feat: ensure total recipients within SES limit (#2125)

opengovsg · Jul 28, 2023 · 36061d0 · 36061d0
1 parent d81bd40
commit 36061d0
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 0 deletions.
diff --git a/backend/src/core/errors/rest-api.errors.ts b/backend/src/core/errors/rest-api.errors.ts
@@ -19,6 +19,11 @@ export class ApiInvalidRecipientError extends RestApiError {
     super(400, 'invalid_recipient', message)
   }
 }
+export class ApiTooManyRecipientsError extends RestApiError {
+  constructor(message: string) {
+    super(400, 'too_many_recipients', message)
+  }
+}
 
 export class ApiInvalidCredentialsError extends RestApiError {
   constructor(message: string) {

diff --git a/backend/src/email/middlewares/email-transactional.middleware.ts b/backend/src/email/middlewares/email-transactional.middleware.ts
@@ -31,6 +31,7 @@ import {
   ApiInvalidTemplateError,
   ApiNotFoundError,
   ApiRateLimitError,
+  ApiTooManyRecipientsError,
 } from '@core/errors/rest-api.errors'
 import { UploadedFile } from 'express-fileupload'
 import { Op } from 'sequelize'
@@ -41,6 +42,7 @@ export interface EmailTransactionalMiddleware {
   rateLimit: Handler
   getById: Handler
   listMessages: Handler
+  checkCcLimit: Handler
 }
 
 export const RATE_LIMIT_ERROR_MESSAGE =
@@ -365,6 +367,16 @@ export const InitEmailTransactionalMiddleware = (
     })
   }
 
+  function checkCcLimit(req: Request, _res: Response, next: NextFunction) {
+    const { cc, bcc } = req.body as ReqBody
+    // limit set by AWS SES: https://docs.aws.amazon.com/ses/latest/APIReference/API_SendEmail.html#:~:text=The%20message%20may%20not%20include%20more%20than%2050%20recipients
+    const TOTAL_CC_LIMIT = 49 // 50 minus 1 to account for main recipient
+    if ((cc?.length ?? 0) + (bcc?.length ?? 0) > TOTAL_CC_LIMIT) {
+      throw new ApiTooManyRecipientsError('Maximum of 50 recipients allowed')
+    }
+    next()
+  }
+
   const rateLimit = expressRateLimit({
     store: new RedisStore({
       prefix: 'transactionalEmail:',
@@ -390,5 +402,6 @@ export const InitEmailTransactionalMiddleware = (
     rateLimit,
     getById,
     listMessages,
+    checkCcLimit,
   }
 }
diff --git a/backend/src/email/routes/email-transactional.routes.ts b/backend/src/email/routes/email-transactional.routes.ts
@@ -115,6 +115,7 @@ export const InitEmailTransactionalRoute = (
     FileAttachmentMiddleware.preprocessPotentialIncomingFile,
     celebrate(sendValidator),
     FileAttachmentMiddleware.checkAttachmentValidity,
+    emailTransactionalMiddleware.checkCcLimit,
     emailTransactionalMiddleware.saveMessage,
     emailMiddleware.isFromAddressAccepted,
     emailMiddleware.existsFromAddress, // future todo: put a cache to reduce db hits