Add guarded async confirmation emails

Author: dtretyakov

lib/BackgroundJob/SendConfirmationMailJob.php

@@ -0,0 +1,53 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\Forms\BackgroundJob;
+
+use OCP\AppFramework\Utility\ITimeFactory;
+use OCP\BackgroundJob\QueuedJob;
+use OCP\Mail\IMailer;
+use Psr\Log\LoggerInterface;
+
+class SendConfirmationMailJob extends QueuedJob {
+	public function __construct(
+		ITimeFactory $time,
+		private IMailer $mailer,
+		private LoggerInterface $logger,
+	) {
+		parent::__construct($time);
+	}
+
+	/**
+	 * @param array{recipient: string, subject: string, body: string, formId: int, submissionId: int} $argument
+	 */
+	public function run($argument): void {
+		$recipient = $argument['recipient'];
+		$subject = $argument['subject'];
+		$body = $argument['body'];
+		$formId = $argument['formId'];
+		$submissionId = $argument['submissionId'];
+
+		try {
+			$message = $this->mailer->createMessage();
+			$message->setSubject($subject);
+			$message->setPlainBody($body);
+			$message->setTo([$recipient]);
+			$this->mailer->send($message);
+			$this->logger->debug('Confirmation email sent successfully', [
+				'formId' => $formId,
+				'submissionId' => $submissionId,
+			]);
+		} catch (\Exception $e) {
+			$this->logger->error('Error while sending confirmation email', [
+				'exception' => $e,
+				'formId' => $formId,
+				'submissionId' => $submissionId,
+			]);
+		}
+	}
+}

lib/Constants.php

@@ -18,12 +18,14 @@ class Constants {
 	public const CONFIG_KEY_ALLOWSHOWTOALL = 'allowShowToAll';
 	public const CONFIG_KEY_CREATIONALLOWEDGROUPS = 'creationAllowedGroups';
 	public const CONFIG_KEY_RESTRICTCREATION = 'restrictCreation';
+	public const CONFIG_KEY_ALLOWCONFIRMATIONEMAIL = 'allowConfirmationEmail';
 	public const CONFIG_KEYS = [
 		self::CONFIG_KEY_ALLOWPERMITALL,
 		self::CONFIG_KEY_ALLOWPUBLICLINK,
 		self::CONFIG_KEY_ALLOWSHOWTOALL,
 		self::CONFIG_KEY_CREATIONALLOWEDGROUPS,
-		self::CONFIG_KEY_RESTRICTCREATION
+		self::CONFIG_KEY_RESTRICTCREATION,
+		self::CONFIG_KEY_ALLOWCONFIRMATIONEMAIL,
 	];
 
 	/**

lib/Controller/ApiController.php

@@ -31,12 +31,14 @@
 use OCP\AppFramework\Db\DoesNotExistException;
 use OCP\AppFramework\Db\IMapperException;
 use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\Attribute\AnonRateLimit;
 use OCP\AppFramework\Http\Attribute\ApiRoute;
 use OCP\AppFramework\Http\Attribute\BruteForceProtection;
 use OCP\AppFramework\Http\Attribute\CORS;
 use OCP\AppFramework\Http\Attribute\NoAdminRequired;
 use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
 use OCP\AppFramework\Http\Attribute\PublicPage;
+use OCP\AppFramework\Http\Attribute\UserRateLimit;
 use OCP\AppFramework\Http\DataDownloadResponse;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\OCS\OCSBadRequestException;
@@ -1353,6 +1355,8 @@ public function deleteAllSubmissions(int $formId): DataResponse {
 	 *
 	 * 201: empty response
 	 */
+	#[AnonRateLimit(limit: 3, period: 3600)]
+	#[UserRateLimit(limit: 10, period: 3600)]
 	#[CORS()]
 	#[NoAdminRequired()]
 	#[NoCSRFRequired()]

lib/Db/Form.php

@@ -59,6 +59,8 @@
  * @method void setConfirmationEmailSubject(string|null $value)
  * @method string|null getConfirmationEmailBody()
  * @method void setConfirmationEmailBody(string|null $value)
+ * @method int|null getConfirmationEmailRecipient()
+ * @method void setConfirmationEmailRecipient(int|null $value)
  */
 class Form extends Entity {
 	protected $hash;
@@ -83,6 +85,7 @@ class Form extends Entity {
 	protected $confirmationEmailEnabled;
 	protected $confirmationEmailSubject;
 	protected $confirmationEmailBody;
+	protected $confirmationEmailRecipient;
 
