feat(core): add email blocklist validation to account API (#7376)

feat(core): add email blocklist validation on account API

add email blocklist validation on account API

Author: simeng-li

packages/core/src/routes/account/email-and-phone.ts

@@ -4,7 +4,9 @@ import { z } from 'zod';
 
 import koaGuard from '#src/middleware/koa-guard.js';
 
+import { EnvSet } from '../../env-set/index.js';
 import RequestError from '../../errors/RequestError/index.js';
+import { validateEmailAgainstBlocklistPolicy } from '../../libraries/sign-in-experience/email-blocklist-policy.js';
 import { buildVerificationRecordByIdAndType } from '../../libraries/verification.js';
 import assertThat from '../../utils/assert-that.js';
 import type { UserRouter, RouterInitArgs } from '../types.js';
@@ -46,6 +48,13 @@ export default function emailAndPhoneRoutes<T extends UserRouter>(...args: Route
 
       assertThat(scopes.has(UserScope.Email), 'auth.unauthorized');
 
+      // TODO: remove this when the feature is ready @simeng
+      // Validate email blocklist policy
+      if (EnvSet.values.isDevFeaturesEnabled) {
+        const { emailBlocklistPolicy } = await findDefaultSignInExperience();
+        await validateEmailAgainstBlocklistPolicy(emailBlocklistPolicy, email);
+      }
+
       // Check new identifier
       const newVerificationRecord = await buildVerificationRecordByIdAndType({
         type: VerificationType.EmailVerificationCode,

packages/integration-tests/src/tests/api/account/email-and-phone.test.ts

@@ -10,6 +10,7 @@ import {
   updatePrimaryEmail,
   updatePrimaryPhone,
 } from '#src/api/my-account.js';
+import { updateSignInExperience } from '#src/api/sign-in-experience.js';
 import {
   createAndVerifyVerificationCode,
   createVerificationRecordByPassword,
@@ -22,7 +23,7 @@ import {
   signInAndGetUserApi,
 } from '#src/helpers/profile.js';
 import { enableAllPasswordSignInMethods } from '#src/helpers/sign-in-experience.js';
-import { generateEmail, generatePhone } from '#src/utils.js';
+import { devFeatureTest, generateEmail, generatePhone } from '#src/utils.js';
 
 describe('account (email and phone)', () => {
   beforeAll(async () => {
@@ -137,6 +138,36 @@ describe('account (email and phone)', () => {
 
       await deleteDefaultTenantUser(user.id);
     });
+
+    devFeatureTest.it('should reject the email if the email is in the blocklist', async () => {
+      const email = generateEmail();
+      await updateSignInExperience({
+        emailBlocklistPolicy: {
+          customBlocklist: [email],
+        },
+      });
+
+      const { user, username, password } = await createDefaultTenantUserWithPassword();
+      const api = await signInAndGetUserApi(username, password, {
+        scopes: [UserScope.Profile, UserScope.Email],
+      });
+
+      const verificationRecordId = await createVerificationRecordByPassword(api, password);
+      const newVerificationRecordId = await createAndVerifyVerificationCode(api, {
+        type: SignInIdentifier.Email,
+        value: email,
+      });
+
+      await expectRejects(
+        updatePrimaryEmail(api, email, verificationRecordId, newVerificationRecordId),
+        {
+          code: 'session.email_blocklist.email_not_allowed',
+          status: 422,
+        }
+      );
+
+      await deleteDefaultTenantUser(user.id);
+    });
   });
 
   describe('DELETE /my-account/primary-email', () => {