fix: use database for Mail.tm API routes, fix PostgreSQL SSL handling

- routes.py: Replace legacy JSON store with SQLAlchemy database lookup.
The /token endpoint now checks the database first, avoiding unnecessary
IMAP validation for admin-imported and CI-registered accounts.
- database.py: Handle Neon PostgreSQL sslmode=require properly by
stripping sslmode from URL and passing SSL context via connect_args.
- Dockerfile: Add comment clarifying DATABASE_URL override for PostgreSQL.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Dockerfile

@@ -10,6 +10,7 @@ COPY pyproject.toml .
 
 RUN mkdir -p /tmp/data
 
+# Default to SQLite; override with DATABASE_URL env var for PostgreSQL persistence
 ENV DATABASE_URL=sqlite+aiosqlite:////tmp/data/outlook2api.db
 ENV OUTLOOK2API_PORT=7860
 

outlook2api/database.py

@@ -1,8 +1,10 @@
 """SQLAlchemy async database setup and models."""
 from __future__ import annotations
 
+import ssl as _ssl
 import uuid
 from datetime import datetime, timezone
+from urllib.parse import urlparse, parse_qs, urlencode, urlunparse
 
 from sqlalchemy import Column, String, Boolean, DateTime, Integer, Text, select, func
 from sqlalchemy.ext.asyncio import AsyncSession, create_async_engine, async_sessionmaker
@@ -51,15 +53,31 @@ def _get_db_url() -> str:
     # Convert postgres:// to postgresql+asyncpg://
     if url.startswith("postgres://"):
         url = url.replace("postgres://", "postgresql+asyncpg://", 1)
-    elif url.startswith("postgresql://"):
+    elif url.startswith("postgresql://") and not url.startswith("postgresql+"):
         url = url.replace("postgresql://", "postgresql+asyncpg://", 1)
+    # Strip sslmode from URL — handled via connect_args instead
+    if "asyncpg" in url and "sslmode=" in url:
+        parsed = urlparse(url)
+        params = parse_qs(parsed.query)
+        params.pop("sslmode", None)
+        new_query = urlencode(params, doseq=True)
+        url = urlunparse(parsed._replace(query=new_query))
     return url
 
 
+def _needs_ssl() -> bool:
+    """Check if the configured database URL requires SSL."""
+    url = get_config()["database_url"]
+    return "sslmode=require" in url or "ssl=true" in url
+
+
 async def init_db() -> None:
     global _engine, _session_factory
     url = _get_db_url()
-    connect_args = {"check_same_thread": False} if "sqlite" in url else {}
+    is_sqlite = "sqlite" in url
+    connect_args: dict = {"check_same_thread": False} if is_sqlite else {}
+    if not is_sqlite and _needs_ssl():
+        connect_args["ssl"] = _ssl.create_default_context()
     _engine = create_async_engine(url, echo=False, connect_args=connect_args)
     _session_factory = async_sessionmaker(_engine, expire_on_commit=False)
     async with _engine.begin() as conn:

outlook2api/routes.py

@@ -7,11 +7,13 @@ import time
 
 from fastapi import APIRouter, HTTPException, Depends
 from pydantic import BaseModel
+from sqlalchemy import select
+from sqlalchemy.ext.asyncio import AsyncSession
 
 from outlook2api.auth import make_jwt, get_current_user
 from outlook2api.config import get_config
+from outlook2api.database import Account, get_db
 from outlook2api.outlook_imap import fetch_messages_imap, validate_login
-from outlook2api.store import AccountStore, get_store
 
 router = APIRouter()
 
@@ -38,7 +40,7 @@ def get_domains():
 
 
 @router.post("/accounts")
-def create_account(body: AccountCreate, store: AccountStore = Depends(get_store)):
+async def create_account(body: AccountCreate, db: AsyncSession = Depends(get_db)):
     address = body.address.strip().lower()
     password = body.password
     if not address or "@" not in address:
@@ -49,22 +51,29 @@ def create_account(body: AccountCreate, store: AccountStore = Depends(get_store)
         raise HTTPException(status_code=400, detail=f"Domain {domain} not supported")
     if not validate_login(address, password):
         raise HTTPException(status_code=401, detail="Invalid credentials or IMAP disabled")
-    store.add(address, password)
+    # Add to database if not exists
+    existing = (await db.execute(select(Account).where(Account.email == address))).scalar_one_or_none()
+    if not existing:
+        db.add(Account(email=address, password=password, source="api"))
+        await db.commit()
     return {"id": f"/accounts/{secrets.token_hex(8)}", "address": address, "createdAt": time.time()}
 
 
 @router.post("/token")
-def get_token(body: TokenRequest, store: AccountStore = Depends(get_store)):
+async def get_token(body: TokenRequest, db: AsyncSession = Depends(get_db)):
     address = body.address.strip().lower()
     password = body.password
-    if not store.has(address):
-        if not validate_login(address, password):
+    # Check database first
+    account = (await db.execute(select(Account).where(Account.email == address))).scalar_one_or_none()
+    if account:
+        if account.password != password:
             raise HTTPException(status_code=401, detail="Invalid credentials")
-        store.add(address, password)
     else:
-        pwd = store.get_password(address)
-        if pwd != password:
+        # Not in database — validate via IMAP and add
+        if not validate_login(address, password):
             raise HTTPException(status_code=401, detail="Invalid credentials")
+        db.add(Account(email=address, password=password, source="api"))
+        await db.commit()
     secret = get_config().get("jwt_secret", "change-me-in-production")
     token = make_jwt(address, password, secret)
     return {"token": token, "id": address}
@@ -118,8 +127,11 @@ async def get_message_code(
 
 @router.delete("/accounts/me")
 async def delete_account(
-    store: AccountStore = Depends(get_store),
+    db: AsyncSession = Depends(get_db),
     user: tuple[str, str] = Depends(get_current_user),
 ):
-    store.remove(user[0])
+    account = (await db.execute(select(Account).where(Account.email == user[0]))).scalar_one_or_none()
+    if account:
+        await db.delete(account)
+        await db.commit()
     return {"status": "deleted"}