feat(upload): add notifyRecipients toggle on /fileupload/init

rubenhensen · rubenhensen · commit 8e93bdd31367 · 2026-05-01T17:10:23.000+02:00
The recipient notification email was sent unconditionally on every
upload — there was no way for a client to upload silently. That's a
problem when the encrypted payload is delivered to recipients through
another channel (e.g. an email add-in delivering the message from the
sender's own mailbox) and the Cryptify mail would be a duplicate.

Adds an optional `notifyRecipients` field to the InitBody. Defaults to
`true` to preserve the long-standing behaviour for clients that don't
know about it. When `false`, the per-recipient SMTP delivery loop in
`send_email` is skipped; the recipient list is still parsed and stored
(so the existing validation behaviour is unchanged) and the sender
confirmation, gated separately by `confirm`, is sent regardless.
diff --git a/api-description.yaml b/api-description.yaml
@@ -65,6 +65,11 @@ paths:
                     type: "boolean"
                     example: true
                     description: "Whether to send a confirmation email to the sender"
+                  notifyRecipients:
+                    type: "boolean"
+                    default: true
+                    example: true
+                    description: "Whether to email each recipient with a download link. Optional; defaults to true. Set to false to upload silently when the encrypted payload reaches recipients through another channel and a Cryptify-sent notification would be a duplicate."
         responses:
           "200":
             description: "Successful operation"
diff --git a/src/email.rs b/src/email.rs
@@ -215,31 +215,39 @@ pub async fn send_email(
         mailer_builder = mailer_builder.credentials(credentials);
     }
 
-    for recipient in state.recipients.iter() {
-        // combine URL with mail variables into template
-        let base = Url::parse(config.server_url())?;
-        let mut url = base.join("/download")?;
-        url.query_pairs_mut()
-            .append_pair("uuid", uuid)
-            .append_pair("recipient", &format!("{}", recipient.email));
-
-        let (email, subject) = email_templates(state, url.as_str());
-        let email = Message::builder()
-            .header(ContentType::TEXT_HTML)
-            .header(XPostGuard(X_POSTGUARD_VERSION.to_owned()))
-            .from(config.email_from()) // checked in config
-            .to(recipient.clone())
-            .subject(subject)
-            .body(email)?;
-
-        // send email
-        log::info!("Sending email to {}", recipient.email);
-        let mailer = mailer_builder.clone().build();
-        mailer.send(&email).map_err(|e| {
-            log::error!("Failed to send email to {}: {}", recipient.email, e);
-            e
-        })?;
-        log::info!("Email sent to {}", recipient.email);
+    if state.notify_recipients {
+        for recipient in state.recipients.iter() {
+            // combine URL with mail variables into template
+            let base = Url::parse(config.server_url())?;
+            let mut url = base.join("/download")?;
+            url.query_pairs_mut()
+                .append_pair("uuid", uuid)
+                .append_pair("recipient", &format!("{}", recipient.email));
+
+            let (email, subject) = email_templates(state, url.as_str());
+            let email = Message::builder()
+                .header(ContentType::TEXT_HTML)
+                .header(XPostGuard(X_POSTGUARD_VERSION.to_owned()))
+                .from(config.email_from()) // checked in config
+                .to(recipient.clone())
+                .subject(subject)
+                .body(email)?;
+
+            // send email
+            log::info!("Sending email to {}", recipient.email);
+            let mailer = mailer_builder.clone().build();
+            mailer.send(&email).map_err(|e| {
+                log::error!("Failed to send email to {}: {}", recipient.email, e);
+                e
+            })?;
+            log::info!("Email sent to {}", recipient.email);
+        }
+    } else {
+        log::info!(
+            "notify_recipients disabled — skipping notification mail for {} recipient(s) on upload {}",
+            state.recipients.iter().count(),
+            uuid
+        );
     }
 
     if state.confirm {
diff --git a/src/main.rs b/src/main.rs
@@ -48,6 +48,19 @@ struct InitBody {
     #[serde(rename = "mailLang")]
     mail_lang: email::Language,
     confirm: bool,
+    /// Whether to email each recipient with a download link. Optional;
+    /// defaults to `true` to preserve existing client behaviour. Set to
+    /// `false` when the encrypted payload reaches the recipients through
+    /// another channel (e.g. an email add-in delivering the message from
+    /// the user's own mailbox) and a Cryptify-sent notification would be
+    /// a duplicate. The recipient list itself is still validated and
+    /// stored — only the SMTP delivery is skipped.
+    #[serde(rename = "notifyRecipients", default = "default_true")]
+    notify_recipients: bool,
+}
+
+fn default_true() -> bool {
+    true
 }
 
 #[derive(Serialize, Deserialize)]
@@ -121,6 +134,7 @@ async fn upload_init(
                     sender: None,
                     sender_attributes: Vec::new(),
                     confirm: request.confirm,
+                    notify_recipients: request.notify_recipients,
                     is_api_key: api_key.0,
                 },
             );
diff --git a/src/store.rs b/src/store.rs
@@ -24,6 +24,11 @@ pub struct FileState {
     pub sender: Option<String>,
     pub sender_attributes: Vec<(String, String)>,
     pub confirm: bool,
+    /// When false, the recipient notification email is suppressed (the
+    /// recipients still appear in the parsed list, but the SMTP delivery
+    /// loop in `send_email` is skipped). The sender confirmation, if
+    /// `confirm` is true, is sent regardless.
+    pub notify_recipients: bool,
     pub is_api_key: bool,
 }
 
