Merged
60 changes: 60 additions & 0 deletions app/Notifications/GiteaAccountCredentialsNotification.php
@@ -0,0 +1,60 @@
<?php

namespace App\Notifications;

use App\Notifications\Channels\MailtrapChannel;
use App\Notifications\Messages\MailtrapMessage;
use Illuminate\Bus\Queueable;
use Illuminate\Contracts\Queue\ShouldQueue;
use Illuminate\Notifications\Notification;
use Illuminate\Support\Facades\View;

class GiteaAccountCredentialsNotification extends Notification implements ShouldQueue
{
use Queueable;

public function __construct(
public string $giteaUsername,
public string $temporaryPassword,
Comment on lines +17 to +18
security-medium medium

The temporary password is stored as a public property on a queued notification. When the notification is queued, these properties are serialized and stored in plain text in the queue storage (e.g., Redis or the jobs table). This exposes sensitive credentials to anyone with access to the queue or logs. While it is a temporary password, consider encrypting this data or using a flow that doesn't involve sending plain-text passwords through the queue.

) {}

/**
* @return array<int, string>
*/
public function via(object $notifiable): array
{
return [MailtrapChannel::class];
}

public function toMailtrap(object $notifiable): MailtrapMessage
{
$giteaUrl = config('services.gitea.url');

$html = View::make('emails.gitea-account-credentials', [
'user' => $notifiable,
'giteaUsername' => $this->giteaUsername,
'temporaryPassword' => $this->temporaryPassword,
'giteaUrl' => $giteaUrl,
])->render();

$textLines = [
'A Gitea account has been created for you on '.config('app.name').'.',
'',
'Username: '.$this->giteaUsername,
'Temporary password: '.$this->temporaryPassword,
'',
'You must change this password when you first sign in to Gitea.',
Comment on lines +41 to +46
medium

The introductory sentence in the text version of the email differs from the HTML version, and it is missing the greeting. It's better to keep the messaging consistent across both formats to ensure a uniform user experience.

            'Hello ' . $notifiable->name . ',',
            '',
            'A Gitea account has been created for you so you can collaborate on remote work repositories.',
            '',
            'Username: ' . $this->giteaUsername,
            'Temporary password: ' . $this->temporaryPassword,
            '',
            'You must change this password when you first sign in to Gitea.',

];

if (filled($giteaUrl)) {
$textLines[] = '';
$textLines[] = 'Sign in: '.rtrim((string) $giteaUrl, '/');
}

return MailtrapMessage::create()
->subject('Your Gitea account credentials')
->text(implode("\n", $textLines))
->html($html)
->category('Gitea Account');
}
}
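Review bot: `$temporaryPassword` (line +18) is a public constructor property on a class that implements `ShouldQueue` (line +12), so every queued copy of this notification carries the Gitea password in the serialized job payload, and the `text()` body on line +44 repeats it verbatim in the delivered email. The queue-storage copy outlives the message itself and is readable by anyone with access to the queue backend or the failed-jobs table, which is a wider audience than the recipient. Consider dropping `ShouldQueue` so the mail is sent synchronously from the provisioner, marking the notification `ShouldBeEncrypted` so the payload is encrypted at rest, or, preferably, replacing the password with a short-lived link that forces the user to set their own password on first sign-in. Whichever option is taken, the plain-text branch on lines +41 to +46 should carry the same greeting and wording as the HTML template so both renderings stay in step.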
3 changes: 3 additions & 0 deletions app/Services/CompanyJobGiteaProvisioner.php
@@ -6,6 +6,7 @@
use App\Models\CompanyJobApplication;
use App\Models\Developer;
use App\Models\User;
use App\Notifications\GiteaAccountCredentialsNotification;
use Illuminate\Support\Str;
use RuntimeException;

@@ -117,6 +118,8 @@ public function ensureUserHasGiteaAccount(User $user): void
}

$user->forceFill(['gitea_username' => $login])->save();

$user->notify(new GiteaAccountCredentialsNotification($login, $password));
high

The notification is dispatched after the gitea_username is saved to the database. If the notification fails to be queued (e.g., due to a connection issue with the queue driver), the user will be marked as having a Gitea account in the database, but they will never receive their credentials. Subsequent retries of the provisioning process will return early because gitea_username is already set (see line 89), leaving the user with an inaccessible account. Consider swapping the order to ensure the notification is successfully queued before finalizing the state in the database.

}

/**
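Review bot: `$user->notify(new GiteaAccountCredentialsNotification($login, $password))` on line +122 runs only after `forceFill(['gitea_username' => $login])->save()` on line +120 has already persisted the username, and nothing around the call catches a failure from the queue push. If the push throws, the database records the account as provisioned while the only copy of `$password` disappears with the exception, and, as the previous comment notes, the early return on `gitea_username` means a re-run will not regenerate it. Either dispatch the notification first and persist `gitea_username` only once the dispatch succeeds, or wrap both steps in a try/catch that clears `gitea_username` (or resets the Gitea password) on failure; in the failure path, log the error without including `$password` in the message or context.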
1 change: 0 additions & 1 deletion public/build/assets/DeveloperCardSection-ByWs1UIH.js
This file was deleted.