feat(one-click): implement RFC 8058 one-click unsubscribe

Author: kschelonka

src/app/[locale]/(redesign)/(authenticated)/admin/emails/actions.tsx

@@ -48,7 +48,7 @@ async function send(
   emailAddress: string,
   subject: string,
   template: ReactNode,
-  plaintextVersion?: string,
+  options?: { plaintextVersion?: string; oneClickUrl?: string },
 ) {
   const subscriber = await getAdminSubscriber();
   if (!subscriber) {
@@ -68,7 +68,12 @@ async function send(
     emailAddress,
     "Test email: " + subject,
     await renderEmail(template),
-    plaintextVersion,
+    {
+      plaintext: options?.plaintextVersion,
+      ...(options?.oneClickUrl && {
+        oneClickUnsubscribe: { url: options?.oneClickUrl },
+      }),
+    },
   );
 }
 
@@ -127,7 +132,8 @@ export async function triggerBreachAlert(emailAddress: string) {
 
   const acceptLangHeader = await getAcceptLangHeaderInServerComponents();
   const l10n = getL10n(acceptLangHeader);
-  const unsubscribeLink = await getBreachAlertsUnsubscribeLink(subscriber);
+  const { footer: unsubscribeLink, oneClick: oneClickUrl } =
+    await getBreachAlertsUnsubscribeLink(subscriber);
 
   await send(
     emailAddress,
@@ -140,5 +146,6 @@ export async function triggerBreachAlert(emailAddress: string) {
       l10n={l10n}
       unsubscribeLink={unsubscribeLink}
     />,
+    { oneClickUrl },
   );
 }

