feat(core,schemas,console): add email blocklist policy to sie (#7355)

* feat(core,schemas,console): add email blocklist policy to sie

add email blocklist policy to sie

* refactor(core): deduplicate custom block list

deduplicate custom block list

* chore(test): update ut

update ut

* fix(test): remove outdated tests

remove outdateted tests

Author: simeng-li

packages/console/src/pages/SignInExperience/PageContent/utils/parser.ts

@@ -122,6 +122,7 @@ export const sieFormDataParser = {
       mfa,
       captchaPolicy,
       sentinelPolicy,
+      emailBlocklistPolicy,
       // End: Remove the omitted fields from the data
       ...rest
     } = data;
@@ -161,10 +162,11 @@ export const sieFormDataParser = {
  * Affected fields:
  * - `signUp.secondaryIdentifiers`: This field is optional in the data schema,
  *  but through the form, we always fill it with an empty array.
- * - `mfa`: This field is omitted in the sign-in experience form.
- * - `passwordPolicy`: This field is omitted in the sign-in experience form.
- * - `captchaPolicy`: This field is omitted in the sign-in experience form.
- * - `sentinelPolicy`: This field is omitted in the sign-in experience form.
+ * - `mfa`
+ * - `passwordPolicy`
+ * - `captchaPolicy`
+ * - `sentinelPolicy`
+ * - `emailBlocklistPolicy`
  */
 export const signInExperienceToUpdatedDataParser = (
   data: SignInExperience
@@ -176,6 +178,7 @@ export const signInExperienceToUpdatedDataParser = (
     passwordPolicy,
     captchaPolicy,
     sentinelPolicy,
+    emailBlocklistPolicy,
     // End: Remove the omitted fields from the data
     ...rest
   } = data;

packages/console/src/pages/SignInExperience/types.ts

@@ -6,12 +6,12 @@ import {
 } from '@logto/schemas';
 
 /**
- * Omit the `mfa`, `captchaPolicy`, 'passwordPolicy', and `sentinelPolicy` fields from the sign-in experience.
+ * Omit the `mfa`, `captchaPolicy`, 'passwordPolicy', `sentinelPolicy` and `emailBlocklistPolicy` fields from the sign-in experience.
  * Since those fields are not managed by the sign-in experience page.
  */
 type OmittedSignInExperienceKeys = keyof Pick<
   SignInExperience,
-  'mfa' | 'captchaPolicy' | 'sentinelPolicy' | 'passwordPolicy'
+  'mfa' | 'captchaPolicy' | 'sentinelPolicy' | 'passwordPolicy' | 'emailBlocklistPolicy'
 >;
 
 export enum SignInExperienceTab {
@@ -48,7 +48,7 @@ export type SignUpForm = Omit<SignUp, 'identifiers' | 'secondaryIdentifiers'> &
 
 export type SignInExperienceForm = Omit<
   SignInExperience,
-  'signUp' | 'customCss' | 'passwordPolicy' | OmittedSignInExperienceKeys
+  'signUp' | 'customCss' | OmittedSignInExperienceKeys
 > & {
   customCss?: string; // Code editor components can not properly handle null value, manually transform null to undefined instead.
   signUp: SignUpForm;

packages/core/src/__mocks__/sign-in-experience.ts

@@ -105,4 +105,5 @@ export const mockSignInExperience: SignInExperience = {
   unknownSessionRedirectUrl: null,
   captchaPolicy: {},
   sentinelPolicy: {},
+  emailBlocklistPolicy: {},
 };

packages/core/src/libraries/sign-in-experience/email-blocklist-policy.test.ts

@@ -0,0 +1,31 @@
+import { deduplicate } from '@silverhand/essentials';
+
+import RequestError from '../../errors/RequestError/index.js';
+
+import { parseEmailBlocklistPolicy } from './email-blocklist-policy.js';
+
+const invalidCustomBlockList = ['bar', 'bar@foo', '@foo', '@foo.', 'bar@foo.'];
+const validCustomBlockList = ['[email protected]', '@foo.com', '[email protected]', '[email protected]'];
+
+describe('validateEmailBlocklistPolicy', () => {
+  it.each(invalidCustomBlockList)(
+    'should throw error for invalid custom block list item: %s',
+    (item) => {
+      const emailBlocklistPolicy = { customBlocklist: [item] };
+      expect(() => {
+        parseEmailBlocklistPolicy(emailBlocklistPolicy);
+      }).toMatchError(
+        new RequestError({
+          code: 'sign_in_experiences.invalid_custom_email_blocklist_format',
+          items: Array.from([item]),
+          status: 400,
+        })
+      );
+    }
+  );
+
+  it('should pass the validation with valid format and deduplicate items', () => {
+    const parsed = parseEmailBlocklistPolicy({ customBlocklist: validCustomBlockList });
+    expect(parsed).toEqual({ customBlocklist: deduplicate(validCustomBlockList) });
+  });
+});

