
improvement(auth): suffix-match BLOCKED_SIGNUP_DOMAINS to catch subdomain rotation#4773

Merged
waleedlatif1 merged 2 commits into staging from waleedlatif1/ban-fake-signups on May 28, 2026

Conversation

@waleedlatif1
Collaborator

@waleedlatif1 waleedlatif1 commented May 28, 2026

Summary

  • Switch BLOCKED_SIGNUP_DOMAINS matching from exact Set.has() to suffix-aware: an entry of dpdns.org now blocks dpdns.org and any *.dpdns.org.
  • Replaces inline domain extraction at both call sites (databaseHooks.user.create.before and the /sign-up request hook) with a single isSignupEmailBlocked() helper.

Type of Change

  • Improvement

Testing

Tested manually — isSignupEmailBlocked('a@dpdns.org'), isSignupEmailBlocked('a@xx.lucky04.dpdns.org'), and isSignupEmailBlocked('a@example.com') behave as expected against a denylist of [dpdns.org].

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

@vercel

vercel Bot commented May 28, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
docs Skipped Skipped May 28, 2026 8:23pm


@cursor

cursor Bot commented May 28, 2026

PR Summary

Medium Risk
Changes signup gate logic in auth hooks; behavior is broader (more signups blocked) but covered by tests and uses dot-boundary suffix rules to limit look-alike false positives.

Overview
Blocked signup domains now use suffix-aware matching instead of exact domain equality: a BLOCKED_SIGNUP_DOMAINS entry like dpdns.org blocks that zone and any *.dpdns.org host (e.g. xx.lucky04.dpdns.org), while avoiding false positives on look-alike names (e.g. xdpdns.org).

Parsing of BLOCKED_SIGNUP_DOMAINS drops empty segments after trim; the denylist is stored as a deduplicated array. Shared helpers isEmailInDenylist (exported) and isSignupEmailBlocked replace duplicated inline checks in the user-create hook and the /sign-up auth middleware. Vitest coverage was added in auth.test.ts.

Reviewed by Cursor Bugbot for commit 900f86e. Configure here.

@greptile-apps
Contributor

greptile-apps Bot commented May 28, 2026

Greptile Summary

This PR hardens the signup domain blocklist by switching from exact Set.has() matching to suffix-aware comparison, so that a single entry like dpdns.org now blocks both the apex domain and any arbitrary subdomain depth (e.g. xx.lucky04.dpdns.org).

  • auth.ts: blockedSignupDomains is now a deduplicated string[] (with empty-entry filtering); the new exported isEmailInDenylist(email, denylist) encapsulates the suffix-match logic, and the thin isSignupEmailBlocked wrapper is used at both the user.create.before database hook and the /sign-up request hook.
  • auth.test.ts: New Vitest suite exercises isEmailInDenylist across null/empty inputs, exact match, case-insensitivity, deep subdomain matching, look-alike domain rejection, and multi-entry denylists.

Confidence Score: 5/5

Safe to merge — the suffix-match logic is correct, both signup guard sites are updated, and the new test suite covers the full branch space including look-alike domain attacks.

The change is well-scoped: domain === entry || domain.endsWith(`.${entry}`) correctly prevents exact-match bypass via subdomains and prevents look-alike bypass (e.g. xdpdns.org does not end with .dpdns.org). The filter(Boolean) and new Set() wrapping preserve the dedup and empty-entry behaviour previously noted. Both call sites behave identically to the old code for the null-denylist path because isEmailInDenylist short-circuits on !denylist. The test suite covers all meaningful edge cases.

No files require special attention.

Important Files Changed

Filename | Overview
apps/sim/lib/auth/auth.ts | Replaces exact-match Set.has() with suffix-aware isEmailInDenylist helper; dedup and empty-entry filtering retained; both signup guard call sites cleanly refactored to use the new wrapper.
apps/sim/lib/auth/auth.test.ts | New test file covering null/empty inputs, exact match, case-insensitivity, arbitrary-depth subdomain match, look-alike rejection, and multi-entry denylists for isEmailInDenylist.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Signup request / user.create hook] --> B{ctx.path starts with /sign-up or user.create.before?}
    B -- yes --> C[isSignupEmailBlocked email]
    C --> D[isEmailInDenylist email, blockedSignupDomains]
    D --> E{denylist null or empty or email falsy?}
    E -- yes --> F[return false - allow]
    E -- no --> G[Extract domain via split at-sign index 1 .toLowerCase]
    G --> H{domain is falsy?}
    H -- yes --> F
    H -- no --> I{denylist.some: domain === entry OR domain.endsWith .entry}
    I -- match found --> J[return true - throw domain not allowed]
    I -- no match --> F
    B -- no --> K[Continue request]

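The dot-boundary suffix match and the denylist parsing that the reviews above describe, written out as an added example; this is not the project's auth.ts code, and parseBlockedSignupDomains, SAMPLE_DENYLIST and the sample env value are assumed names and constructed input:

```typescript
// Added example, not code from the project: suffix-aware signup denylist
// matching as described in the PR. parseBlockedSignupDomains is an assumed
// helper name for turning the BLOCKED_SIGNUP_DOMAINS env string into a list.

/** Parse a comma-separated env value into a lowercased, deduplicated list. */
function parseBlockedSignupDomains(raw: string | undefined): string[] {
  if (!raw) return [];
  const entries = raw
    .split(',')
    .map((s) => s.trim().toLowerCase())
    .filter(Boolean); // drop empty segments left by stray commas
  return Array.from(new Set(entries)); // dedupe while keeping a plain array
}

/**
 * True when the email's domain equals a denylist entry or sits at any depth
 * under it. The dot boundary ('.' + entry) is what rejects look-alikes such
 * as xdpdns.org for an entry of dpdns.org.
 */
function isEmailInDenylist(
  email: string | null | undefined,
  denylist: string[] | null | undefined,
): boolean {
  if (!denylist || denylist.length === 0 || !email) return false;
  const domain = email.split('@')[1]?.toLowerCase();
  if (!domain) return false; // no '@' or nothing after it: nothing to match
  return denylist.some((entry) => domain === entry || domain.endsWith(`.${entry}`));
}

// Constructed sample denylist, standing in for process.env.BLOCKED_SIGNUP_DOMAINS;
// mixed case, whitespace, an empty segment and a duplicate exercise the parser.
const SAMPLE_DENYLIST = parseBlockedSignupDomains(' dpdns.org, ,Example.net,dpdns.org ');

/** Thin wrapper shared by both signup guard call sites. */
function isSignupEmailBlocked(email: string | null | undefined): boolean {
  return isEmailInDenylist(email, SAMPLE_DENYLIST);
}
```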

@waleedlatif1
Collaborator Author

@greptile

@waleedlatif1
Collaborator Author

@cursor review


@cursor cursor Bot left a comment


✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

Reviewed by Cursor Bugbot for commit 900f86e. Configure here.

@waleedlatif1 waleedlatif1 merged commit e62c3ad into staging May 28, 2026
14 checks passed
@waleedlatif1 waleedlatif1 deleted the waleedlatif1/ban-fake-signups branch May 28, 2026 20:32