 	/**
 	 * Form constructor.
@@ -100,6 +103,7 @@ public function __construct() {
 		$this->addType('lockedUntil', 'integer');
 		$this->addType('maxSubmissions', 'integer');
 		$this->addType('confirmationEmailEnabled', 'boolean');
+		$this->addType('confirmationEmailRecipient', 'integer');
 	}
 
 	// JSON-Decoding of access-column.
@@ -177,6 +181,7 @@ public function setAccess(array $access): void {
 	 *   confirmationEmailEnabled: bool,
 	 *   confirmationEmailSubject: ?string,
 	 *   confirmationEmailBody: ?string,
+	 *   confirmationEmailRecipient: ?int,
 	 *  }
 	 */
 	public function read() {
@@ -204,6 +209,7 @@ public function read() {
 			'confirmationEmailEnabled' => (bool)$this->getConfirmationEmailEnabled(),
 			'confirmationEmailSubject' => $this->getConfirmationEmailSubject(),
 			'confirmationEmailBody' => $this->getConfirmationEmailBody(),
+			'confirmationEmailRecipient' => $this->getConfirmationEmailRecipient(),
 		];
 	}
 }

lib/ResponseDefinitions.php

@@ -145,6 +145,7 @@
  *   confirmationEmailEnabled: bool,
  *   confirmationEmailSubject: ?string,
  *   confirmationEmailBody: ?string,
+ *   confirmationEmailRecipient: ?int,
  * }
  *
  * @psalm-type FormsUploadedFile = array{

lib/Service/ConfigService.php

@@ -49,6 +49,9 @@ public function getCreationAllowedGroups(): array {
 	public function getRestrictCreation(): bool {
 		return json_decode($this->config->getAppValue($this->appName, Constants::CONFIG_KEY_RESTRICTCREATION, 'false'));
 	}
+	public function getAllowConfirmationEmail(): bool {
+		return json_decode($this->config->getAppValue($this->appName, Constants::CONFIG_KEY_ALLOWCONFIRMATIONEMAIL, 'false'));
+	}
 
 	/**
 	 * Provide the full AppConfig
@@ -60,6 +63,7 @@ public function getAppConfig(): array {
 			Constants::CONFIG_KEY_ALLOWSHOWTOALL => $this->getAllowShowToAll(),
 			Constants::CONFIG_KEY_CREATIONALLOWEDGROUPS => $this->getCreationAllowedGroups(),
 			Constants::CONFIG_KEY_RESTRICTCREATION => $this->getRestrictCreation(),
+			Constants::CONFIG_KEY_ALLOWCONFIRMATIONEMAIL => $this->getAllowConfirmationEmail(),
 
 			// Additional, calculated information out of Config
 			'canCreateForms' => $this->canCreateForms()

lib/Service/FormsService.php

@@ -8,6 +8,7 @@
 namespace OCA\Forms\Service;
 
 use OCA\Forms\Activity\ActivityManager;
+use OCA\Forms\BackgroundJob\SendConfirmationMailJob;
 use OCA\Forms\Constants;
 use OCA\Forms\Db\AnswerMapper;
 use OCA\Forms\Db\Form;
@@ -26,12 +27,15 @@
 use OCP\AppFramework\Db\IMapperException;
 use OCP\AppFramework\Http;
 use OCP\AppFramework\OCS\OCSForbiddenException;
+use OCP\BackgroundJob\IJobList;
 use OCP\EventDispatcher\IEventDispatcher;
 use OCP\Files\IRootFolder;
 use OCP\Files\NotFoundException;
+use OCP\ICacheFactory;
 use OCP\IGroup;
 use OCP\IGroupManager;
 use OCP\IL10N;
+use OCP\IMemcache;
 use OCP\IUser;
 use OCP\IUserManager;
 use OCP\IUserSession;
@@ -53,6 +57,9 @@
 class FormsService {
 	private ?IUser $currentUser;
 
