improvement(auth): dedupe denylist entries, extract isEmailInDenylist with tests

waleedlatif1 · waleedlatif1 · commit 900f86ed2cfb · 2026-05-28T13:23:05.000-07:00
diff --git a/apps/sim/lib/auth/auth.test.ts b/apps/sim/lib/auth/auth.test.ts
@@ -0,0 +1,47 @@
+/**
+ * @vitest-environment node
+ */
+import { describe, expect, it } from 'vitest'
+import { isEmailInDenylist } from '@/lib/auth/auth'
+
+describe('isEmailInDenylist', () => {
+  it('returns false when denylist is null, empty, or email is missing', () => {
+    expect(isEmailInDenylist('a@example.com', null)).toBe(false)
+    expect(isEmailInDenylist('a@example.com', [])).toBe(false)
+    expect(isEmailInDenylist(null, ['example.com'])).toBe(false)
+    expect(isEmailInDenylist(undefined, ['example.com'])).toBe(false)
+    expect(isEmailInDenylist('', ['example.com'])).toBe(false)
+  })
+
+  it('returns false when email has no @', () => {
+    expect(isEmailInDenylist('not-an-email', ['example.com'])).toBe(false)
+  })
+
+  it('matches exact domain', () => {
+    expect(isEmailInDenylist('user@dpdns.org', ['dpdns.org'])).toBe(true)
+    expect(isEmailInDenylist('user@DPDNS.ORG', ['dpdns.org'])).toBe(true)
+  })
+
+  it('matches arbitrary-depth subdomains of a listed parent zone', () => {
+    expect(isEmailInDenylist('user@xx.lucky04.dpdns.org', ['dpdns.org'])).toBe(true)
+    expect(isEmailInDenylist('user@a.b.c.qzz.io', ['qzz.io'])).toBe(true)
+  })
+
+  it('does not match look-alike domains', () => {
+    expect(isEmailInDenylist('user@xdpdns.org', ['dpdns.org'])).toBe(false)
+    expect(isEmailInDenylist('user@notdpdns.org', ['dpdns.org'])).toBe(false)
+  })
+
+  it('does not match disallowed domains', () => {
+    expect(isEmailInDenylist('user@gmail.com', ['dpdns.org', 'qzz.io'])).toBe(false)
+    expect(isEmailInDenylist('user@example.com', ['dpdns.org'])).toBe(false)
+  })
+
+  it('handles multiple denylist entries', () => {
+    const denylist = ['dpdns.org', 'qzz.io', 'cc.cd']
+    expect(isEmailInDenylist('user@foo.dpdns.org', denylist)).toBe(true)
+    expect(isEmailInDenylist('user@bar.qzz.io', denylist)).toBe(true)
+    expect(isEmailInDenylist('user@baz.cc.cd', denylist)).toBe(true)
+    expect(isEmailInDenylist('user@example.com', denylist)).toBe(false)
+  })
+})
diff --git a/apps/sim/lib/auth/auth.ts b/apps/sim/lib/auth/auth.ts
@@ -143,16 +143,27 @@ function getMicrosoftUserInfoFromIdToken(tokens: { accessToken?: string }, provi
 }
 
 const blockedSignupDomains = env.BLOCKED_SIGNUP_DOMAINS
-  ? env.BLOCKED_SIGNUP_DOMAINS.split(',')
-      .map((d) => d.trim().toLowerCase())
-      .filter(Boolean)
+  ? Array.from(
+      new Set(
+        env.BLOCKED_SIGNUP_DOMAINS.split(',')
+          .map((d) => d.trim().toLowerCase())
+          .filter(Boolean)
+      )
+    )
   : null
 
-function isSignupEmailBlocked(email: string | undefined | null): boolean {
-  if (!blockedSignupDomains || !email) return false
+export function isEmailInDenylist(
+  email: string | undefined | null,
+  denylist: readonly string[] | null
+): boolean {
+  if (!denylist || denylist.length === 0 || !email) return false
   const domain = email.split('@')[1]?.toLowerCase()
   if (!domain) return false
-  return blockedSignupDomains.some((entry) => domain === entry || domain.endsWith(`.${entry}`))
+  return denylist.some((entry) => domain === entry || domain.endsWith(`.${entry}`))
+}
+
+function isSignupEmailBlocked(email: string | undefined | null): boolean {
+  return isEmailInDenylist(email, blockedSignupDomains)
 }
 
 const additionalTrustedOrigins = parseOriginList(env.TRUSTED_ORIGINS, (value) =>
