Send internal emails to ACM email (#244)

If that email doesn't exist, then it will be forwarded to the Illinois
email.

---------

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

Author: devksingh4

src/api/package.json

@@ -58,6 +58,7 @@
     "pino": "^9.6.0",
     "pluralize": "^8.0.0",
     "qrcode": "^1.5.4",
+    "sanitize-html": "^2.17.0",
     "stripe": "^18.0.0",
     "uuid": "^11.1.0",
     "zod": "^4.0.14",
@@ -67,9 +68,10 @@
     "@tsconfig/node22": "^22.0.1",
     "@types/aws-lambda": "^8.10.152",
     "@types/qrcode": "^1.5.5",
+    "@types/sanitize-html": "^2.16.0",
     "esbuild-copy-static-files": "^0.1.0",
     "nodemon": "^3.1.10",
     "pino-pretty": "^13.1.1",
     "yaml": "^2.8.0"
   }
-}
+}

src/api/routes/apiKey.ts

@@ -24,6 +24,7 @@ import {
 import * as z from "zod/v4";
 import { AvailableSQSFunctions, SQSPayload } from "common/types/sqsMessage.js";
 import { SendMessageCommand, SQSClient } from "@aws-sdk/client-sqs";
+import { getAllUserEmails } from "common/utils.js";
 
 const apiKeyRoute: FastifyPluginAsync = async (fastify, _options) => {
   await fastify.register(rateLimiter, {
@@ -96,7 +97,7 @@ const apiKeyRoute: FastifyPluginAsync = async (fastify, _options) => {
           reqId: request.id,
         },
         payload: {
-          to: [request.username!],
+          to: getAllUserEmails(request.username),
           subject: "Important: API Key Created",
           content: `
 This email confirms that an API key for the Core API has been generated from your account.
@@ -203,7 +204,7 @@ If you did not create this API key, please secure your account and notify the AC
           reqId: request.id,
         },
         payload: {
-          to: [request.username!],
+          to: getAllUserEmails(request.username),
           subject: "Important: API Key Deleted",
           content: `
 This email confirms that an API key for the Core API has been deleted from your account.

src/api/routes/iam.ts

@@ -44,6 +44,7 @@ import { AvailableSQSFunctions } from "common/types/sqsMessage.js";
 import { SendMessageBatchCommand, SQSClient } from "@aws-sdk/client-sqs";
 import { randomUUID } from "crypto";
 import { getKey, setKey } from "api/functions/redisCache.js";
+import { getAllUserEmails } from "common/utils.js";
 
 const iamRoutes: FastifyPluginAsync = async (fastify, _options) => {
   const getAuthorizedClients = async () => {
@@ -456,7 +457,7 @@ const iamRoutes: FastifyPluginAsync = async (fastify, _options) => {
               reqId: request.id,
             },
             payload: {
-              to: [x],
+              to: getAllUserEmails(x),
               subject: "You have been added to an access group",
               content: `
 Hello,
@@ -478,7 +479,7 @@ No action is required from you at this time.
               reqId: request.id,
             },
             payload: {
-              to: [x],
+              to: getAllUserEmails(x),
               subject: "You have been removed from an access group",
               content: `
 Hello,

src/api/routes/roomRequests.ts

@@ -32,6 +32,7 @@ import { buildAuditLogTransactPut } from "api/functions/auditLog.js";
 import { Modules } from "common/modules.js";
 import {
   generateProjectionParams,
+  getAllUserEmails,
   getDefaultFilteringQuerystring,
   nonEmptyCommaSeparatedStringSchema,
 } from "common/utils.js";
@@ -142,7 +143,7 @@ const roomRequestRoutes: FastifyPluginAsync = async (fastify, _options) => {
           reqId: request.id,
         },
         payload: {
-          to: [originalRequestor],
+          to: getAllUserEmails(originalRequestor),
           subject: "Room Reservation Request Status Change",
           content: `Your Room Reservation Request has been been moved to status "${formatStatus(request.body.status)}". Please visit the management portal for more details.`,
           callToActionButton: {

src/api/routes/stripe.ts

@@ -44,6 +44,7 @@ import rawbody from "fastify-raw-body";
 import { AvailableSQSFunctions, SQSPayload } from "common/types/sqsMessage.js";
 import { SendMessageCommand, SQSClient } from "@aws-sdk/client-sqs";
 import * as z from "zod/v4";
+import { getAllUserEmails } from "common/utils.js";
 
