feat(auth): support banning specific emails via appconfig blockedEmails list

Author: TheodoreSpeaks

apps/sim/lib/auth/access-control.test.ts

@@ -10,6 +10,7 @@ const { mockFetch, envRef, flagRef } = vi.hoisted(() => ({
     APPCONFIG_APPLICATION: 'sim-staging' as string | undefined,
     APPCONFIG_ENVIRONMENT: 'staging' as string | undefined,
     BLOCKED_SIGNUP_DOMAINS: undefined as string | undefined,
+    BLOCKED_EMAILS: undefined as string | undefined,
     ALLOWED_LOGIN_EMAILS: undefined as string | undefined,
     ALLOWED_LOGIN_DOMAINS: undefined as string | undefined,
     BLOCKED_EMAIL_MX_HOSTS: undefined as string | undefined,
@@ -33,10 +34,15 @@ vi.mock('@/lib/core/config/feature-flags', () => ({
   },
 }))
 
-import { getAccessControlConfig, isEmailInDenylist } from '@/lib/auth/access-control'
+import {
+  getAccessControlConfig,
+  isEmailBlockedByAccessControl,
+  isEmailInDenylist,
+} from '@/lib/auth/access-control'
 
 const empty: AccessControlConfig = {
   blockedSignupDomains: [],
+  blockedEmails: [],
   allowedLoginEmails: [],
   allowedLoginDomains: [],
   blockedEmailMxHosts: [],
@@ -48,6 +54,7 @@ describe('getAccessControlConfig', () => {
     flagRef.isAppConfigEnabled = false
     Object.assign(envRef, {
       BLOCKED_SIGNUP_DOMAINS: undefined,
+      BLOCKED_EMAILS: undefined,
       ALLOWED_LOGIN_EMAILS: undefined,
       ALLOWED_LOGIN_DOMAINS: undefined,
       BLOCKED_EMAIL_MX_HOSTS: undefined,
@@ -62,9 +69,11 @@ describe('getAccessControlConfig', () => {
 
     it('parses, trims, lowercases, and dedupes csv env vars', async () => {
       envRef.BLOCKED_SIGNUP_DOMAINS = 'Gmail.com, yahoo.com ,gmail.com,'
+      envRef.BLOCKED_EMAILS = 'Spam@Evil.com, spam@evil.com'
       envRef.ALLOWED_LOGIN_DOMAINS = 'Sim.ai'
       const result = await getAccessControlConfig()
       expect(result.blockedSignupDomains).toEqual(['gmail.com', 'yahoo.com'])
+      expect(result.blockedEmails).toEqual(['spam@evil.com'])
       expect(result.allowedLoginDomains).toEqual(['sim.ai'])
       expect(mockFetch).not.toHaveBeenCalled()
     })
@@ -146,3 +155,29 @@ describe('isEmailInDenylist', () => {
     expect(isEmailInDenylist('user@example.com', denylist)).toBe(false)
   })
 })
+
+describe('isEmailBlockedByAccessControl', () => {
+  const config: AccessControlConfig = {
+    ...empty,
+    blockedSignupDomains: ['bad.com'],
+    blockedEmails: ['spam@evil.com'],
+  }
+
+  it('matches individually blocked emails case-insensitively', () => {
+    expect(isEmailBlockedByAccessControl('spam@evil.com', config)).toBe(true)
+    expect(isEmailBlockedByAccessControl(' Spam@Evil.com ', config)).toBe(true)
+    expect(isEmailBlockedByAccessControl('other@evil.com', config)).toBe(false)
+  })
+
+  it('matches blocked domains and subdomains', () => {
+    expect(isEmailBlockedByAccessControl('a@bad.com', config)).toBe(true)
+    expect(isEmailBlockedByAccessControl('a@mail.bad.com', config)).toBe(true)
+    expect(isEmailBlockedByAccessControl('a@good.com', config)).toBe(false)
+  })
+
+  it('returns false for missing emails and empty config', () => {
+    expect(isEmailBlockedByAccessControl(null, config)).toBe(false)
+    expect(isEmailBlockedByAccessControl(undefined, config)).toBe(false)
+    expect(isEmailBlockedByAccessControl('a@bad.com', empty)).toBe(false)
+  })
+})

