Skip to content

feat: block registration/sign-in from .shop/.top TLDs#750

Merged
jrf0110 merged 6 commits intomainfrom
block-bad-domains
Mar 3, 2026
Merged

feat: block registration/sign-in from .shop/.top TLDs#750
jrf0110 merged 6 commits intomainfrom
block-bad-domains

Conversation

@jrf0110
Copy link
Contributor

@jrf0110 jrf0110 commented Mar 2, 2026
edited
Loading

Summary

  • Adds TLD-based email blocking via a new BLACKLIST_TLDS env var (pipe-delimited, e.g. shop|top), matching the existing BLACKLIST_DOMAINS pattern
  • Enforced at the NextAuth signIn callback, magic-link API route, and validateUserAuthorization for existing sessions
  • Includes 8 unit tests covering blocked/allowed TLDs, subdomains, case insensitivity, and edge cases

Deployment

Set the BLACKLIST_TLDS environment variable in production:

BLACKLIST_TLDS="foo|bar"

kilo-code-bot[bot]
kilo-code-bot bot reviewed Mar 2, 2026
View reviewed changes
@kilo-code-bot
Copy link
Contributor

kilo-code-bot bot commented Mar 2, 2026
edited
Loading

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Overview

This PR adds TLD-based blocking for new user signups across both the magic-link and OAuth (Google) authentication flows. The implementation is clean and consistent:

  • isBlockedTLD uses String.endsWith() with dot-prefixed TLDs (e.g. .shop), which correctly matches only the TLD portion of email addresses without false positives on subdomains or local parts.
  • Config parsing in config.server.ts properly handles edge cases: empty env var → empty array, with trim(), toLowerCase(), and filter(Boolean) applied.
  • Blocking is consistently applied in both magic-link (route.ts) and OAuth (user.server.ts) flows, only for new users (existing users can still sign in).
  • Test coverage is thorough — covers case insensitivity, subdomains, non-TLD occurrences of blocked strings, empty blocklist, and multi-part TLDs like .co.uk.

Previous review comments have been addressed or dismissed by the repo owner.

Files Reviewed (4 files)
  • src/app/api/auth/magic-link/route.ts - TLD blocking for magic-link signups
  • src/lib/config.server.ts - BLACKLIST_TLDS env var parsing
  • src/lib/user.server.ts - isBlockedTLD function + OAuth flow integration
  • src/lib/user.server.test.ts - Comprehensive tests for isBlockedTLD

kilo-code-bot[bot]
kilo-code-bot bot reviewed Mar 2, 2026
View reviewed changes
jrf0110
jrf0110 commented Mar 3, 2026
View reviewed changes
jrf0110 added 5 commits March 3, 2026 10:34
@jrf0110
feat: block registration and sign-in from configurable TLDs via BLACK…
bda954a 
…LIST_TLDS env var

Add TLD-based email blocking alongside the existing BLACKLIST_DOMAINS mechanism.
The BLACKLIST_TLDS env var uses the same pipe-delimited format (e.g. "shop|top")
and is enforced at the signIn callback, magic-link route, and user authorization.
@jrf0110
fix: only block new signups from blocked TLDs, not existing users
6496b8d 
Move TLD check after the existing-user lookup so returning users with
blocked TLDs can still sign in. Remove TLD check from
validateUserAuthorization to avoid locking out existing sessions.
@jrf0110
style: add blank line between TLD check and existing user block
c20270d
@jrf0110
refactor: simplify isBlockedTLD to use endsWith with dot-prefixed TLDs
4fb0b74 
Expect BLACKLIST_TLDS entries to include the leading dot (e.g. ".shop|.top|.co.uk").
This naturally supports multi-part TLDs without special parsing logic.
@jrf0110
refactor: move BLACKLIST_TLDS env var read to config.server.ts
2232e26
@jrf0110 jrf0110 force-pushed the block-bad-domains branch from e4a6db8 to 2232e26 Compare March 3, 2026 16:34
jrf0110
jrf0110 commented Mar 3, 2026
View reviewed changes
kilo-code-bot[bot]
kilo-code-bot bot reviewed Mar 3, 2026
View reviewed changes
markijbema
markijbema reviewed Mar 3, 2026
View reviewed changes
src/lib/config.server.ts
'SECURITY_CLEANUP_BETTERSTACK_HEARTBEAT_URL'
);

// Pipe-delimited list of TLDs to block from new signups, each with a leading dot (e.g. ".shop|.top|.co.uk")
Copy link
Contributor

@markijbema markijbema Mar 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we're banning the UK?

Copy link
Contributor Author

@jrf0110 jrf0110 Mar 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, someone needs to put a stop to their questionable cuisine

Copy link
Contributor Author

@jrf0110 jrf0110 Mar 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In all seriousness, we are not blocking .co.uk but it was just an example the agent put in there

@jrf0110 jrf0110 merged commit 98d6639 into main Mar 3, 2026
12 checks passed
@jrf0110 jrf0110 deleted the block-bad-domains branch March 3, 2026 17:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kilo-code-bot kilo-code-bot[bot] kilo-code-bot[bot] left review comments

@markijbema markijbema markijbema approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jrf0110 @markijbema