Prevent service from adding duplicate reply-to addresses

Check for duplicate reply-to email address has been added on: -verification endpoint, so we do not send the verifying notification needlessly - add reply-to email address and update reply-to email address endpoints, as those can be hit multiple times after the email address has been verified (so the same email address could end up being added multiple times). EDIT: this has now been prevented on admin app, but it's better to retain double-check for safety.
2026-02-02 17:31:14 -05:00 · 2019-05-15 15:23:27 +01:00
parent 615ea6a98a
commit 3c3dde635b
2 changed files with 59 additions and 6 deletions
--- a/app/service/rest.py
+++ b/app/service/rest.py
@@ -650,21 +650,22 @@ def get_email_reply_to_address(service_id, reply_to_id):
    return jsonify(result.serialize()), 200


-@service_blueprint.route('/email-reply-to/verify', methods=['POST'])
-def verify_new_service_reply_to_email_address():
+@service_blueprint.route('/<uuid:service_id>/email-reply-to/verify', methods=['POST'])
+def verify_new_service_reply_to_email_address(service_id):
    email_address, errors = email_data_request_schema.load(request.get_json())
+    check_if_reply_to_address_already_in_use(service_id, email_address["email"])
    template = dao_get_template_by_id(current_app.config['REPLY_TO_EMAIL_ADDRESS_VERIFICATION_TEMPLATE_ID'])
-    service = Service.query.get(current_app.config['NOTIFY_SERVICE_ID'])
+    notify_service = Service.query.get(current_app.config['NOTIFY_SERVICE_ID'])
    saved_notification = persist_notification(
        template_id=template.id,
        template_version=template.version,
        recipient=email_address["email"],
-        service=service,
+        service=notify_service,
        personalisation='',
        notification_type=template.template_type,
        api_key_id=None,
        key_type=KEY_TYPE_NORMAL,
-        reply_to_text=service.get_default_reply_to_email_address()
+        reply_to_text=notify_service.get_default_reply_to_email_address()
    )

    send_notification_to_queue(saved_notification, False, queue=QueueNames.NOTIFY)
@@ -677,6 +678,7 @@ def add_service_reply_to_email_address(service_id):
    # validate the service exists, throws ResultNotFound exception.
    dao_fetch_service_by_id(service_id)
    form = validate(request.get_json(), add_service_email_reply_to_request)
+    check_if_reply_to_address_already_in_use(service_id, form['email_address'])
    new_reply_to = add_reply_to_email_address_for_service(service_id=service_id,
                                                          email_address=form['email_address'],
                                                          is_default=form.get('is_default', True))
@@ -688,6 +690,7 @@ def update_service_reply_to_email_address(service_id, reply_to_email_id):
    # validate the service exists, throws ResultNotFound exception.
    dao_fetch_service_by_id(service_id)
    form = validate(request.get_json(), add_service_email_reply_to_request)
+    check_if_reply_to_address_already_in_use(service_id, form['email_address'])
    new_reply_to = update_reply_to_email_address(service_id=service_id,
                                                 reply_to_id=reply_to_email_id,
                                                 email_address=form['email_address'],
@@ -901,3 +904,11 @@ def check_request_args(request):
    if errors:
        raise InvalidRequest(errors, status_code=400)
    return service_id, name, email_from
+
+
+def check_if_reply_to_address_already_in_use(service_id, email_address):
+    existing_reply_to_addresses = dao_get_reply_to_by_service_id(service_id)
+    if email_address in [i.email_address for i in existing_reply_to_addresses]:
+        raise InvalidRequest(
+            "Your service already uses '{}' as an email reply-to address.".format(email_address), status_code=400
+        )