Email domain restriction added for OAuth2 authorization.

2026-04-19 16:43:26 +02:00 · 2017-01-27 22:02:41 +01:00
parent 79aadbb090
commit 8b9ff7e580
2 changed files with 21 additions and 3 deletions
--- a/lib/units/auth/oauth2/index.js
+++ b/lib/units/auth/oauth2/index.js
@@ -28,10 +28,20 @@ module.exports = function(options) {
  , session: false
  }))

+  function isEmailAllowed(email) {
+    if (email) {
+      if (options.domain) {
+        return email.endsWith(options.domain)
+      }
+      return true
+    }
+    return false
+  }
+
  app.get(
    '/auth/oauth/callback'
  , function(req, res) {
-      if (req.user.email) {
+      if (isEmailAllowed(req.user.email)) {
        res.redirect(urlutil.addParams(options.appUrl, {
          jwt: jwtutil.encode({
            payload: {
@@ -46,8 +56,9 @@ module.exports = function(options) {
        }))
      }
      else {
-        log.warn('Missing email in profile', req.user)
-        res.redirect('/auth/oauth/')
+        log.warn('Missing or disallowed email in profile', req.user)
+        res.send('<html><body>Missing or rejected email address ' +
+                 '<a href="/auth/oauth/">Retry</a></body></html>')
      }
    }
  )