Merge pull request #19951 from mozilla/fxa-12829

vbudhram · web-flow · commit 6f5ce04a06de · 2026-02-03T16:36:08.000-05:00
fxa(email): Add email normalization check to email libs
diff --git a/libs/accounts/email-sender/src/bounces.spec.ts b/libs/accounts/email-sender/src/bounces.spec.ts
@@ -327,4 +327,172 @@ describe('Bounces', () => {
       });
     });
   });
+
+  describe('checkBouncesWithAliases', () => {
+    const aliasNormalizationConfig = JSON.stringify([
+      { domain: 'example.com', regex: '\\+.*', replace: '' },
+    ]);
+
+    it('uses regular check when aliasCheckEnabled is false', async () => {
+      const config: BouncesConfig = {
+        ...defaultBouncesConfig,
+        aliasCheckEnabled: false,
+        emailAliasNormalization: aliasNormalizationConfig,
+      };
+      const db: BounceDb = {
+        emailBounces: {
+          findByEmail: jest.fn().mockResolvedValue([]),
+        },
+      };
+      const bounces = new Bounces(config, db);
+
+      await bounces.check('test+alias@example.com', 'verifyEmail');
+
+      // Should only call once with the original email
+      expect(db.emailBounces.findByEmail).toHaveBeenCalledTimes(1);
+      expect(db.emailBounces.findByEmail).toHaveBeenCalledWith(
+        'test+alias@example.com'
+      );
+    });
+
+    it('queries both normalized and wildcard emails when aliasCheckEnabled is true', async () => {
+      const config: BouncesConfig = {
+        ...defaultBouncesConfig,
+        aliasCheckEnabled: true,
+        emailAliasNormalization: aliasNormalizationConfig,
+      };
+      const db: BounceDb = {
+        emailBounces: {
+          findByEmail: jest.fn().mockResolvedValue([]),
+        },
+      };
+      const bounces = new Bounces(config, db);
+
+      await bounces.check('test+alias@example.com', 'verifyEmail');
+
+      // Should call twice: once for normalized, once for wildcard
+      expect(db.emailBounces.findByEmail).toHaveBeenCalledTimes(2);
+      expect(db.emailBounces.findByEmail).toHaveBeenCalledWith(
+        'test@example.com'
+      );
+      expect(db.emailBounces.findByEmail).toHaveBeenCalledWith(
+        'test+%@example.com'
+      );
+    });
+
+    it('throws error when alias bounces exceed threshold', async () => {
+      const config: BouncesConfig = {
+        ...defaultBouncesConfig,
+        aliasCheckEnabled: true,
+        emailAliasNormalization: aliasNormalizationConfig,
+        hard: { 0: daysInMs(30) },
+      };
+      const bouncedAt = mockNow - daysInMs(10);
+      const db: BounceDb = {
+        emailBounces: {
+          findByEmail: jest.fn().mockImplementation((email: string) => {
+            if (email === 'test@example.com') {
+              return Promise.resolve([
+                {
+                  email: 'test@example.com',
+                  bounceType: BOUNCE_TYPE_HARD,
+                  createdAt: bouncedAt,
+                },
+              ]);
+            }
+            return Promise.resolve([]);
+          }),
+        },
+      };
+      const bounces = new Bounces(config, db);
+
+      // Email with alias should fail because root email has a bounce
+      await expect(
+        bounces.check('test+alias@example.com', 'verifyEmail')
+      ).rejects.toMatchObject(AppError.emailBouncedHard(bouncedAt));
+    });
+
+    it('merges and deduplicates bounces from both queries', async () => {
+      const config: BouncesConfig = {
+        ...defaultBouncesConfig,
+        aliasCheckEnabled: true,
+        emailAliasNormalization: aliasNormalizationConfig,
+        hard: { 2: daysInMs(30) }, // Allow 2 bounces before throwing
+      };
+      const bounce1At = mockNow - daysInMs(5);
+      const bounce2At = mockNow - daysInMs(10);
+      const duplicateBounceAt = mockNow - daysInMs(15);
+
+      const db: BounceDb = {
+        emailBounces: {
+          findByEmail: jest.fn().mockImplementation((email: string) => {
+            if (email === 'test@example.com') {
+              return Promise.resolve([
+                {
+                  email: 'test@example.com',
+                  bounceType: BOUNCE_TYPE_HARD,
+                  createdAt: bounce1At,
+                },
+                {
+                  email: 'test@example.com',
+                  bounceType: BOUNCE_TYPE_HARD,
+                  createdAt: duplicateBounceAt,
+                },
+              ]);
+            }
+            if (email === 'test+%@example.com') {
+              return Promise.resolve([
+                {
+                  email: 'test+alias@example.com',
+                  bounceType: BOUNCE_TYPE_HARD,
+                  createdAt: bounce2At,
+                },
+                // Duplicate entry (same email and createdAt as normalized query)
+                {
+                  email: 'test@example.com',
+                  bounceType: BOUNCE_TYPE_HARD,
+                  createdAt: duplicateBounceAt,
+                },
+              ]);
+            }
+            return Promise.resolve([]);
+          }),
+        },
+      };
+      const bounces = new Bounces(config, db);
+
+      // Should throw because we have 3 unique hard bounces (one duplicate removed)
+      await expect(
+        bounces.check('test+alias@example.com', 'verifyEmail')
+      ).rejects.toMatchObject(AppError.emailBouncedHard(bounce1At));
+    });
+
+    it('does not apply alias normalization for domains not in config', async () => {
+      const config: BouncesConfig = {
+        ...defaultBouncesConfig,
+        aliasCheckEnabled: true,
+        emailAliasNormalization: aliasNormalizationConfig, // Only example.com configured
+      };
+      const db: BounceDb = {
+        emailBounces: {
+          findByEmail: jest.fn().mockResolvedValue([]),
+        },
+      };
+      const bounces = new Bounces(config, db);
+
+      await bounces.check('test+alias@other.com', 'verifyEmail');
+
+      // For non-configured domain, both queries should use the original email
+      // (no transformation applied)
+      expect(db.emailBounces.findByEmail).toHaveBeenCalledTimes(2);
+      expect(db.emailBounces.findByEmail).toHaveBeenNthCalledWith(
+        1,
+        'test+alias@other.com'
+      );
+      expect(db.emailBounces.findByEmail).toHaveBeenNthCalledWith(
+        2,
+        'test+alias@other.com'
+      );
+    });
+  });
 });
diff --git a/libs/accounts/email-sender/src/bounces.ts b/libs/accounts/email-sender/src/bounces.ts
@@ -3,16 +3,20 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 import { AppError } from '@fxa/accounts/errors';
+import { EmailNormalization } from './email-normalization';
 
