improvement(auth): layer disposable-email-domains into signup email validation

Compose the disposable-email-domains list (exact + wildcard) into better-auth-harmony's validator alongside its bundled Mailchecker list, so signup rejects an email if either flags it. Server-only module to keep the dataset out of the client bundle.

Author: TheodoreSpeaks

apps/sim/lib/auth/auth.ts

@@ -21,6 +21,7 @@ import {
   organization,
 } from 'better-auth/plugins'
 import { emailHarmony } from 'better-auth-harmony'
+import { validateEmail as validateEmailWithMailchecker } from 'better-auth-harmony/email'
 import { and, count, eq, inArray, sql } from 'drizzle-orm'
 import { headers } from 'next/headers'
 import Stripe from 'stripe'
@@ -78,6 +79,7 @@ import {
 import { PlatformEvents } from '@/lib/core/telemetry'
 import { getBaseUrl, isLocalhostUrl, parseOriginList } from '@/lib/core/utils/urls'
 import { processCredentialDraft } from '@/lib/credentials/draft-processor'
+import { isDisposableEmailDomain } from '@/lib/messaging/email/disposable-domains.server'
 import { sendEmail } from '@/lib/messaging/email/mailer'
 import { getFromEmailAddress, getPersonalEmailFrom } from '@/lib/messaging/email/utils'
 import { quickValidateEmail } from '@/lib/messaging/email/validation'
@@ -930,7 +932,14 @@ export const auth = betterAuth({
     }),
   },
   plugins: [
-    ...(isSignupEmailValidationEnabled ? [emailHarmony()] : []),
+    ...(isSignupEmailValidationEnabled
+      ? [
+          emailHarmony({
+            validator: (email) =>
+              validateEmailWithMailchecker(email) && !isDisposableEmailDomain(email),
+          }),
+        ]
+      : []),
     ...(env.TURNSTILE_SECRET_KEY
       ? [
           captcha({

apps/sim/lib/messaging/email/disposable-domains.d.ts

@@ -0,0 +1,10 @@
+/** Ambient types for `disposable-email-domains` — ships JSON arrays with no bundled types. */
+declare module 'disposable-email-domains' {
+  const domains: string[]
+  export default domains
+}
+
+declare module 'disposable-email-domains/wildcard.json' {
+  const baseDomains: string[]
+  export default baseDomains
+}

apps/sim/lib/messaging/email/disposable-domains.server.test.ts

@@ -0,0 +1,31 @@
+/**
+ * @vitest-environment node
+ */
+import { describe, expect, it } from 'vitest'
+import { isDisposableEmailDomain } from '@/lib/messaging/email/disposable-domains.server'
+
+describe('isDisposableEmailDomain', () => {
+  it('flags a known disposable domain', () => {
+    expect(isDisposableEmailDomain('someone@mailinator.com')).toBe(true)
+  })
+
+  it('flags a subdomain of a wildcard base domain', () => {
+    expect(isDisposableEmailDomain('someone@inbox.10mail.org')).toBe(true)
+  })
+
+  it('is case-insensitive on the domain', () => {
+    expect(isDisposableEmailDomain('Someone@MailInator.com')).toBe(true)
+  })
+
+  it('allows a normal provider domain', () => {
+    expect(isDisposableEmailDomain('someone@gmail.com')).toBe(false)
+  })
+
+  it('allows a custom catch-all domain that is not on the list', () => {
+    expect(isDisposableEmailDomain('sim6dc088f506@lordfortescue.org.uk')).toBe(false)
+  })
+
+  it('returns false for malformed input with no domain', () => {
+    expect(isDisposableEmailDomain('not-an-email')).toBe(false)
+  })
+})

apps/sim/lib/messaging/email/disposable-domains.server.ts

@@ -0,0 +1,19 @@
+import disposableDomains from 'disposable-email-domains'
+import wildcardBaseDomains from 'disposable-email-domains/wildcard.json'
+
+const exactDomains = new Set(disposableDomains)
+
+/**
+ * Server-only disposable-email-domain check backed by the `disposable-email-domains`
+ * package (~120K exact domains plus wildcard base domains). Layered alongside
+ * better-auth-harmony's bundled Mailchecker list at the signup gate.
+ *
+ * Never import from client code — the dataset would bloat the browser bundle.
+ * Matches exact domains and any subdomain of a wildcard base domain.
+ */
+export function isDisposableEmailDomain(email: string): boolean {
+  const domain = email.split('@')[1]?.toLowerCase()
+  if (!domain) return false
+  if (exactDomains.has(domain)) return true
+  return wildcardBaseDomains.some((base) => domain === base || domain.endsWith(`.${base}`))
+}

apps/sim/package.json

@@ -126,6 +126,7 @@
     "csv-parse": "6.1.0",
     "date-fns": "4.1.0",
     "decimal.js": "10.6.0",
+    "disposable-email-domains": "1.0.62",
     "docx": "^9.6.1",
     "docx-preview": "^0.3.7",
     "drizzle-orm": "^0.45.2",