feat: prevent join requests with equal mail

lib/mv_web/emails/join_already_member_email.ex

@@ -0,0 +1,42 @@
+defmodule MvWeb.Emails.JoinAlreadyMemberEmail do
+  @moduledoc """
+  Sends an email when someone submits the join form with an address that is already a member.
+
+  Used for anti-enumeration: the UI shows the same success message; only the email
+  informs the recipient. Uses the unified email layout.
+  """
+  use Phoenix.Swoosh,
+    view: MvWeb.EmailsView,
+    layout: {MvWeb.EmailLayoutView, "layout.html"}
+
+  use MvWeb, :verified_routes
+  import Swoosh.Email
+  use Gettext, backend: MvWeb.Gettext, otp_app: :mv
+
+  alias Mv.Mailer
+
+  @doc """
+  Sends the "already a member" notice to the given address.
+
+  Returns `{:ok, email}` on success, `{:error, reason}` on delivery failure.
+  """
+  def send(email_address) when is_binary(email_address) do
+    subject = gettext("Membership application – already a member")
+
+    assigns = %{
+      subject: subject,
+      app_name: Mailer.mail_from() |> elem(0),
+      locale: Gettext.get_locale(MvWeb.Gettext)
+    }
+
+    email =
+      new()
+      |> from(Mailer.mail_from())
+      |> to(email_address)
+      |> subject(subject)
+      |> put_view(MvWeb.EmailsView)
+      |> render_body("join_already_member.html", assigns)
+
+    Mailer.deliver(email, Mailer.smtp_config())
+  end
+end

lib/mv_web/emails/join_already_pending_email.ex

@@ -0,0 +1,43 @@
+defmodule MvWeb.Emails.JoinAlreadyPendingEmail do
+  @moduledoc """
+  Sends an email when someone submits the join form with an address that already
+  has a submitted (confirmed) application under review.
+
+  Used for anti-enumeration: the UI shows the same success message; only the email
+  informs the recipient. Uses the unified email layout.
+  """
+  use Phoenix.Swoosh,
+    view: MvWeb.EmailsView,
+    layout: {MvWeb.EmailLayoutView, "layout.html"}
+
+  use MvWeb, :verified_routes
+  import Swoosh.Email
+  use Gettext, backend: MvWeb.Gettext, otp_app: :mv
+
+  alias Mv.Mailer
+
+  @doc """
+  Sends the "application already under review" notice to the given address.
+
+  Returns `{:ok, email}` on success, `{:error, reason}` on delivery failure.
+  """
+  def send(email_address) when is_binary(email_address) do
+    subject = gettext("Membership application – already under review")
+
+    assigns = %{
+      subject: subject,
+      app_name: Mailer.mail_from() |> elem(0),
+      locale: Gettext.get_locale(MvWeb.Gettext)
+    }
+
+    email =
+      new()
+      |> from(Mailer.mail_from())
+      |> to(email_address)
+      |> subject(subject)
+      |> put_view(MvWeb.EmailsView)
+      |> render_body("join_already_pending.html", assigns)
+
+    Mailer.deliver(email, Mailer.smtp_config())
+  end
+end

lib/mv_web/emails/join_confirmation_email.ex

@@ -18,10 +18,16 @@ defmodule MvWeb.Emails.JoinConfirmationEmail do
   Uses the same SMTP configuration as the test mail (Settings or boot ENV) via
   `Mailer.deliver/2` with `Mailer.smtp_config/0` for consistency.
 
-  Called from the domain after a JoinRequest is created (submit flow).
+  Called from the domain after a JoinRequest is created (submit flow) or when
+  resending to an existing pending request.
+
+  ## Options
+    - `:resend` - If true, adds a short note that the link is being sent again for an existing request.
+
   Returns `{:ok, email}` on success, `{:error, reason}` on delivery failure.
   """
-  def send(email_address, token) when is_binary(email_address) and is_binary(token) do
+  def send(email_address, token, opts \\ [])
+      when is_binary(email_address) and is_binary(token) do
     confirm_url = url(~p"/confirm_join/#{token}")
     subject = gettext("Confirm your membership request")
 
@@ -29,7 +35,8 @@ defmodule MvWeb.Emails.JoinConfirmationEmail do
       confirm_url: confirm_url,
       subject: subject,
       app_name: Mailer.mail_from() |> elem(0),
-      locale: Gettext.get_locale(MvWeb.Gettext)
+      locale: Gettext.get_locale(MvWeb.Gettext),
+      resend: Keyword.get(opts, :resend, false)
     }
 
     email =