smtp pw

internal/backend/db.go

@@ -8,7 +8,6 @@ import (
 	"log"
 	"net/http"
 	"net/url"
-	"os/exec"
 	"path"
 	"slices"
 	"strings"
@@ -140,16 +139,9 @@ func (b *DBBackend) initSchema(ctx context.Context) error {
 }
 
 func (b *DBBackend) resolvePassword(u config.User) (string, error) {
-	var raw string
-	if u.PasswordCmd != "" {
-		cmd := exec.Command("sh", "-c", u.PasswordCmd)
-		out, err := cmd.Output()
-		if err != nil {
-			return "", fmt.Errorf("failed to run password command for %s: %v", u.Name, err)
-		}
-		raw = strings.TrimSpace(string(out))
-	} else {
-		raw = u.Password
+	raw, err := config.ResolvePassword(u.Password, u.PasswordCmd)
+	if err != nil {
+		return "", fmt.Errorf("failed to resolve password for %s: %v", u.Name, err)
 	}
 
 	// If it already looks like a bcrypt hash, return as is.

internal/backend/email.go

@@ -10,6 +10,7 @@ import (
 	"strings"
 
 	"github.com/emersion/go-ical"
+	"nxcaldav/internal/config"
 )
 
 // sendInvitation sends an iMIP (RFC 6047) invitation email.
@@ -99,8 +100,14 @@ func (b *DBBackend) sendInvitation(senderName, recipientEmail, summary, descript
 			if err = c.StartTLS(tlsConfig); err != nil { return err }
 		}
 	}
-	if b.smtp.User != "" && b.smtp.Password != "" {
-		auth := smtp.PlainAuth("", b.smtp.User, b.smtp.Password, b.smtp.Host)
+
+	smtpPassword, err := config.ResolvePassword(b.smtp.Password, b.smtp.PasswordCmd)
+	if err != nil {
+		return fmt.Errorf("failed to resolve SMTP password: %v", err)
+	}
+
+	if b.smtp.User != "" && smtpPassword != "" {
+		auth := smtp.PlainAuth("", b.smtp.User, smtpPassword, b.smtp.Host)
 		if err = c.Auth(auth); err != nil { return err }
 	}