packages/core/src/libraries/sign-in-experience/email-blocklist-policy.ts

@@ -0,0 +1,58 @@
+import { type EmailBlocklistPolicy } from '@logto/schemas';
+import { conditional, deduplicate } from '@silverhand/essentials';
+
+import { EnvSet } from '../../env-set/index.js';
+import RequestError from '../../errors/RequestError/index.js';
+import assertThat from '../../utils/assert-that.js';
+
+const emailOrEmailDomainRegex = /^\S+@\S+\.\S+|^@\S+\.\S+$/;
+
+const validateCustomBlockListFormat = (list: string[]) => {
+  const invalidItems = new Set();
+
+  for (const item of list) {
+    if (!emailOrEmailDomainRegex.test(item)) {
+      invalidItems.add(item);
+    }
+  }
+
+  return invalidItems;
+};
+
+const parseCustomBlocklist = (customBlocklist: string[]) => {
+  const deduplicated = deduplicate(customBlocklist);
+  const invalidItems = validateCustomBlockListFormat(deduplicated);
+
+  if (invalidItems.size > 0) {
+    throw new RequestError({
+      code: 'sign_in_experiences.invalid_custom_email_blocklist_format',
+      items: Array.from(invalidItems),
+      status: 400,
+    });
+  }
+
+  return deduplicated;
+};
+
+/**
+ * This function will deduplicate the custom blocklist (if not undefined) and validate the format of each item.
+ * If any item is invalid, it throws a RequestError with the details of the invalid items.
+ */
+export const parseEmailBlocklistPolicy = (
+  emailBlocklistPolicy: EmailBlocklistPolicy
+): EmailBlocklistPolicy => {
+  // TODO: @simeng remove this validation when the feature is ready
+  assertThat(
+    EnvSet.values.isDevFeaturesEnabled,
+    new RequestError('request.invalid_input', {
+      details: 'Email block list policy is not supported in this environment',
+    })
+  );
+
+  const { customBlocklist, ...rest } = emailBlocklistPolicy;
+
+  return {
+    ...rest,
+    ...conditional(customBlocklist && { customBlocklist: parseCustomBlocklist(customBlocklist) }),
+  };
+};

packages/core/src/libraries/sign-in-experience/index.ts

@@ -26,6 +26,7 @@ import { type CloudConnectionLibrary } from '../cloud-connection.js';
 
 export * from './sign-up.js';
 export * from './sign-in.js';
+export * from './email-blocklist-policy.js';
 
 export const developmentTenantPlanId = 'dev';
 

packages/core/src/queries/sign-in-experience.test.ts

@@ -38,12 +38,13 @@ describe('sign-in-experience query', () => {
     socialSignIn: JSON.stringify(mockSignInExperience.socialSignIn),
     captchaPolicy: JSON.stringify(mockSignInExperience.captchaPolicy),
     sentinelPolicy: JSON.stringify(mockSignInExperience.sentinelPolicy),
+    emailBlocklistPolicy: JSON.stringify(mockSignInExperience.emailBlocklistPolicy),
   };
 
   it('findDefaultSignInExperience', async () => {
     /* eslint-disable sql/no-unsafe-query */
     const expectSql = `
-      select "tenant_id", "id", "color", "branding", "language_info", "terms_of_use_url", "privacy_policy_url", "agree_to_terms_policy", "sign_in", "sign_up", "social_sign_in", "social_sign_in_connector_targets", "sign_in_mode", "custom_css", "custom_content", "custom_ui_assets", "password_policy", "mfa", "single_sign_on_enabled", "support_email", "support_website_url", "unknown_session_redirect_url", "captcha_policy", "sentinel_policy"
+      select "tenant_id", "id", "color", "branding", "language_info", "terms_of_use_url", "privacy_policy_url", "agree_to_terms_policy", "sign_in", "sign_up", "social_sign_in", "social_sign_in_connector_targets", "sign_in_mode", "custom_css", "custom_content", "custom_ui_assets", "password_policy", "mfa", "single_sign_on_enabled", "support_email", "support_website_url", "unknown_session_redirect_url", "captcha_policy", "sentinel_policy", "email_blocklist_policy"
       from "sign_in_experiences"
       where "id"=$1
     `;

