feat(core): add email blocklist policy paywall guard (#7377)

add email blocklist policy payeall guard

Author: simeng-li

packages/core/src/libraries/sign-in-experience/email-blocklist-policy.test.ts

@@ -6,12 +6,13 @@ import RequestError from '#src/errors/RequestError/index.js';
 import {
   parseEmailBlocklistPolicy,
   validateEmailAgainstBlocklistPolicy,
+  isEmailBlocklistPolicyEnabled,
 } from './email-blocklist-policy.js';
 
 const invalidCustomBlockList = ['bar', 'bar@foo', '@foo', '@foo.', 'bar@foo.'];
 const validCustomBlockList = ['[email protected]', '@foo.com', '[email protected]', '[email protected]'];
 
-describe('validateEmailBlocklistPolicy', () => {
+describe('parseEmailBlocklistPolicy', () => {
   it.each(invalidCustomBlockList)(
     'should throw error for invalid custom block list item: %s',
     (item) => {
@@ -88,3 +89,44 @@ describe('validateEmailAgainstBlocklistPolicy', () => {
     ).resolves.not.toThrow();
   });
 });
+
+describe('isEmailBlocklistPolicyEnabled', () => {
+  it('isEmailBlocklistPolicyEnabled should return true if any of the blocklist policies are enabled', () => {
+    const emailBlocklistPolicy: EmailBlocklistPolicy = {
+      blockDisposableAddresses: false,
+      blockSubaddressing: false,
+      customBlocklist: [],
+    };
+
+    expect(
+      isEmailBlocklistPolicyEnabled({
+        ...emailBlocklistPolicy,
+        blockDisposableAddresses: true,
+      })
+    ).toBe(true);
+
+    expect(
+      isEmailBlocklistPolicyEnabled({
+        ...emailBlocklistPolicy,
+        blockSubaddressing: true,
+      })
+    ).toBe(true);
+
+    expect(
+      isEmailBlocklistPolicyEnabled({
+        ...emailBlocklistPolicy,
+        customBlocklist: ['@bar.com'],
+      })
+    ).toBe(true);
+  });
+
+  it('isEmailBlocklistPolicyEnabled should return false if all blocklist policies are disabled', () => {
+    const emailBlocklistPolicy: EmailBlocklistPolicy = {
+      blockDisposableAddresses: false,
+      blockSubaddressing: false,
+      customBlocklist: [],
+    };
+
+    expect(isEmailBlocklistPolicyEnabled(emailBlocklistPolicy)).toBe(false);
+  });
+});

packages/core/src/libraries/sign-in-experience/email-blocklist-policy.ts

@@ -181,3 +181,15 @@ export const validateEmailAgainstBlocklistPolicy = async (
     );
   }
 };
+
+export const isEmailBlocklistPolicyEnabled = (emailBlockListPolicy: EmailBlocklistPolicy) => {
+  const { blockDisposableAddresses, blockSubaddressing, customBlocklist } = emailBlockListPolicy;
+
+  /* eslint-disable @typescript-eslint/prefer-nullish-coalescing */
+  return (
+    blockDisposableAddresses ||
+    blockSubaddressing ||
+    (customBlocklist && customBlocklist.length > 0)
+  );
+  /* eslint-enable @typescript-eslint/prefer-nullish-coalescing */
+};

packages/core/src/queries/tenant-usage/index.ts

@@ -374,12 +374,18 @@ export default class TenantUsageQuery {
   ] => {
     return [
       sql`
-        select exists (
-          select * from ${signInExperienceTable}
-          where ${signInExperienceFields.captchaPolicy}->>'enabled' = 'true'
-          or ${signInExperienceFields.sentinelPolicy}->>'maxAttempts' is not null
-          or ${signInExperienceFields.sentinelPolicy}->>'lockoutDuration' is not null
-        )
+        select 
+          CASE 
+            WHEN ${signInExperienceFields.captchaPolicy}->>'enabled' = 'true' THEN true
+            WHEN ${signInExperienceFields.sentinelPolicy}->>'maxAttempts' is not null THEN true
+            WHEN ${signInExperienceFields.sentinelPolicy}->>'lockoutDuration' is not null THEN true
+            WHEN ${signInExperienceFields.emailBlocklistPolicy} ->> 'blockDisposableAddresses' = 'true' THEN true
+            WHEN ${signInExperienceFields.emailBlocklistPolicy} ->> 'blockSubaddressing' = 'true' THEN true
+            WHEN ${signInExperienceFields.emailBlocklistPolicy} ->> 'customBlocklist' is not null 
+                AND jsonb_array_length(${signInExperienceFields.emailBlocklistPolicy} -> 'customBlocklist') > 0 THEN true
+            ELSE false
+          END as isSecurityFeaturesEnabled
+        from ${signInExperienceTable}
     `,
       sql`securityFeaturesEnabled`,
     ];

packages/core/src/routes/sign-in-experience/index.ts

@@ -8,6 +8,7 @@ import {
   validateSignUp,
   validateSignIn,
   parseEmailBlocklistPolicy,
+  isEmailBlocklistPolicyEnabled,
 } from '#src/libraries/sign-in-experience/index.js';
 import { validateMfa } from '#src/libraries/sign-in-experience/mfa.js';
 import koaGuard from '#src/middleware/koa-guard.js';
@@ -115,13 +116,19 @@ export default function signInExperiencesRoutes<T extends ManagementApiRouter>(
         validateMfa(mfa);
       }
 
+      /* eslint-disable @typescript-eslint/prefer-nullish-coalescing */
       // Guard the quota for the security features enabled. Guarded properties are:
       // - sentinelPolicy: if sentinelPolicy is not empty object, security features are guarded
       // - captchaPolicy: if captchaPolicy is enabled, security features are guarded
-      // eslint-disable-next-line @typescript-eslint/prefer-nullish-coalescing
-      if ((sentinelPolicy && Object.keys(sentinelPolicy).length > 0) || captchaPolicy?.enabled) {
+      // - emailBlocklistPolicy: if any of the blocklist policies are enabled, security features are guarded
+      if (
+        (sentinelPolicy && Object.keys(sentinelPolicy).length > 0) ||
+        (emailBlocklistPolicy && isEmailBlocklistPolicyEnabled(emailBlocklistPolicy)) ||
+        captchaPolicy?.enabled
+      ) {
         await quota.guardTenantUsageByKey('securityFeaturesEnabled');
       }
+      /* eslint-enable @typescript-eslint/prefer-nullish-coalescing */
 
       if (removeUnusedDemoSocialConnector && filteredSocialSignInConnectorTargets) {
         // Remove unused demo social connectors, those that are not selected in onboarding SIE config.
@@ -156,7 +163,7 @@ export default function signInExperiencesRoutes<T extends ManagementApiRouter>(
 
       void quota.reportSubscriptionUpdatesUsage('mfaEnabled');
 
-      if (sentinelPolicy ?? captchaPolicy) {
+      if (sentinelPolicy ?? captchaPolicy ?? emailBlocklistPolicy) {
         void quota.reportSubscriptionUpdatesUsage('securityFeaturesEnabled');
       }