feat(core): remove dev feature guard for email blocklist (#7397)

simeng-li · web-flow · commit e8df19b7e1aa · 2025-05-19T06:17:59.000Z
* feat(core): remove dev feature guard for email blocklist

remove dev feature guard, enabeld email blocklist

* chore: fix typo

fix typo
diff --git a/.changeset/honest-news-rush.md b/.changeset/honest-news-rush.md
@@ -0,0 +1,13 @@
+---
+"@logto/core": minor
+---
+
+feat: introduce email blocklist policy
+
+We have added a new `emailBlocklistPolicy` in the `signInExperience` settings. This policy allows you to customize the email restriction rules for all users. Once this policy is set, users will be restricted from signing up or linking their accounts with any email addresses that are against the specified blocklist.
+This feature is particularly useful for organizations that want to prevent users from signing up with personal email addresses or any other specific domains.
+
+Available settings include:
+
+- `customBlocklist`: A custom blocklist of email addresses or domains that you want to restrict.
+- `blockSubaddressing`: Restrict email subaddressing (e.g., 'user+tag@example.com').
diff --git a/.changeset/soft-eggs-sell.md b/.changeset/soft-eggs-sell.md
@@ -0,0 +1,7 @@
+---
+"@logto/console": minor
+---
+
+feat: introduce email blocklist settings page
+
+Add a new email blocklist settings page to the Logto console under the Security section. This page allows administrators to manage the email blocklist policy for end users. Use this policy to restrict users from signing up or linking their accounts with any email addresses that are against the specified blocklist.
diff --git a/packages/console/src/hooks/use-console-routes/routes/security.tsx b/packages/console/src/hooks/use-console-routes/routes/security.tsx
@@ -1,7 +1,6 @@
 import { Navigate, type RouteObject } from 'react-router-dom';
 import { safeLazy } from 'react-safe-lazy';
 
-import { isDevFeaturesEnabled } from '@/consts/env';
 import { SecurityTabs } from '@/pages/Security/types';
 
 const Security = safeLazy(async () => import('@/pages/Security'));
@@ -30,12 +29,7 @@ export const security: RouteObject = {
     },
     {
       path: SecurityTabs.Blocklist,
-      // TODO: @simeng remove dev feature guard
-      element: isDevFeaturesEnabled ? (
-        <Security tab={SecurityTabs.Blocklist} />
-      ) : (
-        <Navigate replace to={SecurityTabs.PasswordPolicy} />
-      ),
+      element: <Security tab={SecurityTabs.Blocklist} />,
     },
   ],
 };
diff --git a/packages/console/src/pages/Security/index.tsx b/packages/console/src/pages/Security/index.tsx
@@ -2,7 +2,6 @@ import classNames from 'classnames';
 import { useTranslation } from 'react-i18next';
 
