feat: Disallow disposable emails

Author: LubomirGeorgiev

README.md

@@ -15,6 +15,7 @@ Have a look at the [project plan](./cursor-docs/project-plan.md) to get an overv
   - 📧 Email/Password Sign In
   - 📝 Email/Password Sign Up
   - 🔑 WebAuthn/Passkey Authentication
+  - 🌐 Google OAuth/SSO Integration
   - 🔄 Forgot Password Flow
   - 🔒 Change Password
   - ✉️ Email Verification
@@ -23,6 +24,7 @@ Have a look at the [project plan](./cursor-docs/project-plan.md) to get an overv
   - ⚡ Rate Limiting for Auth Endpoints
   - 🛡️ Protected Routes and Layouts
   - 📋 Session Listing and Management
+  - 🔒 Anti-Disposable Email Protection
 - 💾 Database with Drizzle and Cloudflare D1
   - 🏗️ Type-safe Database Operations
   - 🔄 Automatic Migration Generation

src/app/(auth)/sign-up/passkey-sign-up.actions.ts

@@ -8,7 +8,7 @@ import { userTable } from "@/db/schema";
 import { eq } from "drizzle-orm";
 import { createId } from "@paralleldrive/cuid2";
 import { cookies, headers } from "next/headers";
-import { createSession, generateSessionToken, setSessionTokenCookie } from "@/utils/auth";
+import { createSession, generateSessionToken, setSessionTokenCookie, canSignUp } from "@/utils/auth";
 import type { RegistrationResponseJSON, PublicKeyCredentialCreationOptionsJSON } from "@simplewebauthn/typescript-types";
 import { withRateLimit, RATE_LIMITS } from "@/utils/with-rate-limit";
 import { getIP } from "@/utils/getIP";
@@ -28,6 +28,10 @@ export const startPasskeyRegistrationAction = createServerAction()
     return withRateLimit(
       async () => {
         const db = getDB();
+
+        // Check if email is disposable
+        await canSignUp({ email: input.email });
+
         const existingUser = await db.query.userTable.findFirst({
           where: eq(userTable.email, input.email),
         });

src/app/(auth)/sign-up/sign-up.actions.ts

@@ -5,7 +5,7 @@ import { getDB } from "@/db"
 import { userTable } from "@/db/schema"
 import { signUpSchema } from "@/schemas/signup.schema";
 import { hashPassword } from "@/utils/passwordHasher";
-import { createSession, generateSessionToken, setSessionTokenCookie } from "@/utils/auth";
+import { createSession, generateSessionToken, setSessionTokenCookie, canSignUp } from "@/utils/auth";
 import { eq } from "drizzle-orm";
 import { createId } from "@paralleldrive/cuid2";
 import { getCloudflareContext } from "@opennextjs/cloudflare";
@@ -25,6 +25,9 @@ export const signUpAction = createServerAction()
 
         // TODO Implement a captcha
 
+        // Check if email is disposable
+        await canSignUp({ email: input.email });
+
         // Check if email is already taken
         const existingUser = await db.query.userTable.findFirst({
           where: eq(userTable.email, input.email),

src/app/(auth)/sso/google/callback/google-callback.action.ts

@@ -10,7 +10,7 @@ import { decodeIdToken } from "arctic";
 import { getDB } from "@/db";
 import { eq } from "drizzle-orm";
 import { userTable } from "@/db/schema";
-import { createAndStoreSession } from "@/utils/auth";
+import { createAndStoreSession, canSignUp } from "@/utils/auth";
 import { isGoogleSSOEnabled } from "@/flags";
 import { getIP } from "@/utils/getIP";
 
@@ -96,6 +96,9 @@ export const googleSSOCallbackAction = createServerAction()
       const avatarUrl = claims.picture;
       const email = claims.email;
 
+      // Check if email is disposable
+      await canSignUp({ email });
+
       const db = getDB();
 
       try {

src/utils/auth.ts

@@ -218,3 +218,106 @@ export async function requireVerifiedEmail() {
 
   return session;
 }
+
+interface DisposableEmailResponse {
+  disposable: string;
+}
+
+interface MailcheckResponse {
+  status: number;
+  email: string;
+  domain: string;
+  mx: boolean;
+  disposable: boolean;
+  public_domain: boolean;
+  relay_domain: boolean;
+  alias: boolean;
+  role_account: boolean;
+  did_you_mean: string | null;
+}
+
+type ValidatorResult = {
+  success: boolean;
+  isDisposable: boolean;
+};
+
+/**
+ * Checks if an email is disposable using debounce.io
+ */
+async function checkWithDebounce(email: string): Promise<ValidatorResult> {
+  try {
+    const response = await fetch(`https://disposable.debounce.io/?email=${encodeURIComponent(email)}`);
+
+    if (!response.ok) {
+      console.error("Debounce.io API error:", response.status);
+      return { success: false, isDisposable: false };
+    }
+
+    const data = await response.json() as DisposableEmailResponse;
+
+    return { success: true, isDisposable: data.disposable === "true" };
+  } catch (error) {
+    console.error("Failed to check disposable email with debounce.io:", error);
+    return { success: false, isDisposable: false };
+  }
+}
+
+/**
+ * Checks if an email is disposable using mailcheck.ai
+ */
+async function checkWithMailcheck(email: string): Promise<ValidatorResult> {
+  try {
+    const response = await fetch(`https://api.mailcheck.ai/email/${encodeURIComponent(email)}`);
+
+    if (!response.ok) {
+      console.error("Mailcheck.ai API error:", response.status);
+      return { success: false, isDisposable: false };
+    }
+
+    const data = await response.json() as MailcheckResponse;
+    return { success: true, isDisposable: data.disposable };
+  } catch (error) {
+    console.error("Failed to check disposable email with mailcheck.ai:", error);
+    return { success: false, isDisposable: false };
+  }
+}
+
+
+/**
+ * Checks if an email is allowed for sign up by verifying it's not a disposable email
+ * Uses multiple services in sequence for redundancy.
+ *
+ * @throws {ZSAError} If email is disposable or if all services fail
+ */
+export async function canSignUp({ email }: { email: string }): Promise<void> {
+  const validators = [
+    checkWithDebounce,
+    checkWithMailcheck,
+  ];
+
+  for (const validator of validators) {
+    const result = await validator(email);
+
+    // If the validator failed (network error, rate limit, etc), try the next one
+    if (!result.success) {
+      continue;
+    }
+
+    // If we got a successful response and it's disposable, reject the signup
+    if (result.isDisposable) {
+      throw new ZSAError(
+        "PRECONDITION_FAILED",
+        "Disposable email addresses are not allowed"
+      );
+    }
+
+    // If we got a successful response and it's not disposable, allow the signup
+    return;
+  }
+
+  // If all validators failed, we can't verify the email
+  throw new ZSAError(
+    "PRECONDITION_FAILED",
+    "Unable to verify email address at this time. Please try again later."
+  );
+}

src/utils/with-rate-limit.ts

@@ -2,6 +2,7 @@ import "server-only";
 import { checkRateLimit } from "./rate-limit";
 import { getIP } from "./getIP";
 import ms from "ms";
+import isProd from "./isProd";
 
 interface RateLimitConfig {
   identifier: string;
@@ -13,6 +14,11 @@ export async function withRateLimit<T>(
   action: () => Promise<T>,
   config: RateLimitConfig
 ): Promise<T> {
+
+  if (!isProd) {
+    return action();
+  }
+
   const ip = await getIP();
 
   const rateLimitResult = await checkRateLimit({