+	private const EMAIL_RATE_LIMIT = 3;
+	private const EMAIL_RATE_LIMIT_TTL = 86400; // 24 hours
+
 	public function __construct(
 		IUserSession $userSession,
 		private ActivityManager $activityManager,
@@ -73,6 +80,8 @@ public function __construct(
 		private IMailer $mailer,
 		private IEmailValidator $emailValidator,
 		private AnswerMapper $answerMapper,
+		private IJobList $jobList,
+		private ICacheFactory $cacheFactory,
 	) {
 		$this->currentUser = $userSession->getUser();
 	}
@@ -762,18 +771,23 @@ private function sendConfirmationEmail(Form $form, Submission $submission): void
 			return;
 		}
 
+		if (!$this->configService->getAllowConfirmationEmail()) {
+			$this->logger->debug('Confirmation email feature is disabled by administrator', [
+				'formId' => $form->getId(),
+			]);
+			return;
+		}
+
 		$subject = $form->getConfirmationEmailSubject();
 		$body = $form->getConfirmationEmailBody();
 
-		// If no subject or body is set, use defaults
 		if (empty($subject)) {
 			$subject = $this->l10n->t('Thank you for your submission');
 		}
 		if (empty($body)) {
 			$body = $this->l10n->t('Thank you for submitting the form "%s".', [$form->getTitle()]);
 		}
 
-		// Get questions and answers
 		$questions = $this->getQuestions($form->getId());
 		$answers = $this->answerMapper->findBySubmission($submission->getId());
 
@@ -805,61 +819,74 @@ private function sendConfirmationEmail(Form $form, Submission $submission): void
 			return;
 		}
 
+		$cacheKey = 'email_rl_' . hash('sha256', $form->getId() . ':' . strtolower($recipientEmail));
+		$cache = $this->cacheFactory->createDistributed('forms_confirmation_email');
+		if (!$cache instanceof IMemcache) {
+			$this->logger->warning('Distributed cache does not support atomic increments for confirmation email rate limiting', [
+				'formId' => $form->getId(),
+				'submissionId' => $submission->getId(),
+			]);
+			return;
+		}
+
+		if ($cache->add($cacheKey, 1, self::EMAIL_RATE_LIMIT_TTL)) {
+			$count = 1;
+		} else {
+			$count = $cache->inc($cacheKey);
+			if (!is_int($count)) {
+				$this->logger->warning('Failed to increment confirmation email rate limit counter', [
+					'formId' => $form->getId(),
+					'submissionId' => $submission->getId(),
+				]);
+				return;
+			}
+		}
+
+		if ($count > self::EMAIL_RATE_LIMIT) {
+			$this->logger->warning('Per-recipient confirmation email rate limit reached', [
+				'formId' => $form->getId(),
+				'submissionId' => $submission->getId(),
+			]);
+			return;
+		}
+
 		// Replace placeholders in subject and body
 		$replacements = [
 			'{formTitle}' => $form->getTitle(),
 			'{formDescription}' => $form->getDescription() ?? '',
 		];
 
-		// Add field placeholders (e.g., {name}, {email})
 		foreach ($questions as $question) {
 			$questionId = $question['id'];
 			$questionName = $question['name'] ?? '';
 			$questionText = $question['text'] ?? '';
 
