refactor: adress review

lib/mv/config.ex

@@ -362,26 +362,41 @@ defmodule Mv.Config do
   @doc """
   Returns the OIDC client secret.
   In production, uses the value from config :mv, :oidc (set by runtime.exs from OIDC_CLIENT_SECRET or OIDC_CLIENT_SECRET_FILE).
-  Otherwise ENV OIDC_CLIENT_SECRET, then Settings.
+  Otherwise ENV OIDC_CLIENT_SECRET, then Settings (read via explicit select; not in default get_settings).
   """
   @spec oidc_client_secret() :: String.t() | nil
   def oidc_client_secret do
     case Application.get_env(:mv, :oidc) do
       oidc when is_list(oidc) -> oidc_client_secret_from_config(Keyword.get(oidc, :client_secret))
-      _ -> env_or_setting("OIDC_CLIENT_SECRET", :oidc_client_secret)
+      _ -> oidc_client_secret_from_env_or_settings()
     end
   end
 
+  @doc """
+  Returns whether the OIDC client secret is set in Settings (for UI badge). Does not expose the value.
+  """
+  @spec oidc_client_secret_set?() :: boolean()
+  def oidc_client_secret_set? do
+    present?(get_oidc_client_secret_from_settings())
+  end
+
   defp oidc_client_secret_from_config(nil),
-    do: env_or_setting("OIDC_CLIENT_SECRET", :oidc_client_secret)
+    do: oidc_client_secret_from_env_or_settings()
 
   defp oidc_client_secret_from_config(secret) when is_binary(secret) do
     s = String.trim(secret)
-    if s != "", do: s, else: env_or_setting("OIDC_CLIENT_SECRET", :oidc_client_secret)
+    if s != "", do: s, else: oidc_client_secret_from_env_or_settings()
   end
 
   defp oidc_client_secret_from_config(_),
-    do: env_or_setting("OIDC_CLIENT_SECRET", :oidc_client_secret)
+    do: oidc_client_secret_from_env_or_settings()
+
+  defp oidc_client_secret_from_env_or_settings do
+    case System.get_env("OIDC_CLIENT_SECRET") do
+      nil -> get_oidc_client_secret_from_settings()
+      value -> trim_nil(value)
+    end
+  end
 
   @doc """
   Returns the OIDC admin group name (for role sync). ENV first, then Settings.
@@ -638,4 +653,17 @@ defmodule Mv.Config do
         nil
     end
   end
+
+  # Reads the OIDC client secret via explicit select (excluded from default read, same as smtp_password).
+  defp get_oidc_client_secret_from_settings do
+    query = Ash.Query.select(Mv.Membership.Setting, [:id, :oidc_client_secret])
+
+    case Ash.read_one(query, authorize?: false, domain: Mv.Membership) do
+      {:ok, settings} when not is_nil(settings) ->
+        settings |> Map.get(:oidc_client_secret) |> trim_nil()
+
+      _ ->
+        nil
+    end
+  end
 end

lib/mv/mailer.ex

@@ -33,6 +33,7 @@ defmodule Mv.Mailer do
 
   require Logger
 
+  # Simple format check for test-email recipient only (e.g. allows a@b.c). Not for strict RFC validation.
   @email_regex ~r/^[^\s@]+@[^\s@]+\.[^\s@]+$/
 
   @doc """
@@ -105,6 +106,11 @@ defmodule Mv.Mailer do
       password = Mv.Config.smtp_password()
       ssl_mode = Mv.Config.smtp_ssl() || "tls"
 
+      verify_mode =
+        if Application.get_env(:mv, :smtp_verify_peer, false),
+          do: :verify_peer,
+          else: :verify_none
+
       [
         adapter: Swoosh.Adapters.SMTP,
         relay: host,
@@ -114,10 +120,9 @@ defmodule Mv.Mailer do
         auth: :always,
         username: username,
         password: password,
-        # OTP 26+ enforces verify_peer; allow self-signed / internal certs.
-        # tls_options: STARTTLS upgrade (port 587); sockopts: direct SSL connect (port 465).
-        tls_options: [verify: :verify_none],
-        sockopts: [verify: :verify_none]
+        # tls_options: STARTTLS (587); sockopts: direct SSL (465). Verify from :smtp_verify_peer (ENV SMTP_VERIFY_PEER).
+        tls_options: [verify: verify_mode],
+        sockopts: [verify: verify_mode]
       ]
       |> Enum.reject(fn {_k, v} -> is_nil(v) end)
     else