Open
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
There was a problem hiding this comment.
Pull request overview
Adds an operator-managed email regex blocklist feature (DB + shared model + admin API/UI) and enforces it during account registration to block disposable/spam domains without a deploy.
Changes:
- Introduces
emailBlocklistDB table via patch level 188 → 189 (plus rollback patch). - Adds
EmailBlocklistshared model and wires it intofxa-auth-serverregistration to reject matching emails and emit logs/metrics. - Adds admin-server REST endpoints and an admin-panel page (bulk add, file upload, per-row delete, delete-all) gated by a new
AdminPanelFeature.
Reviewed changes
Copilot reviewed 14 out of 15 changed files in this pull request and generated 8 comments.
Show a summary per file
| File | Description |
|---|---|
| packages/fxa-shared/db/models/auth/index.ts | Exposes the new EmailBlocklist model via shared auth models export. |
| packages/fxa-shared/db/models/auth/email-blocklist.ts | Implements CRUD and “find first matching regex” logic over the new table. |
| packages/fxa-auth-server/lib/routes/account.ts | Enforces blocklist during accountCreate, logs match details, increments statsd counter. |
| packages/fxa-admin-server/src/types.ts | Adds EmailBlocklistEntry API type. |
| packages/fxa-admin-server/src/rest/rest.module.ts | Registers the new EmailBlocklist controller. |
| packages/fxa-admin-server/src/rest/email-blocklist/email-blocklist.controller.ts | Adds list/add/delete/delete-all endpoints with feature gating and auditing. |
| packages/fxa-admin-panel/src/lib/api.ts | Adds admin API client methods for the blocklist endpoints. |
| packages/fxa-admin-panel/src/images/icon-email-blocklist.svg | Adds nav icon for the new page. |
| packages/fxa-admin-panel/src/components/PageEmailBlocklist/index.tsx | New UI page to manage patterns (bulk add + upload + delete). |
| packages/fxa-admin-panel/src/components/Nav/index.tsx | Adds nav entry for the Email Blocklist page behind feature guard. |
| packages/fxa-admin-panel/src/App.tsx | Adds routing for /email-blocklist behind feature guard. |
| packages/db-migrations/databases/fxa/target-patch.json | Bumps schema patch target to 189. |
| packages/db-migrations/databases/fxa/patches/patch-188-189.sql | Creates emailBlocklist table and updates patch level to 189. |
| packages/db-migrations/databases/fxa/patches/patch-189-188.sql | Rollback: drops table and reverts patch level to 188. |
| libs/shared/guards/src/lib/admin-panel-guard.ts | Adds AdminPanelFeature.EmailBlocklist and default permission metadata. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
toufali
force-pushed
the
admin-email-blocklist
branch
from
402f5e6 to
fec34d2
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 15 out of 16 changed files in this pull request and generated 6 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
toufali
force-pushed
the
admin-email-blocklist
branch
2 times, most recently
from
17c33d8 to
c8be583
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 15 out of 16 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
toufali
force-pushed
the
admin-email-blocklist
branch
from
c8be583 to
1d6bb7b
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Because
This pull request
emailBlocklistMySQL table (patch 188→189) storing regex patterns with a unique constraintEmailBlocklistshared model with methods for CRUD and registration-time matchingEmailBlocklistadmin panel feature with textarea bulk-add, CSV/TXT file upload, per-row delete and delete-allfxa-auth-serverwhen the email matches any blocklist pattern; logs the matched domain + regex and increments a statsd counter (account.create.blocked)Issue that this pull request solves
Closes: FXA-13431
Checklist
Put an
xin the boxes that applyHow to review (Optional)
email-blocklist.ts(model),email-blocklist.controller.ts(API),PageEmailBlocklist/index.tsx(UI),account.ts(enforcement)http://localhost:8091/email-blocklist, add a pattern like@evildoge\.example\.com$, then attempt to registertest@evildoge.example.com— should fail.Other information (Optional)
nx build fxa-shared && pm2 restart admin-servermay be required after pulling