Block signups from .shop, .top, and .xyz email TLDs

[kilo-code-bot]

Summary

• Blocks new account signups from .shop, .top, and .xyz email TLDs to prevent free-credit pooling abuse
• Existing users with these TLDs can still sign in — only new registrations are blocked
• Adds a single BLOCKED_SIGNUP_TLDS constant array in src/lib/schemas/email.ts for easy extension

Changes

Validation layers

Layer	File	Scope
Email schema	src/lib/schemas/email.ts	hasBlockedTLD() utility + integrated into validateMagicLinkSignupEmail() and magicLinkSignupEmailSchema
NextAuth signIn callback	src/lib/user.server.ts	Blocks new signups via all OAuth providers (Google, GitHub, GitLab, LinkedIn)
Magic link API	src/app/api/auth/magic-link/route.ts	Already calls validateMagicLinkSignupEmail() for new users — picks up TLD check automatically
Client-side hook	src/hooks/useSignInFlow.ts	Instant validation feedback on signup pages + blocks provider selection for new users with blocked TLDs
Error UI	src/components/auth/AuthErrorNotification.tsx	User-friendly "Signups from this email domain are not currently supported." message
Error type	src/lib/auth/constants.ts	Added BLOCKED-TLD to AuthErrorType

Tests

• src/lib/schemas/email.test.ts: 25 new test cases for hasBlockedTLD, validateMagicLinkSignupEmail, and magicLinkSignupEmailSchema
• src/app/api/auth/magic-link/route.test.ts: 4 new test cases covering blocked TLD rejection for new users and allow-through for existing users

How to extend

To block additional TLDs, add them to the BLOCKED_SIGNUP_TLDS array in src/lib/schemas/email.ts:

export const BLOCKED_SIGNUP_TLDS = ['.shop', '.top', '.xyz', '.newone'] as const;

All validation layers pick up the change automatically.

---

Built for John Fawcett by Kilo for Slack

[kilo-code-bot]

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Well-structured PR with proper defense-in-depth enforcement of TLD blocking across multiple layers:

• Client-side validation (emailValidation memo) blocks on signup pages immediately
• Client-side flow (lookupEmailProviderAndContinue) blocks new users with blocked TLDs after server lookup
• Server-side magic link (validateMagicLinkSignupEmail in route handler) enforces for magic link signups
• Server-side OAuth (user.server.ts) enforces for all OAuth provider signups
• UI (AuthErrorNotification) displays a clear error for BLOCKED-TLD

Existing users with blocked TLDs are correctly allowed to sign in at every layer. The hasBlockedTLD function is well-tested including case-insensitivity and substring false-positive prevention. Tests cover all three blocked TLDs and the existing-user pass-through case.

Files Reviewed (7 files)

• src/lib/schemas/email.ts - Core hasBlockedTLD function, BLOCKED_SIGNUP_TLDS constant, integration into validateMagicLinkSignupEmail and magicLinkSignupEmailSchema
• src/lib/schemas/email.test.ts - Comprehensive tests for hasBlockedTLD, validateMagicLinkSignupEmail, and magicLinkSignupEmailSchema
• src/hooks/useSignInFlow.ts - Client-side enforcement in emailValidation memo and lookupEmailProviderAndContinue
• src/lib/user.server.ts - Server-side OAuth signup blocking with Sentry logging
• src/app/api/auth/magic-link/route.ts - No changes needed; already calls validateMagicLinkSignupEmail which now includes TLD check
• src/app/api/auth/magic-link/route.test.ts - Tests for blocked TLD rejection and existing-user pass-through
• src/lib/auth/constants.ts - BLOCKED-TLD added to AuthErrorType
• src/components/auth/AuthErrorNotification.tsx - UI for BLOCKED-TLD error