Developer Documentation

Complete guide to the Bulk Mailer system architecture and API reference.

Getting Started

The Bulk Mailer is a scalable email distribution system built on Cloudflare Workers with Next.js 14 and TypeScript.

Installation

cd bulk-mailer
npm install
npm run dev

Environment Setup

Create a .env.local file with the following variables:

JWT_SECRET=your-secret-here
ENCRYPTION_KEY=your-encryption-key-here
CSRF_SECRET=your-csrf-secret-here
SMTP_SERVER=smtp.sendgrid.net
SMTP_PORT=587
SMTP_USERNAME=apikey
SMTP_PASSWORD=your-sendgrid-api-key
FROM_EMAIL=noreply@yourdomain.com

Development Server

npm run dev

The application will start on http://localhost:3000

System Architecture

The system follows a three-phase architecture optimized for edge computing and scalability.

Phase 1: Foundation and Security

JWT-based authentication (stateless)
CSRF protection with token validation
Security headers via middleware
Password hashing with bcryptjs
Encryption for sensitive data (AES-256-GCM)
Rate limiting (in-memory)

Phase 2: Core Features

In-memory database with singleton pattern
Email queue processing
Campaign management
Contact management
SMTP provider configuration
Template variable substitution

Phase 3: Advanced Features (Planned)

Durable Objects for persistent storage
Cloudflare KV Store for distributed caching
R2 buckets for file storage
Bounce handling
Delivery tracking
Multi-tenant support

Technology Stack

Component	Technology	Purpose
Runtime	Cloudflare Workers	Edge computing
Framework	Next.js 14	React framework
Language	TypeScript	Type safety
Database	Durable Objects	Phase 3 storage
Cache	KV Store	Phase 3 caching
Email	Nodemailer	SMTP sending

Authentication

JWT Flow

User registers with email and password
Password is hashed with bcryptjs (10 rounds)
JWT token is generated with 24-hour expiry
CSRF token is generated for state-changing operations
Tokens are stored in localStorage on client
All requests send JWT in Authorization header

Token Structure

interface JWTPayload {
  userId: string
  email: string
  role: string
  iat: number
  exp: number
}

CSRF Protection

All state-changing operations (POST, PUT, DELETE, PATCH) require CSRF token validation:

CSRF tokens are JWT-based (stateless)
Generated upon login/register
Stored in localStorage as csrf_token
Sent in X-CSRF-Token header
Verified on backend before processing
No session storage required

API Endpoints

Authentication

POST/api/auth/register

Request Body:

{
  name: string
  email: string
  password: string
}

Response:

{
  success: boolean
  data: {
    user: User
    token: string
    csrfToken: string
  }
}

POST/api/auth/login

Authenticate user

Request Body:

{
  email: string
  password: string
}

Response:

{
  success: boolean
  data: {
    user: User
    token: string
    csrfToken: string
  }
}

SMTP Providers

GET/api/smtp/providers

List SMTP providers

Authentication: Required

Response:

{
  success: boolean
  data: SMTPProvider[]
}

POST/api/smtp/providers

Create SMTP provider

Authentication: Required + CSRF

Request Body:

{
  name: string
  host: string
  port: number
  username: string
  password: string
  secure: 'tls' | 'ssl'
  dailyLimit: number
}

Response:

{
  success: boolean
  data: SMTPProvider
}

Contacts

GET/api/contacts

List contacts with pagination

Authentication: Required

Query Parameters: page, limit

POST/api/contacts

Create contact

Authentication: Required + CSRF

Request Body:

{
  email: string
  firstName?: string
  lastName?: string
  tags?: string[]
}

Campaigns

GET/api/campaigns

List campaigns with pagination

Authentication: Required

Query Parameters: page, limit

POST/api/campaigns

Create campaign

Authentication: Required + CSRF

Request Body:

{
  name: string
  subject: string
  template: string
  scheduledAt?: string
}

Database Design

Phase 2: In-Memory Database

Current implementation uses in-memory storage with singleton pattern for development and testing.