apps/sim/lib/auth/access-control.ts

@@ -16,6 +16,7 @@ const ACCESS_CONTROL_PROFILE = 'access-control'
  */
 export interface AccessControlConfig {
   blockedSignupDomains: string[]
+  blockedEmails: string[]
   allowedLoginEmails: string[]
   allowedLoginDomains: string[]
   blockedEmailMxHosts: string[]
@@ -35,6 +36,21 @@ export function isEmailInDenylist(
   return denylist.some((entry) => domain === entry || domain.endsWith(`.${entry}`))
 }
 
+/**
+ * True when the email is individually banned (`blockedEmails`) or its domain
+ * is in the blocked-domains list. The single predicate for "this email must
+ * not sign up, sign in, or execute anything".
+ */
+export function isEmailBlockedByAccessControl(
+  email: string | undefined | null,
+  config: AccessControlConfig
+): boolean {
+  if (!email) return false
+  const normalized = email.trim().toLowerCase()
+  if (config.blockedEmails.includes(normalized)) return true
+  return isEmailInDenylist(normalized, config.blockedSignupDomains)
+}
+
 function normalizeList(values: unknown): string[] {
   if (!Array.isArray(values)) return []
   return Array.from(new Set(values.map((v) => String(v).trim().toLowerCase()).filter(Boolean)))
@@ -51,6 +67,7 @@ function parseCsv(value: string | undefined): string[] {
 function fromEnv(): AccessControlConfig {
   return {
     blockedSignupDomains: parseCsv(env.BLOCKED_SIGNUP_DOMAINS),
+    blockedEmails: parseCsv(env.BLOCKED_EMAILS),
     allowedLoginEmails: parseCsv(env.ALLOWED_LOGIN_EMAILS),
     allowedLoginDomains: parseCsv(env.ALLOWED_LOGIN_DOMAINS),
     blockedEmailMxHosts: parseCsv(env.BLOCKED_EMAIL_MX_HOSTS),
@@ -61,6 +78,7 @@ function parseConfig(json: unknown): AccessControlConfig {
   const obj = (json && typeof json === 'object' ? json : {}) as Record<string, unknown>
   return {
     blockedSignupDomains: normalizeList(obj.blockedSignupDomains),
+    blockedEmails: normalizeList(obj.blockedEmails),
     allowedLoginEmails: normalizeList(obj.allowedLoginEmails),
     allowedLoginDomains: normalizeList(obj.allowedLoginDomains),
     blockedEmailMxHosts: normalizeList(obj.blockedEmailMxHosts),

apps/sim/lib/auth/auth.ts

@@ -30,7 +30,7 @@ import {
   renderPasswordResetEmail,
   renderWelcomeEmail,
 } from '@/components/emails'
-import { getAccessControlConfig, isEmailInDenylist } from '@/lib/auth/access-control'
+import { getAccessControlConfig, isEmailBlockedByAccessControl } from '@/lib/auth/access-control'
 import { sendPlanWelcomeEmail } from '@/lib/billing'
 import { authorizeSubscriptionReference } from '@/lib/billing/authorization'
 import {
@@ -224,8 +224,8 @@ export const auth = betterAuth({
       create: {
         before: async (user) => {
           const accessControl = await getAccessControlConfig()
-          if (isEmailInDenylist(user.email, accessControl.blockedSignupDomains)) {
-            throw new Error('Sign-ups from this email domain are not allowed.')
+          if (isEmailBlockedByAccessControl(user.email, accessControl)) {
+            throw new Error('Sign-ups from this email are not allowed.')
           }
           return { data: user }
         },
@@ -582,18 +582,21 @@ export const auth = betterAuth({
     session: {
       create: {
         before: async (session) => {
-          // Blocked-domain accounts must not establish sessions, regardless of
+          // Blocked emails/domains must not establish sessions, regardless of
           // provider (email/password, OAuth, SSO). Deliberately outside the
           // try below — a thrown APIError must propagate, not be swallowed.
           const accessControl = await getAccessControlConfig()
-          if (accessControl.blockedSignupDomains.length > 0) {
+          if (
+            accessControl.blockedSignupDomains.length > 0 ||
+            accessControl.blockedEmails.length > 0
+          ) {
             const [sessionUser] = await db
               .select({ email: schema.user.email })
               .from(schema.user)
               .where(eq(schema.user.id, session.userId))
               .limit(1)
-            if (isEmailInDenylist(sessionUser?.email, accessControl.blockedSignupDomains)) {
-              logger.warn('Blocking session creation for blocked-domain account', {
+            if (isEmailBlockedByAccessControl(sessionUser?.email, accessControl)) {
+              logger.warn('Blocking session creation for blocked account', {
                 userId: session.userId,
               })
               throw new APIError('FORBIDDEN', {
@@ -836,12 +839,12 @@ export const auth = betterAuth({
           }
         }
 
