From f20c674a414dec98681b5910b5ef9af6ea76ca12 Mon Sep 17 00:00:00 2001
From: Steven Tey <stevensteel97@gmail.com>
Date: Sun, 22 Dec 2024 13:19:51 -0800
Subject: [PATCH] Update send-otp.ts

---
 apps/web/lib/actions/send-otp.ts | 32 ++++++++++++++++++++++++--------
 1 file changed, 24 insertions(+), 8 deletions(-)

diff --git a/apps/web/lib/actions/send-otp.ts b/apps/web/lib/actions/send-otp.ts
index be8162470e..92dc490019 100644
--- a/apps/web/lib/actions/send-otp.ts
+++ b/apps/web/lib/actions/send-otp.ts
@@ -2,6 +2,7 @@
 
 import { ratelimit, redis } from "@/lib/upstash";
 import { prisma } from "@dub/prisma";
+import { get } from "@vercel/edge-config";
 import { sendEmail } from "emails";
 import VerifyEmail from "emails/verify-email";
 import { flattenValidationErrors } from "next-safe-action";
@@ -33,22 +34,37 @@ export const sendOtpAction = actionClient
       throw new Error("Too many requests. Please try again later.");
     }
 
+    if (email.includes("+") && email.endsWith("@gmail.com")) {
+      throw new Error(
+        "Email addresses with + are not allowed. Please use your work email instead.",
+      );
+    }
+
     const domain = email.split("@")[1];
-    const isDisposable = await redis.sismember(
-      "disposableEmailDomains",
-      domain,
-    );
+
+    const [isDisposable, emailDomainTerms] = await Promise.all([
+      redis.sismember("disposableEmailDomains", domain),
+      get("emailDomainTerms"),
+    ]);
 
     if (isDisposable) {
       throw new Error(
-        "Disposable email addresses are not allowed. If you think this is a mistake, please contact us at support@dub.co",
+        "Invalid email address – please use your work email instead. If you think this is a mistake, please contact us at support@dub.co",
       );
     }
 
-    if (email.includes("+") && email.endsWith("@gmail.com")) {
-      throw new Error(
-        "Email addresses with + are not allowed. Please use your work email instead.",
+    if (emailDomainTerms && Array.isArray(emailDomainTerms)) {
+      const blacklistedEmailDomainTermsRegex = new RegExp(
+        emailDomainTerms
+          .map((term: string) => term.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")) // replace special characters with escape sequences
+          .join("|"),
       );
+
+      if (blacklistedEmailDomainTermsRegex.test(domain)) {
+        throw new Error(
+          "Invalid email address – please use your work email instead. If you think this is a mistake, please contact us at support@dub.co",
+        );
+      }
     }
 
     const code = generateOTP();