Entity	Fields	Indexed By
User	id, email, passwordHash, createdAt	email
SMTPProvider	id, userId, host, port, username, password (encrypted)	userId
Contact	id, userId, email, firstName, lastName, tags, status	userId, email
Campaign	id, userId, name, subject, template, status	userId
EmailQueue	id, campaignId, contactId, status, attempts	campaignId

Phase 3: Durable Objects

Persistent storage will use Cloudflare Durable Objects with the following structure:

UsersDurableObject: User data and authentication
SMTPProvidersDurableObject: SMTP configurations
ContactsDurableObject: Contact information
CampaignsDurableObject: Campaign definitions
EmailQueueDurableObject: Email sending queue

Encryption

Sensitive data (SMTP passwords) is encrypted using AES-256-GCM before storage:

import { encryptData, decryptData } from '@/lib/encryption'

const encrypted = await encryptData(smtpPassword)
const decrypted = await decryptData(encrypted)

Security

Security Headers

Header	Value	Purpose
Strict-Transport-Security	max-age=31536000; includeSubDomains	Force HTTPS
Content-Security-Policy	Restrictive policy	Prevent XSS
X-Frame-Options	DENY	Prevent clickjacking
X-Content-Type-Options	nosniff	Prevent MIME sniffing

Input Validation

All endpoints validate input using Zod schemas:

import { z } from 'zod'

const contactSchema = z.object({
  email: z.string().email('Invalid email'),
  firstName: z.string().optional(),
  tags: z.array(z.string()).default([])
})

const data = contactSchema.parse(body)

Rate Limiting

Phase 2: In-memory rate limiting per IP
Phase 3: Distributed rate limiting with KV Store
Configurable per endpoint
Returns 429 Too Many Requests when exceeded

Password Security

Hashed with bcryptjs (10 rounds)
Never stored in plain text
Never transmitted in URLs
Always sent over HTTPS only

Testing

Unit Tests

npm test                  # Run all tests
npm run test:watch      # Watch mode
npm run test:coverage   # Coverage report

Test suites: Auth (8 tests), CSRF (7 tests), Utils (7 tests), Encryption (2 tests)

Integration Tests

Test API endpoints with request validation and response verification:

import request from 'supertest'
import { POST } from '@/app/api/contacts/route'

describe('Contacts API', () => {
  it('should create contact with CSRF token', async () => {
    const res = await request(app)
      .post('/api/contacts')
      .set('Authorization', `Bearer ${token}`)
      .set('X-CSRF-Token', csrfToken)
      .send({ email: 'test@example.com' })
    
    expect(res.status).toBe(200)
  })
})

Email Testing

Setup SMTP credentials (Gmail, SendGrid, or Mailgun)
Create test user and SMTP provider
Create test contacts
Create test campaign with template
Trigger email send
Verify email received with variables replaced

Deployment

Prerequisites

Cloudflare account
wrangler CLI installed
Environment variables configured
All tests passing

Deployment Steps

Build project: npm run build
Run tests: npm test
Set environment variables in Cloudflare Pages
Deploy: npm run deploy
Verify endpoints accessible
Monitor logs for errors

Environment Variables

Configure these in Cloudflare Pages dashboard, never commit to git:

JWT_SECRET: Long random string
ENCRYPTION_KEY: 32+ character string
CSRF_SECRET: Long random string
SMTP_SERVER: Your mail server
SMTP_PORT: Usually 587 or 465
SMTP_USERNAME: Authentication username
SMTP_PASSWORD: Authentication password
FROM_EMAIL: Sender email address

Troubleshooting

Common Issues

CSRF Token Missing Error

Ensure X-CSRF-Token header is included in state-changing requests:

fetch('/api/contacts', {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${token}`,
    'X-CSRF-Token': csrfToken
  },
  body: JSON.stringify(data)
})

Invalid Email or Password

Check that credentials are correct and account exists. In Phase 2 (in-memory), data is lost on server restart.

Email Not Sending

Verify SMTP credentials, check server logs, ensure contact and campaign exist, and rate limits not exceeded.

TypeScript Errors

npm run type-check

Getting Help

Need help? Reach out through these channels:

Email: hello@nsisonglabs.com
Twitter: @1cbyc
GitHub Issues: github.com/1cbyc/mailer/issues