fix(mothership): fail inbox ban checks closed without emailing, gate blocked senders

Author: TheodoreSpeaks

apps/sim/lib/auth/ban.test.ts

@@ -21,7 +21,7 @@ vi.mock('@/lib/core/config/env', () => ({
 }))
 vi.mock('@/lib/core/config/feature-flags', () => ({ isAppConfigEnabled: false }))
 
-import { getActivelyBannedUserIds, isBanActive } from '@/lib/auth/ban'
+import { getActivelyBannedUserIds, isBanActive, isEmailDomainBlocked } from '@/lib/auth/ban'
 
 describe('isBanActive', () => {
   it('returns true for a permanent ban', () => {
@@ -42,6 +42,23 @@ describe('isBanActive', () => {
   })
 })
 
+describe('isEmailDomainBlocked', () => {
+  beforeEach(() => {
+    envRef.BLOCKED_SIGNUP_DOMAINS = 'bad.com'
+  })
+
+  it('returns true for blocked domains and subdomains', async () => {
+    expect(await isEmailDomainBlocked('a@bad.com')).toBe(true)
+    expect(await isEmailDomainBlocked('a@mail.bad.com')).toBe(true)
+  })
+
+  it('returns false for clean domains and missing emails', async () => {
+    expect(await isEmailDomainBlocked('a@good.com')).toBe(false)
+    expect(await isEmailDomainBlocked(null)).toBe(false)
+    expect(await isEmailDomainBlocked(undefined)).toBe(false)
+  })
+})
+
 describe('getActivelyBannedUserIds', () => {
   beforeEach(() => {
     vi.clearAllMocks()

apps/sim/lib/auth/ban.ts

@@ -12,6 +12,16 @@ export function isBanActive(row: { banned: boolean | null; banExpires: Date | nu
   return true
 }
 
+/**
+ * True when the email's domain is in the appconfig blocked-domains list.
+ * For gating raw emails (e.g. inbound senders) that have no user row.
+ */
+export async function isEmailDomainBlocked(email: string | null | undefined): Promise<boolean> {
+  if (!email) return false
+  const accessControl = await getAccessControlConfig()
+  return isEmailInDenylist(email, accessControl.blockedSignupDomains)
+}
+
 /**
  * Returns the subset of the given user ids that are currently blocked: an
  * active account ban, or an email domain in the appconfig blocked-domains

apps/sim/lib/mothership/inbox/executor.ts

@@ -3,7 +3,7 @@ import { createLogger } from '@sim/logger'
 import { getErrorMessage } from '@sim/utils/errors'
 import { generateId } from '@sim/utils/id'
 import { and, eq, sql } from 'drizzle-orm'
-import { getActivelyBannedUserIds } from '@/lib/auth/ban'
+import { getActivelyBannedUserIds, isEmailDomainBlocked } from '@/lib/auth/ban'
 import { resolveOrCreateChat } from '@/lib/copilot/chat/lifecycle'
 import { appendCopilotChatMessages } from '@/lib/copilot/chat/messages-store'
 import { buildIntegrationToolSchemas } from '@/lib/copilot/chat/payload'
@@ -94,11 +94,34 @@ export async function executeInboxTask(taskId: string): Promise<void> {
       return
     }
 
-    // No email response on purpose — never mail a suspended account.
-    const [bannedUserId] = await getActivelyBannedUserIds([userId])
-    if (bannedUserId) {
-      logger.warn('Blocking inbox task: resolved user is banned', { taskId, userId })
-      await markTaskFailed(taskId, 'User account is suspended')
+    // Blocked senders and banned accounts must not drive the agent; the sender
+    // email is checked directly because non-members resolve to the workspace
+    // owner. Fails closed on lookup errors. No email response in any of these
+    // paths — never mail a suspended account.
+    let blockReason: string | null = null
+    try {
+      const [senderBlocked, [bannedUserId]] = await Promise.all([
+        isEmailDomainBlocked(inboxTask.fromEmail),
+        getActivelyBannedUserIds([userId]),
+      ])
+      if (senderBlocked || bannedUserId) {
+        logger.warn('Blocking inbox task: sender or resolved user is banned', {
+          taskId,
+          userId,
+          senderBlocked,
+        })
+        blockReason = 'User account is suspended'
+      }
+    } catch (error) {
+      logger.error('Inbox task ban check failed; failing closed', {
+        taskId,
+        error: getErrorMessage(error, 'Unknown error'),
+      })
+      blockReason = 'Unable to verify account status'
+    }
+    if (blockReason) {
+      responseSent = true
+      await markTaskFailed(taskId, blockReason)
       return
     }