 export type BouncesConfig = {
   enabled: boolean;
+  aliasCheckEnabled?: boolean;
+  emailAliasNormalization?: string;
   hard: Record<number, number>;
   soft: Record<number, number>;
   complaint: Record<number, number>;
   ignoreTemplates: string[];
 };
 
 export type Bounce = {
+  email?: string;
   bounceType: number;
   createdAt: number;
 };
@@ -34,6 +38,7 @@ export const BOUNCE_TYPE_COMPLAINT = 3;
 
 export class Bounces {
   private readonly bounceRules: Record<number, any>;
+  private readonly emailNormalization: EmailNormalization;
 
   constructor(
     private readonly config: BouncesConfig,
@@ -44,6 +49,9 @@ export class Bounces {
       [BOUNCE_TYPE_SOFT]: Object.freeze(config.soft || {}),
       [BOUNCE_TYPE_COMPLAINT]: Object.freeze(config.complaint || {}),
     };
+    this.emailNormalization = new EmailNormalization(
+      config.emailAliasNormalization || '[]'
+    );
   }
 
   async check(email: string, template: string) {
@@ -58,10 +66,64 @@ export class Bounces {
       return undefined;
     }
 
-    const bounces = await this.db.emailBounces.findByEmail(email);
+    let bounces: Array<Bounce>;
+
+    if (this.config.aliasCheckEnabled) {
+      bounces = await this.checkBouncesWithAliases(email);
+    } else {
+      bounces = await this.db.emailBounces.findByEmail(email);
+    }
+
     return this.applyRules(bounces);
   }
 
