From 8b9ff7e5807fad3cbe470f7f4551a63acdc63f37 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Karol=20Wr=C3=B3tniak?=
Date: Fri, 27 Jan 2017 22:02:41 +0100
Subject: [PATCH] Email domain restriction added for OAuth2 authorization.

---
 lib/cli/auth-oauth2/index.js | 7 +++++++
 lib/units/auth/oauth2/index.js | 17 ++++++++++++++---
 2 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/lib/cli/auth-oauth2/index.js b/lib/cli/auth-oauth2/index.js
index 5898c66a..f5a21b83 100644
--- a/lib/cli/auth-oauth2/index.js
+++ b/lib/cli/auth-oauth2/index.js
@@ -54,6 +54,12 @@ module.exports.builder = function(yargs) {
 , default: process.env.OAUTH_SCOPE
 , demand: true
 })
+ .option('oauth-domain', {
+ describe: 'Optional email domain to allow authentication for.'
+ , type: 'string'
+ , default: process.env.OAUTH_DOMAIN
+ , demand: false
+ })
 .option('port', {
 alias: 'p'
 , describe: 'The port to bind to.'
@@ -89,6 +95,7 @@ module.exports.handler = function(argv) {
 , secret: argv.secret
 , ssid: argv.ssid
 , appUrl: argv.appUrl
+ , domain: argv.oauthDomain
 , oauth: {
 authorizationURL: argv.oauthAuthorizationUrl
 , tokenURL: argv.oauthTokenUrl
diff --git a/lib/units/auth/oauth2/index.js b/lib/units/auth/oauth2/index.js
index f8cd83c7..1e8a23cc 100644
--- a/lib/units/auth/oauth2/index.js
+++ b/lib/units/auth/oauth2/index.js
@@ -28,10 +28,20 @@ module.exports = function(options) {
 , session: false
 }))
 
+ function isEmailAllowed(email) {
+ if (email) {
+ if (options.domain) {
+ return email.endsWith(options.domain)
+ }
+ return true
+ }
+ return false
+ }
+
 app.get(
 '/auth/oauth/callback'
 , function(req, res) {
- if (req.user.email) {
+ if (isEmailAllowed(req.user.email)) {
 res.redirect(urlutil.addParams(options.appUrl, {
 jwt: jwtutil.encode({
 payload: {
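Review bot: The `describe` text of the new `oauth-domain` option does not say what form the value takes or how it is matched, which matters for an access-control setting; an operator cannot tell from `--help` whether to pass `example.com` or `@example.com`, or whether more than one domain is accepted. Since the option is also read from `OAUTH_DOMAIN`, the same ambiguity applies to deployments configured by environment. I would make the help text explicit, e.g. `describe: 'Optional email domain (e.g. example.com); when set, only accounts whose email address belongs to exactly this one domain may authenticate.'`, and keep that wording in step with whatever comparison lib/units/auth/oauth2/index.js actually performs. The yargs builder chain this option sits in starts and ends outside the hunk.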
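Review bot: `email.endsWith(options.domain)` in the new isEmailAllowed is a plain suffix test, not a domain test, so the restriction does not actually limit logins to the configured domain: any address whose host merely ends with the configured characters satisfies it, and the comparison is also case-sensitive although mail domains are not. The check should isolate the part after the last `@` and compare it for exact, case-insensitive equality with `options.domain` (tolerating a leading `@` in the configured value is cheap and avoids a silent misconfiguration); an address with no `@` at all should be rejected rather than accepted when no domain is configured is a separate question, but with a domain configured it must fail. The enclosing `module.exports = function(options)` and the `/auth/oauth/callback` handler both extend beyond this hunk. Rewritten function below; `var` and the no-semicolon style follow the surrounding file.
```javascript
  function isEmailAllowed(email) {
    if (!email) {
      return false
    }
    if (!options.domain) {
      return true
    }
    // Compare the domain part (after the last '@') exactly and case-insensitively;
    // a suffix test would also accept unrelated domains that end in the same string.
    var at = email.lastIndexOf('@')
    if (at < 0) {
      return false
    }
    var wanted = options.domain.replace(/^@/, '').toLowerCase()
    return email.slice(at + 1).toLowerCase() === wanted
  }
  // … unchanged: app.get('/auth/oauth/callback', …) …
```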
@@ -46,8 +56,9 @@ module.exports = function(options) {
 }))
 }
 else {
- log.warn('Missing email in profile', req.user)
- res.redirect('/auth/oauth/')
+ log.warn('Missing or disallowed email in profile', req.user)
+ res.send('Missing or rejected email address ' + 'Retry')
 }
 }
 )
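Review bot: The rejection branch answers a refused login with `res.send(...)`, i.e. a 200 response, so a domain-rejected account is indistinguishable from a successful callback for anything that only sees status codes (proxies, uptime checks, access-log based alerting); sending it with a 4xx status, e.g. `res.status(403).send('Missing or rejected email address ' + ...)`, keeps the human-readable page but makes the refusal visible. The combined warning also hides which condition fired now that isEmailAllowed folds "no email in profile" and "email from another domain" into one boolean; logging the configured domain alongside the profile (for instance adding `options.domain` to the `log.warn` call, if the logger takes format arguments) would let an operator tell a misconfigured `--oauth-domain` from a genuinely foreign account. The string literal after `address ' +` appears truncated on this page, so I cannot verify the markup it sends; since it contains no request data that is only a readability concern. The callback this branch belongs to starts outside the hunk.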