eliott/worldmonitor
1
0
Fork 0
mirror of https://github.com/koala73/worldmonitor.git synced 2026-04-25 17:14:57 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
9b94bbc625fdf4e158519903e1c9d6b9de10def3
worldmonitor/api/_email-validation.js
Elie Habib 20c65a4f4f feat(email): add deliverability guards to reduce waitlist bounces (#2819) 
* feat(email): add deliverability guards to reduce waitlist bounces

Analyzed 1,276 bounced waitlist emails and found typos (gamil.com),
disposable domains (passmail, guerrillamail), offensive submissions,
and non-existent domains account for the majority.

Four layers of protection:
- Frontend: mailcheck.js typo suggestions on email blur
- API: MX record check via Cloudflare DoH, disposable domain
  blocklist, offensive pattern filter, typo-TLD blocklist
- Webhook: api/resend-webhook.js captures bounce/complaint events,
  stores in Convex emailSuppressions table, checked before sending
- Tooling: import script for bulk-loading existing bounced emails

* fix(email): address review - auth, retry, CSV parsing

1. Security: Convert suppress/bulkSuppress/remove to internalMutation.
   Webhook now runs as Convex httpAction (matching Dodo pattern) with
   direct access to internal mutations. Bulk import uses relay shared
   secret. Only isEmailSuppressed remains public (read-only query).

2. Retry: Convex httpAction returns 500 on any mutation failure so
   Resend retries the webhook instead of silently losing bounce events.

3. CSV: Replace naive comma-split with RFC 4180 parser that handles
   quoted fields. Import script now calls Convex HTTP action
   authenticated via RELAY_SHARED_SECRET instead of public mutation.

* fix(email): make isEmailSuppressed internal, check inside mutation

Move suppression check into registerInterest:register mutation
(same transaction, no extra round-trip). Remove public query
entirely so no suppression data is exposed to browser clients.

* test(email): add coverage for validation, CSV parser, and suppressions

- 19 tests for validateEmail: disposable domains, offensive patterns,
  typo TLDs, MX fail-open, case insensitivity, privacy relay allowance
- 7 tests for parseCsvLine: RFC 4180 quoting, escaped quotes, empty
  fields, Resend CSV format with angle brackets and commas
- 11 Convex tests for emailSuppressions: suppress idempotency, case
  normalization, bulk dedup, remove, and registerInterest integration
  (emailSuppressed flag in mutation return)
2026-04-08 11:21:40 +04:00

74 lines
2.5 KiB
JavaScript
Raw Blame History

const DISPOSABLE_DOMAINS = new Set([
'guerrillamail.com', 'guerrillamail.de', 'guerrillamail.net', 'guerrillamail.org',
'guerrillamailblock.com', 'grr.la', 'sharklasers.com', 'spam4.me',
'tempmail.com', 'temp-mail.org', 'temp-mail.io',
'throwaway.email', 'throwaway.com',
'mailinator.com', 'mailnesia.com', 'maildrop.cc',
'yopmail.com', 'yopmail.fr', 'yopmail.net',
'trashmail.com', 'trashmail.me', 'trashmail.net',
'dispostable.com', 'discard.email',
'fakeinbox.com', 'fakemail.net',
'getnada.com', 'nada.email',
'tempinbox.com', 'tempr.email', 'tempmailaddress.com',
'emailondeck.com', '33mail.com',
'mohmal.com', 'mohmal.im', 'mohmal.in',
'harakirimail.com', 'crazymailing.com',
'inboxbear.com', 'mailcatch.com',
'mintemail.com', 'mt2015.com',
'spamgourmet.com', 'spamgourmet.net',
'mailexpire.com', 'mailforspam.com',
'safetymail.info', 'trashymail.com',
'mytemp.email', 'tempail.com',
'burnermail.io',
'passinbox.com', 'passmail.net', 'passmail.com',
'silomails.com', 'slmail.me',
'spam.me', 'spambox.us',
]);
const OFFENSIVE_RE = /(nigger|faggot|fuckfaggot)/i;
const TYPO_TLDS = new Set(['con', 'coma', 'comhade', 'gmai', 'gmial']);
async function hasMxRecords(domain) {
try {
const res = await fetch(
`https://cloudflare-dns.com/dns-query?name=${encodeURIComponent(domain)}&type=MX`,
{ headers: { Accept: 'application/dns-json' }, signal: AbortSignal.timeout(3000) }
);
if (!res.ok) return true;
const data = await res.json();
return Array.isArray(data.Answer) && data.Answer.length > 0;
} catch {
return true;
}
}
export async function validateEmail(email) {
const normalized = email.trim().toLowerCase();
const atIdx = normalized.indexOf('@');
if (atIdx < 1) return { valid: false, reason: 'Invalid email format' };
const domain = normalized.slice(atIdx + 1);
const localPart = normalized.slice(0, atIdx);
if (OFFENSIVE_RE.test(localPart) || OFFENSIVE_RE.test(domain)) {
return { valid: false, reason: 'Email address not accepted' };
}
if (DISPOSABLE_DOMAINS.has(domain)) {
return { valid: false, reason: 'Disposable email addresses are not allowed. Please use a permanent email.' };
}
const tld = domain.split('.').pop();
if (tld && TYPO_TLDS.has(tld)) {
return { valid: false, reason: 'This email domain looks like a typo. Please check the ending.' };
}
const mx = await hasMxRecords(domain);
if (!mx) {
return { valid: false, reason: 'This email domain does not accept mail. Please check for typos.' };
}
return { valid: true };
}
Reference in New Issue View Git Blame Copy Permalink