[GH-ISSUE #424] [feature-request] Endpoint for isolated message preview #272

Closed
opened 2026-03-15 13:34:59 +03:00 by kerem · 3 comments
Owner

Originally created by @baiomys on GitHub (Jan 12, 2025).
Original GitHub issue: https://github.com/axllent/mailpit/issues/424

Hi, the current API scheme has the following variants for viewing a message:

/view/{ID}.html
/view/{ID}.txt
/view/{ID} == unsafe, getting access to all messages
/view/latest == unsafe, getting access to all messages
/view/latest.html == unsafe, getting access to someone else's message
/view/latest.txt == unsafe, getting access to someone else's message

Is it possible to implement a separate endpoint without 'latest' and mandatory .html or .txt suffix?
In the current condition, path validation/isolation on the reverse proxy side using regex or templates is definitely possible, but it is getting too complex for such a simple task.

kerem closed this issue 2026-03-15 13:35:04 +03:00

@axllent commented on GitHub (Jan 13, 2025):

Hi @baiomys. I'm not sure how you see that working from Mailpit's end - the whole API is exposed, either with or without authentication. What you are effectively wanting is a custom (and partial) exposure to only some endpoints. By far the best place for this would definitely be in the proxy itself where you can control exactly what does and doesn't have access, and to what.
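
An added example, not part of the original thread or of Mailpit's own code: a small Go reverse proxy that forwards only GET/HEAD requests for /view/{ID}.html and /view/{ID}.txt and refuses /view/latest, suffix-less IDs and every other path. The ID pattern and both listen addresses are assumptions.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"regexp"
)

// Assumption: message IDs are short alphanumeric tokens; adjust this to the
// ID format your Mailpit version actually emits.
var viewPath = regexp.MustCompile(`^/view/([A-Za-z0-9]{1,64})\.(html|txt)$`)

// allowedView reports whether a request may be forwarded: only GET/HEAD on
// /view/{ID}.html or /view/{ID}.txt, and never the "latest" alias.
func allowedView(r *http.Request) bool {
	if r.Method != http.MethodGet && r.Method != http.MethodHead {
		return false
	}
	// A non-empty RawPath means the path used non-canonical percent-encoding
	// (e.g. %2e, %2F); refuse it instead of guessing how the backend decodes it.
	if r.URL.RawPath != "" {
		return false
	}
	m := viewPath.FindStringSubmatch(r.URL.Path)
	return m != nil && m[1] != "latest"
}

// isolatedPreview wraps the upstream proxy with the path allowlist.
func isolatedPreview(upstream *url.URL) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(upstream)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !allowedView(r) {
			http.NotFound(w, r)
			return
		}
		proxy.ServeHTTP(w, r)
	})
}

func main() {
	// Assumed addresses: Mailpit on 127.0.0.1:8025, public listener on :8080.
	upstream, err := url.Parse("http://127.0.0.1:8025")
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.ListenAndServe(":8080", isolatedPreview(upstream)))
}
```

Anything a rendered message requests from other paths is refused as well, so the allowlist has to be extended deliberately if such resources are needed.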


@baiomys commented on GitHub (Jan 13, 2025):

Thanks, I got it.
It seems that it would be more handy to fork mailpit and make it more suitable for the task.
=)


@axllent commented on GitHub (Jan 13, 2025):

I agree. Based on several of your recent posts, you require a lot of custom functionality which is directly related to your project, but which falls completely outside the scope and intended purpose of Mailpit. This way you can theoretically get the best of both worlds.