 const stripeRoutes: FastifyPluginAsync = async (fastify, _options) => {
   await fastify.register(rawbody, {
@@ -412,7 +413,7 @@ const stripeRoutes: FastifyPluginAsync = async (fastify, _options) => {
                       reqId: request.id,
                     },
                     payload: {
-                      to: [unmarshalledEntry.userId],
+                      to: getAllUserEmails(unmarshalledEntry.userId),
                       subject: `Payment Failed for Invoice ${unmarshalledEntry.invoiceId}`,
                       content: `
 A ${paidInFull ? "full" : "partial"} payment for Invoice ${unmarshalledEntry.invoiceId} (${withCurrency} paid by ${name}, ${email}) <b>has failed.</b>
@@ -565,7 +566,7 @@ Please ask the payee to try again, perhaps with a different payment method, or c
                       reqId: request.id,
                     },
                     payload: {
-                      to: [unmarshalledEntry.userId],
+                      to: getAllUserEmails(unmarshalledEntry.userId),
                       subject: `Payment Pending for Invoice ${unmarshalledEntry.invoiceId}`,
                       content: `
 ACM @ UIUC has received intent of ${paidInFull ? "full" : "partial"} payment for Invoice ${unmarshalledEntry.invoiceId} (${withCurrency} paid by ${name}, ${email}).
@@ -610,7 +611,7 @@ Please contact Officer Board with any questions.
                       reqId: request.id,
                     },
                     payload: {
-                      to: [unmarshalledEntry.userId],
+                      to: getAllUserEmails(unmarshalledEntry.userId),
                       cc: [
                         notificationRecipients[fastify.runEnvironment]
                           .Treasurer,

src/api/sqs/handlers/emailNotifications.ts

@@ -6,6 +6,7 @@ import { createAuditLogEntry } from "api/functions/auditLog.js";
 import { Modules } from "common/modules.js";
 import Handlebars from "handlebars";
 import emailTemplate from "./templates/notification.js";
+import sanitizeHtml from "sanitize-html";
 
 Handlebars.registerHelper("nl2br", (text) => {
   let nl2br = `${text}`.replace(/([^>\r\n]?)(\r\n|\n\r|\r|\n)/g, "$1<br>$2");
@@ -16,17 +17,22 @@ Handlebars.registerHelper("nl2br", (text) => {
 const compiledTemplate = Handlebars.compile(emailTemplate);
 
 const stripHtml = (html: string): string => {
-  return html
-    .replace(/<[^>]*>/g, "") // Remove HTML tags
-    .replace(/&nbsp;/g, " ") // Replace non-breaking spaces
-    .replace(/\s+/g, " ") // Normalize whitespace
-    .trim();
+  // Remove all HTML tags and attributes, then normalize whitespace and trim
+  const sanitized = sanitizeHtml(html, {
+    allowedTags: [],
+    allowedAttributes: {},
+  });
+  return sanitized.replace(/\s+/g, " ").trim();
 };
 
 export const emailNotificationsHandler: SQSHandlerFunction<
   AvailableSQSFunctions.EmailNotifications
 > = async (payload, metadata, logger) => {
   const { to, cc, bcc, content, subject } = payload;
+  if (to.length + (cc || []).length + (bcc || []).length === 0) {
+    logger.warn("Found no message recipients. Exiting without calling SES.");
+    return;
+  }
   const senderEmailAddress = `notifications@${currentEnvironmentConfig.EmailDomain}`;
   const senderEmail = `ACM @ UIUC <${senderEmailAddress}>`;
   logger.info("Constructing email...");
@@ -59,17 +65,16 @@ export const emailNotificationsHandler: SQSHandlerFunction<
       },
     },
   });
-  const logPromise = createAuditLogEntry({
+  const sesClient = new SESClient({ region: genericConfig.AwsRegion });
+  const response = await sesClient.send(command);
+  logger.info("Sent!");
+  await createAuditLogEntry({
     entry: {
       module: Modules.EMAIL_NOTIFICATION,
       actor: metadata.initiator,
-      target: to.join(";"),
+      target: [...to, ...(bcc || []), ...(cc || [])].join(";"),
       message: `Sent email notification with subject "${subject}".`,
     },
   });
-  const sesClient = new SESClient({ region: genericConfig.AwsRegion });
-  const response = await sesClient.send(command);
-  logger.info("Sent!");
-  await logPromise;
   return response;
 };

src/common/utils.ts

@@ -53,3 +53,10 @@ export const getDefaultFilteringQuerystring = ({ defaultSelect }: GetDefaultFilt
     })
   };
 };
+
+export const getAllUserEmails = (username?: string) => {
+  if (!username) {
+    return [];
+  }
+  return [username.replace("@illinois.edu", "@acm.illinois.edu")]
+}