feat(core,experience): add disposable email validation (#7374)

* feat(core,experience): add disposable email validation

add disposable email validation

* chore(core): remove useless false return value

remove useless false return value

* refactor(core): optimize the error message

optimize the error message

Author: simeng-li

packages/console/src/pages/Security/Blocklist/BlocklistForm/index.tsx

@@ -11,6 +11,7 @@ import FormCard from '@/components/FormCard';
 import MultiOptionInput from '@/components/MultiOptionInput';
 import UnsavedChangesAlertModal from '@/components/UnsavedChangesAlertModal';
 import { emailBlocklist } from '@/consts';
+import { isCloud } from '@/consts/env';
 import { latestProPlanId } from '@/consts/subscriptions';
 import FormField from '@/ds-components/FormField';
 import Switch from '@/ds-components/Switch';
@@ -94,13 +95,15 @@ function BlocklistForm({ formData }: Props) {
           }
           learnMoreLink={{ href: emailBlocklist }}
         >
-          <FormField title="security.blocklist.disposable_email.title">
-            <Switch
-              disabled={isFreeTenant}
-              label={t('blocklist.disposable_email.description')}
-              {...register('blockDisposableAddresses')}
-            />
-          </FormField>
+          {isCloud && (
+            <FormField title="security.blocklist.disposable_email.title">
+              <Switch
+                disabled={isFreeTenant}
+                label={t('blocklist.disposable_email.description')}
+                {...register('blockDisposableAddresses')}
+              />
+            </FormField>
+          )}
           <FormField title="security.blocklist.email_subaddressing.title">
             <Switch
               disabled={isFreeTenant}

packages/core/src/libraries/sign-in-experience/email-blocklist-policy.ts

@@ -1,6 +1,8 @@
 import { emailOrEmailDomainRegex } from '@logto/core-kit';
 import { type EmailBlocklistPolicy } from '@logto/schemas';
 import { conditional, deduplicate } from '@silverhand/essentials';
+import { got } from 'got';
+import { z } from 'zod';
 
 import { EnvSet } from '#src/env-set/index.js';
 import RequestError from '#src/errors/RequestError/index.js';
@@ -50,12 +52,75 @@ export const parseEmailBlocklistPolicy = (
 
   const { customBlocklist, ...rest } = emailBlocklistPolicy;
 
+  // BlockDisposableAddresses is not supported for OSS.
+  if (rest.blockDisposableAddresses) {
+    assertThat(
+      EnvSet.values.isCloud,
+      new RequestError('request.invalid_input', {
+        details: 'blockDisposableAddresses is not supported in this environment',
+      })
+    );
+  }
+
   return {
     ...rest,
     ...conditional(customBlocklist && { customBlocklist: parseCustomBlocklist(customBlocklist) }),
   };
 };
 
+const disposableEmailDomainValidationResponseGuard = z.object({
+  isDisposable: z.boolean(),
+});
+
+const validateDisposableEmailDomain = async (email: string) => {
+  // TODO: Skip the validation for integration test for now
+  if (EnvSet.values.isIntegrationTest) {
+    return;
+  }
+
+  try {
+    assertThat(
+      EnvSet.values.azureFunctionAppEndpoint,
+      new Error('Environment variable AZURE_FUNCTION_APP_ENDPOINT is not set')
+    );
+
+    const result = await got
+      .post(
+        new URL('/api/disposable-email-domain-validation', EnvSet.values.azureFunctionAppEndpoint),
+        {
+          json: {
+            email,
+          },
+          headers: {
+            'x-functions-key': EnvSet.values.azureFunctionAppKey,
+          },
+        }
+      )
+      .json<unknown>();
+
+    const { isDisposable } = disposableEmailDomainValidationResponseGuard.parse(result);
+
+    assertThat(
+      !isDisposable,
+      new RequestError({
+        code: 'session.email_blocklist.email_not_allowed',
+        status: 422,
+        email,
+      })
+    );
+  } catch (error: unknown) {
+    if (error instanceof RequestError) {
+      throw error;
+    }
+
+    throw new RequestError({
+      code: 'session.email_blocklist.disposable_email_validation_failed',
+      status: 500,
+      error,
+    });
+  }
+};
+
 /**
  * Guard the email address is not in the sign-in experience blocklist. *
  *
@@ -80,7 +145,7 @@ export const validateEmailAgainstBlocklistPolicy = async (
 
   // Guard disposable email domain if enabled
   if (EnvSet.values.isCloud && blockDisposableAddresses) {
-    // TODO: call Azure function
+    await validateDisposableEmailDomain(email);
   }
 