 import PageMeta from '@/components/PageMeta';
-import { isDevFeaturesEnabled } from '@/consts/env';
 import { security } from '@/consts/external-links';
 import CardTitle from '@/ds-components/CardTitle';
 import TabNav, { TabNavItem } from '@/ds-components/TabNav';
@@ -45,15 +44,12 @@ function Security({ tab }: Props) {
         >
           {t('security.tabs.captcha')}
         </TabNavItem>
-        {/** TODO: @simeng remove dev feature guard */}
-        {isDevFeaturesEnabled && (
-          <TabNavItem
-            href={`/security/${SecurityTabs.Blocklist}`}
-            isActive={tab === SecurityTabs.Blocklist}
-          >
-            {t('security.tabs.blocklist')}
-          </TabNavItem>
-        )}
+        <TabNavItem
+          href={`/security/${SecurityTabs.Blocklist}`}
+          isActive={tab === SecurityTabs.Blocklist}
+        >
+          {t('security.tabs.blocklist')}
+        </TabNavItem>
         <TabNavItem
           href={`/security/${SecurityTabs.General}`}
           isActive={tab === SecurityTabs.General}
@@ -64,8 +60,7 @@ function Security({ tab }: Props) {
       {tab === SecurityTabs.Captcha && <Captcha />}
       {tab === SecurityTabs.PasswordPolicy && <PasswordPolicy />}
       {tab === SecurityTabs.General && <General />}
-      {/** TODO: @simeng remove dev feature guard */}
-      {isDevFeaturesEnabled && tab === SecurityTabs.Blocklist && <Blocklist />}
+      {tab === SecurityTabs.Blocklist && <Blocklist />}
     </div>
   );
 }
diff --git a/packages/core/src/libraries/sign-in-experience/email-blocklist-policy.ts b/packages/core/src/libraries/sign-in-experience/email-blocklist-policy.ts
@@ -42,15 +42,6 @@ const parseCustomBlocklist = (customBlocklist: string[]) => {
 export const parseEmailBlocklistPolicy = (
   emailBlocklistPolicy: EmailBlocklistPolicy
 ): EmailBlocklistPolicy => {
-  // TODO: @simeng remove this validation when the feature is ready
-  assertThat(
-    EnvSet.values.isDevFeaturesEnabled,
-    new RequestError({
-      code: 'request.invalid_input',
-      details: 'Email block list policy is not supported in this environment',
-    })
-  );
-
   const { customBlocklist, ...rest } = emailBlocklistPolicy;
 
   // BlockDisposableAddresses is not supported for OSS.
diff --git a/packages/core/src/routes/account/email-and-phone.ts b/packages/core/src/routes/account/email-and-phone.ts
@@ -4,7 +4,6 @@ import { z } from 'zod';
 
 import koaGuard from '#src/middleware/koa-guard.js';
 
-import { EnvSet } from '../../env-set/index.js';
 import RequestError from '../../errors/RequestError/index.js';
 import { validateEmailAgainstBlocklistPolicy } from '../../libraries/sign-in-experience/email-blocklist-policy.js';
 import { buildVerificationRecordByIdAndType } from '../../libraries/verification.js';
@@ -48,12 +47,9 @@ export default function emailAndPhoneRoutes<T extends UserRouter>(...args: Route
 
       assertThat(scopes.has(UserScope.Email), 'auth.unauthorized');
 
-      // TODO: remove this when the feature is ready @simeng
       // Validate email blocklist policy
-      if (EnvSet.values.isDevFeaturesEnabled) {
-        const { emailBlocklistPolicy } = await findDefaultSignInExperience();
-        await validateEmailAgainstBlocklistPolicy(emailBlocklistPolicy, email);
-      }
+      const { emailBlocklistPolicy } = await findDefaultSignInExperience();
+      await validateEmailAgainstBlocklistPolicy(emailBlocklistPolicy, email);
 
       // Check new identifier
       const newVerificationRecord = await buildVerificationRecordByIdAndType({
diff --git a/packages/core/src/routes/experience/classes/libraries/sign-in-experience-validator.ts b/packages/core/src/routes/experience/classes/libraries/sign-in-experience-validator.ts
@@ -8,7 +8,6 @@ import {
   VerificationType,
 } from '@logto/schemas';
 
