feat: mailbox viewer, fix password/export bugs, change default admin pw

- Fix: account ID quoting in onclick handlers (was treating hex ID as variable)
- Fix: export endpoint returns text/plain for proper file download
- Fix: default admin password changed to bk@3fd3E
- Add: Mailbox tab — switch to any account, view messages via IMAP
- Add: GET /admin/api/accounts/{id}/messages endpoint (async IMAP)
- Add: "Mailbox" button per account row for quick access

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

outlook2api/admin_routes.py

@@ -1,18 +1,21 @@
-"""Admin API routes — account management, bulk import, stats."""
+"""Admin API routes — account management, bulk import, stats, mailbox."""
 from __future__ import annotations
 
+import asyncio
 import hashlib
 import io
 import json
 from datetime import datetime, timezone
 
 from fastapi import APIRouter, Depends, HTTPException, Request, UploadFile, File
+from fastapi.responses import PlainTextResponse
 from pydantic import BaseModel
 from sqlalchemy import select, func, delete
 from sqlalchemy.ext.asyncio import AsyncSession
 
 from outlook2api.config import get_config
 from outlook2api.database import Account, get_db, get_stats
+from outlook2api.outlook_imap import fetch_messages_imap
 
 admin_router = APIRouter(prefix="/admin/api", tags=["admin"])
 
@@ -261,10 +264,36 @@ async def export_accounts(
     request: Request,
     db: AsyncSession = Depends(get_db),
 ):
-    """Export all active accounts as email:password text."""
+    """Export all active accounts as email:password text file."""
     _verify_admin(request)
     rows = (await db.execute(
         select(Account).where(Account.is_active == True).order_by(Account.created_at.desc())
     )).scalars().all()
     lines = [f"{a.email}:{a.password}" for a in rows]
-    return {"count": len(lines), "data": "\n".join(lines)}
+    content = "\n".join(lines)
+    return PlainTextResponse(
+        content=content,
+        media_type="text/plain",
+        headers={"Content-Disposition": "attachment; filename=accounts_export.txt"},
+    )
+
+
+@admin_router.get("/accounts/{account_id}/messages")
+async def get_account_messages(
+    account_id: str,
+    request: Request,
+    db: AsyncSession = Depends(get_db),
+    limit: int = 30,
+):
+    """Fetch messages from an account's mailbox via IMAP."""
+    _verify_admin(request)
+    account = (await db.execute(select(Account).where(Account.id == account_id))).scalar_one_or_none()
+    if not account:
+        raise HTTPException(status_code=404, detail="Account not found")
+    try:
+        messages = await asyncio.to_thread(
+            fetch_messages_imap, account.email, account.password, "INBOX", limit
+        )
+    except Exception as e:
+        raise HTTPException(status_code=502, detail=f"IMAP error: {e}")
+    return {"email": account.email, "messages": messages}

outlook2api/config.py

@@ -13,7 +13,7 @@ def get_config() -> dict:
             os.path.join(os.path.dirname(__file__), "..", "data", "outlook_accounts.json"),
         ),
         "jwt_secret": os.environ.get("OUTLOOK2API_JWT_SECRET", "change-me-in-production"),
-        "admin_password": os.environ.get("ADMIN_PASSWORD", "admin"),
+        "admin_password": os.environ.get("ADMIN_PASSWORD", "bk@3fd3E"),
         "database_url": os.environ.get(
             "DATABASE_URL",
             "sqlite+aiosqlite:///./data/outlook2api.db",

outlook2api/static/admin.html

@@ -173,6 +173,10 @@ tr:last-child td{border-bottom:none}
     <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M21 15v4a2 2 0 01-2 2H5a2 2 0 01-2-2v-4"/><polyline points="17 8 12 3 7 8"/><line x1="12" y1="3" x2="12" y2="15"/></svg>
     Import
   </button>
+  <button class="nav-item" data-tab="mailbox" aria-label="Mailbox">
+    <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M4 4h16c1.1 0 2 .9 2 2v12c0 1.1-.9 2-2 2H4c-1.1 0-2-.9-2-2V6c0-1.1.9-2 2-2z"/><polyline points="22,6 12,13 2,6"/></svg>
+    Mailbox
+  </button>
   <button class="nav-item" data-tab="docs" aria-label="API Docs">
     <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M14 2H6a2 2 0 00-2 2v16a2 2 0 002 2h12a2 2 0 002-2V8z"/><polyline points="14 2 14 8 20 8"/><line x1="16" y1="13" x2="8" y2="13"/><line x1="16" y1="17" x2="8" y2="17"/><polyline points="10 9 9 9 8 9"/></svg>
     API Docs
@@ -267,6 +271,34 @@ Authorization: Bearer ADMIN_PASSWORD
 
