feat(core,experience): pre validate email blocklist (#7395)

simeng-li · web-flow · commit 2759ff85eca3 · 2025-05-16T12:27:28.000+08:00
* feat(core,experience): pre validate email blocklist

pre validate email against blocklist on user registraction before send verification code

* style(experience): add danger style
add danger style to the profile fulfillment form

* fix(test): fix tests

fix tests

* chore: fix typo

fix typo
diff --git a/packages/core/src/libraries/sign-in-experience/email-blocklist-policy.ts b/packages/core/src/libraries/sign-in-experience/email-blocklist-policy.ts
@@ -45,7 +45,8 @@ export const parseEmailBlocklistPolicy = (
   // TODO: @simeng remove this validation when the feature is ready
   assertThat(
     EnvSet.values.isDevFeaturesEnabled,
-    new RequestError('request.invalid_input', {
+    new RequestError({
+      code: 'request.invalid_input',
       details: 'Email block list policy is not supported in this environment',
     })
   );
@@ -56,8 +57,9 @@ export const parseEmailBlocklistPolicy = (
   if (rest.blockDisposableAddresses) {
     assertThat(
       EnvSet.values.isCloud,
-      new RequestError('request.invalid_input', {
-        details: 'blockDisposableAddresses is not supported in this environment',
+      new RequestError({
+        code: 'request.invalid_input',
+        details: 'Disposable email domain validation is not supported in this environment',
       })
     );
   }
@@ -74,7 +76,7 @@ const disposableEmailDomainValidationResponseGuard = z.object({
 
 const validateDisposableEmailDomain = async (email: string) => {
   // TODO: Skip the validation for integration test for now
-  if (EnvSet.values.isIntegrationTest) {
+  if (EnvSet.values.isIntegrationTest || EnvSet.values.isUnitTest) {
     return;
   }
 
@@ -143,11 +145,6 @@ export const validateEmailAgainstBlocklistPolicy = async (
 
   assertThat(domain, new RequestError('session.email_blocklist.invalid_email'));
 
-  // Guard disposable email domain if enabled
-  if (EnvSet.values.isCloud && blockDisposableAddresses) {
-    await validateDisposableEmailDomain(email);
-  }
-
   // Guard email subaddressing if enabled
   if (blockSubaddressing) {
     const subaddressingRegex = new RegExp(`^.*\\+.*@${domain}$`);
@@ -180,6 +177,11 @@ export const validateEmailAgainstBlocklistPolicy = async (
       })
     );
   }
+
+  // Guard disposable email domain if enabled
+  if (blockDisposableAddresses) {
+    await validateDisposableEmailDomain(email);
+  }
 };
 
 export const isEmailBlocklistPolicyEnabled = (emailBlockListPolicy: EmailBlocklistPolicy) => {
diff --git a/packages/core/src/routes/experience/verification-routes/verification-code.ts b/packages/core/src/routes/experience/verification-routes/verification-code.ts
@@ -101,6 +101,16 @@ export default function verificationCodeRoutes<T extends ExperienceInteractionRo
         getTemplateTypeByEvent(interactionEvent)
       );
 
+      // Pre validate the email against email blocklist if the interaction event is register
+      if (
+        interactionEvent === InteractionEvent.Register &&
+        identifier.type === SignInIdentifier.Email
+      ) {
+        await ctx.experienceInteraction.signInExperienceValidator.guardEmailBlocklist(
+          codeVerification
+        );
+      }
+
       const templateContext = await buildVerificationCodeTemplateContext(
         libraries.passcodes,
         ctx,
diff --git a/packages/experience/src/hooks/use-send-verification-code.ts b/packages/experience/src/hooks/use-send-verification-code.ts
@@ -56,6 +56,12 @@ const useSendVerificationCode = (flow: UserFlow, replaceCurrentPage?: boolean) =
               identifier === SignInIdentifier.Email ? 'invalid_email' : 'invalid_phone'
             );
           },
+          'session.email_blocklist.email_not_allowed': (error) => {
+            setErrorMessage(error.message);
+          },
+          'session.email_blocklist.email_subaddressing_not_allowed': (error) => {
+            setErrorMessage(error.message);
+          },
         });
 
         return;
diff --git a/packages/experience/src/pages/Continue/IdentifierProfileForm/index.tsx b/packages/experience/src/pages/Continue/IdentifierProfileForm/index.tsx
@@ -105,7 +105,7 @@ const IdentifierProfileForm = ({
             autoFocus={autoFocus}
             className={styles.inputField}
             {...field}
-            isDanger={!!errors.identifier}
+            isDanger={!!errors.identifier || !!errorMessage}
             errorMessage={errors.identifier?.message}
             enabledTypes={enabledTypes}
           />
diff --git a/packages/integration-tests/src/tests/api/experience-api/register-interaction/email-blocklist.test.ts b/packages/integration-tests/src/tests/api/experience-api/register-interaction/email-blocklist.test.ts
@@ -14,10 +14,6 @@ import {
   successFullyCreateSocialVerification,
   successFullyVerifySocialAuthorization,
 } from '#src/helpers/experience/social-verification.js';
-import {
-  successfullySendVerificationCode,
-  successfullyVerifyVerificationCode,
-} from '#src/helpers/experience/verification-code.js';
 import { expectRejects } from '#src/helpers/index.js';
 import { devFeatureTest, generateEmail } from '#src/utils.js';
 
@@ -57,33 +53,10 @@ devFeatureTest.describe(
         interactionEvent: InteractionEvent.Register,
       });
 
-      const { verificationId, code } = await successfullySendVerificationCode(client, {
-        identifier,
-        interactionEvent: InteractionEvent.Register,
-      });
-
-      await successfullyVerifyVerificationCode(client, {
-        identifier,
-        verificationId,
-        code,
-      });
-
-      // Should reject the registration directly
       await expectRejects(
-        client.identifyUser({
-          verificationId,
-        }),
-        {
-          code: 'session.email_blocklist.email_subaddressing_not_allowed',
-          status: 422,
-        }
-      );
-
-      // Should reject the profile creation
-      await expectRejects(
-        client.updateProfile({
-          type: SignInIdentifier.Email,
-          verificationId,
+        client.sendVerificationCode({
+          identifier,
+          interactionEvent: InteractionEvent.Register,
         }),
         {
           code: 'session.email_blocklist.email_subaddressing_not_allowed',
@@ -104,33 +77,10 @@ devFeatureTest.describe(
         interactionEvent: InteractionEvent.Register,
       });
 
-      const { verificationId, code } = await successfullySendVerificationCode(client, {
-        identifier,
-        interactionEvent: InteractionEvent.Register,
-      });
-
-      await successfullyVerifyVerificationCode(client, {
-        identifier,
-        verificationId,
-        code,
-      });
-
-      // Should reject the registration directly
-      await expectRejects(
-        client.identifyUser({
-          verificationId,
-        }),
-        {
-          code: errorCode,
-          status: 422,
-        }
-      );
-
-      // Should reject the profile creation
       await expectRejects(
-        client.updateProfile({
-          type: SignInIdentifier.Email,
-          verificationId,
+        client.sendVerificationCode({
+          identifier,
+          interactionEvent: InteractionEvent.Register,
         }),
         {
           code: errorCode,