-import { EnvSet } from '#src/env-set/index.js';
 import RequestError from '#src/errors/RequestError/index.js';
 import { validateEmailAgainstBlocklistPolicy } from '#src/libraries/sign-in-experience/index.js';
 import type Libraries from '#src/tenants/Libraries.js';
@@ -281,11 +280,6 @@ export class SignInExperienceValidator {
    * - guard custom email address/domain if provided
    */
   public async guardEmailBlocklist(verificationRecord: VerificationRecord) {
-    // TODO: Remove this once the dev feature is ready
-    if (!EnvSet.values.isDevFeaturesEnabled) {
-      return;
-    }
-
     const email = getEmailIdentifierFromVerificationRecord(verificationRecord);
     if (!email) {
       return;
diff --git a/packages/core/src/routes/sign-in-experience/index.openapi.json b/packages/core/src/routes/sign-in-experience/index.openapi.json
@@ -66,6 +66,20 @@
                     },
                     "sentinelPolicy": {
                       "description": "Custom sentinel policy settings. Use this field to customize the user lockout policy. The default value is 100 failed attempts within one hour. The user will be locked out for 60 minutes after exceeding the limit."
+                    },
+                    "emailBlocklistPolicy": {
+                      "description": "Define email restriction policies. Users will be prohibited from registering or linking any email addresses that are included in the blocklist.",
+                      "properties": {
+                        "blockDisposableAddress": {
+                          "description": "Cloud only.  Whether to block disposable email addresses. Once enabled, Logto will check the email domain against a list of known disposable email domains. If the domain is found in the list, the email address will be blocked."
+                        },
+                        "blockSubaddressing": {
+                          "description": "Whether to block sub-addresses. (E.g., example+shopping@test.com)"
+                        },
+                        "customBlocklist": {
+                          "description": "Custom blocklist of email addresses or domains."
+                        }
+                      }
                     }
                   }
                 }
@@ -135,6 +149,23 @@
                   },
                   "unknownSessionRedirectUrl": {
                     "description": "The fallback URL to redirect users when the sign-in session does not exist or unknown. Client should initiate a new authentication flow after the redirection."
+                  },
+                  "sentinelPolicy": {
+                    "description": "Custom sentinel policy settings. Use this field to customize the user lockout policy. The default value is 100 failed attempts within one hour. The user will be locked out for 60 minutes after exceeding the limit."
+                  },
+                  "emailBlocklistPolicy": {
+                    "description": "Define email restriction policies. Users will be prohibited from registering or linking any email addresses that are included in the blocklist.",
+                    "properties": {
+                      "blockDisposableAddress": {
+                        "description": "Cloud only.  Whether to block disposable email addresses. Once enabled, Logto will check the email domain against a list of known disposable email domains. If the domain is found in the list, the email address will be blocked."
+                      },
+                      "blockSubaddressing": {
+                        "description": "Whether to block sub-addresses. (E.g., example+shopping@test.com)"
+                      },
+                      "customBlocklist": {
+                        "description": "Custom blocklist of email addresses or domains."
+                      }
+                    }
                   }
                 }
               }
diff --git a/packages/integration-tests/src/tests/api/account/email-and-phone.test.ts b/packages/integration-tests/src/tests/api/account/email-and-phone.test.ts
@@ -25,12 +25,7 @@ import {
   signInAndGetUserApi,
 } from '#src/helpers/profile.js';
 import { enableAllPasswordSignInMethods } from '#src/helpers/sign-in-experience.js';
-import {
-  devFeatureTest,
-  generateEmail,
-  generatePhone,
-  generateNationalPhoneNumber,
-} from '#src/utils.js';
+import { generateEmail, generatePhone, generateNationalPhoneNumber } from '#src/utils.js';
 
 describe('account (email and phone)', () => {
   beforeAll(async () => {
@@ -146,7 +141,7 @@ describe('account (email and phone)', () => {
       await deleteDefaultTenantUser(user.id);
     });
 
-    devFeatureTest.it('should reject the email if the email is in the blocklist', async () => {
+    it('should reject the email if the email is in the blocklist', async () => {
       const email = generateEmail();
       await updateSignInExperience({
         emailBlocklistPolicy: {
diff --git a/packages/integration-tests/src/tests/api/experience-api/register-interaction/email-blocklist.test.ts b/packages/integration-tests/src/tests/api/experience-api/register-interaction/email-blocklist.test.ts
diff --git a/packages/integration-tests/src/tests/api/experience-api/sign-in-interaction/password.test.ts b/packages/integration-tests/src/tests/api/experience-api/sign-in-interaction/password.test.ts
