From e55f20367d5c7b25fc1f5a589b2613a0d136f4b5 Mon Sep 17 00:00:00 2001
From: "Torsten Schulz (local)"
Date: Sun, 19 Oct 2025 13:28:03 +0200
Subject: [PATCH] Refactor email transporter configuration in AuthService; update to support STARTTLS and TLS requirements based on environment variables, and adjust EMAIL_SECURE setting in production template for improved email security.
---
 backend/env.production.template | 3 ++-
 backend/src/services/AuthService.js | 27 +++++++++++++++++++++++----
 2 files changed, 25 insertions(+), 5 deletions(-)
diff --git a/backend/env.production.template b/backend/env.production.template
index 6d2e62f..b634d3b 100644
--- a/backend/env.production.template
+++ b/backend/env.production.template
@@ -42,7 +42,8 @@ FRONTEND_URL=https://stechuhr3.tsschulz.de
 # SMTP-Server Konfiguration
 EMAIL_HOST=smtp.1blu.de
 EMAIL_PORT=587
-EMAIL_SECURE=true
+EMAIL_SECURE=false
+EMAIL_REQUIRE_TLS=true
 EMAIL_USER=e226079_0-kontakt
 EMAIL_PASSWORD=aNN31bll3Na!
 EMAIL_FROM=kontakt@tsschulz.de
diff --git a/backend/src/services/AuthService.js b/backend/src/services/AuthService.js
index 3052426..1635bc0 100644
--- a/backend/src/services/AuthService.js
+++ b/backend/src/services/AuthService.js
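Review bot: The context lines of the backend/env.production.template hunk show EMAIL_USER and EMAIL_PASSWORD set to what look like a real account name and password rather than placeholders, in a file that is committed to the repository. If these are live values, the SMTP password should be rotated, because removing it in a later commit does not remove it from history. The two lines are better written as placeholders such as `EMAIL_USER=<smtp-user>` and `EMAIL_PASSWORD=<set-at-deploy-time>`, with the real values supplied from the deployment's secret store. The added `EMAIL_REQUIRE_TLS=true` line would also benefit from a short comment, for example `# Require STARTTLS on port 587 (used together with EMAIL_SECURE=false)`.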
@@ -22,16 +22,35 @@ class AuthService {
 */
 initializeEmailTransporter() {
 if (process.env.EMAIL_HOST && process.env.EMAIL_USER && process.env.EMAIL_PASSWORD) {
- this.emailTransporter = nodemailer.createTransport({
+ const port = parseInt(process.env.EMAIL_PORT) || 587;
+ const secure = process.env.EMAIL_SECURE === 'true';
+
+ // Port 587 = STARTTLS (secure: false)
+ // Port 465 = Direct SSL (secure: true)
+ const config = {
 host: process.env.EMAIL_HOST,
- port: parseInt(process.env.EMAIL_PORT) || 587,
- secure: process.env.EMAIL_SECURE === 'true',
+ port: port,
+ secure: secure, // true für Port 465, false für Port 587
 auth: {
 user: process.env.EMAIL_USER,
 pass: process.env.EMAIL_PASSWORD
 }
- });
+ };
+
+ // Für Port 587: STARTTLS aktivieren
+ if (port === 587 && !secure) {
+ config.requireTLS = process.env.EMAIL_REQUIRE_TLS !== 'false';
+ config.tls = {
+ rejectUnauthorized: process.env.NODE_ENV === 'production'
+ };
+ }
+
+ this.emailTransporter = nodemailer.createTransport(config);
+ console.log('✅ Email-Transporter konfiguriert');
+ console.log(' SMTP:', process.env.EMAIL_HOST + ':' + port);
+ console.log(' Secure:', secure);
+ console.log(' STARTTLS:', port === 587 && !secure ? 'aktiviert' : 'deaktiviert');
 } else {
 console.warn('⚠️ Email-Konfiguration fehlt - Passwort-Reset-E-Mails können nicht versendet werden');
 }
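Review bot: In the new `if (port === 587 && !secure)` block, `rejectUnauthorized: process.env.NODE_ENV === 'production'` turns certificate verification off whenever NODE_ENV is unset or has any other value, so a staging host, or a production host started without NODE_ENV, would send the SMTP login over a TLS session whose peer is not authenticated. Verification should default to on and be disabled only by an explicit opt-out, for example `rejectUnauthorized: process.env.EMAIL_TLS_REJECT_UNAUTHORIZED !== 'false'` (a proposed new variable, not one the project defines today). The same block ties `requireTLS` to port 587 only, so with `secure` false on any other port the STARTTLS upgrade stays opportunistic; `if (!secure) {` would cover those ports as well. `parseInt(process.env.EMAIL_PORT)` should also pass a radix, `parseInt(process.env.EMAIL_PORT, 10)`. The closing brace of initializeEmailTransporter lies outside the hunk.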