src/app/api/v1/user/one-click-unsubscribe/route.test.ts

@@ -0,0 +1,218 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// @vitest-environment node
+
+import { describe, it, expect, vi, afterEach } from "vitest";
+import type { NextRequest } from "next/server";
+
+vi.mock("../../../../../db/tables/email_subscriptions", () => ({
+  getEmailSubscriptionByToken: vi.fn(),
+  unsubscribeEmailSubscription: vi.fn(),
+}));
+
+vi.mock("../../../../functions/server/logging", () => ({
+  logger: { info: vi.fn(), error: vi.fn() },
+}));
+
+vi.mock("@sentry/nextjs", () => ({
+  captureException: vi.fn(),
+}));
+
+import {
+  getEmailSubscriptionByToken,
+  unsubscribeEmailSubscription,
+} from "../../../../../db/tables/email_subscriptions";
+import { EmailSubscriptionsRow } from "knex/types/tables";
+import { BREACH_ALERT_LIST_ID } from "../../../../../constants";
+
+afterEach(() => {
+  vi.clearAllMocks();
+});
+
+const token = "valid-token-abc";
+const mockSubscription: EmailSubscriptionsRow = {
+  id: "1",
+  subscriber_id: 1,
+  token,
+  list_id: BREACH_ALERT_LIST_ID,
+  subscribed: true,
+  updated_at: new Date(),
+};
+
+function makeReq(
+  url: string,
+  {
+    contentType,
+    formFields,
+  }: { contentType?: string; formFields?: Record<string, string> } = {},
+): NextRequest {
+  const fd = new FormData();
+  for (const [key, value] of Object.entries(formFields ?? {})) {
+    fd.append(key, value);
+  }
+  return {
+    url,
+    headers: {
+      get: (name: string) =>
+        name === "content-type" ? (contentType ?? null) : null,
+    },
+    formData: () => Promise.resolve(fd),
+  } as unknown as NextRequest;
+}
+
+describe("POST /api/v1/user/one-click-unsubscribe", () => {
+  it("returns 400 when no token is provided", async () => {
+    const { POST } = await import("./route");
+
+    const req = makeReq(
+      "https://example.com/api/v1/user/one-click-unsubscribe",
+    );
+
+    const res = await POST(req);
+    expect(res.status).toBe(400);
+    const body = await res.json();
+    expect(body.success).toBe(false);
+    expect(body.message).toMatch(/token/i);
+  });
+
+  it("returns 400 when content-type is form-urlencoded but List-Unsubscribe field is missing", async () => {
+    const { POST } = await import("./route");
+
+    const req = makeReq(
+      `https://example.com/api/v1/user/one-click-unsubscribe?token=${token}`,
+      {
+        contentType: "application/x-www-form-urlencoded",
+        formFields: { some: "other" },
+      },
+    );
+
+    const res = await POST(req);
+    expect(res.status).toBe(400);
+    const body = await res.json();
+    expect(body.success).toBe(false);
+    expect(body.message).toMatch(/List-Unsubscribe=One-Click/);
+  });
+
+  it("returns 200 when content-type is form-urlencoded and List-Unsubscribe=One-Click", async () => {
+    vi.mocked(getEmailSubscriptionByToken).mockResolvedValue(mockSubscription);
+    vi.mocked(unsubscribeEmailSubscription).mockResolvedValue(undefined);
+
+    const { POST } = await import("./route");
+
+    const req = makeReq(
+      `https://example.com/api/v1/user/one-click-unsubscribe?token=${token}`,
+      {
+        contentType: "application/x-www-form-urlencoded",
+        formFields: { "List-Unsubscribe": "One-Click" },
+      },
+    );
+
+    const res = await POST(req);
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.success).toBe(true);
+    expect(unsubscribeEmailSubscription).toHaveBeenCalledWith(
+      mockSubscription,
+      "one-click",
+    );
+  });
+
+  it("returns 400 when content-type is multipart/form-data but List-Unsubscribe field is missing", async () => {
+    const { POST } = await import("./route");
+
+    const req = makeReq(
+      `https://example.com/api/v1/user/one-click-unsubscribe?token=${token}`,
+      {
+        contentType: "multipart/form-data; boundary=----boundary",
+        formFields: { some: "other" },
+      },
+    );
+
+    const res = await POST(req);
+    expect(res.status).toBe(400);
+    const body = await res.json();
+    expect(body.success).toBe(false);
+    expect(body.message).toMatch(/List-Unsubscribe=One-Click/);
+  });
+
+  it("returns 200 when content-type is multipart/form-data and List-Unsubscribe=One-Click", async () => {
+    vi.mocked(getEmailSubscriptionByToken).mockResolvedValue(mockSubscription);
+    vi.mocked(unsubscribeEmailSubscription).mockResolvedValue(undefined);
+
+    const { POST } = await import("./route");
+
+    const req = makeReq(
+      `https://example.com/api/v1/user/one-click-unsubscribe?token=${token}`,
+      {
+        contentType: "multipart/form-data; boundary=----boundary",
+        formFields: { "List-Unsubscribe": "One-Click" },
+      },
+    );
+
+    const res = await POST(req);
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.success).toBe(true);
+    expect(unsubscribeEmailSubscription).toHaveBeenCalledWith(
+      mockSubscription,
+      "one-click",
+    );
+  });
+
+  it("returns 200 if token does not map to a subscription", async () => {
+    vi.mocked(getEmailSubscriptionByToken).mockResolvedValue(undefined);
+
+    const { POST } = await import("./route");
+
+    const req = makeReq(
+      `https://example.com/api/v1/user/one-click-unsubscribe?token=${token}`,
+    );
+
+    const res = await POST(req);
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.success).toBe(true);
+    expect(getEmailSubscriptionByToken).toHaveBeenCalledWith(token);
+    expect(unsubscribeEmailSubscription).not.toHaveBeenCalled();
+  });
+
+  it("returns 200 and unsubscribes with source 'one-click' on success", async () => {
+    vi.mocked(getEmailSubscriptionByToken).mockResolvedValue(mockSubscription);
+    vi.mocked(unsubscribeEmailSubscription).mockResolvedValue(undefined);
+
+    const { POST } = await import("./route");
+
+    const req = makeReq(
+      `https://example.com/api/v1/user/one-click-unsubscribe?token=${token}`,
+    );
+
+    const res = await POST(req);
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.success).toBe(true);
+    expect(unsubscribeEmailSubscription).toHaveBeenCalledWith(
+      mockSubscription,
+      "one-click",
+    );
+  });
+
+  it("returns 500 when unsubscribeEmailSubscription throws", async () => {
+    vi.mocked(getEmailSubscriptionByToken).mockResolvedValue(mockSubscription);
+    vi.mocked(unsubscribeEmailSubscription).mockRejectedValue(
+      new Error("db failure"),
+    );
+
+    const { POST } = await import("./route");
+
+    const req = makeReq(
+      `https://example.com/api/v1/user/one-click-unsubscribe?token=${token}`,
+    );
+
+    const res = await POST(req);
+    expect(res.status).toBe(500);
+    const body = await res.json();
+    expect(body.success).toBe(false);
+  });
+});