-        // Blocked domains gate both signup and sign-in. OAuth/SSO sign-ins have
-        // no email in the body here; the session.create.before hook covers them.
-        if (isEmailInDenylist(requestEmail, accessControl.blockedSignupDomains)) {
+        // Blocked emails/domains gate both signup and sign-in. OAuth/SSO sign-ins
+        // have no email in the body here; the session.create.before hook covers them.
+        if (isEmailBlockedByAccessControl(requestEmail, accessControl)) {
           throw new APIError('FORBIDDEN', {
             message: isSignUp
-              ? 'Sign-ups from this email domain are not allowed.'
+              ? 'Sign-ups from this email are not allowed.'
               : 'Access restricted. Please contact your administrator.',
           })
         }

apps/sim/lib/auth/ban.test.ts

@@ -5,7 +5,10 @@ import { beforeEach, describe, expect, it, vi } from 'vitest'
 
 const { mockWhere, envRef } = vi.hoisted(() => ({
   mockWhere: vi.fn(),
-  envRef: { BLOCKED_SIGNUP_DOMAINS: undefined as string | undefined },
+  envRef: {
+    BLOCKED_SIGNUP_DOMAINS: undefined as string | undefined,
+    BLOCKED_EMAILS: undefined as string | undefined,
+  },
 }))
 
 vi.mock('@sim/db', () => ({
@@ -46,6 +49,7 @@ describe('isEmailBlocked', () => {
   beforeEach(() => {
     vi.clearAllMocks()
     envRef.BLOCKED_SIGNUP_DOMAINS = 'bad.com'
+    envRef.BLOCKED_EMAILS = 'spam@evil.com'
     mockWhere.mockResolvedValue([])
   })
 
@@ -55,6 +59,11 @@ describe('isEmailBlocked', () => {
     expect(mockWhere).not.toHaveBeenCalled()
   })
 
+  it('returns true for individually blocked emails without querying users', async () => {
+    expect(await isEmailBlocked('spam@evil.com')).toBe(true)
+    expect(mockWhere).not.toHaveBeenCalled()
+  })
+
   it('returns true when the email belongs to an actively banned account', async () => {
     mockWhere.mockResolvedValue([{ banned: true, banExpires: null }])
     expect(await isEmailBlocked('a@good.com')).toBe(true)
@@ -71,6 +80,7 @@ describe('getActivelyBannedUserIds', () => {
   beforeEach(() => {
     vi.clearAllMocks()
     envRef.BLOCKED_SIGNUP_DOMAINS = undefined
+    envRef.BLOCKED_EMAILS = undefined
     mockWhere.mockResolvedValue([])
   })
 
@@ -95,6 +105,15 @@ describe('getActivelyBannedUserIds', () => {
     expect(await getActivelyBannedUserIds(['u1'])).toEqual([])
   })
 
+  it('returns ids whose email is individually blocked', async () => {
+    envRef.BLOCKED_EMAILS = 'spam@evil.com'
+    mockWhere.mockResolvedValue([
+      { id: 'u1', email: 'spam@evil.com', banned: false, banExpires: null },
+      { id: 'u2', email: 'ok@evil.com', banned: false, banExpires: null },
+    ])
+    expect(await getActivelyBannedUserIds(['u1', 'u2'])).toEqual(['u1'])
+  })
+
   it('returns ids whose email domain is in the blocked-domains list, including subdomains', async () => {
     envRef.BLOCKED_SIGNUP_DOMAINS = 'bad.com'
     mockWhere.mockResolvedValue([

apps/sim/lib/auth/ban.ts

@@ -1,6 +1,6 @@
 import { db, user } from '@sim/db'
 import { inArray, sql } from 'drizzle-orm'
-import { getAccessControlConfig, isEmailInDenylist } from '@/lib/auth/access-control'
+import { getAccessControlConfig, isEmailBlockedByAccessControl } from '@/lib/auth/access-control'
 
