Backend: Enhance email validation in EvalAIAccountAdapter to reject role-based, disposable, and typo'd addresses. (#5057)

* Backend: Enhance email validation in EvalAIAccountAdapter to reject role-based, disposable, and typo'd addresses. Update settings to allow additional blocked domains via environment variable. Add comprehensive unit tests for new validation rules and typo detection.

* Refactor email validation in EvalAIAccountAdapter: streamline role-based and disposable email checks, enhance typo detection logic, and update unit tests. Remove unused JSON import and related comments from settings.

* Implement additional email validation tests in EvalAIAccountAdapter: add checks for role-based and disposable email addresses, enhance typo detection, and ensure comprehensive coverage in unit tests. Update imports and settings for improved functionality.

Author: RishabhJain2018

apps/accounts/adapter.py

@@ -2,18 +2,79 @@
 
 import dns.resolver
 from allauth.account.adapter import DefaultAccountAdapter
+from disposable_email_domains import blocklist
+from django.conf import settings
 from django.contrib.auth.models import User
 from django.core.exceptions import ValidationError
 
 logger = logging.getLogger(__name__)
 
+DISPOSABLE_DOMAINS = frozenset(blocklist)
+
+ROLE_BASED_LOCAL_PARTS = frozenset(
+    {
+        "abuse",
+        "admin",
+        "billing",
+        "compliance",
+        "devnull",
+        "ftp",
+        "hostmaster",
+        "info",
+        "mailer-daemon",
+        "marketing",
+        "no-reply",
+        "noc",
+        "noreply",
+        "postmaster",
+        "root",
+        "sales",
+        "security",
+        "support",
+        "webmaster",
+        "www",
+    }
+)
+
+DOMAIN_TYPO_MAP = {
+    "gamil.com": "gmail.com",
+    "gail.com": "gmail.com",
+    "gmal.com": "gmail.com",
+    "gmaill.com": "gmail.com",
+    "gmali.com": "gmail.com",
+    "gmial.com": "gmail.com",
+    "gmil.com": "gmail.com",
+    "gnail.com": "gmail.com",
+    "gogglemail.com": "googlemail.com",
+    "googlmail.com": "googlemail.com",
+    "hotamil.com": "hotmail.com",
+    "hotmai.com": "hotmail.com",
+    "hotmal.com": "hotmail.com",
+    "hotmial.com": "hotmail.com",
+    "hotmil.com": "hotmail.com",
+    "iclod.com": "icloud.com",
+    "iclould.com": "icloud.com",
+    "outloo.com": "outlook.com",
+    "outlok.com": "outlook.com",
+    "outlool.com": "outlook.com",
+    "outook.com": "outlook.com",
+    "protonmal.com": "protonmail.com",
+    "protonmaill.com": "protonmail.com",
+    "yaho.com": "yahoo.com",
+    "yahooo.com": "yahoo.com",
+    "yaho.co.in": "yahoo.co.in",
+    "yhaoo.com": "yahoo.com",
+    "yhoo.com": "yahoo.com",
+}
+
 
 class EvalAIAccountAdapter(DefaultAccountAdapter):
     """
     Custom allauth adapter that:
-    1. Validates email domains have valid MX records at registration time.
-    2. Suppresses outgoing allauth emails to addresses flagged as bounced.
-    3. Clears the email_bounced flag when a new email address is confirmed.
+    1. Rejects duplicate, role-based, typo'd, and disposable email addresses.
+    2. Validates email domains have valid MX records at registration time.
+    3. Suppresses outgoing allauth emails to addresses flagged as bounced.
+    4. Clears the email_bounced flag when a new email address is confirmed.
     """
 
     def clean_email(self, email):
@@ -24,7 +85,31 @@ def clean_email(self, email):
                 "A user is already registered with this email address."
             )
 
-        domain = email.rsplit("@", 1)[-1]
+        local_part, domain = email.rsplit("@", 1)
+        domain = domain.lower()
+
+        if local_part.lower() in ROLE_BASED_LOCAL_PARTS:
+            raise ValidationError(
+                "Role-based email addresses (e.g. noreply@, admin@) are "
+                "not accepted. Please use a personal email address."
+            )
+
+        # Check typo before disposable so users get helpful suggestions
+        # (typo domains may also appear in the disposable blocklist)
+        suggested = DOMAIN_TYPO_MAP.get(domain)
+        if suggested:
+            raise ValidationError(
+                "Did you mean {}@{}? The domain '{}' looks like a typo.".format(
+                    local_part, suggested, domain
+                )
+            )
+
+        extra_blocked = set(getattr(settings, "BLOCKED_EMAIL_DOMAINS", []))
+        if domain in DISPOSABLE_DOMAINS or domain in extra_blocked:
+            raise ValidationError(
+                "Disposable email addresses are not allowed. "
+                "Please use a permanent email address."
+            )
 
