fix(api): prevent users from signing up with habitica or habitrpg emails

fixes #7633 closes #7659
2025-12-16 06:07:21 +01:00 · 2016-09-12 20:40:46 -05:00
parent 0150b355cb
commit 78d5f8c4f5
3 changed files with 50 additions and 1 deletions
--- a/website/server/models/user/schema.js
+++ b/website/server/models/user/schema.js
@@ -10,6 +10,8 @@ import {

 const Schema = mongoose.Schema;

+const INVALID_DOMAINS = Object.freeze(['habitica.com', 'habitrpg.com']);
+
 // User schema definition
 let schema = new Schema({
  apiToken: {
@@ -25,7 +27,19 @@ let schema = new Schema({
    local: {
      email: {
        type: String,
-        validate: [validator.isEmail, shared.i18n.t('invalidEmail')],
+        validate: [{
+          validator: validator.isEmail,
+          message: shared.i18n.t('invalidEmail'),
+        }, {
+          validator (email) {
+            let lowercaseEmail = email.toLowerCase();
+
+            return INVALID_DOMAINS.every((domain) => {
+              return !lowercaseEmail.endsWith(`@${domain}`);
+            });
+          },
+          message: shared.i18n.t('invalidEmailDomain', { domains: INVALID_DOMAINS.join(', ')}),
+        }],
      },
      username: {
        type: String,