 <!-- API Docs -->
 <section id="tab-docs" class="tab-content" style="display:none">
+
+<!-- Mailbox -->
+<section id="tab-mailbox" class="tab-content" style="display:none">
+  <h2 id="mailbox-title">Mailbox</h2>
+  <div class="toolbar">
+    <select id="mailbox-account" aria-label="Select account" style="flex:1;min-width:220px">
+      <option value="">-- Select an account --</option>
+    </select>
+    <button class="btn btn-primary btn-sm" id="mailbox-load-btn">Load Messages</button>
+    <button class="btn btn-outline btn-sm" id="mailbox-refresh-btn">Refresh</button>
+  </div>
+  <div id="mailbox-list">
+    <div class="empty">Select an account and click "Load Messages"</div>
+  </div>
+  <div id="mailbox-detail" style="display:none;margin-top:1rem">
+    <div style="display:flex;align-items:center;justify-content:space-between;margin-bottom:.8rem">
+      <h3 id="mailbox-detail-subject" style="font-size:1rem;margin:0">Subject</h3>
+      <button class="btn btn-outline btn-sm" id="mailbox-back-btn">Back to list</button>
+    </div>
+    <div style="font-size:.84rem;color:var(--text-sec);margin-bottom:.8rem">
+      <span id="mailbox-detail-from"></span>
+      <span id="mailbox-detail-code" style="margin-left:1rem"></span>
+    </div>
+    <div style="background:var(--surface);border:1px solid var(--border);border-radius:var(--radius);overflow:hidden">
+      <iframe id="mailbox-detail-body" style="width:100%;min-height:400px;border:none" sandbox="allow-same-origin"></iframe>
+    </div>
+  </div>
+</section>
   <h2>API Documentation</h2>
   <div class="endpoint-group">
     <h3>Mail API</h3>
@@ -409,6 +441,7 @@ Authorization: Bearer ADMIN_PASSWORD
 
 // ---- Helpers ----
 function getCookie(n){const m=document.cookie.match(new RegExp('(?:^|; )'+n+'=([^;]*)'));return m?decodeURIComponent(m[1]):null}
+function getToken(){return getCookie('admin_token')||''}
 function setCookie(n,v,d){let s=n+'='+encodeURIComponent(v)+';path=/;SameSite=Lax';if(d)s+=';max-age='+d*86400;document.cookie=s}
 function delCookie(n){document.cookie=n+'=;path=/;max-age=0'}
 
@@ -505,6 +538,7 @@ function loadTab(tab){
   if(el)el.style.display='block';
   if(tab==='dashboard')loadDashboard();
   if(tab==='accounts'){accountsPage=1;loadAccounts()}
+  if(tab==='mailbox')loadMailboxAccounts();
 }
 
 // ---- Dashboard ----
@@ -520,7 +554,9 @@ async function loadDashboard(){
 
 $('export-btn').addEventListener('click',async()=>{
   try{
-    const r=await api('/admin/api/export');
+    const tk=getToken();
+    const r=await fetch('/admin/api/export',{headers:{'Authorization':'Bearer '+tk}});
+    if(!r.ok)throw new Error('Export failed ('+r.status+')');
     const blob=await r.blob();
     const url=URL.createObjectURL(blob);
     const a=document.createElement('a');
@@ -563,9 +599,10 @@ async function loadAccounts(){
       <td>${esc(a.source||'--')}</td>
       <td>${fmtDate(a.created_at||a.created||'')}</td>
       <td class="actions">
-        <button class="btn btn-outline btn-sm" onclick="window._toggleAccount(${a.id},${!a.is_active})" aria-label="Toggle status">${a.is_active!==false?'Deactivate':'Activate'}</button>
-        <button class="btn btn-outline btn-sm" onclick="window._showPassword(${a.id})" aria-label="Show password">Password</button>
-        <button class="btn btn-danger btn-sm" onclick="window._deleteAccount(${a.id})" aria-label="Delete account">Delete</button>
+        <button class="btn btn-outline btn-sm" onclick="window._toggleAccount('${esc(a.id)}',${!a.is_active})" aria-label="Toggle status">${a.is_active!==false?'Deactivate':'Activate'}</button>
+        <button class="btn btn-outline btn-sm" onclick="window._showPassword('${esc(a.id)}')" aria-label="Show password">Password</button>
+        <button class="btn btn-outline btn-sm" onclick="window._openMailbox('${esc(a.id)}','${esc(a.email||'')}')" aria-label="Open mailbox">Mailbox</button>
+        <button class="btn btn-danger btn-sm" onclick="window._deleteAccount('${esc(a.id)}')" aria-label="Delete account">Delete</button>
       </td>
     </tr>`).join('');
   }catch(err){
@@ -654,6 +691,79 @@ document.addEventListener('keydown',e=>{
   }
 });
 
