feat: add OIDC send email api endpoint [RIGSE-334] #1472
Open
dougmartin wants to merge 2 commits into master from
Add a new API endpoint that allows OIDC-authenticated services (Cloud Functions) to send plain-text email notifications to the invoking user. This supports the AI4VS button interactive (QI-116) notifying teachers when students complete actions like joining a class.

- `OidcMailer` with plain-text template in `app/models/` (matches codebase convention)
- Pundit policy enforcing OIDC-only authorization (defense in depth)
- Controller with dual-layer OIDC auth, input validation, type checking, subject newline sanitization, error handling (502), and audit logging
- Route: `POST /api/v1/emails/oidc_send`
- 16 specs covering auth enforcement, validation, delivery, and error paths
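The input checks named in the description (type checking, subject newline sanitization, recipient fixed to the invoking user), sketched in plain Ruby as an added example that is not code from this pull request. The function name, the `:subject`/`:message` field names, the length limits and the error strings are assumptions.

```ruby
# Added illustration; not code from the pull request.
# Field names (:subject, :message), limits and error strings are assumptions.
MAX_SUBJECT_LENGTH = 200     # assumed limit
MAX_MESSAGE_LENGTH = 10_000  # assumed limit

# Returns [email_hash, nil] on success or [nil, error_string] on rejection.
# recipient comes from the authenticated (OIDC-mapped) user, never from params.
def build_oidc_email(recipient, params)
  subject = params[:subject]
  message = params[:message]

  # Type checking: a JSON body can carry an array or object where a string is expected.
  return [nil, "subject must be a string"] unless subject.is_a?(String)
  return [nil, "message must be a string"] unless message.is_a?(String)
  # Reject malformed byte sequences before any regex work (gsub would raise on them).
  unless subject.valid_encoding? && message.valid_encoding?
    return [nil, "invalid encoding"]
  end

  # Newline sanitization: collapse CR/LF runs so the subject stays one header line.
  clean_subject = subject.gsub(/[\r\n]+/, " ").strip
  return [nil, "subject is required"] if clean_subject.empty?
  return [nil, "message is required"] if message.strip.empty?
  return [nil, "subject is too long"] if clean_subject.length > MAX_SUBJECT_LENGTH
  return [nil, "message is too long"] if message.length > MAX_MESSAGE_LENGTH

  # Any caller-supplied :to/:cc/:bcc is ignored; only the derived recipient is used.
  [{ to: recipient, subject: clean_subject, body: message }, nil]
end

# Constructed sample requests, printed when the file is run directly.
if __FILE__ == $PROGRAM_NAME
  samples = [
    { subject: "Student joined\r\nBcc: other@example.test", message: "A student joined your class." },
    { subject: ["not", "a", "string"], message: "hi" },
    { subject: " \r\n ", message: "hi" },
    { subject: "Hello", message: "hi", to: "other@example.test" }
  ]
  samples.each { |req| puts build_oidc_email("teacher@example.test", req).inspect }
end
```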
Pull request overview
Adds a new OIDC-restricted Portal API endpoint for sending plain-text email notifications to the invoking (OIDC-mapped) user, intended for server-to-server callers like Cloud Functions.
Changes:
- Introduces `POST /api/v1/emails/oidc_send` with OIDC-only enforcement (controller guard + Pundit policy), validation, logging, and delivery error handling.
- Adds `OidcMailer` with a plain-text template for sending the message.
- Adds specs covering policy authorization, controller behavior, and mailer formatting.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| specs/RIGSE-334-send-email-api.md | Functional/technical spec for the new OIDC send-email endpoint. |
| rails/app/controllers/api/v1/emails_controller.rb | Implements oidc_send endpoint with OIDC-only guard, validation, logging, and SMTP error handling. |
| rails/app/policies/api/v1/email_policy.rb | Pundit policy enforcing OIDC-only access for oidc_send?. |
| rails/app/models/oidc_mailer.rb | Adds mailer for sending plain-text messages. |
| rails/app/views/oidc_mailer/send_message.text.erb | Plain-text mailer template rendering the message body. |
| rails/config/routes.rb | Adds the new /api/v1/emails/oidc_send route. |
| rails/spec/controllers/api/v1/emails_controller_spec.rb | Controller specs for auth/validation/delivery/error paths (needs isolation fix). |
| rails/spec/models/oidc_mailer_spec.rb | Mailer spec verifying headers/body/content type. |
| rails/spec/policies/api/v1/email_policy_spec.rb | Policy spec verifying OIDC-only authorization. |
Prevents flaky test failures from delivery state leaking across examples (e.g., "does not send email" assertion failing because a prior test sent one).