feat(core): add email blocklist guard (#7368)

* feat(core): add email blocklist guard

add email blocllist guard

* feat(test): add integration tests

add integration tests

* fix(test): fix lint error

fix lint error

* fix: fix eslint module not found error

fix eslint module not found error

* chore(core): refactor the devFeature condition

refactor the devFeature condition

Author: simeng-li

.npmrc

@@ -0,0 +1 @@
+public-hoist-pattern[]=*eslint*

packages/core/src/libraries/sign-in-experience/email-blocklist-policy.test.ts

@@ -1,8 +1,12 @@
+import { type EmailBlocklistPolicy } from '@logto/schemas';
 import { deduplicate } from '@silverhand/essentials';
 
-import RequestError from '../../errors/RequestError/index.js';
+import RequestError from '#src/errors/RequestError/index.js';
 
-import { parseEmailBlocklistPolicy } from './email-blocklist-policy.js';
+import {
+  parseEmailBlocklistPolicy,
+  validateEmailAgainstBlocklistPolicy,
+} from './email-blocklist-policy.js';
 
 const invalidCustomBlockList = ['bar', 'bar@foo', '@foo', '@foo.', 'bar@foo.'];
 const validCustomBlockList = ['[email protected]', '@foo.com', '[email protected]', '[email protected]'];
@@ -29,3 +33,58 @@ describe('validateEmailBlocklistPolicy', () => {
     expect(parsed).toEqual({ customBlocklist: deduplicate(validCustomBlockList) });
   });
 });
+
+describe('validateEmailAgainstBlocklistPolicy', () => {
+  const emailBlocklistPolicy: EmailBlocklistPolicy = {
+    blockDisposableAddresses: true,
+    blockSubaddressing: true,
+    customBlocklist: ['[email protected]', '@foo.com'],
+  };
+
+  it('should throw if the email uses subaddressing', async () => {
+    await expect(
+      validateEmailAgainstBlocklistPolicy(emailBlocklistPolicy, '[email protected]')
+    ).rejects.toMatchError(
+      new RequestError({
+        code: 'session.email_blocklist.email_subaddressing_not_allowed',
+        status: 422,
+      })
+    );
+  });
+
+  it('should throw if the email domain is in the custom blocklist', async () => {
+    const emails = ['[email protected]', '[email protected]'];
+
+    for (const email of emails) {
+      // eslint-disable-next-line no-await-in-loop
+      await expect(
+        validateEmailAgainstBlocklistPolicy(emailBlocklistPolicy, email)
+      ).rejects.toMatchError(
+        new RequestError({
+          code: 'session.email_blocklist.email_not_allowed',
+          status: 422,
+          email,
+        })
+      );
+    }
+  });
+
+  it('should throw if the email address is in the custom blocklist', async () => {
+    const email = '[email protected]';
+    await expect(
+      validateEmailAgainstBlocklistPolicy(emailBlocklistPolicy, email)
+    ).rejects.toMatchError(
+      new RequestError({
+        code: 'session.email_blocklist.email_not_allowed',
+        status: 422,
+        email,
+      })
+    );
+  });
+
+  it('should pass the blocklist policy validation', async () => {
+    await expect(
+      validateEmailAgainstBlocklistPolicy(emailBlocklistPolicy, '[email protected]')
+    ).resolves.not.toThrow();
+  });
+});

packages/core/src/libraries/sign-in-experience/email-blocklist-policy.ts

@@ -2,9 +2,9 @@ import { emailOrEmailDomainRegex } from '@logto/core-kit';
 import { type EmailBlocklistPolicy } from '@logto/schemas';
 import { conditional, deduplicate } from '@silverhand/essentials';
 