+// ---- Mailbox ----
+let mailboxMessages=[];
+
+async function loadMailboxAccounts(){
+  try{
+    const data=await api('/admin/api/accounts?limit=200');
+    const sel=$('mailbox-account');
+    const cur=sel.value;
+    sel.innerHTML='<option value="">-- Select an account --</option>';
+    (data.accounts||[]).forEach(a=>{
+      const o=document.createElement('option');
+      o.value=a.id;o.textContent=a.email;
+      if(a.id===cur)o.selected=true;
+      sel.appendChild(o);
+    });
+  }catch(err){toast(err.message,'error')}
+}
+
+async function loadMailboxMessages(){
+  const id=$('mailbox-account').value;
+  if(!id){toast('Select an account first','error');return}
+  const list=$('mailbox-list');
+  list.innerHTML='<div class="loading">Loading messages via IMAP...</div>';
+  $('mailbox-detail').style.display='none';
+  try{
+    const data=await api('/admin/api/accounts/'+id+'/messages');
+    mailboxMessages=data.messages||[];
+    $('mailbox-title').textContent='Mailbox — '+esc(data.email||'');
+    if(!mailboxMessages.length){
+      list.innerHTML='<div class="empty">No messages found</div>';
+      return;
+    }
+    list.innerHTML='<div class="table-wrap"><table><thead><tr><th>From</th><th>Subject</th><th>Code</th></tr></thead><tbody>'+
+      mailboxMessages.map((m,i)=>`<tr style="cursor:pointer" onclick="window._showMsg(${i})">
+        <td>${esc((m.from&&m.from.address)||m.from||'')}</td>
+        <td>${esc(m.subject||'(no subject)')}</td>
+        <td>${m.verification_code?'<span class="badge badge-active">'+esc(m.verification_code)+'</span>':'--'}</td>
+      </tr>`).join('')+'</tbody></table></div>';
+  }catch(err){
+    list.innerHTML='<div class="empty">Error: '+esc(err.message)+'</div>';
+  }
+}
+
+window._showMsg=function(idx){
+  const m=mailboxMessages[idx];
+  if(!m)return;
+  $('mailbox-list').style.display='none';
+  $('mailbox-detail').style.display='block';
+  $('mailbox-detail-subject').textContent=m.subject||'(no subject)';
+  $('mailbox-detail-from').textContent='From: '+((m.from&&m.from.address)||m.from||'');
+  $('mailbox-detail-code').textContent=m.verification_code?'Code: '+m.verification_code:'';
+  const iframe=$('mailbox-detail-body');
+  const html=(m.html&&m.html[0])||m.text||'(empty)';
+  iframe.srcdoc=html;
+};
+
+$('mailbox-load-btn').addEventListener('click',loadMailboxMessages);
+$('mailbox-refresh-btn').addEventListener('click',loadMailboxMessages);
+$('mailbox-back-btn').addEventListener('click',()=>{
+  $('mailbox-list').style.display='block';
+  $('mailbox-detail').style.display='none';
+});
+
+window._openMailbox=function(id,email){
+  currentTab='mailbox';
+  document.querySelectorAll('.nav-item[data-tab]').forEach(b=>{b.classList.toggle('active',b.dataset.tab==='mailbox')});
+  loadTab('mailbox');
+  setTimeout(()=>{
+    $('mailbox-account').value=id;
+    loadMailboxMessages();
+  },300);
+};
+
 // ---- Init ----
 checkAuth();
 })();