-			// Use question name if available, otherwise use text
 			$fieldKey = !empty($questionName) ? $questionName : $questionText;
-			// Sanitize field key for placeholder (remove special chars, lowercase)
 			$fieldKey = strtolower(preg_replace('/[^a-zA-Z0-9]/', '', $fieldKey));
 
 			if (!empty($answerMap[$questionId])) {
 				$answerValue = implode('; ', $answerMap[$questionId]);
 				$replacements['{' . $fieldKey . '}'] = $answerValue;
-				// Also support {questionName} format
 				if (!empty($questionName)) {
 					$replacements['{' . strtolower(preg_replace('/[^a-zA-Z0-9]/', '', $questionName)) . '}'] = $answerValue;
 				}
 			}
 		}
 
-		// Apply replacements
 		$subject = str_replace(array_keys($replacements), array_values($replacements), $subject);
 		$body = str_replace(array_keys($replacements), array_values($replacements), $body);
 
-		try {
-			$message = $this->mailer->createMessage();
-			$message->setSubject($subject);
-			$message->setPlainBody($body);
-			$message->setTo([$recipientEmail]);
-
-			$this->mailer->send($message);
-			$this->logger->debug('Confirmation email sent successfully', [
-				'formId' => $form->getId(),
-				'submissionId' => $submission->getId(),
-				'recipient' => $recipientEmail,
-			]);
-		} catch (\Exception $e) {
-			// Handle exceptions silently, as this is not critical.
-			// We don't want to break the submission process just because of an email error.
-			$this->logger->error(
-				'Error while sending confirmation email',
-				[
-					'exception' => $e,
-					'formId' => $form->getId(),
-					'submissionId' => $submission->getId(),
-				]
-			);
-		}
+		$this->jobList->add(SendConfirmationMailJob::class, [
+			'recipient' => $recipientEmail,
+			'subject' => $subject,
+			'body' => $body,
+			'formId' => $form->getId(),
+			'submissionId' => $submission->getId(),
+		]);
+		$this->logger->debug('Confirmation email queued', [
+			'formId' => $form->getId(),
+			'submissionId' => $submission->getId(),
+		]);
 	}
 
 	/**

openapi.json

@@ -122,7 +122,8 @@
                     "submissionMessage",
                     "confirmationEmailEnabled",
                     "confirmationEmailSubject",
-                    "confirmationEmailBody"
+                    "confirmationEmailBody",
+                    "confirmationEmailRecipient"
                 ],
                 "properties": {
                     "id": {
@@ -246,6 +247,11 @@
                     "confirmationEmailBody": {
                         "type": "string",
                         "nullable": true
+                    },
+                    "confirmationEmailRecipient": {
+                        "type": "integer",
+                        "format": "int64",
+                        "nullable": true
                     }
                 }
             },

src/FormsSettings.vue

@@ -24,6 +24,22 @@
 				label="displayName"
 				@input="onCreationAllowedGroupsChange" />
 		</NcSettingsSection>
+		<NcSettingsSection
+			:name="t('forms', 'Confirmation emails')"
+			:description="
+				t(
+					'forms',
+					'Allow form owners to send a confirmation email to respondents after submission.',
+				)
+			">
+			<NcCheckboxRadioSwitch
+				ref="switchAllowConfirmationEmail"
+				v-model="appConfig.allowConfirmationEmail"
+				type="switch"
+				@update:modelValue="onAllowConfirmationEmailChange">
+				{{ t('forms', 'Allow confirmation emails to form respondents') }}
+			</NcCheckboxRadioSwitch>
+		</NcSettingsSection>
 		<NcSettingsSection :name="t('forms', 'Form sharing')">
 			<NcCheckboxRadioSwitch
 				ref="switchAllowPublicLink"
@@ -129,6 +145,13 @@ export default {
 			el.loading = false
 		},
 
+		async onAllowConfirmationEmailChange(newVal) {
+			const el = this.$refs.switchAllowConfirmationEmail
+			el.loading = true
+			await this.saveAppConfig('allowConfirmationEmail', newVal)
+			el.loading = false
+		},
+
 		/**
 		 * Save a key-value pair to the appConfig.
 		 *