate database connection failure
+		cancelledCtx, cancel := context.WithCancel(context.Background())
+		cancel()
+		reqCtx := context.WithValue(cancelledCtx, auth.UserEmailKey, "test@example.com")
+		req = req.WithContext(reqCtx)
+
+		rr := httptest.NewRecorder()
+		handler.GetAuthStatus(rr, req)
+
+		if rr.Code != http.StatusInternalServerError {
+			t.Errorf("Expected status 500, got %d", rr.Code)
+		}
+	})
+
+	t.Run("returns 500 when UserSettingsExist returns an error", func(t *testing.T) {
+		email := "erroruser@example.com"
+
+		// Create user first with valid context
+		ctx := context.Background()
+		_, err := db.GetOrCreateUser(ctx, pool, email)
+		if err != nil {
+			t.Fatalf("Failed to create user: %v", err)
+		}
+
+		// Use a context with a deadline that's already passed to cause UserSettingsExist to fail
+		// Note: GetOrCreateUser might succeed due to ON CONFLICT, but UserSettingsExist will fail
+		deadlineCtx, cancel := context.WithDeadline(context.Background(), time.Now().Add(-time.Second))
+		defer cancel()
+		reqCtx := context.WithValue(deadlineCtx, auth.UserEmailKey, email)
+
+		req := httptest.NewRequest("GET", "/api/v1/auth/status", nil)
+		req = req.WithContext(reqCtx)
+
+		rr := httptest.NewRecorder()
+		handler.GetAuthStatus(rr, req)
+
+		if rr.Code != http.StatusInternalServerError {
+			t.Errorf("Expected status 500, got %d", rr.Code)
+		}
+	})
 }