identity: prevent users with disposable emails from signing up

while this is not a perfect way to prevent abuse of service, we do want
to avoid getting spammed with fake accounts. Creating a valid email
account is significantly more cumbersome than using a disposable email
address.

Currently the list of blacklisted domains is extracted from
https://github.com/disposable/disposable
and it is refreshed after every 24 hours.
This commit is contained in:
Abdullah Atta
2023-03-02 17:43:10 +05:00
parent 5d5c179810
commit 20eec79cef
2 changed files with 40 additions and 2 deletions
@@ -54,7 +54,7 @@ namespace Streetwriters.Identity.Controllers
public async Task<IActionResult> Signup([FromForm] SignupForm form)
{
var client = Clients.FindClientById(form.ClientId);
if (client == null) return BadRequest("Invalid client_id.");
if (client == null) return BadRequest(new string[] { "Invalid client id." });
await AddClientRoleAsync(client.Id);
@@ -62,6 +62,8 @@ namespace Streetwriters.Identity.Controllers
form.Email = form.Email.ToLowerInvariant();
form.Username = form.Username?.ToLowerInvariant();
if (!await EmailAddressValidator.IsEmailAddressValidAsync(form.Email)) return BadRequest(new string[] { "Invalid email address." });
var result = await UserManager.CreateAsync(new User
{
Email = form.Email,
@@ -85,7 +87,7 @@ namespace Streetwriters.Identity.Controllers
}
else
{
return BadRequest(new string[] { "Email is invalid or already taken." });
return BadRequest(new string[] { "Invalid email address." });
}
return Ok(new