-import { EnvSet } from '../../env-set/index.js';
-import RequestError from '../../errors/RequestError/index.js';
-import assertThat from '../../utils/assert-that.js';
+import { EnvSet } from '#src/env-set/index.js';
+import RequestError from '#src/errors/RequestError/index.js';
+import assertThat from '#src/utils/assert-that.js';
 
 const validateCustomBlockListFormat = (list: string[]) => {
   const invalidItems = new Set();
@@ -55,3 +55,64 @@ export const parseEmailBlocklistPolicy = (
     ...conditional(customBlocklist && { customBlocklist: parseCustomBlocklist(customBlocklist) }),
   };
 };
+
+/**
+ * Guard the email address is not in the sign-in experience blocklist. *
+ *
+ * @remarks
+ * - guard disposable email domain if enabled
+ * - guard email subaddessing if enabled
+ * - guard custom email address/domain if provided
+ *
+ * @remarks
+ * This validation should be applied to all the client email profile fullment flow.
+ * - experience API
+ * - account API
+ */
+export const validateEmailAgainstBlocklistPolicy = async (
+  emailBlocklistPolicy: EmailBlocklistPolicy,
+  email: string
+) => {
+  const { customBlocklist, blockDisposableAddresses, blockSubaddressing } = emailBlocklistPolicy;
+  const domain = email.split('@')[1];
+
+  assertThat(domain, new RequestError('session.email_blocklist.invalid_email'));
+
+  // Guard disposable email domain if enabled
+  if (EnvSet.values.isCloud && blockDisposableAddresses) {
+    // TODO: call Azure function
+  }
+
+  // Guard email subaddressing if enabled
+  if (blockSubaddressing) {
+    const subaddressingRegex = new RegExp(`^.*\\+.*@${domain}$`);
+    assertThat(
+      !subaddressingRegex.test(email),
+      new RequestError({
+        code: 'session.email_blocklist.email_subaddressing_not_allowed',
+        status: 422,
+      })
+    );
+  }
+
+  // Guard custom email address/domain if provided
+  if (customBlocklist) {
+    const isCustomBlocklisted = customBlocklist.some((item) => {
+      // Guard email domain
+      if (item.startsWith('@')) {
+        return domain === item.slice(1);
+      }
+
+      return email === item;
+    });
+
+    assertThat(
+      !isCustomBlocklisted,
+      new RequestError({
+        code: 'session.email_blocklist.email_not_allowed',
+        status: 422,
+        email,
+      })
+    );
+  }
+};

packages/core/src/routes/experience/classes/experience-interaction.ts

@@ -291,11 +291,14 @@ export default class ExperienceInteraction {
         verification: verificationData,
       });
 
-      await this.signInExperienceValidator.guardSsoOnlyEmailIdentifier(verificationRecord);
+      if (verificationRecord.type !== VerificationType.EnterpriseSso) {
+        await this.signInExperienceValidator.guardSsoOnlyEmailIdentifier(verificationRecord);
+      }
+      await this.signInExperienceValidator.guardEmailBlocklist(verificationRecord);
+
       const identifierProfile = await getNewUserProfileFromVerificationRecord(verificationRecord);
 
       await this.profile.setProfileWithValidation(identifierProfile);
-
       // Save the updated profile data to the interaction storage
       await this.save();
     }

packages/core/src/routes/experience/classes/libraries/sign-in-experience-validator.ts

@@ -8,16 +8,20 @@ import {
   VerificationType,
 } from '@logto/schemas';
 
+import { EnvSet } from '#src/env-set/index.js';
 import RequestError from '#src/errors/RequestError/index.js';
+import { validateEmailAgainstBlocklistPolicy } from '#src/libraries/sign-in-experience/index.js';
 import type Libraries from '#src/tenants/Libraries.js';
 import type Queries from '#src/tenants/Queries.js';
 import assertThat from '#src/utils/assert-that.js';
 
