Replace SendGrid with AWS SES for contact form emails

- Replace @sendgrid/mail with @aws-sdk/client-ses
- Update Lambda policy to use ses:SendEmail instead of SSM for SendGrid key
- Remove SENDGRID_API_KEY from secrets list
- Update all tests and mocks for SES

SES is already configured with verified email address messmer@cryfs.org.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: smessmer

backend/__mocks__/@aws-sdk/client-ses.js

@@ -0,0 +1,20 @@
+const mockSend = jest.fn().mockResolvedValue({});
+
+class SESClient {
+  constructor() {}
+  send(command) {
+    return mockSend(command);
+  }
+}
+
+class SendEmailCommand {
+  constructor(input) {
+    this.input = input;
+  }
+}
+
+module.exports = {
+  SESClient,
+  SendEmailCommand,
+  __mockSend: mockSend,
+};

backend/__mocks__/@sendgrid/mail.js

@@ -1,28 +1,24 @@
 "use strict";
 
-import CachedValue from "./cached_value";
-import secret from "./secret";
-import sendgrid_ from "@sendgrid/mail";
+import { SESClient, SendEmailCommand } from "@aws-sdk/client-ses";
 
-const sendgrid = new CachedValue(async () => {
-    const key = await secret('SENDGRID_API_KEY')
-    sendgrid_.setApiKey(key)
-    return sendgrid_
-})
+const ses = new SESClient({ region: "us-east-1" });
 
 export const email_myself = async (from, subject, message, reply_to = undefined) => {
-    let msg = {
-        to: 'messmer@cryfs.org',
-        from: {
-            email: 'messmer@cryfs.org',
-            name: from,
+    const params = {
+        Source: `${from} <messmer@cryfs.org>`,
+        Destination: {
+            ToAddresses: ["messmer@cryfs.org"],
         },
-        subject: subject,
-        text: message,
-    }
+        Message: {
+            Subject: { Data: subject },
+            Body: { Text: { Data: message } },
+        },
+    };
+
     if (typeof reply_to !== 'undefined' && reply_to !== '') {
-        msg['reply_to'] = reply_to
+        params.ReplyToAddresses = [reply_to];
     }
-    const sg = await sendgrid.get()
-    await sg.send(msg)
-}
+
+    await ses.send(new SendEmailCommand(params));
+};

backend/email.js

@@ -1,72 +1,56 @@
 "use strict";
 
-jest.mock('@sendgrid/mail');
-jest.mock('./secret', () => jest.fn().mockResolvedValue('test-sendgrid-key'));
+jest.mock('@aws-sdk/client-ses');
 
 describe('email_myself', () => {
-  let sendgrid;
+  let SESClient, SendEmailCommand, mockSend;
   let email_myself;
 
   beforeEach(() => {
     jest.resetModules();
-    sendgrid = require('@sendgrid/mail');
-    sendgrid.__mockSend.mockClear();
-    sendgrid.__mockSetApiKey.mockClear();
+    const ses = require('@aws-sdk/client-ses');
+    SESClient = ses.SESClient;
+    SendEmailCommand = ses.SendEmailCommand;
+    mockSend = ses.__mockSend;
+    mockSend.mockClear();
+    mockSend.mockResolvedValue({});
     email_myself = require('./email').email_myself;
   });
 
   test('sends email with correct payload', async () => {
     await email_myself('Test Sender', 'Test Subject', 'Test message body');
 
-    expect(sendgrid.setApiKey).toHaveBeenCalledWith('test-sendgrid-key');
-    expect(sendgrid.send).toHaveBeenCalledWith({
-      to: 'messmer@cryfs.org',
-      from: {
-        email: 'messmer@cryfs.org',
-        name: 'Test Sender',
+    expect(mockSend).toHaveBeenCalledTimes(1);
+    const command = mockSend.mock.calls[0][0];
+    expect(command).toBeInstanceOf(SendEmailCommand);
+    expect(command.input).toEqual({
+      Source: 'Test Sender <messmer@cryfs.org>',
+      Destination: { ToAddresses: ['messmer@cryfs.org'] },
+      Message: {
+        Subject: { Data: 'Test Subject' },
+        Body: { Text: { Data: 'Test message body' } },
       },
-      subject: 'Test Subject',
-      text: 'Test message body',
     });
   });
 
   test('includes reply_to when provided', async () => {
     await email_myself('Sender', 'Subject', 'Message', 'reply@example.com');
 
-    expect(sendgrid.send).toHaveBeenCalledWith({
-      to: 'messmer@cryfs.org',
-      from: {
-        email: 'messmer@cryfs.org',
-        name: 'Sender',
-      },
-      subject: 'Subject',
-      text: 'Message',
-      reply_to: 'reply@example.com',
-    });
+    const command = mockSend.mock.calls[0][0];
+    expect(command.input.ReplyToAddresses).toEqual(['reply@example.com']);
   });
 
   test('excludes reply_to when undefined', async () => {
     await email_myself('Sender', 'Subject', 'Message', undefined);
 
-    const callArgs = sendgrid.send.mock.calls[0][0];
-    expect(callArgs).not.toHaveProperty('reply_to');
+    const command = mockSend.mock.calls[0][0];
+    expect(command.input).not.toHaveProperty('ReplyToAddresses');
   });
 
   test('excludes reply_to when empty string', async () => {
     await email_myself('Sender', 'Subject', 'Message', '');
 