+  private async checkBouncesWithAliases(email: string): Promise<Array<Bounce>> {
+    // Given an email alias like test+123@domain.com:
+    // We look for bounces to the 'root' email -> `test@domain.com`
+    // And look for bounces to the alias with a wildcard -> `test+%@domain.com`
+    //
+    // This prevents us from picking up false positives when we replace the alias
+    // with a wildcard, and doesn't miss the root email bounces either. We have to
+    // use both because just using the wildcard would miss bounces sent to the root
+    // and just using the root with a wildcard would pickup false positives.
+    //
+    // So, test+123@domain.com would match:
+    //   - test@domain.com            Covered by normalized email
+    //   - test+123@domain.com        Covered by wildcard email
+    //   - test+asdf@domain.com       Covered by wildcard email
+    // but not
+    //   - testing@domain.com         Not picked up by wildcard since we include the '+'
+    const normalizedEmail = this.emailNormalization.normalizeEmailAliases(
+      email,
+      ''
+    );
+    const wildcardEmail = this.emailNormalization.normalizeEmailAliases(
+      email,
+      '+%'
+    );
+
+    const [normalizedBounces, wildcardBounces] = await Promise.all([
+      this.db.emailBounces.findByEmail(normalizedEmail),
+      this.db.emailBounces.findByEmail(wildcardEmail),
+    ]);
+
+    // Merge and deduplicate by email+createdAt
+    // There shouldn't be any overlap, but just in case
+    const seen = new Set<string>();
+    const merged = [...normalizedBounces, ...wildcardBounces].filter(
+      (bounce) => {
+        const key = `${bounce.email || ''}:${bounce.createdAt}`;
+        if (seen.has(key)) {
+          return false;
+        }
+        seen.add(key);
+        return true;
+      }
+    );
+
+    return merged.sort((a, b) => b.createdAt - a.createdAt);
+  }
+
   private applyRules(bounces: Array<Bounce>) {
     const tallies: Record<number, any> = {
       [BOUNCE_TYPE_HARD]: {
diff --git a/libs/accounts/email-sender/src/email-normalization.spec.ts b/libs/accounts/email-sender/src/email-normalization.spec.ts
@@ -0,0 +1,97 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+import { EmailNormalization } from './email-normalization';
+
+describe('EmailNormalization', () => {
+  it('trims and lowercases the email before processing', () => {
+    const emailNormalization = new EmailNormalization(JSON.stringify([]));
+
+    const result = emailNormalization.normalizeEmailAliases(
+      '  Foo.Bar@Example.COM  '
+    );
+
+    expect(result).toBe('foo.bar@example.com');
+  });
+
+  it('throws on bad json', () => {
+    expect(() => new EmailNormalization('{')).toThrow(
+      'emailTransforms must be JSON formatted string'
+    );
+  });
+
+  it('throws on invalid email: missing @', () => {
+    const emailNormalization = new EmailNormalization(JSON.stringify([]));
+
+    expect(() =>
+      emailNormalization.normalizeEmailAliases('not-an-email')
+    ).toThrow('Invalid Email!');
+  });
+
+  it('throws on invalid email: too many @', () => {
+    const emailNormalization = new EmailNormalization(JSON.stringify([]));
+
+    expect(() => emailNormalization.normalizeEmailAliases('a@b@c')).toThrow(
+      'Invalid Email!'
+    );
+  });
+
+  it('applies transforms only for matching domain', () => {
+    const transforms = JSON.stringify([
+      { domain: 'example.com', regex: '\\.', replace: '' },
+      { domain: 'other.com', regex: 'foo', replace: 'bar' },
+    ]);
+    const emailNormalization = new EmailNormalization(transforms);
+
+    const result1 = emailNormalization.normalizeEmailAliases(
+      'Foo.Bar@Example.com'
+    );
+    const result2 = emailNormalization.normalizeEmailAliases(
+      'foo.bar@allowed.com'
+    );
+
+    expect(result1).toBe('foobar@example.com');
+    expect(result2).toBe('foo.bar@allowed.com');
+  });
+
+  it('applies multiple transforms for the same domain in order', () => {
+    const transforms = JSON.stringify([
+      { domain: 'example.com', regex: '\\.', replace: '' }, // foo.bar -> foobar
+      { domain: 'example.com', regex: '^foo', replace: 'baz' }, // foobar -> bazbar
+    ]);
+    const emailNormalization = new EmailNormalization(transforms);
+
+    const result = emailNormalization.normalizeEmailAliases(
+      'Foo.Bar@Example.com'
+    );
+
+    expect(result).toBe('bazbar@example.com');
+  });
+
+  it('returns the normalized local-part plus the (lowercased) domain', () => {
+    const transforms = JSON.stringify([
+      { domain: 'example.com', regex: '\\+.*', replace: '' },
+    ]);
+    const emailNormalization = new EmailNormalization(transforms);
+
+    const result = emailNormalization.normalizeEmailAliases(
+      'User+tag@Example.com'
+    );
+
+    expect(result).toBe('user@example.com');
+  });
+
+  it('does nothing if there are no matching transforms', () => {
+    const transforms = JSON.stringify([
+      { domain: 'other.com', regex: '\\.', replace: '' },
+    ]);
+    const emailNormalization = new EmailNormalization(transforms);
+
+    const result = emailNormalization.normalizeEmailAliases(
+      'Foo.Bar@example.com'
+    );
+
+    expect(result).toBe('foo.bar@example.com');
+  });
+});
diff --git a/libs/accounts/email-sender/src/email-normalization.ts b/libs/accounts/email-sender/src/email-normalization.ts