         if not self._domain_has_mx_records(domain):
             raise ValidationError(

requirements/common.txt

@@ -4,6 +4,7 @@ botocore==1.31.78
 celery[sqs]==4.3.0
 cfn-lint==0.48.3
 commonmark==0.9.1
+disposable-email-domains>=0.0.167
 django-allauth==0.43.0
 dnspython==2.6.1
 django-cors-headers==3.5.0

tests/unit/accounts/test_adapter.py

@@ -2,10 +2,10 @@
 
 import dns.exception
 import dns.resolver
-from accounts.adapter import EvalAIAccountAdapter
+from accounts.adapter import DISPOSABLE_DOMAINS, EvalAIAccountAdapter
 from django.contrib.auth.models import User
 from django.core.exceptions import ValidationError
-from django.test import TestCase
+from django.test import TestCase, override_settings
 
 
 class TestEvalAIAccountAdapterMXValidation(TestCase):
@@ -78,6 +78,67 @@ def test_clean_email_allows_new_address(self, mock_resolve):
         self.assertEqual(result, "fresh@example.com")
 
 
+class TestRoleBasedEmailRejection(TestCase):
+    def setUp(self):
+        self.adapter = EvalAIAccountAdapter()
+
+    @patch("accounts.adapter.dns.resolver.resolve")
+    def test_rejects_noreply_address(self, mock_resolve):
+        mock_resolve.return_value = [MagicMock()]
+        with self.assertRaises(ValidationError) as ctx:
+            self.adapter.clean_email("noreply@example.com")
+        self.assertIn("Role-based email", str(ctx.exception))
+
+    @patch("accounts.adapter.dns.resolver.resolve")
+    def test_rejects_admin_address(self, mock_resolve):
+        mock_resolve.return_value = [MagicMock()]
+        with self.assertRaises(ValidationError) as ctx:
+            self.adapter.clean_email("admin@example.com")
+        self.assertIn("Role-based email", str(ctx.exception))
+
+
+class TestDomainTypoDetection(TestCase):
+    def setUp(self):
+        self.adapter = EvalAIAccountAdapter()
+
+    @patch("accounts.adapter.dns.resolver.resolve")
+    def test_rejects_gmial_with_suggestion(self, mock_resolve):
+        mock_resolve.return_value = [MagicMock()]
+        with self.assertRaises(ValidationError) as ctx:
+            self.adapter.clean_email("alice@gmial.com")
+        msg = str(ctx.exception)
+        self.assertIn("Did you mean alice@gmail.com", msg)
+        self.assertIn("looks like a typo", msg)
+
+    @patch("accounts.adapter.dns.resolver.resolve")
+    def test_rejects_typo_case_insensitive(self, mock_resolve):
+        mock_resolve.return_value = [MagicMock()]
+        with self.assertRaises(ValidationError) as ctx:
+            self.adapter.clean_email("user@GMIAL.COM")
+        self.assertIn("Did you mean", str(ctx.exception))
+
+
+class TestDisposableEmailRejection(TestCase):
+    def setUp(self):
+        self.adapter = EvalAIAccountAdapter()
+
+    @patch("accounts.adapter.dns.resolver.resolve")
+    def test_rejects_known_disposable_domain(self, mock_resolve):
+        mock_resolve.return_value = [MagicMock()]
+        self.assertIn("mailinator.com", DISPOSABLE_DOMAINS)
+        with self.assertRaises(ValidationError) as ctx:
+            self.adapter.clean_email("user@mailinator.com")
+        self.assertIn("Disposable email", str(ctx.exception))
+
+    @patch("accounts.adapter.dns.resolver.resolve")
+    @override_settings(BLOCKED_EMAIL_DOMAINS=["custom-blocked.com"])
+    def test_rejects_admin_blocked_domain(self, mock_resolve):
+        mock_resolve.return_value = [MagicMock()]
+        with self.assertRaises(ValidationError) as ctx:
+            self.adapter.clean_email("user@custom-blocked.com")
+        self.assertIn("Disposable email", str(ctx.exception))
+
+
 class TestEvalAIAccountAdapterSendMail(TestCase):
     def setUp(self):
         self.adapter = EvalAIAccountAdapter()