+import { type EnterpriseSsoVerification } from '../verifications/enterprise-sso-verification.js';
 import { type VerificationRecord } from '../verifications/index.js';
 
 const getEmailIdentifierFromVerificationRecord = (verificationRecord: VerificationRecord) => {
   switch (verificationRecord.type) {
     case VerificationType.Password:
+    case VerificationType.OneTimeToken:
     case VerificationType.EmailVerificationCode:
     case VerificationType.PhoneVerificationCode: {
       const {
@@ -30,6 +34,10 @@ const getEmailIdentifierFromVerificationRecord = (verificationRecord: Verificati
       const { socialUserInfo } = verificationRecord;
       return socialUserInfo?.email;
     }
+    case VerificationType.EnterpriseSso: {
+      const { enterpriseSsoUserInfo } = verificationRecord;
+      return enterpriseSsoUserInfo?.email;
+    }
     default: {
       break;
     }
@@ -222,7 +230,9 @@ export class SignInExperienceValidator {
    *
    * @throws {RequestError} with status 422 if the email identifier is SSO enabled
    **/
-  public async guardSsoOnlyEmailIdentifier(verificationRecord: VerificationRecord) {
+  public async guardSsoOnlyEmailIdentifier(
+    verificationRecord: Exclude<VerificationRecord, EnterpriseSsoVerification>
+  ) {
     const emailIdentifier = getEmailIdentifierFromVerificationRecord(verificationRecord);
 
     if (!emailIdentifier) {
@@ -261,6 +271,30 @@ export class SignInExperienceValidator {
     throw new RequestError({ code: 'session.captcha_required', status: 422 });
   }
 
+  /**
+   * Guard the email address is not in the blocklist.
+   *
+   * @remarks
+   * Use this method to guard the email address or domain is not in the blocklist.
+   * - guard disposable email domain if enabled
+   * - guard email subaddessing if enabled
+   * - guard custom email address/domain if provided
+   */
+  public async guardEmailBlocklist(verificationRecord: VerificationRecord) {
+    // TODO: Remove this once the dev feature is ready
+    if (!EnvSet.values.isDevFeaturesEnabled) {
+      return;
+    }
+
+    const email = getEmailIdentifierFromVerificationRecord(verificationRecord);
+    if (!email) {
+      return;
+    }
+
+    const { emailBlocklistPolicy } = await this.getSignInExperienceData();
+    await validateEmailAgainstBlocklistPolicy(emailBlocklistPolicy, email);
+  }
+
   /**
    * @throws {RequestError} with status 422 if the verification record type is not enabled
    * @throws {RequestError} with status 422 if the email identifier is SSO enabled
@@ -308,7 +342,9 @@ export class SignInExperienceValidator {
       }
     }
 
-    await this.guardSsoOnlyEmailIdentifier(verificationRecord);
+    if (verificationRecord.type !== VerificationType.EnterpriseSso) {
+      await this.guardSsoOnlyEmailIdentifier(verificationRecord);
+    }
   }
 
   /** Forgot password only supports verification code type verification record */

packages/core/src/routes/experience/classes/profile.ts

@@ -87,6 +87,8 @@ export class Profile {
     // Guard SSO only email identifier in verification record  (EmailVerificationCode, Social)
     await this.signInExperienceValidator.guardSsoOnlyEmailIdentifier(verificationRecord);
 
+    await this.signInExperienceValidator.guardEmailBlocklist(verificationRecord);
+
     log?.append({
       verification: verificationRecord.toJson(),
     });
@@ -99,7 +101,6 @@ export class Profile {
     if (verificationRecord.type === VerificationType.Social) {
       const user = await this.safeGetIdentifiedUser();
       const isNewUserIdentity = !user;
-
       // Sync the email and phone to the user profile only for new user identity
       const syncedProfile = await verificationRecord.toSyncedProfile(isNewUserIdentity);
       this.unsafePrepend(syncedProfile);
@@ -120,6 +121,7 @@ export class Profile {
     }
 
     await this.profileValidator.guardProfileUniquenessAcrossUsers(profile);
+
     this.unsafeSet(profile);
   }