   // Guard email subaddressing if enabled

packages/experience/src/hooks/use-email-blocked-error-handler.ts

@@ -0,0 +1,33 @@
+import { type RequestErrorBody } from '@logto/schemas';
+import { useCallback, useMemo } from 'react';
+import { useNavigate } from 'react-router-dom';
+
+import { usePromiseConfirmModal } from './use-confirm-modal';
+import { type ErrorHandlers } from './use-error-handler';
+
+const useEmailBlockedErrorHandler = (): ErrorHandlers => {
+  const navigate = useNavigate();
+  const { show } = usePromiseConfirmModal();
+
+  const errorCallback = useCallback(
+    async (error: RequestErrorBody) => {
+      await show({
+        type: 'alert',
+        ModalContent: error.message,
+        cancelText: 'action.got_it',
+      });
+      navigate(-1);
+    },
+    [navigate, show]
+  );
+
+  return useMemo<ErrorHandlers>(
+    () => ({
+      'session.email_blocklist.email_not_allowed': errorCallback,
+      'session.email_blocklist.email_subaddressing_not_allowed': errorCallback,
+    }),
+    [errorCallback]
+  );
+};
+
+export default useEmailBlockedErrorHandler;

packages/experience/src/hooks/use-submit-interaction-error-handler.ts

@@ -2,6 +2,7 @@ import { useMemo } from 'react';
 
 import { type ContinueFlowInteractionEvent } from '@/types';
 
+import useEmailBlockedErrorHandler from './use-email-blocked-error-handler';
 import { type ErrorHandlers } from './use-error-handler';
 import useMfaErrorHandler, {
   type Options as UseMfaVerificationErrorHandlerOptions,
@@ -36,13 +37,15 @@ const useSubmitInteractionErrorHandler = (
     ...rest,
   });
   const mfaErrorHandler = useMfaErrorHandler({ replace });
+  const emailBlockedErrorHandler = useEmailBlockedErrorHandler();
 
   return useMemo(
     () => ({
+      ...emailBlockedErrorHandler,
       ...requiredProfileErrorHandler,
       ...mfaErrorHandler,
     }),
-    [mfaErrorHandler, requiredProfileErrorHandler]
+    [emailBlockedErrorHandler, mfaErrorHandler, requiredProfileErrorHandler]
   );
 };
 

packages/phrases/src/locales/ar/errors/session.ts

@@ -42,6 +42,8 @@ const session = {
   captcha_required: 'مطلوب التحقق من Captcha.',
   captcha_failed: 'فشل التحقق من Captcha.',
   email_blocklist: {
+    /** UNTRANSLATED */
+    disposable_email_validation_failed: 'Email address validation failed.',
     /** UNTRANSLATED */
     invalid_email: 'Invalid email address.',
     /** UNTRANSLATED */

packages/phrases/src/locales/de/errors/session.ts

@@ -52,6 +52,8 @@ const session = {
   captcha_required: 'Captcha ist erforderlich.',
   captcha_failed: 'Captcha-Verifizierung fehlgeschlagen.',
   email_blocklist: {
+    /** UNTRANSLATED */
+    disposable_email_validation_failed: 'Email address validation failed.',
     /** UNTRANSLATED */
     invalid_email: 'Invalid email address.',
     /** UNTRANSLATED */

packages/phrases/src/locales/en/errors/session.ts

@@ -47,6 +47,7 @@ const session = {
   captcha_required: 'Captcha is required.',
   captcha_failed: 'Captcha verification failed.',
   email_blocklist: {
+    disposable_email_validation_failed: 'Email address validation failed.',
     invalid_email: 'Invalid email address.',
     email_subaddressing_not_allowed: 'Email subaddressing is not allowed.',
     email_not_allowed:

packages/phrases/src/locales/es/errors/session.ts

@@ -53,6 +53,8 @@ const session = {
   captcha_required: 'Se requiere captcha.',
   captcha_failed: 'La verificación del captcha falló.',
   email_blocklist: {
+    /** UNTRANSLATED */
+    disposable_email_validation_failed: 'Email address validation failed.',
     /** UNTRANSLATED */
     invalid_email: 'Invalid email address.',
     /** UNTRANSLATED */

packages/phrases/src/locales/fr/errors/session.ts

@@ -54,6 +54,8 @@ const session = {
   captcha_required: 'Le captcha est requis.',
   captcha_failed: 'La vérification du captcha a échoué.',
   email_blocklist: {
+    /** UNTRANSLATED */
+    disposable_email_validation_failed: 'Email address validation failed.',
     /** UNTRANSLATED */
     invalid_email: 'Invalid email address.',
     /** UNTRANSLATED */

packages/phrases/src/locales/it/errors/session.ts

@@ -50,6 +50,8 @@ const session = {
   captcha_required: 'È richiesto il Captcha.',
   captcha_failed: 'La verifica del Captcha non è riuscita.',
   email_blocklist: {
+    /** UNTRANSLATED */
+    disposable_email_validation_failed: 'Email address validation failed.',
     /** UNTRANSLATED */
     invalid_email: 'Invalid email address.',
     /** UNTRANSLATED */