-    const callArgs = sendgrid.send.mock.calls[0][0];
-    expect(callArgs).not.toHaveProperty('reply_to');
-  });
-
-  test('caches SendGrid instance across calls', async () => {
-    // Within this single test, make multiple calls
-    await email_myself('Sender1', 'Subject1', 'Message1');
-    await email_myself('Sender2', 'Subject2', 'Message2');
-    await email_myself('Sender3', 'Subject3', 'Message3');
-
-    // setApiKey should only be called once due to CachedValue
-    expect(sendgrid.setApiKey).toHaveBeenCalledTimes(1);
-    expect(sendgrid.send).toHaveBeenCalledTimes(3);
+    const command = mockSend.mock.calls[0][0];
+    expect(command.input).not.toHaveProperty('ReplyToAddresses');
   });
 });

backend/email.test.js

@@ -6,39 +6,40 @@
  */
 
 jest.mock('@aws-sdk/client-ssm');
-jest.mock('@sendgrid/mail');
+jest.mock('@aws-sdk/client-ses');
 jest.mock('mailchimp-api-v3');
 
 describe('Integration Tests', () => {
   const validToken = 'fd0kAn1zns';
   let ssmClient;
-  let sendgrid;
+  let sesClient;
   let Mailchimp;
 
   beforeEach(() => {
     jest.resetModules();
 
     // Re-require mocks after resetModules
     ssmClient = require('@aws-sdk/client-ssm');
-    sendgrid = require('@sendgrid/mail');
+    sesClient = require('@aws-sdk/client-ses');
     Mailchimp = require('mailchimp-api-v3');
 
     // Reset all mock functions
     ssmClient.__mockSend.mockReset();
-    sendgrid.__mockSend.mockClear();
-    sendgrid.__mockSetApiKey.mockClear();
+    sesClient.__mockSend.mockReset();
     Mailchimp.__mockPost.mockReset();
     Mailchimp.__mockGet.mockReset();
     Mailchimp.__mockPut.mockReset();
 
-    // Setup default AWS SSM mock
+    // Setup default AWS SSM mock (for newsletter - no longer has SENDGRID_API_KEY)
     ssmClient.__mockSend.mockResolvedValue({
       Parameters: [
         { Name: 'MAILCHIMP_API_TOKEN', Value: 'mc-token' },
         { Name: 'MAILCHIMP_LIST_ID', Value: 'list-id' },
-        { Name: 'SENDGRID_API_KEY', Value: 'sg-key' },
       ],
     });
+
+    // Setup default SES mock
+    sesClient.__mockSend.mockResolvedValue({});
   });
 
   describe('Newsletter Registration Flow', () => {
@@ -72,8 +73,8 @@ describe('Integration Tests', () => {
         },
       });
 
-      // Verify notification email was sent
-      expect(sendgrid.send).toHaveBeenCalled();
+      // Verify notification email was sent via SES
+      expect(sesClient.__mockSend).toHaveBeenCalled();
     });
 
     test('invalid token blocks Mailchimp call', async () => {
@@ -115,14 +116,14 @@ describe('Integration Tests', () => {
       // Verify CORS headers
       expect(result.headers['Access-Control-Allow-Origin']).toBe('https://www.cryfs.org');
 
-      // Verify email was sent via SendGrid
-      expect(sendgrid.send).toHaveBeenCalledWith(
-        expect.objectContaining({
-          to: 'messmer@cryfs.org',
-          subject: expect.stringContaining('visitor@example.com'),
-          text: 'Hello, I need help!',
-        })
-      );
+      // Verify email was sent via SES
+      expect(sesClient.__mockSend).toHaveBeenCalledTimes(1);
+      const command = sesClient.__mockSend.mock.calls[0][0];
+      expect(command).toBeInstanceOf(sesClient.SendEmailCommand);
+      expect(command.input.Destination.ToAddresses).toEqual(['messmer@cryfs.org']);
+      expect(command.input.Message.Subject.Data).toContain('visitor@example.com');
+      expect(command.input.Message.Body.Text.Data).toBe('Hello, I need help!');
+      expect(command.input.ReplyToAddresses).toEqual(['visitor@example.com']);
     });
   });
 
@@ -143,12 +144,10 @@ describe('Integration Tests', () => {
 
       expect(result.statusCode).toBe(500);
 
-      // Verify error notification email was sent
-      expect(sendgrid.send).toHaveBeenCalledWith(
-        expect.objectContaining({
-          subject: expect.stringContaining('Error'),
-        })
-      );
+      // Verify error notification email was sent via SES
+      expect(sesClient.__mockSend).toHaveBeenCalled();
+      const command = sesClient.__mockSend.mock.calls[0][0];
+      expect(command.input.Message.Subject.Data).toContain('Error');
     });
   });
 
@@ -167,12 +166,12 @@ describe('Integration Tests', () => {
 
       await register(event, {});
 
-      // Verify SSM was called with correct parameters
+      // Verify SSM was called with correct parameters (no more SENDGRID_API_KEY)
       expect(ssmClient.__mockSend).toHaveBeenCalledTimes(1);
       const command = ssmClient.__mockSend.mock.calls[0][0];
       expect(command).toBeInstanceOf(ssmClient.GetParametersCommand);
       expect(command.input).toEqual({
-        Names: ['MAILCHIMP_API_TOKEN', 'MAILCHIMP_LIST_ID', 'SENDGRID_API_KEY'],
+        Names: ['MAILCHIMP_API_TOKEN', 'MAILCHIMP_LIST_ID'],
         WithDecryption: true,
       });
     });