No description
  • PHP 68.5%
  • JavaScript 19.7%
  • CSS 11.8%
Find a file
2026-06-25 04:30:10 +01:00
localization v0.3.0: consolidated Preferences sections + section icons 2026-06-25 04:24:51 +01:00
skins/elastic v0.3.1: fix section icons — target table rows (tr.section>td.section), not li>a 2026-06-25 04:30:10 +01:00
.gitignore Initial release: self-service app-passwords + server-side PGP settings 2026-06-25 01:24:40 +01:00
account.js v0.3.0: consolidated Preferences sections + section icons 2026-06-25 04:24:51 +01:00
albient_account.php v0.3.0: consolidated Preferences sections + section icons 2026-06-25 04:24:51 +01:00
CHANGELOG.md v0.2.0: encryption restructure + key info + danger remove; app-pw modal + fixes 2026-06-25 02:03:04 +01:00
composer.json v0.2.0: encryption restructure + key info + danger remove; app-pw modal + fixes 2026-06-25 02:03:04 +01:00
LICENSE Initial release: self-service app-passwords + server-side PGP settings 2026-06-25 01:24:40 +01:00
README.md Initial release: self-service app-passwords + server-side PGP settings 2026-06-25 01:24:40 +01:00

roundcube-albient-account-settings

Self-service account settings for Albient Mail, as a Roundcube Settings plugin:

  • Accounts Settings section (placed above Server Settings) — create, list and revoke app passwords for mail apps (IMAP/SMTP) that don't use SSO. New passwords are shown once.
  • Server-side encryption block (added next to the existing Encryption / Mailvelope panel) — upload/paste/import your PGP public key and toggle encryption at rest, so Albient stores your incoming mail encrypted to your key.

Everything is performed through the provisioning API's per-user self-service endpoints (/api/v1/me/...), authenticated with the user's own OIDC access token (stashed in the session by the albient_sso plugin). There is no standing privileged credential on the webmail node, and the API scopes every change to the caller's own mailbox.

PGP key guardrail

When you add a public key, the provisioning API checks it carries a User ID for one of your own addresses — otherwise you'd encrypt your mail to a key you can't decrypt with and lock yourself out. A mismatch is rejected with an explicit "use it anyway" override for advanced cases.

Installation

Drop into plugins/albient_account/, enable it, and set the API base:

$config['plugins'][] = 'albient_account';
$config['albient_account_api_base'] = 'http://127.0.0.1:8090/api/v1';

Requires the albient_sso plugin (for the stashed OIDC token) and the albient-provisioning-api ≥ 0.2.1 (for the /me endpoints).

Deployment

In the Albient stack this plugin is deployed by the albient.mailstack.roundcube Ansible role via a pinned-tag git checkout.

License

Copyright © Albient. All rights reserved. See LICENSE.