packages/core/src/routes/sign-in-experience/index.ts

@@ -1,10 +1,14 @@
 import { DemoConnector } from '@logto/connector-kit';
 import { PasswordPolicyChecker } from '@logto/core-kit';
 import { ConnectorType, SignInExperiences } from '@logto/schemas';
-import { tryThat } from '@silverhand/essentials';
+import { conditional, tryThat } from '@silverhand/essentials';
 import { literal, object, string, z } from 'zod';
 
-import { validateSignUp, validateSignIn } from '#src/libraries/sign-in-experience/index.js';
+import {
+  validateSignUp,
+  validateSignIn,
+  parseEmailBlocklistPolicy,
+} from '#src/libraries/sign-in-experience/index.js';
 import { validateMfa } from '#src/libraries/sign-in-experience/mfa.js';
 import koaGuard from '#src/middleware/koa-guard.js';
 
@@ -75,7 +79,7 @@ export default function signInExperiencesRoutes<T extends ManagementApiRouter>(
     async (ctx, next) => {
       const {
         query: { removeUnusedDemoSocialConnector },
-        body: { socialSignInConnectorTargets, ...rest },
+        body: { socialSignInConnectorTargets, emailBlocklistPolicy, ...rest },
       } = ctx.guard;
       const { languageInfo, signUp, signIn, mfa, sentinelPolicy, captchaPolicy } = rest;
 
@@ -119,8 +123,8 @@ export default function signInExperiencesRoutes<T extends ManagementApiRouter>(
         await quota.guardTenantUsageByKey('securityFeaturesEnabled');
       }
 
-      // Remove unused demo social connectors, those that are not selected in onboarding SIE config.
       if (removeUnusedDemoSocialConnector && filteredSocialSignInConnectorTargets) {
+        // Remove unused demo social connectors, those that are not selected in onboarding SIE config.
         await Promise.all(
           connectors
             .filter((connector) => {
@@ -134,14 +138,21 @@ export default function signInExperiencesRoutes<T extends ManagementApiRouter>(
         );
       }
 
-      ctx.body = await updateDefaultSignInExperience(
-        filteredSocialSignInConnectorTargets
-          ? {
-              ...rest,
-              socialSignInConnectorTargets: filteredSocialSignInConnectorTargets,
-            }
-          : rest
-      );
+      const payload = {
+        ...rest,
+        ...conditional(
+          filteredSocialSignInConnectorTargets && {
+            socialSignInConnectorTargets: filteredSocialSignInConnectorTargets,
+          }
+        ),
+        ...conditional(
+          emailBlocklistPolicy && {
+            emailBlocklistPolicy: parseEmailBlocklistPolicy(emailBlocklistPolicy),
+          }
+        ),
+      };
+
+      ctx.body = await updateDefaultSignInExperience(payload);
 
       void quota.reportSubscriptionUpdatesUsage('mfaEnabled');
 

packages/experience/src/__mocks__/logto.tsx

@@ -119,6 +119,7 @@ export const mockSignInExperience: SignInExperience = {
   unknownSessionRedirectUrl: null,
   captchaPolicy: {},
   sentinelPolicy: {},
+  emailBlocklistPolicy: {},
 };
 
 export const mockSignInExperienceSettings: SignInExperienceResponse = {
@@ -159,6 +160,7 @@ export const mockSignInExperienceSettings: SignInExperienceResponse = {
   unknownSessionRedirectUrl: null,
   captchaPolicy: {},
   sentinelPolicy: {},
+  emailBlocklistPolicy: {},
 };
 
 const usernameSettings = {

packages/phrases/src/locales/en/errors/sign-in-experiences.ts

@@ -19,6 +19,8 @@ const sign_in_experiences = {
   duplicated_mfa_factors: 'Duplicated MFA factors.',
   duplicated_sign_up_identifiers: 'Duplicate sign-up identifiers detected.',
   missing_sign_up_identifiers: 'Primary sign-up identifier cannot be empty.',
+  invalid_custom_email_blocklist_format:
+    'Invalid custom email blocklist items: {{items, list(type:conjunction)}}. Each item must be a valid email address or email domain, e.g., [email protected] or @example.com.',
 };
 
 export default Object.freeze(sign_in_experiences);