Add auto-forwarding of java.no emails to personal email #123

Merged
Alexanderamiri merged 2 commits into main from feat/email-auto-forwarding on Apr 14, 2026

@Alexanderamiri (Member)

Summary

  • When the team-provisioner creates or syncs hero accounts, it now sets up Gmail auto-forwarding so all mail to the java.no address is forwarded to the member's personal email (copy kept in inbox)
  • Uses domain-wide delegation to impersonate each user via the Gmail Settings API — forwarding addresses are accepted without verification
  • Applies to both new and existing accounts (idempotent — skips already-configured forwarding)

Changes

  • Added gmail.settings.sharing scope to GOOGLE_SCOPES
  • New _get_user_google_access_token() — mints per-user JWT tokens (cached)
  • New _setup_email_forwarding() — registers forwarding address + enables auto-forwarding
  • Called after account creation in handle_sync_groups_and_heros for both new and existing accounts

Prerequisites

  • gmail.settings.sharing scope added to domain-wide delegation in Google Admin console ✅

Test plan

When the team-provisioner creates or syncs hero accounts, it now sets
up Gmail auto-forwarding so all mail to the java.no address is
forwarded to the member's personal email (with a copy kept in inbox).

Uses domain-wide delegation to impersonate each user via the Gmail
Settings API — forwarding addresses are accepted without verification.
@Alexanderamiri Alexanderamiri requested a review from a team as a code owner April 14, 2026 20:03
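
An added example, not code from this pull request or the team-provisioner: since forwarding addresses set through domain-wide delegation are accepted without verification, a periodic audit can compare each mailbox's forwarding state with the member registry. The registry layout, the account names and the helpers `audit_mailbox` and `audit_all` are assumptions; the dictionaries follow the shape of the Gmail API AutoForwarding and ForwardingAddress resources.

```python
# Added example; accounts, addresses and the registry layout are constructed.
REGISTRY = {  # java.no address -> personal address (hypothetical layout)
    "anna@java.no": "anna@example.org",
    "bjorn@java.no": "bjorn@example.org",
    "cecilie@java.no": "cecilie@example.org",
}

def _fwd(enabled, target=None, disposition="leaveInInbox", addresses=()):  # sample builder
    auto = {"enabled": enabled}
    if target:
        auto.update(emailAddress=target, disposition=disposition)
    listed = [{"forwardingEmail": a, "verificationStatus": "accepted"} for a in addresses]
    return {"autoForwarding": auto, "forwardingAddresses": listed}

MAILBOXES = {  # constructed snapshots of each mailbox's forwarding settings
    "anna@java.no": _fwd(True, "anna@example.org", addresses=["anna@example.org"]),
    "bjorn@java.no": _fwd(True, "bjorn@example.net", "trash",
                          ["bjorn@example.org", "bjorn@example.net"]),
    "cecilie@java.no": _fwd(False),
    "dag@java.no": _fwd(True, "dag@example.org", addresses=["dag@example.org"]),
}

def _norm(addr):
    return (addr or "").strip().lower()

def audit_mailbox(user, state, registry):
    """Return the findings for one mailbox; an empty list means it matches."""
    expected = _norm(registry.get(user))
    auto = state.get("autoForwarding", {})
    enabled = bool(auto.get("enabled"))
    findings = []
    if not expected and enabled:
        findings.append("forwarding-without-registry-entry")
    elif expected and not enabled:
        findings.append("forwarding-disabled")
    elif enabled and _norm(auto.get("emailAddress")) != expected:
        findings.append("target-mismatch")
    if enabled and auto.get("disposition") != "leaveInInbox":
        findings.append("copy-not-kept")
    for entry in state.get("forwardingAddresses", []):
        listed = _norm(entry.get("forwardingEmail"))
        if listed != expected:  # registered address the registry does not name
            findings.append("extra-address:" + listed)
    return findings

def audit_all(mailboxes, registry):  # accounts from either source, findings only
    users = sorted(set(mailboxes) | set(registry))
    found = ((u, audit_mailbox(u, mailboxes.get(u, {}), registry)) for u in users)
    return {u: f for u, f in found if f}
```
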
@github-actions

Terraform Plan

🚧 Changes detected — Plan: 0 to add, 1 to change, 0 to destroy.

Plan output
Acquiring state lock. This may take a few moments...

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.lambdas.aws_lambda_function.team_provisioner will be updated in-place
  ~ resource "aws_lambda_function" "team_provisioner" {
        id                             = "javabin-team-provisioner"
      ~ last_modified                  = "2026-03-26T20:54:45.000+0000" -> (known after apply)
      ~ source_code_hash               = "7DSejz3Xn0CiM4UkSgYjwAnhf5pjehbiOrllxTrgfeM=" -> "rrMJrrtDWXfkKLJhLYioRSRN00lpBIeA7M04WMUYFSY="
        tags                           = {}
        # (21 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "tfplan"

LLM Review

Risk: 🟢 LOW

Routine Lambda function code update for team_provisioner with source code hash change.

  • [routine] Lambda function team_provisioner source code updated (hash change from 7DSejz3Xn0CiM4UkSgYjwAnhf5pjehbiOrllxTrgfeM= to rrMJrrtDWXfkKLJhLYioRSRN00lpBIeA7M04WMUYFSY=). This is an in-place update with no infrastructure changes.
  • [routine] No resources being created or destroyed. Only metadata update (last_modified timestamp) alongside code deployment.
  • [routine] No security group, IAM policy, or permission changes detected. Existing access controls remain unchanged.
  • [routine] No cost implications. Lambda function configuration remains the same; only code is updated.
  • [routine] No force-replacement or data loss risk. Update is non-destructive and maintains function availability.

The token expiry was changed to 60 days but the docstring on
handle_resend_password_link still referenced "48h".
@github-actions

Terraform Plan

🚧 Changes detected — Plan: 0 to add, 1 to change, 0 to destroy.

Plan output

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.lambdas.aws_lambda_function.team_provisioner will be updated in-place
  ~ resource "aws_lambda_function" "team_provisioner" {
        id                             = "javabin-team-provisioner"
      ~ last_modified                  = "2026-03-26T20:54:45.000+0000" -> (known after apply)
      ~ source_code_hash               = "7DSejz3Xn0CiM4UkSgYjwAnhf5pjehbiOrllxTrgfeM=" -> "/tK4IAED6H3qJU5jH2WkSd1SstJ2tcnzCMThkQEBq/0="
        tags                           = {}
        # (21 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "tfplan"

LLM Review

Risk: 🟢 LOW

Routine Lambda function code update for team_provisioner with source code hash change.

  • [routine] Lambda function team_provisioner source code updated (hash change from 7DSejz3Xn0CiM4UkSgYjwAnhf5pjehbiOrllxTrgfeM= to /tK4IAED6H3qJU5jH2WkSd1SstJ2tcnzCMThkQEBq/0=). This is an in-place update with no infrastructure changes.
  • [routine] Last modified timestamp will be updated automatically by AWS. No manual configuration changes detected.
  • [routine] No IAM permissions, security groups, or access controls are being modified. Function configuration remains unchanged.
  • [routine] No resources are being created or destroyed. This is a code deployment only affecting a single Lambda function.
  • [routine] No cost implications - existing Lambda function is being updated in-place without scaling or configuration changes.

@Alexanderamiri Alexanderamiri merged commit 0ac926d into main Apr 14, 2026
3 checks passed
@Alexanderamiri Alexanderamiri deleted the feat/email-auto-forwarding branch April 14, 2026 20:09
Alexanderamiri added a commit that referenced this pull request May 9, 2026
## Summary
- When the team-provisioner creates or syncs hero accounts, it now sets
up Gmail auto-forwarding so all mail to the java.no address is forwarded
to the member's personal email (copy kept in inbox)
- Uses domain-wide delegation to impersonate each user via the Gmail
Settings API — forwarding addresses are accepted without verification
- Applies to both new and existing accounts (idempotent — skips
already-configured forwarding)

## Changes
- Added `gmail.settings.sharing` scope to `GOOGLE_SCOPES`
- New `_get_user_google_access_token()` — mints per-user JWT tokens
(cached)
- New `_setup_email_forwarding()` — registers forwarding address +
enables auto-forwarding
- Called after account creation in `handle_sync_groups_and_heros` for
both new and existing accounts

## Prerequisites
- `gmail.settings.sharing` scope added to domain-wide delegation in
Google Admin console ✅

## Test plan
- [ ] Deploy Lambda, then merge registry PR #21 (members sync)
- [ ] Verify forwarding is active on a newly created java.no account
- [ ] Verify forwarding is set up for an existing account (e.g.
alexander.amiri@java.no)