 /**
  * True when a ban is currently in effect. Mirrors better-auth admin-plugin
@@ -13,14 +13,15 @@ export function isBanActive(row: { banned: boolean | null; banExpires: Date | nu
 }
 
 /**
- * True when a raw email (e.g. an inbound sender) is blocked: its domain is in
- * the appconfig blocked-domains list, or it belongs to an account with an
- * active ban. Covers senders that don't resolve to a known user id.
+ * True when a raw email (e.g. an inbound sender) is blocked: it is in the
+ * appconfig blocked-emails list, its domain is in the blocked-domains list,
+ * or it belongs to an account with an active ban. Covers senders that don't
+ * resolve to a known user id.
  */
 export async function isEmailBlocked(email: string | null | undefined): Promise<boolean> {
   if (!email) return false
   const accessControl = await getAccessControlConfig()
-  if (isEmailInDenylist(email, accessControl.blockedSignupDomains)) return true
+  if (isEmailBlockedByAccessControl(email, accessControl)) return true
   const rows = await db
     .select({ banned: user.banned, banExpires: user.banExpires })
     .from(user)
@@ -30,8 +31,8 @@ export async function isEmailBlocked(email: string | null | undefined): Promise<
 
 /**
  * Returns the subset of the given user ids that are currently blocked: an
- * active account ban, or an email domain in the appconfig blocked-domains
- * list. One user query plus the cached access-control fetch. Throws on db
+ * active account ban, or an email/domain in the appconfig blocked lists.
+ * One user query plus the cached access-control fetch. Throws on db
  * failure — callers must fail closed.
  */
 export async function getActivelyBannedUserIds(userIds: string[]): Promise<string[]> {
@@ -47,8 +48,6 @@ export async function getActivelyBannedUserIds(userIds: string[]): Promise<strin
   ])
 
   return rows
-    .filter(
-      (row) => isBanActive(row) || isEmailInDenylist(row.email, accessControl.blockedSignupDomains)
-    )
+    .filter((row) => isBanActive(row) || isEmailBlockedByAccessControl(row.email, accessControl))
     .map((row) => row.id)
 }

apps/sim/lib/core/config/env.ts

@@ -27,6 +27,7 @@ export const env = createEnv({
     ALLOWED_LOGIN_EMAILS:                  z.string().optional(),                  // Comma-separated list of allowed email addresses for login
     ALLOWED_LOGIN_DOMAINS:                 z.string().optional(),                  // Comma-separated list of allowed email domains for login
     BLOCKED_SIGNUP_DOMAINS:                z.string().optional(),                  // Comma-separated list of email domains blocked from signing up (e.g., "gmail.com,yahoo.com")
+    BLOCKED_EMAILS:                        z.string().optional(),                  // Comma-separated list of specific email addresses banned from the platform (signup, sign-in, executions)
     SIGNUP_MX_VALIDATION_ENABLED:          z.boolean().optional(),                 // Opt-in: validate the email's MX backend at signup (blocks no-MX domains and denylisted shared spam backends). Off by default; enable on hosted/abuse-targeted deployments.
     BLOCKED_EMAIL_MX_HOSTS:                z.string().optional(),                  // Comma-separated MX-host substrings blocked from signing up; matched against the domain's resolved MX backend to catch throwaway domains that share a mail backend. No defaults — operators supply their own list. Only used when SIGNUP_MX_VALIDATION_ENABLED is set.
     TRUSTED_ORIGINS:                       z.string().optional(),                  // Comma-separated additional origins to trust for auth (e.g., "https://app.example.com,https://www.example.com"). Merged into Better Auth trustedOrigins.