hotfix(auth): block disposable email domains on signup#1414
Merged
Conversation
Rejects sign-ups from disposable / temporary email providers on both the email+password path and OAuth (Google / GitHub) callbacks. Both paths flow through better-auth's databaseHooks.user.create, so a single before-hook in lib/auth.ts catches them. The blocklist combines a curated headline set (Mailinator, YOPmail, Guerrilla Mail, 10MinuteMail, Maildrop, EmailOnDeck, DisposableMail, Temp-Mail, Mailnesia, GetNada, Throwawaymail, Trashmail, Dispostable, Fakemail, plus aliasing services SimpleLogin, addy.io, Firefox Relay, DuckDuckGo, Burner Mail, IronVest) with the maintained disposable-email-domains.json fallback (5,488 domains, vendored from the disposable-email-domains/disposable-email-domains repo). isDisposableEmailDomain handles case folding, +alias local-parts, and multi-@ inputs via lastIndexOf. Exact-domain match only -- substring collisions like 'notmailinator.com' are intentionally checked against the full vendored list to avoid false positives or negatives.
Summary
- `databaseHooks.user.create.before` hook in `lib/auth.ts` that rejects sign-ups from disposable / temporary email domains. Both email+password and OAuth (Google / GitHub) flow through `user.create`, so a single hook closes both paths.
- `lib/auth-disposable-email-domains.json` (5,488 domains, from `disposable-email-domains/disposable-email-domains`). Lookup is O(1) via a `Set`.
- `isDisposableEmailDomain` handles case folding, `+alias` local-parts, multi-`@` inputs, whitespace around the domain, and exact-domain match only (no substring collisions).

Files
- `lib/auth-disposable-emails.ts` -- the lookup module (curated set + bundled fallback)
- `lib/auth-disposable-email-domains.json` -- 5,488-domain vendored fallback list
- `lib/auth.ts` -- `databaseHooks.user.create.before` rejects when `isDisposableEmailDomain(email)` returns true
- `tests/unit/auth-disposable-emails.test.ts` -- 13 unit tests covering the headline set, casing, `+alias`, malformed inputs, and substring non-collision
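The lookup rules the summary lists (case folding, `+alias` local-parts, `lastIndexOf` for multi-`@` inputs, whitespace trimming, exact-domain `Set` membership) as an added TypeScript illustration; this is not the PR's `lib/auth-disposable-emails.ts`, the domain lists are small constructed stand-ins for the curated set and the vendored JSON, and the `beforeUserCreate` hook shape is an assumption rather than better-auth's actual signature.

```typescript
// Constructed sample lists standing in for the curated headline set and the
// 5,488-entry vendored fallback; not the project's real data.
const CURATED_DOMAINS = ["mailinator.com", "yopmail.com", "guerrillamail.com", "simplelogin.com"];
const VENDORED_FALLBACK = ["10minutemail.com", "maildrop.cc", "trashmail.com"];

// Merge both sources into one lower-cased Set so membership is an O(1) check.
const DISPOSABLE_DOMAINS: ReadonlySet<string> = new Set(
  [...CURATED_DOMAINS, ...VENDORED_FALLBACK].map((d) => d.trim().toLowerCase()),
);

// Extract the domain part of an address. lastIndexOf means a local-part that
// itself contains '@' (quoted or malformed input) still yields the real domain.
// Returns null when there is no local-part or no domain to compare.
function extractDomain(email: string): string | null {
  const trimmed = email.trim();
  const at = trimmed.lastIndexOf("@");
  if (at <= 0 || at === trimmed.length - 1) return null;
  // +alias tags live in the local-part, so they never reach the comparison.
  const domain = trimmed.slice(at + 1).trim().toLowerCase();
  return domain.length > 0 ? domain : null;
}

// Exact-domain membership only: "notmailinator.com" is blocked solely if it
// is itself on the list, never because it contains "mailinator.com".
function isDisposableEmailDomain(email: string): boolean {
  const domain = extractDomain(email);
  return domain !== null && DISPOSABLE_DOMAINS.has(domain);
}

// Assumed shape of a user.create before-hook: reject before the row exists,
// otherwise hand the user object through unchanged.
function beforeUserCreate(user: { email: string }): { email: string } {
  if (isDisposableEmailDomain(user.email)) {
    throw new Error("Sign-ups from disposable email providers are not allowed");
  }
  return user;
}
```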