src/app/api/v1/user/one-click-unsubscribe/route.ts

@@ -0,0 +1,71 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+import { NextResponse } from "next/server";
+import type { NextRequest } from "next/server";
+import { logger } from "../../../../functions/server/logging";
+import {
+  getEmailSubscriptionByToken,
+  unsubscribeEmailSubscription,
+} from "../../../../../db/tables/email_subscriptions";
+import * as Sentry from "@sentry/nextjs";
+
+/**
+ * One-click unsubscribe endpoint per RFC 8058.
+ * https://datatracker.ietf.org/doc/html/rfc8058
+ *
+ * Email clients that support one-click unsubscribe will POST to this
+ * endpoint with a body of `List-Unsubscribe=One-Click` and expect a
+ * 200 response with no redirect.
+ */
+export async function POST(req: NextRequest) {
+  try {
+    const { searchParams } = new URL(req.url);
+    const unsubToken = searchParams.get("token");
+    if (!unsubToken) {
+      return NextResponse.json(
+        {
+          success: false,
+          message: "token is a required url parameter.",
+        },
+        { status: 400 },
+      );
+    }
+
+    // RFC 8058 §3: the POST body MUST contain a field named "List-Unsubscribe"
+    // with value "One-Click". The content type SHOULD be multipart/form-data
+    // or MAY be application/x-www-form-urlencoded.
+    const contentType = req.headers.get("content-type") ?? "";
+    if (
+      contentType.includes("multipart/form-data") ||
+      contentType.includes("application/x-www-form-urlencoded")
+    ) {
+      const formData = await req.formData();
+      if (formData.get("List-Unsubscribe") !== "One-Click") {
+        return NextResponse.json(
+          {
+            success: false,
+            message: "Body must contain List-Unsubscribe=One-Click.",
+          },
+          { status: 400 },
+        );
+      }
+    }
+
+    const subscriptionRecord = await getEmailSubscriptionByToken(unsubToken);
+    if (!subscriptionRecord) {
+      logger.info("No email_subscription associated with token", {
+        token: unsubToken,
+      });
+      // Return 200 per RFC 8058 to avoid leaking token validity
+      return NextResponse.json({ success: true }, { status: 200 });
+    }
+    await unsubscribeEmailSubscription(subscriptionRecord, "one-click");
+    return NextResponse.json({ success: true }, { status: 200 });
+  } catch (e) {
+    logger.error("one_click_unsubscribe_email", { error: e });
+    Sentry.captureException(e);
+    return NextResponse.json({ success: false }, { status: 500 });
+  }
+}

src/app/functions/cronjobs/unsubscribeLinks.ts

@@ -10,18 +10,20 @@ import { BREACH_ALERT_LIST_ID } from "../../../constants";
 import { config } from "../../../config";
 
 /**
- * Create an unsubscribe link for use in the breach alerts
- * email footer
+ * Create unsubscribe links for use in the breach alerts
+ * email footer, and one-click unsubscribe URL (RFC 8058).
  */
 export async function getBreachAlertsUnsubscribeLink(
   subscriber: Pick<SubscriberRow, "id">,
-) {
+): Promise<{ footer: string; oneClick: string }> {
   try {
     const token = await getOrCreateUnsubscribeToken(
       subscriber.id,
       BREACH_ALERT_LIST_ID,
     );
-    return `${config.serverUrl}/unsubscribe/breach-alerts?token=${token}`;
+    const footer = `${config.serverUrl}/unsubscribe/breach-alerts?token=${token}`;
+    const oneClick = `${config.serverUrl}/api/v1/user/one-click-unsubscribe?token=${token}`;
+    return { footer, oneClick };
   } catch (e) {
     logger.error("generate_unsubscribe_link", {
       exception: e,

src/scripts/cronjobs/emailBreachAlerts/emailBreachAlerts.tsx

@@ -201,9 +201,8 @@ export async function breachMessageHandler(
 
       const l10n = getCronjobL10n(recipient);
       const subject = l10n.getString("email-breach-alert-all-subject");
-      const unsubscribeLink = await getBreachAlertsUnsubscribeLink({
-        id: recipient.subscriber_id,
-      });
+      const { footer: unsubscribeLink, oneClick: oneClickUnsubscribeUrl } =
+        await getBreachAlertsUnsubscribeLink({ id: recipient.subscriber_id });
       await sendEmail(
         recipient.notification_email,
         subject,
@@ -217,6 +216,7 @@ export async function breachMessageHandler(
             unsubscribeLink={unsubscribeLink}
           />,
         ),
+        { oneClickUnsubscribe: { url: oneClickUnsubscribeUrl } },
       );
       await notifications.markEmailAsNotified(
         recipient.subscriber_id,