fix(mothership): also block inbox senders whose own account is banned

Author: TheodoreSpeaks

apps/sim/lib/auth/ban.test.ts

@@ -12,7 +12,7 @@ vi.mock('@sim/db', () => ({
   db: { select: vi.fn(() => ({ from: vi.fn(() => ({ where: mockWhere })) })) },
   user: { id: 'id', email: 'email', banned: 'banned', banExpires: 'banExpires' },
 }))
-vi.mock('drizzle-orm', () => ({ inArray: vi.fn() }))
+vi.mock('drizzle-orm', () => ({ inArray: vi.fn(), sql: vi.fn() }))
 vi.mock('@/lib/core/config/appconfig', () => ({ fetchAppConfigProfile: vi.fn() }))
 vi.mock('@/lib/core/config/env', () => ({
   get env() {
@@ -21,7 +21,7 @@ vi.mock('@/lib/core/config/env', () => ({
 }))
 vi.mock('@/lib/core/config/feature-flags', () => ({ isAppConfigEnabled: false }))
 
-import { getActivelyBannedUserIds, isBanActive, isEmailDomainBlocked } from '@/lib/auth/ban'
+import { getActivelyBannedUserIds, isBanActive, isEmailBlocked } from '@/lib/auth/ban'
 
 describe('isBanActive', () => {
   it('returns true for a permanent ban', () => {
@@ -42,20 +42,28 @@ describe('isBanActive', () => {
   })
 })
 
-describe('isEmailDomainBlocked', () => {
+describe('isEmailBlocked', () => {
   beforeEach(() => {
+    vi.clearAllMocks()
     envRef.BLOCKED_SIGNUP_DOMAINS = 'bad.com'
+    mockWhere.mockResolvedValue([])
+  })
+
+  it('returns true for blocked domains and subdomains without querying users', async () => {
+    expect(await isEmailBlocked('a@bad.com')).toBe(true)
+    expect(await isEmailBlocked('a@mail.bad.com')).toBe(true)
+    expect(mockWhere).not.toHaveBeenCalled()
   })
 
-  it('returns true for blocked domains and subdomains', async () => {
-    expect(await isEmailDomainBlocked('a@bad.com')).toBe(true)
-    expect(await isEmailDomainBlocked('a@mail.bad.com')).toBe(true)
+  it('returns true when the email belongs to an actively banned account', async () => {
+    mockWhere.mockResolvedValue([{ banned: true, banExpires: null }])
+    expect(await isEmailBlocked('a@good.com')).toBe(true)
   })
 
-  it('returns false for clean domains and missing emails', async () => {
-    expect(await isEmailDomainBlocked('a@good.com')).toBe(false)
-    expect(await isEmailDomainBlocked(null)).toBe(false)
-    expect(await isEmailDomainBlocked(undefined)).toBe(false)
+  it('returns false for clean accounts and missing emails', async () => {
+    expect(await isEmailBlocked('a@good.com')).toBe(false)
+    expect(await isEmailBlocked(null)).toBe(false)
+    expect(await isEmailBlocked(undefined)).toBe(false)
   })
 })
 

apps/sim/lib/auth/ban.ts

@@ -1,5 +1,5 @@
 import { db, user } from '@sim/db'
-import { inArray } from 'drizzle-orm'
+import { inArray, sql } from 'drizzle-orm'
 import { getAccessControlConfig, isEmailInDenylist } from '@/lib/auth/access-control'
 
 /**
@@ -13,13 +13,19 @@ export function isBanActive(row: { banned: boolean | null; banExpires: Date | nu
 }
 
 /**
- * True when the email's domain is in the appconfig blocked-domains list.
- * For gating raw emails (e.g. inbound senders) that have no user row.
+ * True when a raw email (e.g. an inbound sender) is blocked: its domain is in
+ * the appconfig blocked-domains list, or it belongs to an account with an
+ * active ban. Covers senders that don't resolve to a known user id.
  */
-export async function isEmailDomainBlocked(email: string | null | undefined): Promise<boolean> {
+export async function isEmailBlocked(email: string | null | undefined): Promise<boolean> {
   if (!email) return false
   const accessControl = await getAccessControlConfig()
-  return isEmailInDenylist(email, accessControl.blockedSignupDomains)
+  if (isEmailInDenylist(email, accessControl.blockedSignupDomains)) return true
+  const rows = await db
+    .select({ banned: user.banned, banExpires: user.banExpires })
+    .from(user)
+    .where(sql`lower(${user.email}) = ${email.toLowerCase()}`)
+  return rows.some(isBanActive)
 }
 
 /**

apps/sim/lib/mothership/inbox/executor.ts

@@ -3,7 +3,7 @@ import { createLogger } from '@sim/logger'
 import { getErrorMessage } from '@sim/utils/errors'
 import { generateId } from '@sim/utils/id'
 import { and, eq, sql } from 'drizzle-orm'
-import { getActivelyBannedUserIds, isEmailDomainBlocked } from '@/lib/auth/ban'
+import { getActivelyBannedUserIds, isEmailBlocked } from '@/lib/auth/ban'
 import { resolveOrCreateChat } from '@/lib/copilot/chat/lifecycle'
 import { appendCopilotChatMessages } from '@/lib/copilot/chat/messages-store'
 import { buildIntegrationToolSchemas } from '@/lib/copilot/chat/payload'
@@ -95,13 +95,14 @@ export async function executeInboxTask(taskId: string): Promise<void> {
     }
 
     // Blocked senders and banned accounts must not drive the agent; the sender
-    // email is checked directly because non-members resolve to the workspace
-    // owner. Fails closed on lookup errors. No email response in any of these
-    // paths — never mail a suspended account.
+    // email is checked directly (domain list + the sender's own account ban)
+    // because non-members resolve to the workspace owner. Fails closed on
+    // lookup errors. No email response in any of these paths — never mail a
+    // suspended account.
     let blockReason: string | null = null
     try {
       const [senderBlocked, [bannedUserId]] = await Promise.all([
-        isEmailDomainBlocked(inboxTask.fromEmail),
+        isEmailBlocked(inboxTask.fromEmail),
         getActivelyBannedUserIds([userId]),
       ])
       if (senderBlocked || bannedUserId) {